The slow death of SourceForge

Jun 12, 2015

In today's open source roundup: SourceForge may have lingered for too long. Plus: It's time for developers and users to move on from SourceForge. And redditors discuss the tactics of SourceForge.

The slow and ugly death of SourceForge

SourceForge has been in the news a lot lately, and not for any positive reasons. The site seems to stumble from one bad situation to the next, and some think that SourceForge is making a long, slow and ugly exit.

Christine Hall at FOSS Force has an overview of the slow death of SourceForge:

If SourceForge were a person and I were the New York Times, I’d make certain I had an obituary on file right about now. It’s obvious that the once essential code repository for open source projects is terminally ill, although it’s just as obvious that Dice Holdings, which took over ownership of the site nearly three years ago, has no plans of letting SourceForge go gently into the good night, so we’ll probably see more kicking and noise-making until the lights are inevitably extinguished.

Newer converts to open source probably don’t know much about the site, but it wasn’t long ago when Linux users were very aware of SourceForge and how to use the service, at least well enough to download software — perhaps more aware than they wanted to be. It was the go-to site when looking for a program not available in a particular distro’s repository. Not anymore. Not for a while. These days, the more important projects have either migrated to GitHub or are hosting their own.

It’s time for developers and software users alike to abandon this platform. Softpedia reported yesterday that WINE is planning an exit. Other projects are sure to follow. If I were a developer, I’d be moving, if for no other reason than I’d be afraid I’d wake up one morning to find the site shuttered.

More at FOSS Force

Simon Phipps at InfoWorld notes that SourceForge has been caught red-handed too many times for the site’s denials and promises of better behavior to be taken seriously:

SourceForge flirted with principled respectability a short while ago. Last year, I wrote an article about its efforts to introduce new monetization options for open source developers that treated projects very respectfully. I had given advice the organization had used, so I felt quite positive about its future. It seemed SourceForge was reversing a slide into dubious practices and had committed to working with communities to generate revenue ethically with their cooperation and consent.

So I was very disappointed indeed to hear the news about SourceForge’s decision to take control of the deprecated hosting project for the Windows build of GIMP (the GNU Image Manipulation Program) and use it as a vehicle to ship adware to unsuspecting users. I was even more distressed by the disingenuous self-justification with which SourceForge responded — and finally, angry when I heard the facts and the full story from GIMP insiders.

My conclusion: It’s time to move on from SourceForge. It’s no longer a trustworthy source for downloads; users should avoid projects whose downloads are hosted there. Open source projects hosted on it should devise migration strategies.

More at InfoWorld

And a recent article on How To Geek is warning users to steer clear of downloading software from SourceForge:

Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

More at How To Geek

Technology redditors reacted to the How To Geek article and made it clear that they are on to the download tactics of SourceForge:

Zombie042: “… they have really jumped the shark. Packaging malware with open source software and stealing long established accounts to do so. Just hoping Google ‘adjusts’ their search ranking soon to minimize the impact on less up-to-date IT folks.”

Red_turtle_slide: “Just downloaded FileZilla the other day and they link SourceForge as the main source. When I was installing, I noticed so much piggy backed junk that almost got installed. I skipped through those but would there have been anything else they may have slipped in without my knowing?”

Magixxxx: “Yeah. Such cheesy tactics as well. The classic “make it look like they’re agreeing to the main product”, of course. But it’s more advanced than that.

In the screen where you’re agreeing to install the main product, you can click on the checkbox that says “I agree” or you can click on the actual text next to the checkbox and it’ll still check it. So you get used to doing that. But in the screen that says “I agree to install ASK toolbar” or whatever, clicking on the text doesn’t do anything. You have to actually click on the 10x10px checkbox. They’re hoping that some people will click on the text and assume that they opted out.

And, of course, all of the extra crap is checked by default and hidden away under “advanced installation”. Because of course people who aren’t good with computers won’t use the advanced installation because it sounds scary. In reality it’s just there so you can disable the adware and select what folder you want to install to.”

Mugaboo: “In filezilla’s case, you’re out of luck as the developer is approving it. At that point, there are no binaries you can trust anymore, so the product needs to be abandoned completely.”

Staring_at_keyboard: “It seems like this is the new standard internet business model. Create an outstanding product or service and build up a large, trusting, user base. Then, slowly inject ads/malware/junk/etc. into your product, profit, then sell off to facebook when people start catching on.”

More at Reddit



Jim Lynch is a technology analyst and online community manager.

Jim has written for many leading industry publications over the years, including ITworld, InfoWorld, CIO, PCMag, ExtremeTech, and numerous others.

Before becoming a writer, Jim started his career as an online community manager. He managed Ziff Davis’ forums on CompuServe and the web including the PCMag and ExtremeTech forums. He’s also done community management gigs with the Family Education Network, Popular Mechanics and MSN Games. Jim still has a passion for well-moderated discussion forums that offer helpful information without a lot of flames, rudeness and noise.


The opinions expressed in this blog are those of Jim Lynch and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
