
GIMP-Win project wasn’t hijacked, just abandoned - chris-at
https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
======
scrollaway
There is zero excuse for what they did, and zero excuse for what they have
been doing for the past years.

Once again reposting what I said in the other thread (which seems to have been
modded off the frontpage, sad).

I'm one of the lead devs of LXQt and an LXDE sysadmin. We use Sourceforge for
our mailing lists and some LXDE legacy stuff.

I'm absolutely sick of them. It's not the first time this has happened. I've
been pushing for us to move off SF for a while and this is a good occasion to
push for it harder.

I've sent an email [1] detailing plans to move. I am urging everyone who still
has projects on Sourceforge to do the same.

If you have similar migration problems to solve as the ones I've highlighted
in the email, please contact me directly and we can share the workload. My
email is available on my Github profile [2].

[1] [http://sourceforge.net/p/lxde/mailman/message/34148903/](http://sourceforge.net/p/lxde/mailman/message/34148903/)

[2] [https://github.com/jleclanche](https://github.com/jleclanche)

~~~
Touche
It's unfortunate there aren't many good hosted mailing list services out
there. Google Groups makes it hard to use without a google id, and mailman is
tricky to setup/maintain.

~~~
aDevilInMe
Have a look at freelists www.freelists.org/

~~~
tomswartz07
I love their Terms of Service:

> I have read and agree to the above terms, and agree that if I ask FreeLists
> for email addresses or send SPAM using their resources, they have
> _permission to inflict severe pain on me with large, blunt objects._

[emphasis mine]

~~~
digi_owl
Oh that brings to mind the old User Friendly comic attitude. We really need
more of that these days.

------
baldfat
This makes me even more angry at SourceForge and not less.

1) There is nothing clear and open about the project being abandoned by the
author

2) The author left SourceForge due to their business practices and this allows
SourceForge to take over the repos and continue making money?

3) Is SourceForge just going to maintain any project that leaves them and
makes a mirror?

The sad state of Download.com and SourceForge keeps getting grimmer and
grimmer.

~~~
ntakasaki
>This makes me even more angry at SourceForge and not less.

YCombinator also invested in a company that did this.

[http://www.istartedsomething.com/20130115/y-combinator-is-fu...](http://www.istartedsomething.com/20130115/y-combinator-is-funding-the-future-of-spam-in-windows-drive-by-crapware-installers/)

Here's pg's response:

> 2\. The apps that get installed are "crapware."
>
> This one seems a matter of opinion. A lot of the world's most popular apps
> and sites seem like junk to us. But the users are choosing to install these
> things.

[https://news.ycombinator.com/item?id=5092711](https://news.ycombinator.com/item?id=5092711)

~~~
moron4hire
Are they choosing? I've accidentally installed this crap on a number of
occasions, and I'm typically very vigilant about it. But it's impossible to be
perfect. That is where the adware market has gone: banking on the small-but-
not-0 probability of someone forgetting to read installer wizards very
closely, 100% of the time.

What systems are in place to prevent this from happening with package manager
systems like apt-get, yum, or even npm? How often do we just blindly "sudo
apt-get install blah-blah blah"? I know _I_ don't read the dependencies.

~~~
JoshTriplett
> What systems are in place to prevent this from happening with package
> manager systems like apt-get, yum, or even npm? How often do we just blindly
> "sudo apt-get install blah-blah blah"? I know I don't read the dependencies.

Distributions don't typically package and distribute malware. And everything
packaged in a distribution should be removable via the same package manager
that installed it. So, while you might get a package you don't want, that
package won't start showing you ads or harming your system, and you can always
trivially remove it.

~~~
moron4hire
So the answer is "trust"? We're supposed to just trust Canonical, the company
that put Amazon ads in our desktop search, to not figure out they could put
adware in their package repository?

~~~
JoshTriplett
I wouldn't. But I'd trust Debian.

