FileZilla now contains adware if you download from the official homepage (twitter.com/nixcraft)
542 points by URfejk 21 days ago | 173 comments

It has been like that for a long time. Many years I believe. There is an option to download clean versions on their website. "Download > Show Additional download options" is the page you are after.


If you check the filename of the windows installer you download from the frontpage the name is FileZilla_Version_Sponsored-setup.exe

The installer available from the link above does not contain the word "Sponsored" and the installer is 2.5 MB smaller.

Additionally, Windows Defender tries its best to prevent you from installing the version found on the frontpage due to the adware. It has no issues with the other installer.

We've had to ban the application entirely from our work machines. At least when we went through review, even the "clean" versions packaged things that tripped our antivirus software, and at that point, we as an organization decided to stop trusting the author entirely.

There's quite a lot of forum posts where the author defends this practice, so we don't see this reversing any time soon.

We packaged it ourselves and made it available as an SCCM bundle, since users don't have admin rights on their systems anyway.

I'm surprised nobody made a forked commercial version yet.

Remove the adware, replace the logo, sell commercial licenses.

There's FileZilla Pro.


As someone who is happy to pay for good software, I can't ever see myself buying a paid version of something (no matter how good it might be) if the author has a history of using dark patterns and showing their apparent contempt for their users with the "free" edition. I'd be constantly wondering what other traps might be lurking in there.

Right. The fact that you can get around something, or that someone failed to do something to you is not the important thing. What matters far more is the fact that they tried and wanted to.

>If you check the filename of the windows installer you download from the frontpage the name is FileZilla_Version_Sponsored-setup.exe

Damn...that reminds me of the old days of sneaky checkboxes hidden in installers, usually actually hidden, that would be pre-checked confirming your consent to whatever ad/spyware to be installed alongside whatever you wanted to install.

I remember that shit being everywhere for a few years. Got tricked by them once or twice and had a hell of a time cleaning things up after.

Yeah, the one I remember was RealPlayer, which during the install wizard had a list of check boxes. The ones initially visible were unchecked, but if you scrolled you'd find the spam consent ones were checked.

RealPlayer... RealAudio... immediately jettisoned back to the 90's :)

Adobe Reader comes to mind


If you're using filezilla on windows only (not cross platform) then winscp is a great replacement. No worries about ads or repackaging.

WinSCP is great and I find myself using it more and more over FileZilla. I wish there was a WinSCP equivalent for Linux too.

Really depends what you use it for (dual pane SSH file manager/FTP file manager/file manager). You can do this with Nautilus or Fman plus GNOME if you want to, since gvfs abstracts protocols such as FTP, SSH, SMB, ...

On Windows you got such as well, including Fuse/Dokan, and on macOS you got MacFuse. Hence on macOS I use (by default CLI but if that does not cut it) Finder/Fman, and if that doesn't work, Cyberduck. Fman and Cyberduck also work on Windows, on Linux Cyberduck does not work but Fman does. CrossFTP might also work for you, as might Wine.

I'm not sure about all features, such as FXP (which is insecure anyway, and only used in scene).

Came here to say this. There's been adware in the official download for what feels like 7-10 years now.

Does this impact the Filezilla server or just the client?

You could also download it with Ninite. Nothing downloaded with Ninite will install the sponsored versions of software.

> Windows Defender tries its best to prevent you from installing the version found on the frontpage due to the adware.

...as if Windows (10) itself didn't contain any. More than 2.5MB of it, no doubt! How ironic to see the pot calling the kettle black.

Edit: if you don't believe me, search around here and elsewhere for "Windows 10 adware". I'm surprised that this is even a controversial comment.

Is it really a controversial comment? Or are people just tired of hearing the same "but Microsoft does this this and this" every time something positive comes up?

Are you saying we all should switch away from Microsoft right this instant? If you aren't, then what? Let's boycott windows defender? Make our windows experience even worse? That will show them.

There are no relevant search results for "windows 10 adware". Can you be more specific?

In the start menu you automatically get stubs for apps like Candy crush, Adobe CC, and others. You never requested them but they'll install on first use.

While the phrasing implies this is new, here's a discussion about the issue from 2018.


An article from 2018...


A question about it on their forum from over 4 years ago


It's like a Mitch Hedberg punchline:

    FileZilla now contains adware...
    it always did, but it does now, too.

RIP Mitch. One hell of a funny guy.

"Always has been."

From the last link, the exchange went like this..

User: Just downloaded filezilla from the "official site". This one and was infected by adware which trashed my browser. WTF. I have trusted filezilla for years this is MOST Disappointing.

Admin: The offer-enabled installer may display third-party offers during installation. Nothing is installed without your prior consent. In case you have accidentally agreed to an offer, you can completely uninstall it from Windows' Add/Remove Programs dialog. If you do not wish to use the offer enabled installer, have a look at the additional download options page.

