SourceForge hijacks popular accounts to distribute 3rd-party software
Online source code repository SourceForge has apparently started taking over inactive accounts for popular software, and adding bundle-ware installers to the software packages.
One of the first “victims” was the account hosting GIMP for Windows. Sean Gallagher reported that, with the lead developer locked out, control of the account was passed to “sf-editor1,” a SourceForge staff account that is now, apparently, the owner of many of the Apache Foundation’s projects, Mozilla’s projects, and many, many other high-profile ones.
Visitors who wanted to download the tool were now faced with additional offers to install third-party software that many consider to be adware and potentially even malicious.
SourceForge tried to justify this move by saying that the legitimate owners of the accounts had effectively abandoned them, using them perhaps only as a distribution mirror. They also admitted to using some of these projects to deliver “easy-to-decline third-party offers,” but noted that the original downloads are still, and will always be, available.
While it’s true that some developers who host their projects on SourceForge decide to allow it to bundle offers for other software with their binaries as part of a legitimate SourceForge revenue sharing plan, GIMP developers have never opted into this plan.
The GIMP team commented that they moved the Windows installers away from SourceForge in 2013 because of the “invasion of the big green ‘Download’ button ads appearing on the SourceForge site.”
“We do not want our users having to dodge any ‘offers’ or to worry about possibly installing malware in the process,” they noted, adding that the aforementioned bundling of other software with the GIMP project binaries was done without their knowledge and permission, and despite SourceForge’s promise that it would never do such a thing without the developers’ consent.
In the meantime, SourceForge has backtracked a bit.
“In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers for unmaintained SourceForge projects,” they announced on Monday.
“While we had recently tested presenting easy-to-decline third party offers with a very small number of unmaintained SourceForge projects, we discontinued this practice promptly based on negative community feedback. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.”
On Wednesday, Gordon “Fyodor” Lyon, the creator of Nmap, added his own voice to the group of disgruntled developers, explaining on the Nmap Development mailing list that the Nmap account was also effectively hijacked by SourceForge staff, although SourceForge is still offering only the official Nmap files for download.
The GIMP team asked SourceForge to change its approach, to allow and help project owners remove their projects permanently from the hosting service (if they wish), and not to “maintain mirrors serving installers or files differing from those provided by the project or wrap those in any way.”