- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.
- This isn't recent. In fact it started well over a year ago and was well publicized.
- Even a year ago it was all very malware-y.
- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.
- Those same people are now whining about it.
- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.
Of course, anyone is free to fork it and host it for free. There are a lot of little things that drive me crazy about Filezilla. I imagine others have the same issues. I could see a fork with good management being very successful.
Even Netflix had a hard time preventing fakes from being published. Over a month or two, Netflix had to contact MS several times, and MS didn't suspend or remove the publisher. They resubmitted and got listed again. Try searching for HBO, xfinity, etc.
MS is not interested in fixing this problem. Probably some folks have their bonus tied to " number of apps published " and that's that.
I emailed Satya and the manager of the Store, to no effect. The Store is a joke.
For this particular case, if FileZilla is popular, you'll have several fake paid apps. If you're lucky there may be an official app, with no way to verify it's the right one. For most users, they'll be rolling the dice just as much as they are now. Only if FileZilla is extremely diligent would it work. Disney, for example, is a top publisher for the Store, yet all sorts of fake Disney content is on there. I called Disney about this, and after about 15 minutes they figured out "don't go there" (referring to the Store). Even top publishers have a hard time dealing with it. BBC is another case, where top "official" results aren't.
Trademark (?) protection would prevent a third party from using their name even though it was open source (at least I think so based on the whole Iceweasel event).
Personally, I'd also gladly pay Filezilla a small amount even though it's open source.
This is why I use the zlib license.
Also, if it silently autoupdates, it's worthless.
Ninite Ninite Ninite.
I'd post my one-click-install-all-the-useful-things Ninite link (which preselects a custom selection of software into one installer) that I use for quickly setting up clean Windows machines at the kids' technology centre I work at. But I fear it might get flagkilled too. (ah doesn't matter anyway, I'm sure the average HNer is smart enough to make their own selection, and currently looking at my selection, some of the tools seem a bit out-of-date, wouldn't pick those today anymore).
I have never pronounced Ninite as "Nye-Nite" or heard anyone else pronounce it that way in the UK.
I'm guessing you are American?
I tend to doubt that. HN commenters in one thread are not the same as HN commenters in another thread.
I was a bit confused though, I'm pretty sure I installed FileZilla on some Windows machine less than a year ago and would've noticed any malware. But now that I think about it, I used Ninite.com, a multi-install tool for free Windows software, which automatically opts out of any nasty toolbars and such, so I just didn't see it at the time (I'm assuming the malware is at least opt-out, right?).
Doesn't matter though, bundling toolbars/malware is a no-go for me. I know I can (usually) get rid of such pests if they get on my system, but I know so many people who would have a much harder time. Those people are being taken advantage of, they're not "choosing" to have this malware. I can't recommend this type of software to such people because they might get malware if they install it themselves, so they need alternatives without malware. Therefore I won't use the malware-bundled software myself either, because I want to check out the alternatives and see which ones are any good (and I don't really need FileZilla, anyway).
The installer is horrible, and I think that the last time I looked at it, the options were all opt-out; they hugely abused anti-patterns to make that process all but impossible.
I think the world would be better if people just expected to pay a small amount for software, but we don't live in that world, and so we get "free" software you can download "for free" that installs a bunch of crap so the developers can get paid.
But we still lack a nice software store (or several) where you could pick a piece of software and pay a nominal amount (or more if you choose to donate), knowing that you won't receive any malware / nagware in exchange, and that a large cut of your payment goes to the authors and maintainers.
Similar things seem to happen around indie musical tracks, so probably the model could survive in the "indie" software area.
...and someone has already made one for SF and a few other sites: http://userscripts-mirror.org/scripts/review/417459
Assuming sourceforge will not get rid of that feature after too many people start using it.
is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases
Or they are just dangerously lazy.
It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.
Unless it's a desperate attempt at saving a sinking ship.
That's like saying "even the creator of baked beans doesn't like Tesco". So what?
Regardless, this has been happening for the entire last year with the consent of the developers: https://forum.filezilla-project.org/viewforum.php?f=1&sid=13...