It's even a bit worse than that.

You already probably imagine that the installer has default-selected checkbox that will install something extra if you don't catch it and deselect it.

But what surprised me was, it actively reacts and tries again if you do catch it.

If you don't stop it, it installs something extra. Straightforward.

But if you DO stop it, it then tries to install a 2nd, different extra unwanted crap. There are 2 things in the installer from the get-go, but it only hits you with the 2nd one if you managed to catch and decline the 1st one.

That's a whole special extra level of actively attempting to trick and deceive. That is crossing a line from at least plausible deniability that it's just a passive annoyance, into actively adversarial behavior against your own users.

Someone please file criminal charges under the Computer Fraud and Abuse Act for that. That clearly 'exceeds authorized access'.

I didn't say it was illegal, just dickish.

Fraud... maybe. It might possibly qualify as an attempt to deceive. I think it would be a very weak case and practically impossible to make that argument.

That dynamic reactive 2nd attempt to trick you, which is only invoked if you caught and declined the first, is materially different from the first attempt, and different from if the installer always presented both extras.

The special difference is just that it exposes the intent which was theoretically deniable otherwise, even if everyone "just knows" what's really going on.

If an installer always proposes an extra, or 2, or 13, then the vendor can claim "I'm just offering this extra that I honestly and sincerely believe the user might be interested in and might benefit from".

We "just know" that's bs, but it's possible and it's hard to disprove purely on the face of it.

You could try by pointing out things like how the outer packaging only said that the contents would be Product not Product+OtherProduct, and how the checkbox for the non-advertized and un-expected extra was pre-selected and visually tiny. But that just doesn't quite add up to proof of anything.

But offering one extra, and then only trying again with another if the user declined the first, THAT exposes that the only intent of the extra was to get the user to take it any way they can manage to do it, and not a sincere "offer" of something the user might have actually voluntarily sought otherwise.

It's not that it's 100x more evil. The norm is already bad, and this is just a little more of the same.

It's that it exposes the true intent in a way that can't be denied.

It also invalidates any arguments based on "the user accepted" something. You'd never actually win in court, but in plain conversational argument, if say the crapware caused some damage, the vendor couldn't claim that the user voluntarily accepted the risk of damage by voluntarily installing the software. But like I said that's just fantasy academic theory. You'd never actually make that stick in court.

Why not you? You seem to know about "filing criminal charges" and the specific law he violated.

I had believed that only a government prosecutor in the United States could "file criminal charges." Do you know how this works?

I'm not an injured party.

You start here: [1]

[1] https://www.justice.gov/criminal-ccips/reporting-computer-in...

You can just download Filezilla to become an injured party.

> The offer-enabled installer may display third-party offers during installation. Nothing is installed without your prior consent. In case you have accidentally agreed to an offer, you can completely uninstall it from Windows' Add/Remove Programs dialog.

Except in looking into it further, there was a particular sketchy offer that was being sent called "Search Bundle" that was completely opaque, put what is essentially an APT on the machine, and was not listed in Add/Remove programs.

The other applications (Firefox, Opera, etc) seemed to allow for normal uninstallation, but not that one.

In case anyone out there hasn’t moved on: WinSCP is better than FileZilla ever was.

When FileZilla started doing the adware thing years ago, I switched to WinSCP on Windows and never looked back. I was so pissed at FileZilla that I stopped using it on Linux even though their Linux builds didn't have any adware. gFTP is good enough for most servers, and recent versions fixed a lot of long standing bugs. On Mac it's Cyberduck all the way.

For mac I had a paid FTP client called YummyFTP, the app was superb, however the developer passed away and the app stayed on 32 bits

In the golden age of FTP there are plenty of great proprietary clients. Off the top of my head I can think of (for Windows) FlashFXP, FTPRush, CuteFTP, SmartFTP, and so on.

I'm spoiled with Transmit :)

Transmit is good too, although I really liked the Scheduling function YummyFTP had. It was great for setting a large download to 2AM when the DSL network wasn't overloaded. Wish Transmit would add that feature. I suppose it can be done with Automator but it's not as nice as built in.

There's also Cyberduck for Windows.

When I looked to FileZilla alternatives some time ago, I was surprised that there weren't actually many alternatives. WinSCP is my default now too.

It's been a long time ... perhaps 12 or 15 years ... but when I was driving a FreeBSD desktop I would install Konqueror as a file manager and then plug in:


... addresses and browse SFTP-capable addresses very conveniently.

I have no idea if any of these components (Konqueror ? fish ?) are still in use ?

I thought it was a tremendously convenient workflow and it was nice to not have a different application for file management and SSH file endpoints.

Which leads me to my lament that all these years later you can't just put an sftp:// address into the mac finder. It's an almost comically blatant missing feature.