~~~
SwellJoe
And, I would trust Fedora (which has similarly stringent Open Source
guidelines for inclusion).

------
simosx
Sourceforge took over more than 300 dormant projects.

Here is the list,

[http://sourceforge.net/u/sf-editor1/profile/](http://sourceforge.net/u/sf-editor1/profile/)

[http://sourceforge.net/u/sf-editor2/profile/](http://sourceforge.net/u/sf-editor2/profile/)

[http://sourceforge.net/u/sf-editor3/profile/](http://sourceforge.net/u/sf-editor3/profile/)

~~~
castell
On the list Apache Hadoop, Apache Lucene, OpenOffice, SQLite, etc. wow - if
all these downloads come with a malware installer..

------
ww520
The GIMP developer has asked SourceForge to remove the installer. Guess they
just ignore him.

[https://mail.gnome.org/archives/gimp-developer-list/2015-May...](https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html)

~~~
giancarlostoro
This alone seems like reason enough not to use SourceForge even if just for
mirroring a project. Which is what a lot of projects do including some Linux
Distributions, what are alternative hosts at that point though?

~~~
rylee
Gitlab, Bitbucket, GitHub are the big three. There's a whole lot of others,
but those are the ones I know off the top of my head.

~~~
datenwolf
There's also Gitorious

~~~
sytse
GitLab CEO here, Gitorious was acquired by GitLab
[https://about.gitlab.com/2015/03/03/gitlab-acquires-gitoriou...](https://about.gitlab.com/2015/03/03/gitlab-acquires-gitorious/)

~~~
carussell
It seems like there's an opportunity here for the big three.

I'm thinking something along the lines of, "Don't like the way services like
SourceForge are handling your project nowadays? There are better services to
use; here's a list. Obviously, we'd like you to use ours. We've already set up
a home for you on our service in anticipation of your stay with us, which we
think you'd enjoy. You'll find that it's already fully furnished, even. Here
are the keys. Give us the go-ahead and we'll aggressively pursue the takedown
of badware distributors."

The benefits to any of the three who go for this plan would be the host's
association with such high-profile projects. GitHub may look at this and
decide that at this point in their trajectory, there's just not enough in it
for them, but it seems like either GitLab or Atlassian could benefit from it.

~~~
sytse
At GitLab we already have one-click importers for GitHub.com, Google Code and
Bitbucket. We would love for someone to contribute a SourceForge importer.

~~~
rylee
That's not quite the angle he(?) was going for — he(?) is saying that an
aggressive campaign from one of the Big Three in Git hosting to aggressively
take down badware distributors while hosting your software would be one hell
of a PR campaign.

~~~
sytse
I don't think any of the big three are hosting badware. We want people to
choose GitLab, I don't want to start distributing software like Gimp without
their blessing.

~~~
carussell
I think you're still not hearing what I'm getting at. The idea isn't that the
big three are now peddling crapware-infested downloads, but there exist
services like SourceForge and tons of download sites that are.

This is about aggressively courting existing projects that may still be on
SourceForge out of nothing more than inertia. Migrating away is a process,
even with importers. My original comment was about surveying the landscape for
potential candidates that you'd like to see using GitLab, and then go ahead
and set up a home for select projects before approaching them. This could
include reserving accounts for the core developers, pre-seeding the project
with whatever importing would be required, and just generally making it
stupid-easy to migrate--as easy as just saying, "yeah, okay; we'll do that",
and then setting up their password.

