Download.com Response to Nmap Offer Bundling (cnet.com)
34 points by fendrak on Dec 7, 2011 | 26 comments

BTW: CNET is not the only entity doing that, they just happen to do it on a scale and got noticed by the public.

There's a class of lowlifes who take popular open source programs, rename them and wrap them inside a custom installer that similarly tries to trick the user into installing some other, usually crappy, software.

My program (Sumatra PDF) is popular enough that it happened to me 3 times and I know that other popular open-source programs were similarly violated by the same people (not going to link to them or even mention names to not give them Google juice).

I love Sumatra PDF, thank you for making it.

As an aside thank you for making Sumatra PDF. It was very helpful during the college days! :)

They are lying.

I just checked and my very much open-source Sumatra PDF is still wrapped in their cnet installer which tries to push some "special offers" or trick the user into installing some other software.

"In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled."

Like hell you did, CNET.

If you read the comments, you'll see they also missed putty and filezilla. Their 'review' indeed seems to have been pretty poor.

Yeah, I noticed. I also asked them to remove the bundle from my program via comments. It doesn't seem like there's any other, documented, way to get them to do it.

IANAL; Can you legally threaten them for integrating closed source with your GNU GPL?

Might also be a good idea to warn people via your download page. No one knows where else to get it.

This response doesn't respond to the claim that download.com is bundling other software as well (the original nmap post referred specifically to VLC). This response claims that wrapping nmap was a "mistake", should we conclude that wrapping other software was therefore deliberate?

Of course wrapping the other software was deliberate! Someone at c|net designed, built, and deployed the wrapping feature; that is as deliberate as you can get.

However, at least they have re-enabled the direct download link for non-registered users so that those people who understand the difference can avoid the wrapper. I still think it's distasteful to prey on the ignorance of users, as all these wrappers and toolbars do, but that is how they get paid.

He is saying wrapping nmap was a mistake because they aren't supposed to do that with open source software. Therefore I would conclude that anything non-open-source is fair game.

I like how they apologized for the unrest. That is, they apologized for how people reacted, not what they did.

That's how you know it's a company run by bad people.

I think it is instead a bad company that runs people. Just because C/Net tends to attract morally ambiguous people who have no qualms twisting the facts to suit their marketing/business campaigns is a side effect of their mission statement, "As leading destinations for the information and entertainment people crave(1), we don't just support lifestyles – we help define them(2)." via http://www.cbsinteractive.com/company_info.php

NOTE: They are in the CBS Interactive brand portfolio.

(1) Meaning media=software downloads for Downloads.com

(2) Through bundling malware which customers wouldn't intentionally install otherwise.

It's the result of actual people making decisions about what to say.

So are they saying they only intended to bundle the crapware with closed source software, or am I misunderstanding?

That's what I took away from their release too. I'm guessing they know some open source licenses specifically forbid what they did due to the nmap posting and are just trying to CYA.

Most open source licenses don't forbid 'mere bundling' with some other software, even if said other software is Evil. Most likely download.com just doesn't want to have to deal with source distribution requirements from GPL/LGPL software.

I don't doubt that you are correct. This is what I was recalling and referring to from the seclist post regarding nmap:

This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't).

Can't imagine they would want to release the source code to their software at any point, it's easier to just make a blanket statement that you don't intend to bundle any open source software with it. Even if that's not what you actually do which seems to be the case according to some of the other comments.

Interestingly, yes. In fact they are clearly stating it:

"It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again."

Email to developers from download.com:

Download.com Developer Community,

My last communication to you was shortly after we launched the Download.com Installer in late summer. At that time I asked for patience as we began work to deliver a mutually beneficial model to market.

We are on the verge of fulfilling our vision of coming to market with an installer model that delivers files faster and more efficiently to users, while enabling developers to a) opt-in to the Installer, b) influence the offers tied to their files, c) gain reporting insight into the download funnel, and d) share in the revenue generated by the installer. However, due to some press that surfaced yesterday and the potential for subsequent misinformation, I am reaching out now to address that press and to provide a progress report on the upcoming launch:

First, on the press that surfaced yesterday: a developer expressed anger and frustration about our current model and how his file was being bundled. This was a mistake on our part and we apologize to the developer and user communities for the unrest it caused. As a rule, we do not bundle open source software and in addition to taking this developer's file out of the installer flow, we have gone in and re-checked all open source files in our catalog. We take feedback from our developer & user communities very seriously and take pains to both act on it and respond in a timely manner.

With that, I want to share progress made thus far: This week we will launch the alpha phase of our new installer. This alpha phase is intended to test the tech and do QA, and will roll through the next few weeks to ensure that our installer is bug free. Between this week and the end of January we will be completing the necessary engineering and administrative work to roll out our beta, which will include a small group of developers who've agreed to participate in the beta launch. Our goal is to exit beta by end of February and have the necessary systems in place to enable opt-in, influence over advertising offers (for those offers that impact your product), download funnel reporting and revenue share back to you, the developers. In the weeks/months following the full release, we will continue to iterate on the model, adding more features to the Installer and bringing greater efficiency to our own download funnel (read: increased install conversion). The initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible. More communication will follow as we move into Q1, and until then, thank you for continuing to work with Download.com.



Quote: It is a Download.com policy not to bundle open source software [...]

To the best of my knowledge, no popular FOSS license forbids bundling. But if they bundled them, they'd have to deal with distribution of the source code too (which is a PITA for so many products of so many different versions and licenses), but possibly they'd also have to open source their installer (can't see it being such a big trade secret, but CNet's that kind of company where they'd all go OMG! Competitors steal our code and ideas!) which is probably why they're refraining from doing so.

Now it's interesting that, reading between the lines, they'll continue to do this for free, non-opensource software (like mine)..... which ironically can and oftentimes do (I do) explicitly state that commercial use is restricted and bundling isn't allowed.

I'd say this response is jumping out of the frying pan (technical issues and obstacles) and into the fire (illegal, in direct violation).

The makers of EasyBCD (non-FOSS freeware) have become pissed about this, and demanded that download.com unbundle it, or delist it because it is a violation of the license.

Throughout their letter they talk about how them taking action was only possible because of their proprietary license.

Translation: We go through a rigorous process to ensure that we don't give you any spyware / adware / malware...

...except, of course, our own.

Anyone know how to remove software from being listed on download.com? In My Products on upload.com I don't see any options, nor anything in the FAQ. I emailed them, but I suspect it will be days before I get a response...

(I would have edited my response to add this to my original reply, but there is no "edit" link for it)

Apparently you have to email them and request removal and you need to give a reason. I'm not sure if they would consider a reason invalid or not. We'll see. I've requested removal of 2 products from their site.

They also wrap AbiWord (GPLv2 licensed) in the cnet downloader..... that asks you if you want to install a toolbar. This does not look good either.

Time to lawyer up a bit.