It still works just as you'd expect in Dolphin (the current KDE file manager), you click in the breadcrumb address bar on top, type in fish:// and the address, and you get a login prompt.

All of the other KIO slaves work as well, certainly SMB/CIFS works great and I use it all the time.

KDE has all these nice convenient little features that just makes everyday tasks a bit easier.

How much KDE Do I need to install just to get dolphin?

That is, if I am using a different window manager such as ion3...

I use dolphin with i3 on arch. It's not nothing (particularly if you install optional deps for features like thumbnailing or search indexing), you have a lot of the foundational modules like kparts and kio required, but it's not like you'll end up installing kdm, kwin, or the desktop apps: https://archlinux.org/packages/extra/x86_64/dolphin/

Depends on how it's packaged you could trivially end up with an extra GB of libraries. I guess it depends on whether that much storage is meaningful.

WinSCP also has an epic automation interface which includes PowerShell cmdlets, unlike mentioned competitors.

CyberDuck is a nicer-looking and more user-friendly alternative to both.

So buggy though.

I do like CyberDuck's features when it comes to cloud storage like S3, but I do miss the WinSCP file commander like interface.

CyberDuck ten years ago was the only Mac FTP app that actually worked.

Did not realize that CyberDuck has a Windows version; thanks!

Alternative too, esp for console fans: Midnight Commander

any chance you know of something comparable for linux? I have tried a half dozen or so in last few months and keep coming back to filezilla, maybe it's because it's familiar, but always like options.

I use lftp. The website design tells you exactly how the tool works.


One of the most valuable features is its ability to download a single file over multiple connections

    pget -n 4 your.file.tar.gz

because many ISPs limit speed per flow and opening multiple of them, even to the same target, allows you to max out your connection.

I use this all the time not due to ISP limits but in Australia the 200-400ms latency limits you instead especially as you go over 50Mbit. Mirror command is also great :)

+1 for lftp. On windows I use it via Cygwin for scheduled tasks etc. FileZilla has a speed advantage over winscp but nothing like the flexibility.

appreciated, thank you

Your file manager probably does FTP. Try entering a [s]FTP[s]:// URL into your location field. Depending on your distro, for gnome or derivatives you might have to install a gvfs plugin package first.

Just to add, your file manager probably does SCP and SFTP too. So, on Linux just launch whatever tool you use to browse and copy files, it will probably work seamlessly.

It's Windows that does nothing out of the box, so people have to go after tools.

Windows does this out of the box, by typing in an ftp:// address into the default explorer file manager address bar. It even saves logins if you want. Windows has done this since Windows 95 /IE4 days. Good to know that Linux has finally joined the fresh tech wave of the 90's and copied that basic useful function.

My little brother once heard Jack and Diane on the radio, and proudly proclaimed that John Cougar Mellencamp has copied Jessica Simpson's "I Think I'm in Love with You." That also was funny.

> Good to know that Linux has finally joined the fresh tech wave of the 90's and copied that basic useful function.

I don't think anyone has said that Linux didn't do this in the 90s too, e.g. KDE supports this since KDE2, released in the year 2000: https://en.wikipedia.org/wiki/K_Desktop_Environment_2

In pretty much its current transparent form, though more protocols have been added since.

Not sure what CDE supported, which I think was the big pre-Gnome/KDE UI.

There is also Gftp, which is most probably available in your distro.


WinSCP is so much better than Filezilla, I just run it in Wine.

Last time I compared the two Filezilla was a lot faster on fast connections. Grabbing the same bunch of files from the same server it was at times literally twice as fast as WinSCP.

If you're talking nearly 10 years ago, yes I saw that too, but WinSCP has long since improved dramatically.

I'm probably talking 3-4 years ago.

The nice thing about FileZilla is that you don't have to qualify which OS you're using. Now it's "Grab WinSCP if you're using Windows, X if Linux, Y if macOS. Now here are 3 separate pages we probably didn't keep up to date on how to connect and download what you need from our servers."

Nah, they had a long running bug where the client was -significantly- slower at transferring files than filezilla (or plain old CLI). They fixed it a couple years ago though and I'd say now it's easily an equal without all the baggage.

Neither Cyberduck nor WinSCP seem to be able to do parallel transfers as well as FileZilla can, especially over SFTP - i.e. FileZilla is about twice as fast downloading from a server ~300ms away than WinSCP is, and this is on a gigabit connection.

Could as well just use Double Commander, or platform-specific analogs, and have a good file manager for both local files and ftp/ssh. (Though admittedly fewer features might be supported over the net.)

This often works the other way around, too; remote file managers like WinSCP can usually do local things just fine.

WinSCP was using too much CPU when I last checked (years ago TBH), and it doesn't work on Linux.

For macOS, I'm spoiled with Forklift, which does a lot of things out of the box, sufficiently.