If you're worried about doing anything with their blessing, this could all
happen in such a way as to not be publicly accessible until the project
actually gives the go-ahead and confirms they would like to make the switch.

~~~
sytse
Making it easy is a great idea and our one-click importers are getting better
all the time. Pre-creating all SourceForge accounts and content is wasteful,
many good usernames will go unused and all our backups will contain many
projects that are never accessed. So we'll focus on making the import good
and fast instead of doing it in advance and emailing people about it.

------
abulman
Whenever a download link (and more often than not, for me, it's usually for a
server-based tool) goes to Sourceforge, I cringe - more than a little. For
Linux based tools, it's because a simple 'wget' for a file is going to end up
with a complex filename that I have to rename. This, at least, is a simple
problem for me to fix.

For desktop software, I'm more concerned after hearing of projects being
wrapped in Adware/malware. This is a particular problem on sites like
[http://download.cnet.com](http://download.cnet.com). I've been online since
at least 1996, and those sites used to be great to be able to find useful
software. Now, I prefer to not install much new software, in order to keep a
stable desktop (and it does work - I've only had to wipe my desktop and
install Windows from scratch once or twice in my entire online career, I get
new PCs more often).

I've even seen jobs posted on some sites to work on open-source code - but
then the project is hosted on sourceforge.net, and so it is using Subversion
for version control. While I may be expert on the underlying technologies that
particular project used (and the language) - it's not something that would ever
convince me to help them - not even while being well paid (and working
remotely, which is what I'm aiming to do from now on).

------
SwellJoe
So, this is a reminder (and a very harsh one) that trusting third parties with
your projects _may_ be a risky decision. I see many people suggesting moving
off of SourceForge to Github. While we moved most of our stuff to github years
ago, and I like github and have no major complaints about them today, I'm
having doubts about the wisdom of staying on any third party hosting site, no
matter how nice they seem today.

Let's put this in context: SourceForge was once (this was many, many years
ago) a deeply trustworthy entity. They were _excellent_ stewards of Open
Source projects. They consistently took guidance from the community, and
wouldn't have chosen profits over users or projects (though, certainly,
they've profited).

Markets change, leadership changes, acquisitions happen. One day, we may not
recognize github as the entity we know today, just as we don't recognize the
entity that SourceForge has become.

I'm not saying don't move to github. Obviously, nobody should be starting new
projects on SourceForge and github is one of the better third party
alternatives. But, it may be worth thinking about what happens when we as an
Open Source community build up another SF.net like entity. A central
repository for all the most popular Open Source software, controlled by one
profit-driven corporation.

Maybe it was worth the tradeoff. Maybe SourceForge provided enough value over
the years to where it's not worth belly-aching about having to rebuild our
communities around new tools (maybe even another third party tool), and to
educate users that SourceForge is now an untrustworthy provider that should be
avoided. Maybe we have to just mourn the loss of a once great supporter of
Open Source software and move on to another that will likely, someday, also
turn its back on Open Source values in pursuit of profits.

I hate trash-talking SourceForge so harshly, as projects I've been involved in
have been well-served by SF.net in the past (and even now, we're pushing out
terabytes of downloads through their mirrors, even though we've moved our
revision control to github long ago). But, the company as it exists today is
nothing like what it once was. I must assume none of the original founders
remain given how far this strays from the original vision of the thing, and
certainly it's been through multiple acquisitions and leadership changes.
Maybe I shouldn't feel so bad about it...maybe the SourceForge I knew has been
dead for years, and I just didn't notice as it's taken a while to start to
smell.

~~~
carussell
People, even hackers, get unreasonably attached to names. Your last paragraph
is key. If the company operating SourceForge today were doing what they're
doing today under any other banner, no one looking to evaluate the options
available to them would come away with the conclusion that TAFKA SourceForge
would be the thing to go with.

------
epaga
The whole blog post can be summarised in the one sentence "Mirrored projects
are sometimes used to deliver easy-to-decline third-party offers."

