
Google Is Now Listing SourceForge as a Malicious Site - irl_zebra
http://i.imgur.com/FAv6VdV.png
======
dkns
I'm guessing OP took this from reddit thread. If you read that thread you'll
see that it's not sourceforge but this one project. So this title is
misleading.

Edit: Thread:
[http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...](http://www.reddit.com/r/technology/comments/3a9h9x/soureforge_now_listed_as_malicious_when_clicked/)

Response from one user that sourceforge is actually whitelisted by google:
[http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...](http://www.reddit.com/r/technology/comments/3a9h9x/soureforge_now_listed_as_malicious_when_clicked/csamu9j)

[http://safebrowsing.clients.google.com/safebrowsing/diagnost...](http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=sourceforge.net/)
[http://safebrowsing.clients.google.com/safebrowsing/diagnost...](http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=downloads.sourceforge.net/)

~~~
k_roy
UBlock is actually blocking all of SF

~~~
rumdz
Which filter is blocking SF for you? UBlock is not blocking SF for me.

~~~
k_roy
Looks like it's maybe uBlock Origin that is blocking (versus just uBlock)

~~~
fwn
This. It's just in Origin. Started a few days ago.

------
derekp7
I've seen a few differing reports on what SourceForge is doing. From what I
gather so far:

1) Originally (a couple years back or so), they started (as an opt in from the
project owners) bundling adware with the Windows versions of installers on
selected projects.

2) Recently, SourceForge editors have taken over abandoned projects (i.e.,
projects that no longer use SourceForge as their primary distribution page,
and haven't updated the project pages), and have replaced the installers for
some of them with their adware-bundled installers.

3) A firestorm erupted over this, SF stated that they would back away from the
adware (on taken-over pages -- it would still be present on projects with an
agreement from the project owners).

4) They are still taking over abandoned projects and updating them.

Now my question -- for point (4), are they just updating the project download
pages with the current versions, or are they still bundling their adware with
the projects? Everything I've seen so far (after their "apology" post), it
appears that they haven't done any new adware bundling, just taking over the
projects. Is this the case? And if so, is the concern that they will slip in
the adware in the future?

------
phkahler
Let us keep SourceForge in mind as GitHub goes public.

~~~
api
GitHub has a paid business model, so I think they're less likely to be tempted
by the dark side. SourceForge is another cautionary tale about how "free is a
lie" -- how free leads directly to scummy business models.

~~~
Grue3
> GitHub has a paid business model, so I think they're less likely to be
> tempted by the dark side

So did Sourceforge. Github has competition in business space (Gitlab
Enterprise, Stash) and if it falls out of favor with businesses, anything can
happen.

~~~
merb
Stash is not a competition. GitLab is. Stash just falls more behind every
update. Look at the release notes of 3.10 and 3.9. I mean it took from 2.8 to 3.8
that you could use "go get". And still Stash won't implement git protocol in
the near future (while gitlab and github enterprise both have this)
[https://jira.atlassian.com/browse/STASH-2508](https://jira.atlassian.com/browse/STASH-2508)
however they released a read-only plugin since stash 3.8 READ ONLY.. and there
are even more issues to come that stash won't support or support in the near
future. Gitlab and github enterprise are so far ahead of stash and there is
another github like solution coming that is written in go. Also stash is
slower than Gitlab, even while gitlab is coded in ruby. Also the CI, way
easier to setup (and cheaper) than the stash way of linking their projects.

~~~
dfabulich
Stash's feature is reliable performance and support.

Github.com goes down; Github Enterprise crawls on very large repositories.
(Not everybody's, of course, but the bigger they come, the worse Github
performs, and the more money the customer is worth.)

When you call Github support, a support engineer will tell you, "At Github,
engineers work on projects that we find interesting. Github Enterprise doesn't
get that much interest on our team."

When you call Atlassian support, they fix your problem.

~~~
merb
they won't. maybe they only look at their bigger customers? ;)

------
rawe
The following page lists stats for sourceforge itself:

[http://safebrowsing.clients.google.com/safebrowsing/diagnost...](http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fsourceforge.net&client=googlechrome&hl=en-US) :

> Part of this site was listed for suspicious activity 332 time(s) over the
> past 90 days.

~~~
csn
I also find it fascinating what Google has to say about itself
[https://google.com/safebrowsing/diagnostic?site=Google.com](https://google.com/safebrowsing/diagnostic?site=Google.com)

~~~
piyush_soni
Very interesting! Of course Google itself is not hosting any malicious
content, but they are acting as a bridge between the user and malicious
content which they honestly write about. Interesting that they also include
blogspot.com pages in that.

------
davidgerard
Not happening for me when I go to that link from Google in Firefox. Can anyone
else reproduce this?

 _edit:_ Now happening for me in Chromium. (Both of these on Xubuntu 14.04,
versions from the repos.)

~~~
m3Lith
Nope, can freely access the site on both latest versions of Chrome and
Chromium. Though the project seems to have moved from that page already.

~~~
davidgerard
I got the warning in Chromium just now.

------
anton_gogolev
Where to move from SourceForge: [1]:

[1]: [http://helb.github.io/goodbye-sourceforge/](http://helb.github.io/goodbye-sourceforge/)

------
solomatov
I love google for this and many other ways they fight abuse of browser users.
First, they removed CA, which produced a bad certificate, and now sf with
their bundles.

------
rbanffy
The important thing (for retrogeeks like me) is that
[http://sourceforge.net/projects/cdesktopenv/](http://sourceforge.net/projects/cdesktopenv/)
is not doing anything particularly evil.

~~~
joss82
... that you can notice ;)

------
longsleep
U-Block origin is blocking SourceForge as well (||sourceforge.net^$other)

~~~
k-mcgrady
I was just looking into U-Block. What's better to use: U-Block or U-Block
Origin?

~~~
Osaka
AFAIK: U-Block Origin is a fork of U-Block which hopes to stay in sync with
U-Block, but maintain a per-site block/allow feature which was removed from
the newer version of U-Block.

~~~
kuschku
Actually, U-Block is the fork, U-Block origin is the branch of the project
maintained by the original dev.

------
andor
Counterexample:
[http://sourceforge.net/projects/lame/](http://sourceforge.net/projects/lame/)

~~~
AndrewOMartin
Interestingly (to me) this link is blocked by my ad blocker, rather than
Google.

> uBlock₀ has prevented the following page from loading:
>
> [http://sourceforge.net/projects/lame/](http://sourceforge.net/projects/lame/)
>
> Because of the following filter
>
> ||sourceforge.net^

~~~
X-Istence
uBlock Origin added a filter to block all of Sourceforge...

------
istvan__
Damn machine learning software. :) Google needs to tune some of the
parameters.

------
lectrick
Oh how the mighty have fallen

------
api
Because it is.

------
tzgur8
People always complain about the power that countries hold. Tech superpowers
hold a lot more, and yet nobody elects or really regulates them.

~~~
zevyoura
Which "tech super power" has a military and nukes?