For Linux the default file managers all support SFTP/SCP.

Also there's Krusader (KDE/Qt - https://krusader.org/ ) if you want something with two panes.

For most of the time, I use KDE's own KIO slaves but, sometimes for long running stuff I want something more advanced. TBH, my remote servers list is taking a lot of space on the left pane. :D

Will take a look to Krusader, didn't check it for a very long time.

Edit: Just checked, it looks a lot like PathFinder (for macOS). Will try it, thanks again.

Agreed, but FZ has built in support for backblaze b2. Anyone have an alternative? Other than cyberduck, the performance was too low to be useful to me.

B2 has an S3-compatible API, so WinSCP should work.

Good point! Last I was looking at this was before the B2 S3 api was available. Might consider switching to WinSCP now.

wish Commander view add `ADDRESS` bar for quick dir changes.

This is unfortunately nothing new.

Ironically, Sourceforge (which many years ago had their own adware-adding program, i.e. otherwise-clean software would be infected if downloaded from SF) has cleaned up their act, started enforcing against adware, and as a result the SF version of FileZilla is clean (or at least was when I last checked).

I was still actively lurking around slashdot when the new guys came in and bought slashdot and sourceforge.

I don't know if any of them are reading, but I think you've done a remarkable job. It saddens me that I don't get to experience your improvements because...ultimately...slashdot and sourceforge just don't turn up on my radar anymore.

Nevertheless, I'd like to thank you guys!

The new Sourceforge team has generally done a great job. Here is a review that might help some people.


For general project discussion, Sourceforge's traditional discussion forum is far superior to Github/GitLab issues (though I haven't tried Github Discussions beta yet). The forum can be configured for users to be able to post without creating an account (though only as a specific user named "Anonymous", not arbitrary names) which is an important feature when creating software for users who aren't likely to have Github or Sourceforge accounts.

Sourceforge download statistics tracking of releases (including graphing per country and with arbitrary timestamps) is far superior to Github, which doesn't offer even private tracking of download numbers without directly using their API. This is actually a really ridiculous situation.


Sourceforge recently added the ability for the project administrator to mark any review as spam, which automatically hides it. This single change has completely ruined the trustworthiness of Sourceforge's reviews, as unscrupulous application authors are able to mark all poor reviews as spam so users only see good reviews. Because of this, I recommend AlternativeTo (http://alternativeto.net/), as they have better review non-interference policy.

Sourceforge's entire website seems to go into maintenance mode for a few minutes every 24 hours, which is frustrating for those in less favorable timezones.

Even after using it for a long time, Sourceforge user-interface and settings/permissions is overly complex, confusing and non-intuitive. I find Github's well designed settings page much easier. Though admittedly Github has its share of UI quirks. New Github users are understandably initially confused by the concept of Pull Requests (which should have been called Merge Requests) and the fork user-interface. As a developer familiar with both tools (and git, PRs etc) I find Github easier to use than Sourceforge, which is saying something.

Many Sourceforge projects tend to have their source code mirrored on a rarely updated Github project, which then gets forked and developed without changes being upstreamed, which causes fragmentation.

Many third-party tools (like CircleCI) tend to target only Github (and to a lesser degree GitLab/Bitbucket) and ignore Sourceforge entirely.

It's too easy for newbie users to download older releases (Github has the same issue unless you create a Github Pages site to highlight the most recent release).


Sourceforge is actually a reasonable tool to develop open-source software in 2021.

For new projects I would generally suggest sticking with Github and GitLab, but for existing projects on Sourceforge changing hosting to Github may not be required.

The real killer is lack of integration of third-party tools like CircleCI. That's enough to switch to Github. But you will likely miss the excellent download statistics, anonymous support forum and user review system.

I disagree. The SourceForge UI is still a confusing mess compared to GitHub or GitLab.

It's not too bad if you use a search engine to search the site and an adblocker.

This is a really good tip in general. SF is under new management and they seem to really be trying to right the ship.

It's probably too late for them to gain back meaningful market share given how popular github has become, but credit where credit is due.

I find it interesting that ads are considered acceptable and commonplace in Android and to a slightly lesser extent iOS apps; but on desktop they are seen as almost malware.

To be clear, I also avoid it when I can, and most of the time ad-free or open-source alternatives are available (in this case I have been using WinSCP). I dislike the mobile app ecosystem with its plethora of garbage, privacy invading apps; and I am glad that desktop apps usually aren't like that. But if a program is much better than its alternatives and the ads are not too annoying, I guess I don't mind supporting its development via ads. Being a poor person from a poor country, I couldn't afford purchasing the program or donating to it, so ads sound like one way of supporting a program I like so much (though my ad views are probably worthless for the same reason).