Makes me pretty sad since I still remember the days when SourceForge was one
of the good guys.

~~~
adekok
> "Mirrored projects are sometimes used to deliver easy-to-decline third-party
> offers."

If they just _mirrored_ the project, no one would be complaining. Having
another place to download copies of the official releases is a good idea.

The issue is they _changed_ the release. They advertised it as "mirror of
Gimp-Win version X". And it wasn't. It was Gimp-Win version X with a boatload
of adware / crapware. This made the Gimp-Win people upset that the crapware
was being falsely associated with their product.

If SF had advertised it as "SF Version of Gimp-Win with magic crapware",
people would be less upset. And fewer people would download it, of course.
Which isn't what SF wants.

Their self-serving statement about "mirror" is a lie. The people who wrote it
should be ashamed of themselves.

------
nothrabannosir
They show their true colors in the last paragraph:

_We welcome further discussion about how SourceForge can best serve the
GIMP-Win author._

Just stop. How disingenuous can you be? What a disgrace.

Do we really need to go there? Ok, how about: "completely suspend and remove
the project, and don't let the name be reclaimed."

Source Forge is trying to convince us they never thought of that. Really? Give
me a break. You knew. You just don't care. Fine, you don't. But don't try to
play that off as ignorance. "Oh, yeah, please enlighten us with further
discussion!" Get out of here, stop wasting our time.

They could just as well have done away with the blog post and put up an image
of a giant middle finger, instead. At least that would have been honest.

~~~
astrodust
We should start discussing how they can shut themselves down and rid the world
of the blight that SourceForge has become.

RubyForge folded and the world was better off.

------
neomech
I moved my project to github after one of their "enticing" offers installed a
vpn client that redirected all my traffic and inserted ads into my browsing,
when I installed filezilla. The installer they add is designed to make it very
easy to install their "offers" without your realising it. I'm very wary of any
code on sf now.

~~~
Someone1234
The Filezilla team also deserve some credit in that case, as they opted-in to
the ads on purpose (the Filezilla team gets kickbacks from each adware
install).

------
helb
So in fact it was hijacked… by SF.

My employer runs a sourceforge mirror – i am going to start some discussion if
we can turn it off.

Also, old HN post on "what happened to Sourceforge":
[https://news.ycombinator.com/item?id=6700115](https://news.ycombinator.com/item?id=6700115)

~~~
jlgaddis
_> My employer runs a sourceforge mirror – i am going to start some discussion
if we can turn it off._

Please do. IIRC, most (all?) of their mirrors are provided by third-parties
who are graciously offering their resources and SourceForge is taking
advantage of them to serve up and profit from adware/malware installers.

------
bill_from_tampa
In all fairness, the page for gimp-win on sourceforge clearly states it is a
mirror of a project that is no longer distributed by the upstream author
through sourceforge --

"Hey, this isn't a SourceForge project! Check out the SourceForge Open Source
Mirror Directory for more information. " -> this links to a page that explains
in detail what you are getting.

I don't have a windows installation handy so I can't 'test' the SF installer
to see if the adware or add-on programs are easy to identify and accept or
refuse -- has anybody tried that?

------
Xylemon
I've heard about how SF has been in some financial trouble, but isn't all this
adware nonsense just going to hurt them more in the end? Surely some
crowdfunding option could've been more of a viable effort...

~~~
coldpie
They've been getting scummier and scummier. They've been doing this ad
bundling thing for years, and their entire website is basically unusable
without adblock. Someone at Slashdot enterprises has no idea what they're
doing. At any rate, SourceForge is going to die soon. I wouldn't be surprised
if Google starts to delist them for distributing malware.

------
ntakasaki
Dice Holdings also bought Slashdot, and now there are things that look out of
place, like the Kate Upton ad for God of War, Slashdot Deals [1], and annoying
ads as tweets on the twitter account which made me unfollow.

[1]
[https://deals.slashdot.org/?utm_source=slashdot&utm_medium=n...](https://deals.slashdot.org/?utm_source=slashdot&utm_medium=navbar&utm_campaign=dealshp_1)

Would be interesting to see if Slashdot posts this story.

~~~
johnduhart
> Slashdot Deals

This has to be some prank, they can't be serious about that.

