FYI the SourceForge version of FileZilla is clean, and has been since 2016. The official FileZilla installer has been doing this for some time now though. In case people don’t know, a lot has changed at SourceForge since my company acquired them in 2016. All projects are scanned for malware. We covered the improvements again here https://sourceforge.net/blog/brief-history-sourceforge-look-...
That is awesome and I'm glad you are working to clean up the Sourceforge reputation. However, the issue (at least for me) is one of shattered trust. Even though you can affirm the Filezilla downloads you host don't have malicious payloads in the installer, I no longer trust the creator of Filezilla. If he's scummy enough to fill up his "bundled" installer with known malware and viruses, and then lie to his users about it on his forum, he's scummy enough to put something potentially harmful in the program itself.
It would be trivial to integrate a hidden Monero or other coin miner in the source of the main Filezilla program that only runs when the program itself is running. I know I often leave my FTP going overnight for uploading big files (I have really fast downstream but painfully slow upstream) and that's a lot of time for my machine to be surreptitiously mining for someone else. Multiply that by the hundreds of thousands, if not millions, of Filezilla users across all platforms, and you have the potential for a ton of illicitly gained virtual money at your users' expense.