The only adware program I actually have is PotPlayer (the only thing that comes close is KMPlayer, which I used before; but it's originally built by the same developer and added ads even earlier). I think a few other programs I use had adware-bundled installers (e.g. JDownloader, CDisplayEx,...) but I had found adware-free installers. Even in the case of PotPlayer, it doesn't show ads, just an empty window (maybe again because I am in a poor country?) so I blocked the empty "ads" via hosts file. What's the point of annoying myself if that's not even supporting the developer? But if PotPlayer actually showed ads to me; assuming it didn't upload my private data and no comparable open-source/ad-free program emerged, I feel like I should be fine with it rarely showing some ads in the corner.

> I find it interesting that ads are considered acceptable and commonplace in Android and to a slightly lesser extent iOS apps; but on desktop they are seen as almost malware.

Totally different beast. The Android and iOS variety are embedded in the App. On Windows they are almost always a third party application installed separately with its own uninstaller and granted near admin rights to the machine.

It's the difference between inviting your friend over to your home and him showing up wearing a Nike shirt, or showing up with a dude you've never met who is spinning a sign. He can roam about your house without your knowledge and doesn't leave when your friend does.

Usually Android ads are embedded in the apps. Close the app and the ad goes away. Uninstall the app and you won't see its ads again. Just including ads in an application doesn't make it adware.

Adware infects the whole system, displaying popups and installing unwanted extensions in your web browser that follow you around. If FileZilla wants to include ads in the actual app that's one thing, but that's not what people are taking issue with.

The well was so badly poisoned by malware in the late 90s/early 2000s that anyone who was active in that era has a visceral reaction to the idea of bundled shitware or ads in desktop software.

You haven't lived until you've had to repeatedly clean out forty-five different search toolbars that your clueless relative managed to install alongside Adobe Acrobat...

I suspect there are various reasons why advertising is accepted on mobile platforms and not on desktop operating systems.

One could simply be a difference in the user base. I am fairly certain those who object to advertising on desktop operating systems also object to it on mobile platforms, but there is a large number of people who use mobile devices who rarely use traditional computers.

Another difference is intended use. Mobile devices are largely intended for media consumption, much as televisions, broadcast radio receivers, and newspapers/magazines. These are markets where advertising has been accepted for decades. Traditional computers are more likely to be used for productivity, where advertising has never been widely accepted.

There is also the nature of the software itself. Software on mobile devices has a lower perceived value since it offers less value (at least in terms of features). The publishers of the software desire some means of generating revenue, so consumers have not been left with much of an option.

One reason I’m opposed to adware on desktop is because it often leaks into the entire computer. If I install FileZilla and it has ads only in the application, I would probably consider that acceptable.

But instead, ads show up in my web browser, pop up from the systray, add themselves as shortcuts in my file manager, etc. It’s the definition of malware.

I use iOS which is mostly immune to this, but I know showing notification ads on Android while the app is closed is met with the same amount of criticism.

How are notification ads even a thing? Showing ads whilst I am trying to use the app is bad enough (particularly these full-screen ones that you can dismiss if you tap the tiny black cross on a grey background that shows up after 10 seconds), but actually interrupting me with a notification when I’m doing something entirely unrelated is a whole other level. I’m glad I never came across one of those.

> One reason I’m opposed to adware on desktop is because it often leaks into the entire computer.

That's a valid point.

> I know showing notification ads on Android while the app is closed is met with the same amount of criticism.

Is that even a thing these days? I seem to recall Google making changes to the notification system a few releases back that should have addressed that. Then again, I usually stick to apps distributed via F-Droid so I don't know what the typical user has to deal with.

This isn't an image display ad; it's straight up browser-hijacker malware, new search tab replacement, URLs-you-enter redirector, entering your bank URL might not go to your bank type of shit.

Unremovable and hidden also.

To be clear, I don't consider ads "acceptable" on my phone, either. If I download an application and there are ads, there's a high likelihood I'll either block the ads or - if that proves impossible - I'll uninstall the app entirely.

For clarification, FileZilla itself does not appear to contain adware nor has it switched to ads within the app from my analysis. The main download page for Windows installers contains a bundleware offer within the installer as you install (this offer may currently be offline). The installer filename contains the string _sponsored_. If you click through to the show additional download options, you can get all the installers without bundleware for all OSes.

Also, no malware when installed by Ninite, which I imagine is how many of us get it on our systems.

No malware or bundleware in the portable package I maintain either. PortableApps.com and PortableApps.com Format prohibit it.

Wow. I recall when this first happened because of SourceForge being sold to shady people who decided to put ad/malware loaders around the installers of all the exes hosted there (like FileZilla). But that was the early/mid-2000s. It's hard to believe it is being allowed to happen again in modern times.

SourceForge is to software as maggots are to meat. Don’t know how the people behind it have an ounce of self respect.

