Sourceforge has crossed the threshold from bad to criminally bad
A bunch of years back I wrote that Sourceforge.net was “a very useful website for computer programmers (or developers, as we like to call ourselves), because it provides an aggregation point for people, code and knowledge, and it does so for free.”
The reason I blogged about Sourceforge was that the site had started to make mistakes. Next to its small and inconspicuous download links it placed large advertisements that looked exactly like download buttons and that would lead you to all kinds of nasty and unwanted software. I naively assumed that this was a mistake; something Sourceforge would fix as soon as it was pointed out to them. Somebody from Sourceforge even kindly commented to explain what was going on — although the explanation itself was rather disappointing.
These days, Sourceforge not only places problematic ads, it also bundles the software it hosts with extra downloads. And what is worse, it has hijacked high-profile projects to do so.
Apparently the GIMP project (a photo editor) had already left Sourceforge in 2013, but had kept an account active to act as a mirror, an extra download site in case the primary site is down. The maintainer of the GIMP’s Windows distribution discovered on 26 May of this year that he no longer had access to his own account.
Earlier that day, the GIMP developers had received word that the GIMP download from Sourceforge was being wrapped in an installer. According to Ars Technica, that installer would try to lure you into installing extra software.
I don’t know much about criminal law, but this seems to be something that should have landed Sourceforge’s owners, Slashdot Media (once a geek-loved brand), firmly into gaol.
Anyway, the lesson is clear: stop downloading from Sourceforge. The company has since promised that it would stop hijacking accounts, but I don’t trust serial abusers.
What is the alternative? Well, for one thing there is a tool called Ninite that promises to help you manage a great number of freeware and FOSS installations, including GIMP, and that promises to do so without installing any kind of spyware or other malware. I am not sure if and how far they can be trusted, but it seems to me that if “no malware” is one of their defining features, they may not wish to throw away their reputation by breaking that promise. Here’s hoping that this is not me being naive again.