------
zak_mc_kracken
That is some crazy amount of spin. SourceForge started their path down the
scummy side a while ago but this is really taking it to a new level.

You'd think that if they really cared, they would back pedal on what they did,
but no, instead, they double down by trying to justify what they did and
"welcoming further discussions".

Also, this:

> deliver easy-to-decline third-party offers

How about delivering third-party offers that users need to opt in instead?

Terrible, terrible company and organization.

~~~
Lawtonfogle
Software that requires opt out should be considered as malicious as software
that doesn't give the ability to opt out.

------
r721
> Mirrored projects are sometimes used to deliver easy-to-decline third-party
> offers

It's as if they know the majority of experienced users would decline those
"enticing" offers.

~~~
pbhjpbhj
Adobe pull this same scummy move with Flash downloads; Oracle do it with Java
too. Surprised me recently setting up someone's Win 8.1 laptop as I had
thought that such moves were now illegal in the EU - perhaps they are?

~~~
Cthulhu_
Legally, no - after all, people give their express permission by leaving the
box ticked.

The newish anti-spam measures in the Netherlands actually forbid the 'Yes I
would like to receive spam' checkboxes to be pre-checked - has to be opt-in
instead of opt-out.

~~~
pbhjpbhj
I thought that was the ruling for applying whatever directive it was - that
the box couldn't be pre-checked to install other software but instead the user
had to check it (as in your spam example).

[research ensues!]

[http://europa.eu/rapid/press-release_MEMO-11-675_en.htm](http://europa.eu/rapid/press-release_MEMO-11-675_en.htm)
see (3) "Banning pre-ticked boxes on websites".
I'm sure Oracle - or whoever - would argue that as the consumer isn't paying
they don't have to abide by the regulation but Oracle are being paid to do it
so I don't see how that's any better (in fact it's worse really).

------
StavrosK
So what they did was take an abandoned project, add their adware installer and
release it?

~~~
chris-at
[https://plus.google.com/+gimp/posts/cxhB1PScFpe](https://plus.google.com/+gimp/posts/cxhB1PScFpe)

> It appears that +SourceForge took over the control of the 'GIMP for Windows'
> account and is now distributing an ads-enabled installer of GIMP. They also
> locked out original owner of the account, Jernej Simončič, who has been
> building the Windows versions of GIMP for our project for years.

~~~
arcatek
Apparently happened with VLC too...

> We also got outed of our +VLC project on sourceforge...

> But it does not matter, we moved to our infrastructure a long time ago to
> our own, which is better and more powerful!

------
fixermark
tl;dr "Hey, it's not our fault that we adopted policies so offensive to the
project maintainer that they utterly washed their hands of us, but the license
of GIMP basically prevents them from preventing us from distributing the
software inside of our third-party shovelware bundle..."

Good job SourceForge. A++ would never download anything from again.

------
Lawtonfogle
Why don't they (SourceForge but also all the other software vendors out there,
even Oracle with the Java and Ask.com bundling) just have it so it
automatically installs all the crapware instead of asking you? Last I checked,
it was because this would get them treated as outright malicious. I suggest
that we consider such offers where the default option is to install them to be
considered as malicious as installing them without asking.

------
moron4hire
>> Mirrored projects are sometimes used to deliver easy-to-decline third-party
offers, and the original downloads are always available.

So in other words, GIMP-Win was hijacked, just not by a 3rd party.

------
eridal
Let's take action and report the website so browsers warn users once they try
to navigate to the page.

[https://www.stopbadware.org/](https://www.stopbadware.org/)

Please report the entire website, not just some project. They had distributed
enough malware already.

------
codazoda
"Mirrored projects are sometimes used to deliver easy-to-decline third-party
offers, and the original downloads are always available."

Well, there's your problem.

------
dilap
Wow, it's not clear _at all_ that the SF page is a "mirror" of the official
project, and for now it remains the first google result.

What assholes.