SourceForge was a huge blunder. They were so close to being Github, but they opted to squeeze out every last dollar, instead. ExpertsExchanges and AIM are similar--products that could have been medium-large opportunities today, but business and product choices that left an opening for a competitor.

That said, I'm not convinced SourceForge could have actually been Github because it didn't have the culture, the brand was mispositioned, and it's hard to be Github without lots of VC.

Ah yes, Expert-Exchange - the site where you could simply google your way around their paywall. Never took this page too seriously, tbh.

AFAIK the new SourceForge, after they’ve been bought, is much better. Also, much less relevant now that everything is on GitHub.

I’d imagine that it’s easy to drown out the sound of your conscience when you’re driving a brand new Model X and live in a big house.

It really amazes me that people keep using FileZilla or dedicated ftp graphical clients in general. Linux and Windows have built-in graphical clients in file managers, and I don't recall if MacOS Finder has the same.

It sure does, Finder can easily connect to FTP and other network shares with Finder -> Go -> Connect to Server.

Reasons I can think for dedicated graphical clients is the transfer log and the additional controls when connecting to servers. I agree that it's not really necessary unless you have very specific requirements, I guess.

I think macOS Finder is limited to read-only FTP access [1] though there are alternatives [2] that mount drives through a variety of protocols.

[1]: https://support.apple.com/guide/mac-help/network-address-for...

[2]: https://mountainduck.io/

It's not really comparable. The default side-by-side view most FTP graphical clients use is critical and almost essential for any semi-serious use with FTP that is beyond just copying a few files.

I do agree that most people only use FTP for that, so I guess it's sufficient for average user. Protocol support would still be an issue though.

Dolphin also supports side by side view, it's the "Split" button. It's even present in the default toolbar, so it's not an obscure option.

The FTP support in Windows and MacOS has always been terrible.

Windows used to do it through Internet Explorer, and it was very easy to screw up your whole desktop session as soon as there was anything slightly wrong with an FTP connection. It also did not support ftps or sftp, and often would not handle write permissions properly. I’ve not checked recently but if i remember correctly, years ago there were reports that Microsoft would (rightly) remove support at some point (ftp is just a bad and insecure protocol in 2021).

MacOS Finder afaik never had write-permission support for ftp, and overall the experience was similarly poor. I used to run Cyberduck or Transmit if forced to use FTP.

Linux desktops did include decent support for FTP, particularly in KDE Konqueror which had a great plugin architecture; I expect they still do. FileZilla was never popular on Linux anyway.

Last time I used the built-in FTP client in Windows Explorer it was an awful experience (think it was Windows XP). It also does not support SFTP or SCP.

Then you aren't thinking too hard. Most of these GUIs have advanced features that can be quite useful as well as making it easy to set up sites that you would like to keep but don't want to have to remember the entire address of (aka a sites list). So they definitely have their uses if you aren't just a casual ftp/sftp user.

You can keep a list of different FTP connections in FileZilla and easily connect to one or the other. That's why I keep using it (although less and less these past few years as FTP isn't really a thing anymore).

Dolphin supports this, too. For any type of supported network location (FTP, SFTP, SMB, NFS, etc)

The site manager of a dedicated FTP client can do more than just save an address.

It can save multiple accounts within the same site, have different IPs and auto rotate, have different profiles about speed limit, thread limit, listing method, encodings, default folder to open on both sides, to name a few.

The Finder is a bit rubbish though, for FTP. It never quite works like it should and likes to hang the Finder, if not the whole device, quite frequently. Transmit is brilliant, though.

It’s read only too.

Cyberduck for me!

I occasionally use this software through Debian's package for it, which of course doesn't contain the adware. But the strategy employed here does leave me with a bit of a sour taste and a desire to stop using the software altogether.

Most graphical DE shells on Linux will just mount sftp (scp/ssh) graphically, no need for stuff like this.

People still say Linux DEs aren't user friendly but IMO they're much more so than other OSes largely because other OSes have a moat to protect.

I use FileZilla on Linux because the file manager integrated ftp clients were not very good, and did not save connections etc. Just less of a PITA. I see I should try gftp or another alternative though.

I'd imagine it's wrapping ssh which will reuse connections if you tell it to in your ssh config. I use that heavily on my mobile computers.

I wonder if the Chocolatey version has the adware.

don't hate the player, hate the game.

this is the result of parasitic capitalism. i have no doubts that a dev who contributed so strongly to the opensource ecosystem for such a long time specifically wants to be in this situation. you wouldn't, i don't, they probably don't.

how else are we supposed to support our families and the community? there's no other source of revenue or support for a freelance programmer in caretaker mode for a mature and stable codebase. donations don't cut it, obviously.

Open Source is not a business model, it is a development methodology — and that development methodology invites modifications by users under a license which upholds a set of conditions friendly to such modifications (spelled out in OSI's Open Source Definition).

