Jul 10 2013

UPDATE: Google is rolling out blocking/warning of deceptive site practices. Good for Google, hopefully this type of blocking will become more common.

I like to think programmers for the most part try their best to protect the end users from ‘bad things’.  With the announcement of DevShare, SourceForge shows that they no longer give a single shit.  I’ll start with the introductory paragraph:

Today SourceForge it is [sic] excited to launch DevShare, a new opt-in, revenue-sharing program aimed at giving developers a better way to monetize their projects in a transparent, honest and sustainable way.

Sustainable isn’t even a word that means anything in this context.  The only ‘opt-in’ is on the part of the project, so end-users don’t have that choice.  And how about ‘transparent’? If by that they mean invisible to end users, that would be correct.  And honest???  Bullshit. If you go to the FileZilla download page with JavaScript disabled you’ll get a link to the proper clean installer.  Enable JavaScript and you get something entirely different:

[image: fzdownload java]

If you click on that nice big green recommended button, you’ll download an ‘installer’ from ASK.com which will in turn try to download something else from ASK.com.  The installer was presumably created by ASK.com as it’s signed with their code signing certificate.  This means that ASK.com has full control over this crapware installer, and there is no mention of oversight on the part of SourceForge.

Further down in the announcement we find this:

We take our role at SourceForge as the trusted source for open source very seriously. That is why we spent considerable time looking for partners we could trust and building a system that does not detract from our core user experience.

Trusted???  Nobody that knows anything trusts ASK.com; they have been surreptitiously installing their crapware on people’s machines using every trick in the book.  I’m pretty sure they invented the ‘industry’.

We know many open source users are skeptical about monetization initiatives. SourceForge will always respect the rights of our users and we will never infringe on them. DevShare offers a transparent installation flow that gives users all the necessary information to make educated choices about what software to install.

What?? This installation ‘flow’ doesn’t give users any information in the beginning.  And there’s the main problem.  If you click the nice big green download button and run that application you will have to give it elevated privileges to your computer (for Vista and beyond) before you will necessarily even know that it’s actually a crapware installer from ASK.com. In addition to that, it immediately attempts to contact ASK.com’s servers for some purpose.  My network has blocks in place for bad servers, and ASK.com and related are part of that blocking.  All I know is that it tried to do something.

Thanks to DevShare, we are now able to offer a bundle program that is fully compliant with Google’s strictest policies. This includes a solid compliance process for both open source applications and third party offerings. The whole installation flow is clean and has no misleading steps. Uninstallation procedures are exhaustively documented and all applications are verified to be virus and malware free. You can see this on the latest version of FileZilla, our largest DevShare partner to date.

And more bullshit.  Perhaps the part where ASK.com downloads crapware from their servers with full administrator permissions and no notice or choice on your part is outside of what they consider ‘installation flow’.  There is no way they can verify this as virus and malware free, period.

So basically if you download anything from SourceForge there is a serious risk to your systems if you are not careful.  I used to trust SourceForge; I have 3 projects hosted there and I’ve been a developer and contributor for over 11 years.  That ends now.

UPDATE 06/02/2015: this issue has finally hit the mainstream, here and here

UPDATE 06/03/2015: And now they’ve taken over nmap.  SourceForge is dead; there’s no way they’ll recover from this round of stupid.