------
JimmaDaRustla
Source Forge has been doing this for a while now, not just gimp.

Pretty sure I downloaded Synergy and it deceivingly downloaded a common
installer which was small and installed adware as it downloaded the proper
executable which you desired to download in the first place

~~~
DanBC
There are two problems.

1) wrapping the software in the sourceforge installer which includes adware.
(That's what you mention).

2) having a page that looks like an official project page and distributing the
software. This is bad for a bunch of reasons, including 1) above.

------
proactivesvcs
I'm sure we only hear about "easy to decline/opt-out/remove" software when it
is something nobody ever wants. If the first feature of your software is that
it's easy to decline, maybe it's time to pack up shop.

------
thebouv
I have good memories of SF being the hub of OSS back in the day. I was
particularly fond of how projects could actively post types of people they
were looking for (artists, doc writers, etc) instead of just relying on being
stumbled upon and/or just listing an issue.

However, recently, I cringe if I somehow end up at an SF link. Feels like I'm
on the wrong side of the Internet and that I can't trust any downloads from
them.

------
chris-at
> Based on our prior outreach to the GIMP-Win author, we understand that they
> had concerns about the presence of misleading third-party ads on
> SourceForge. They were not alone in those concerns — we were also concerned
> — leading us to establish a program to enable users and developers to help
> us remove misleading and confusing ads.

right.

------
m_mueller
Isn't this a problem with overly permissive licences used in most OSS? AFAIK
there is nothing stopping any commercial entity to just resell you OSS as-is
(in case of GPL they just have to link to sources as well). There's also
nothing stopping them from putting ad- and malware in, correct? IMO it might
be a good idea to put some limits into OSS licences - even if most projects
wouldn't have the means for litigation, at least it would give pause to some
legal departments of such companies trying to abuse OSS. I'd also advocate to
have a standard license similar to creative commons for non-commercial use.
Why not adding some semi-enforced sponsorship element into OSS projects that
are heavily used commercially?

~~~
carussell
This is true of any software that's freely redistributable. There's nothing
particular to FOSS that enables what's going on in this case. (In theory, the
source allows them to change it at the source-level and bake the badware in,
but SourceForge doesn't seem to be doing that.)

------
worklogin
I also notice this isn't covered by Slashdot, who is owned by DHI, who owns
Sourceforge.

------
qrmn
100% scummy. Question is, what do we do about it?

I wonder... Is bundling adware installers with GPL software a violation of the
GPL? (If not, _should_ it be? v2?/v3?) Where's the installer's source? It
wraps it in one linked executable file and presents itself as an installer for
it, so I am not clear that any "mere aggregation" defence would hold?

There's also a reasonable argument that this brings the official project into
disrepute: The GIMP may not be trademarked, but would it have to be?

Firefox, of course, _is_ trademarked. I dearly hope they've never wrapped
Firefox installers with adware, because Mozilla would not like that.

~~~
DSMan195276
I would assume that a non-GPL installer for GPL software would be fine,
because it doesn't actually run the software, just installs it as a set of
files (If it does run the program, generally it doesn't interact with it). I
would equate it to using something like GNU 'indent' on proprietary software -
I doubt using a GPL program to modify data would cause that data to have to be
under the GPL or any other license.

What _is_ very possible is that if they integrated their installer into GIMP's
installer (Since GIMP already has its own installer), GIMP's installer is GPL
so their modification would be a GPL violation unless they make the code
available. If all their installer does is run GIMP's installer though, then
there's no violation AFAIK.

~~~
true_religion
They could just make the code available for the installer.

It's not as if an installer is software worth protecting via copyright in
2015.

------
owly
Sourceforge has been dead to me for a while now. I think it started with
FileZilla.

------
DanBC
Gimp should just push an update that has a "Stop using Sourceforge" splash
screen and see if Sourceforge distributes that new version.

It's a shame. Sourceforge used to be really good.