Nobody has to write software that abuses its users with freakin' adware, proprietary or open source — and any creator who does so should be shunned. All the more so if they simultaneously abuse us and invite open source collaboration. This isn't starving people being driven to steal food.

Minor correction, I think you meant "I have doubts..." not "I have no doubts" (or you meant to double negative it later with "I have no doubt that... would not want...")

Are you seriously claiming that adware is the only way for a programmer to make money?

How would you do it? If nobody sells your software, and nobody is donating.

Get a different job? It may not have anything to do with FileZilla but no software developer with a successful open source project on their resume is forced to use adware. I'd understand if they were unable to work for whatever reason, but FileZilla development looks too active for that.

The issue with that is so much of the software industry is propped up by advertising. There is nowhere to go without being involved with ads, so why fight it?

So why hide the 'good' version?

Towards the end of the shareware era this became more and more common. I have to wonder how much money this must be bringing in for the Filezilla project for them to just be so blasé about it. I

Can someone explain this to me in layman's terms? The link from a Twitter reply[0] shows about 14 malware items contained in the installer. Do these get invisibly installed onto your computer? Is there some way to detect them after the fact and remove them?

Since I was worried, I checked my most recent FileZilla FTP Client installation file, and it seems clear[1].

[0] https://www.virustotal.com/gui/file/ec4c01ab48df9095b602323c...

[1] https://www.virustotal.com/gui/file/4c9e0e07eaafabfe7be191d1...

As others have pointed out, FileZilla has been caught doing shady stuff for a while now. Antivirus doesn’t pick up on everything; furthermore, just because it’s clean today doesn’t mean it will be tomorrow, and FileZilla’s actions have demonstrated that they’re not above shipping malware. There are better, free tools out there that don’t have this issue. FileZilla fell behind the competition well over a decade ago; you should look into finding a new tool that meets your needs. WinSCP is a popular option.

Yes - this doesn't really answer my question. Another comment mentions the dark patterns trying to get you to install things you don't want in the process. That kind of thing is annoying but manageable. Quietly installing malware is a whole different animal, so I'm trying to get an explanation of if that's what's happening with the bad installation file above.

(And yes given this thread, I've already downloaded WinSCP to use going forward, though I haven't installed it / used it yet.)

As of writing, it looks like the answer is probably “no.”

You've got SFTP and rsync. There's no need for this kind of stuff if you're on Linux. Some DEs' file managers give you the option to mount SFTP servers.

As someone who's using Linux but not that much at ease with this, it's nice sometimes to have a GUI.

In KDE you can access this sort of thing with the built-in GUI file manager right out of the box. You don't need a third-party app.

1. Open Dolphin (file manager)

2. Right click in the Places section on the left to add entry

3. Type `fish://<the-address>`

4. Click OK


As someone that's spent multiple decades living on the command line for almost all my file management... sometimes I still open the GNOME file manager because a GUI makes a select few tasks simpler.

It's all about the right tool for the job. Some people are more comfortable with a GUI for the majority of file management tasks, some people are more comfortable with the CLI for the majority of file management tasks. It's just a bit silly to be a zealot and put yourself through a lot of pain if one of these isn't optimal for whatever you're trying to do.

I was disappointed I had to scroll this far down on an HN thread to find "just use rsync!"

A few thoughts:

- I've noticed the overall experience of downloading and installing on a lot of "classic" Windows apps making installing a little dicier: ads are served on the download page and look like official install links, and installers themselves have issues like the above.

- App store is one way I suppose - it's a way to cryptographically sign things but with an element of control delegated to the central computer vendor, which is unpalatable to a lot of the open source/free computing crowd.

- The one thought that came to me - is blockchain tech (i.e. Blockchain Chicken Farm, NFTs, etc.) a parallel development to address this sort of thing? The parallel seems to mirror Jennifer 8. Lee's book on the rise of General Tso's Chicken (open source) vs. McDonald's Chicken McNuggets (corporate), vs. the old ESR essay re "The Cathedral vs. the Bazaar" model of Microsoft vs. Linux development?

As I remember it, ads/malware trying to look like install (or download) links have been common for the last 10 years - to the point of training me to ignore any image that has the word "Download" in it. Choco helps work around much of that.

It's more concerning to have official installers contain adware/malware though.

I stopped using it long ago because of this (still open) issue which is now 16 years old https://trac.filezilla-project.org/ticket/2191

While I liked and used FileZilla just several months ago, I discovered that most Linux distributions come with ftp and sftp programs, and it's very easy to use them, easy as navigating your system through command line.

With sftp you connect with "sftp -P [port] [ip address]", and navigation is very intuitive.

cd changes directory on server, lcd changes directory on local machine

Same with ls/lls (first lists directory on server, latter on local machine).

get downloads files, put uploads them, add -r option for folders, and that's pretty much it. exit for exit of course lol

lftp is -far- superior to sftp, you should check it out if you do a lot of scp/sftp/ftp.

