
“It appears that SourceForge took control of the 'GIMP for Windows' account” - patdavid
https://plus.google.com/+gimp/posts/cxhB1PScFpe
======
scrollaway
Reposting what I wrote on the Reddit thread:

I'm one of the lead devs of LXQt and an LXDE sysadmin. We use Sourceforge for
our mailing lists and some LXDE legacy stuff.

I'm absolutely sick of them. It's not the first time this has happened. I've
been pushing for us to move off SF for a while and this is a good occasion to
push for it harder.

I've sent an email [1] detailing plans to move. I am urging everyone who still
has projects on Sourceforge to do the same.

If you have similar migration problems to solve as the ones I've highlighted
in the email, please contact me directly and we can share the workload. My
email is available on my Github profile [2].

[1]
[http://sourceforge.net/p/lxde/mailman/message/34148903/](http://sourceforge.net/p/lxde/mailman/message/34148903/)
[2] [https://github.com/jleclanche](https://github.com/jleclanche)

------
etix
It is precisely for these reasons that we stopped distributing VLC via SF.net in
2013. I even wrote about it: [https://blog.l0cal.com/2013/05/02/rethinking-vlc-mirrors-inf...](https://blog.l0cal.com/2013/05/02/rethinking-vlc-mirrors-infrastructure/)

~~~
biot
Have you checked your site on an iPad? It's alternating the font size between
small and large several times a second, resulting in a strobe effect that
never stops. Yikes!

~~~
walterbell
Bizarre. Happens only in landscape mode.

------
jbk
Our VLC account has been taken too by sf-editor-1.

Fortunately, we've been on our own mirror infrastructure for quite some time,
and it's faster and way better.

Btw, if any other open source project needs help to distribute their binaries
(because of the size), please contact me.

PS-EDIT: signing the installer was a good idea, I guess :)

~~~
davidgerard
Is there anything you can do to stop them malwaring VLC?

------
geofft
What are the reasons for people to use SourceForge today? Why hasn't everyone
else ( _especially_ major projects like GIMP and Audacity) moved off?

Here are some possibilities I can think of, but I'm curious if they're
correct:

- Mailing list hosting

- Non-git repository hosting, for projects that prefer CVS or SVN

- Shell account (though it doesn't seem very useful)

- Features GitHub has but few others do (binary hosting, website hosting,
etc.) and the project wants to avoid GitHub

Are there others?

~~~
JohnTHaller
One reason is discoverability as they have a rather extensive searchable
directory of open source software.

Another reason for quite a while was binary hosting, which github originally
supported, then discontinued, but finally added again in July 2013.
Additionally, the ability to use any open source license or combinations of
licenses, as Google Code supported binary downloads during the time github
didn't but only permitted one license per project and only from a subset of
open source licenses (originally a small subset, later expanded). Google Code,
of course, is sunsetting now. And github now supports multiple licenses as
well as binary releases.

~~~
geofft
Oh right, the other reason I forgot to mention is lack of volunteer
time/enthusiasm to deal with a move. If you already bounced between Google
Code and SourceForge two years ago, chances are you're probably not completely
excited about jumping ship to GitHub right now.

(But yes, right now, if you're on Git, GitHub will give you binary downloads
and all licenses.)

~~~
hhsnopek
Actually you can easily import your code into repos now. Also considering
Google code is shutting down you can easily move your project to github from
google code.

------
JohnTHaller
SourceForge made a blog post about the GIMP project here:
[http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-...](http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/)

It appears they switched the GIMP project on SF back to directly downloading
the standard GIMP installer, at least that's what I see right now in Firefox
at 3:30pm NYC time.

~~~
yoz
"Mirrored projects are sometimes used to deliver easy-to-decline third-party
offers, and the original downloads are always available."

In other words: "Yes, we take your project and wrap it in an adware
installer."

~~~
Someone1234
Or as I call it: "the download.com strategy." Honestly SF are scumbags.

------
daveloyall
As noted in other comments, the GIMP installer on
[http://sourceforge.net/projects/gimp-win/files/](http://sourceforge.net/projects/gimp-win/files/)
is now bit-for-bit identical to the one on
[http://download.gimp.org/pub/gimp/v2.8/windows/](http://download.gimp.org/pub/gimp/v2.8/windows/)
(let's call this one official).

Does anybody have a copy of the "value added" installer?

How did it work? Was it a wrapper which contained a copy of the official
installer? Did it have the same filename? Was there some identifier in the
URL? A cookie?

In other words, can we programmatically identify other hijacked projects?

~~~
JohnTHaller
It's a 730KB downloader installer as used by FileZilla, Angry IP Scanner, and
other apps on SF that participate in the Dev Share program. You run it, it
shows offers, then downloads the actual GIMP installer and runs that. I did a
Virus Total scan of it earlier and the results are here:
[https://www.virustotal.com/en/file/a63a337b0aa6b2686440802eb...](https://www.virustotal.com/en/file/a63a337b0aa6b2686440802eb557a8d5e03567be78e4f6c2a239ca3076ebe43c/analysis/1432747594/)

It seems they've disabled the ability for the GIMP downloader installer posted
earlier today to be able to download GIMP now. Possibly so other sites don't
distribute it further thinking it's the real GIMP installer?
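The two checks the thread keeps coming back to (is the downloaded file bit-for-bit the official one, and does it carry an Authenticode signature at all, given that the 730KB downloader stub is a different binary from the signed GIMP installer) can be scripted. This is an added example, not code from the original thread or from any of the projects mentioned; the PE headers it inspects are constructed inline, and the presence of a certificate table is only a triage signal, not a validated signature (verifying the chain needs a real Authenticode verifier).

```python
import hashlib
import struct

def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the PE Attribute Certificate Table
    (data directory index 4), or None when no signature blob is embedded."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes @92, directories @96
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+: NumberOfRvaAndSizes @108, directories @112
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", pe, opt + ndirs_off)[0]
    if ndirs <= 4 or dirs_off + 5 * 8 > size_opt:
        return None             # header too short to hold the security directory
    off, size = struct.unpack_from("<II", pe, opt + dirs_off + 4 * 8)
    return (off, size) if off and size else None

def triage(candidate: bytes, official: bytes) -> dict:
    """Defender-side summary of a downloaded installer versus the known-good copy."""
    sha = hashlib.sha256(candidate).hexdigest()
    return {
        "sha256": sha,
        "identical_to_official": sha == hashlib.sha256(official).hexdigest(),
        "signed": authenticode_table(candidate) is not None,
        "size": len(candidate),
    }

def make_pe(cert_size: int = 0) -> bytes:
    """Constructed minimal PE32 image (not a real binary) with an optional
    certificate table appended, so the checks above can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte opt hdr
    opt = bytearray(224)                                         # 96 + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    body = b"\0" * 64
    cert = b""
    if cert_size:
        struct.pack_into("<II", opt, 128, 64 + 4 + 20 + 224 + len(body), cert_size)
        cert = b"\xAA" * cert_size                               # placeholder PKCS#7 blob
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert
```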

------
Karunamon
Wow. Is this legally actionable? Yeah yeah, their server and so forth, but
pretending to be somebody is generally seen as a Bad Thing© by the courts.

~~~
shiggerino
What's with the copyright symbol?

~~~
Karunamon
A copyright that's been registered by Sourceforge ;)

~~~
javawizard
By which you mean a trademark?

~~~
Karunamon
You both are putting a heck of a lot of effort into nitpicking a single
character used for humorous effect :/

~~~
shiggerino
It's worth nitpicking about, for several reasons.

It would be a shame if a young entrepreneur thought their trademark was
protected by the Berne convention and someone came and took it. It would be a
shame if the Mickey Mouse lobby went completely unopposed because people can't
think critically about what they don't know. It would be a shame if a large
corporation could grab the trademark of a small free software charity because
people don't think it's "a big deal".

------
cillian64
Is there anything suggesting it's SourceForge itself doing this and not just
(an improbably widespread, admittedly) set of account breaches? It makes sense
-- acquire accounts, enable ads, profit.

~~~
ksherlock
"The Open Source Mirror Directory is an extension to our existing software
directory, where __we'll be mirroring projects that are not hosted on
SourceForge, and SourceForge projects that have been abandoned.__"

Why are we doing this? We want the SourceForge software directory to be as
useful as possible. When you come here to search for a piece of software, we
want you to be able to find it, and find the most up to date releases. And if
that software isn't hosted on SourceForge, we still want you to be able to
find it. Or if a SourceForge project has been abandoned, we want it moved to
the mirror and maintained, so you can always find the newest releases.
Millions of people use SourceForge every day to search for Open Source
software, and we want to give them the best experience possible, even if the
best answer to their search is a project hosted elsewhere, or an abandoned
project newly maintained by the SourceForge team.

[http://sourceforge.net/mirror/](http://sourceforge.net/mirror/)

~~~
SwellJoe
So...they're claiming to "maintain" projects, and that means turning them into
adware?

That's so underhanded and nasty that it's difficult to believe. If true, it
means SourceForge has effectively become the nemesis of every software
developer who ever used their services. And, it means every software developer
who cares about software freedom and privacy _must_ move everything off of
SourceForge.

We host Webmin on SF.net, still, and it is downloaded over 3 million times per
year, making it one of the most popular packages in the system administration
category for over a decade (last I checked a few years ago, it was second only
to phpmyadmin). They've never done anything weird or underhanded with our
stuff (but most of our packages are signed and setup in such a way that
fiddling with them would be somewhat challenging). Given its popularity, I
would assume it would be a likely target for this sort of thing. But, maybe
it's only "abandoned" projects? (Whatever that means, since it sounds like the
original author in this case did not consider their project abandoned.)

~~~
makomk
Abandoned projects and "projects that are not hosted on SourceForge", which
appears to include projects that still have a SourceForge page that's actively
maintained if the project has moved elsewhere. So if you move off SF.net,
they'll take over your page there and use it to distribute adware-enhanced
versions of your software. Incredibly underhanded.

~~~
SwellJoe
Moving doesn't prevent this or protect users, and it actually would
potentially trigger such a takeover by SF.net? So, there is no escape?

I'm really finding this hard to believe. It's just incredible. I mean, I've
had a bit of a love-hate relationship with SF.net forever, but it's always
been the kind of thing you might have with a bratty sibling (i.e. you wish
they were doing more with their lives, but you still love them). This is such
a massive betrayal of trust that I can't even swallow it.

I mean, the evidence seems to be there, and more than one major project has
reported this behavior, so it's not really something I can just ignore. But,
it's also just so horrible. (I'm beginning to become repetitive. I just really
find this unbelievably awful.)

I don't know anyone involved in SourceForge, and haven't in more than a
decade, so I don't even know who to reach out to for some kind of
clarification about WTF they think they're doing. Their mirror page doesn't
explain anything about distributing malware in these projects they "maintain",
so they're already not being forthright about it.

~~~
fomojola
Shame really: for a while SourceForge was THE place to go for open source
software.

They claim (at the bottom of
[http://sourceforge.net/mirror/](http://sourceforge.net/mirror/)) that "If you
have an Open Source project outside of SourceForge, we'd like to hear from
you. If you want your project mirrored on our site, or if you don't want your
project mirrored on our site, please let us know. Or there's any other service
that we can extend to your project community, we'd like to hear that, too.
Contact us at communityteam@sourceforge.net and we'll be sure the message gets
to the right people."

People should email them at communityteam@sourceforge.net and ask to be un-
mirrored. Maybe that will work.

~~~
ender1
I asked them to stop distributing the GIMP installer on May 16th (as soon as
we found out what's happening), but didn't even receive a response.

------
kierank
The number of people casually suggesting github for large binaries on HN is
incredible and funny. They should try downloading something from github in
Asia and they'll learn why local mirrors are useful.

------
ajohnclark
I think this pretty much explains why this happened, a quote from their parent
company here: "2005 - IN AUGUST, WE ARE ACQUIRED BY DICE HOLDINGS, INC., WHICH
IS OWNED EQUALLY BY GENERAL ATLANTIC LLC AND QUADRANGLE LLC, PRIVATE EQUITY
FIRMS IN NEW YORK CITY." via: [http://www.dhigroupinc.com/our-company/default.aspx](http://www.dhigroupinc.com/our-company/default.aspx)

------
subudeepak
Any other projects affected ? Would be nice to start a list of all affected
projects. This could also be a case of targeted attack on the gimp account.

~~~
prokoudine
[http://sourceforge.net/u/sf-editor1/profile/](http://sourceforge.net/u/sf-editor1/profile/)

Nice list. Got Audacity there, for instance.

~~~
psykovsky
Bitcoin is on there also. Now that is worrying.

~~~
prokoudine
It doesn't necessarily mean all of them are affected, but I think it's a call
for a close inspection.

~~~
psykovsky
I downloaded the bitcoin .exe, and it came clean, with the right signatures, but
who knows how they are distributing the stuff. I have an Ubuntu computer. If
they're at least a bit smart they will use their download redirects to serve
the spyware only to Windows computers or something, so that could be why I got
a clean binary. Bitcoin devs investigated, at my request. They removed the sf-
editor1 user from the project owners and checked the binaries to see if sigs
matched, and they did. But like I said, they could be filtering who they serve
the "spyware" to.

------
j_s
Reviewing the meager amount of Twitter chatter it appears SourceForge had
cemented its irrelevance before this craziness.

------
hobarrera
In this age of GitHub being huge, and GitLab being the purely open-source
choice, this can't really end well for SF.

They really really need to up their game if they want to stay relevant. Most
of the stuff I find pointing me to SF these days is usually abandoned (GIMP
and Pidgin are probably notable exceptions).

------
SamWhited
I'll still never understand why people don't move off of SourceForge; GitHub
and Bitbucket (among others) are almost feature complete, and for the things
that they're missing (mailing lists) there are plenty of free alternatives out
there that are fairly easy to port.

------
unhammer
More details: [http://libregraphicsworld.org/blog/entry/anatomy-of-sourcefo...](http://libregraphicsworld.org/blog/entry/anatomy-of-sourceforge-gimp-controversy)

------
yuhong
I wonder what would happen if Google or Yahoo! acquired them.

------
dm2
Is that enough to qualify SourceForge as malicious and ask that it be removed
from Google's search results?

------
naveen99
Pywin32 also should find a new home or maybe a reimplementation in golang.