------
helb
[http://helb.github.io/goodbye-sourceforge/](http://helb.github.io/goodbye-sourceforge/)

------
notwhereyouare
Given that the author hasn't given them permission to distribute GIMP, much
less a modified installer of GIMP, can he send a DMCA to them?

~~~
colinbartlett
Does an author need to grant permission for anyone to distribute his/her
GPL'ed source?

~~~
cowsandmilk
They cannot file a DMCA because there are no copyright issues.

This is why popular open source projects should seek trademark protection on
their names.

Sure, people get angry about Mozilla's protection of the Firefox trademark,
but this demonstrates that there are legitimate reasons to trademark a name so
you can protect it from malicious operators.

~~~
nandhp
Which is presumably why Firefox's downloads aren't modified (I checked
yesterday):
[http://sourceforge.net/projects/firefox.mirror/](http://sourceforge.net/projects/firefox.mirror/)

------
fithisux
It is a pity because I use SF often. I think that the problems could be
solved if we could use something like pkgsrc on Windows.

Unfortunately this is not a reality or an option but it would be a good
alternative.

Msys2 project gives a few of these apps as binaries. But it would be more user
friendly if we could just download from a source repository and compile
locally on windows.

~~~
carussell
Windows 10 is supposed to finally ship with something resembling a proper
package manager. Or something.

------
Pxtl
So they take the code from a 3rd party, compile it into an installer with
malware bolted on, and reap the profits from the malware.

Yeah, hijacked.

------
aikah
Question what are the alternative solutions to distribute window binaries
freely, without adware like sf or download.com? github used to allow binary
distribution but not anymore, and I don't feel like tags are a good way to do
that.

~~~
taspeotis
> github used to allow binary distribution but not anymore

Sorry I must be missing something, what's wrong with "Upload a release asset"
[1].

[1] [https://developer.github.com/v3/repos/releases/#upload-a-rel...](https://developer.github.com/v3/repos/releases/#upload-a-release-asset)

~~~
djpowell
Github used to have a simple binary files service, this was removed with no
replacement, and then the release asset system was added shortly after.

I only recently found out release assets.

------
u04f061
They are doing something with GIMP what they did to VLC.

------
fapjacks
Fuck SourceForge. The people that bought it blew it.

------
nodata
Bye sourceforge!

~~~
danellis
I'm astonished they lasted this long. The only unique thing they ever did was
their compile farm, now long gone.

------
kjs3
I think I've recommended sourceforge.net be added to the webfilter global
block list at every client I've worked with in the last 5 years. Once I
pointed out the risk of their drive-by download strategy, no one has said no,
and very rarely has an end-user complained (something almost always remedied
by finding a legitimate download site for them).

------
userbinator
Personally, I see this as one of the natural consequences of permissively-
licensed software, and the freedom of being able to obtain such from the open
Internet. This is a feature, not a bug.

If you want something with more security guarantees, then use the walled-
garden app stores. It reduces your chances of getting malware, but also
reduces the choices available to you.

Whether or not people like what SF is doing does not change the fact that it
is legal under the GPL. I hate adware myself, but if someone chooses to
distribute it legally, then I respect their freedom to... and the only thing I
would do is tell the users so they can make an informed decision. The official
GIMP site has made a notice about this already.

As long as computing platforms exist which allow users to install any
software, from anywhere they choose, they will eventually install something
they don't want (and even in walled-garden app store environments they still
manage to.)

Something to think about: "Freedom is not worth having if it does not include
the freedom to make mistakes."

~~~
TazeTSchnitzel
The problem is SourceForge hijacking the GIMP site

~~~
userbinator
The official site is [http://www.gimp.org/](http://www.gimp.org/) and it has
nothing to do with SourceForge.

~~~
TazeTSchnitzel
So? SourceForge hijacked the GIMP page on SourceForge, which shows up in
search results for GIMP downloads.