That's why I still use http://ninite.com/ for most downloads.

They have saved me so much headache not dealing with such bundled adware / malware.

Any idea what kind of revenue this potentially brings in, assuming this is the rationale behind this decision? In contrast to tarnishing the FileZilla name (albeit this could mostly be controversial in the HN crowd).

Around $0.01 per active user per year from open source donations. Many factors: depends on the type of open source (infra vs user-facing) and the technical ability and geographic location of your users.

PPI malware seems to go for around $0.40/install [0]

[0] https://medium.com/csis-techblog/installcapital-when-adware-...

Tangentially related, but I had a Windows FTP client back in the day called LeechFTP that I loved and I miss it.

Yep, LeechFTP was a good client for its time.

I also remember running Serv-U FTP Server 2.5 on a dial-up modem back in the AOL/NetZero days. Good times.

So, don't touch it. WinSCP for Windows and Cyberduck for macOS.

Switched to Cyberduck for everything; FileZilla couldn't even connect reliably to multiple SFTP accounts on AWS servers half the time.

Looking at download filenames, only versions for Windows have "sponsored" variants. Can I presume that the version for macOS is clean?

It has indeed been like this for nearly half a decade. To clarify, it's SourceForge that did this wrapping.

Wow, I just switched to Transmit a few weeks ago from years of using Filezilla...looks like I dodged a bullet.

Filezilla has been like this for years assuming you downloaded the regular version. There's a no-adware version, but it's kinda hidden.

I usually got it from brew cask, not sure which "version" it downloaded - never saw any ads in it myself, but either way, I'd rather just not deal with a scummy project anymore.

Only the version downloaded from the developer’s website included malware. Versions in various repositories are fine.

Cyberduck is similar and nice. Don't use it much though, can't promise it's ad free.

In 2015 I wrote this blog post about Filezilla having a networking error:


The solution? WinSCP. Filezilla has been rubbish for years!

Freeware also needs to make money to live.

Interestingly the applications are free to collect any personal data as they are not included in GDPR. When I requested from one company to let me export my data from the application in a human readable format or to at least send documentation of their file format, so that I can port my data to another application, they refused saying that GDPR only applies to online apps. It's possible that companies will be moving their online apps to electron or native phone apps to bypass GDPR.

IANAL but I have worked on GDPR compliance and I’m not sure how that will fly if they are phoning home. Of course the EU regulators probably won’t have bandwidth to chase these minnows but worth reporting in any case.

I think in OP's case the app is not phoning home. The data are still on his PC, but he would like to export it in another format. I don't think GDPR applies here, but I am not an expert.

It's a little tricky to infer the specifics, but adware that collects personal data would be nonsensical if it doesn't phone home. In fact the whole idea of "collecting data" implies it is being sent to storage under control of the collecting entity. I think this is pretty clear cut under GDPR and there's no bypassing it based on the technicality of web app vs native app. I believe regulators learned their lesson about tight coupling to specific technical implementations with the earlier cookie laws.

On the other hand, you could be right that OP is just talking about data portability in which case there is "data collection", just lack of an export feature.

If they don't have an EU office, I assume they can ignore GDPR because the EU has no jurisdiction.

As has already been said, this is not news, nor is it a change, it is not news. It is not even something that can be reprehensible to the people who maintain the FileZilla project. Funny to see people who have been using the software for half their lives criticizing this. This can only surprise someone who installed FileZilla for the first time, or had not installed it for half a lifetime.

So crazy.

Some of the software the adware installer requires an opt out to not install can be harmful or hard to remove, like the "Search Offer powered by Bing" in the article linked elsewhere in this site. Even the free AVs will often start you as a trial for the paid version or have incredibly easy ways to convert your install to such a trial and nag the user to pay up once the trial expires, arguably reducing their computer security.

I know HN has a strong libertarian bent, and you could argue this is a free market, buyer beware situation, but in that case, wouldn't the criticism posted be part of that and how buyers know that they should beware?

So the people who don't know better pay for stuff they don't need? Sounds like literally everything else. Most people who buy cars don't know anything about cars and thus they likely overpay. This sucks but it's in fact a "free market" thing.

A free market, according to my econ prof at least, has:

1. easy entrance/exit to the market,

2. many buyers and sellers, and

3. perfect information availability.

If the players don't have good information, it is at best a severely degraded free market.

All the info about cars is easily available. It changes nothing; most car buyers simply don't care enough to get fundamental knowledge about cars. If you would value the time it takes for an average car buyer to get fundamental knowledge, it would cost way more than what they overpay, so unless you already have above-average knowledge it makes no sense to dig into it. You are better off asking someone who has the knowledge and no incentive to fool you, aka a friend, not the salesperson.