I would be very doubtful they will listen to their users any further about the harm it does.
I'll probably avoid FZ from now on; I don't exactly enjoy using software that is openly hostile towards me.
I think it is best to avoid these guys.
""MalSign.Generic.F84". Looks like a typical false-positive generated by a heuristic.
There is no malware in the SourceForge Downloader, you can safely use it to install FileZilla. While the SourceForge Installer may present third-party offers, they are clearly labeled as such. All third-party offers can easily be declined. Nothing unwanted is being installed without your consent. Declining offers does not prevent nor otherwise disturb the installation of FileZilla.
If you do not wish to use the SourceForge installer, have a look at the additional download options listed on the FileZilla website."
His stance seems to be that it's not malware, rather a false positive (I have no proof to claim he's wrong, and if he is, it could be an honest mistake; he's trusting SF, which I understand), and he mentions that you can also download Filezilla from their own website, without the SF installer.
That seems pretty reasonable to me, but again: at first I got the impression they (FileZilla's owners) simply didn't care.
I hate what SF has been doing, and I refuse to use their installers (although I'm primarily a Linux-user so I don't have to worry about these installers, thankfully), but I don't really feel like the FileZilla owners should be avoided as it looks like they're simply trusting SourceForge, nothing more. I hope I'm right. ;)
Most people, when presented with a) a logo (of a group they trust), and b) accept or decline, they are going to make assumptions and not read the middle.
Which ends up affecting a lot of users: every bad review relating to the installer and every complaint in the forums (once again, in relation to the installer) is a person who has been deceived and had a negative experience, because of a decision of the FZ developers (and the installer is choose-able by the project developer, last I inquired).
If you use Mac check out Transmit by Panic. It's the best FTP client I've ever used.
Most of the time I simply scp or rsync files as necessary; however, I use FileZilla to manage files on my phone and tablets via FTP. I've never found the FTP/SFTP/SMB support in Thunar to be all that reliable...
I mean, it's an open-source client for a common internet protocol that ends in "zilla". It would be easy for users to assume that Filezilla is affiliated with Mozilla.
And up until the move to Sourceforge's adware downloader system, that would have been fine for everybody - they're both good products.
But now? Now filezilla is riding on mozilla's coattails with the confusion and profiting from it, to the detriment of mozilla's reputation.
But you're right, I don't know any other decent FTP clients that I would recommend. Maybe someone on HN knows of a good alternative?
I use a paid version of SmartFTP & like it. Combines Filezilla with Putty.
Filezilla use will drop because most admins I know that hear about this will immediately write it off as too dangerous to even try to get around. Sure, you can dig into the sourceforge files and maybe find a clean version, or maybe find a checksummed mirror, but would you really trust it?
EDIT: I missed the 's' in 'sftp'. But as for that, there's commandline sftp, from openssh. But I realize it's apples and orange juice.
lftp :~> open sftp://example.com
lftp example.com:~> ls
Visit http://downloads.sourceforge.net/project/filezilla/FileZilla... to directly start downloading
Or, switch to some other FTP client.
List of FTP Server Software - https://en.wikipedia.org/wiki/List_of_FTP_server_software
Comparison of FTP Client Software - https://en.wikipedia.org/wiki/Comparison_of_FTP_client_softw...
Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP download.
Yes, they should be regarded as a malware site these days. It's a shame, really. Some other site should probably mirror the projects that aren't anywhere else and host them properly.
They tend to move this around a bit to make it harder to spot, but it's always been there since the malware-infested download manager was introduced. The malware & crapware is entirely limited to SF's download manager. The application binaries themselves are totally clean.
The download manager (wrapper) of these 2 companies is provided by the same Israeli company, InstallCore.
We have enough Ask Toolbar kind of crap from Oracle Java installers, and when useful tools step to doing similar things, it really makes me lose respect and find alternatives.
As a developer, I need to have a work environment that is robust and dependable. Additional promotional packages that can slip through will disrupt or degrade my work. That is not something I can take and feel sane.
I use Windows, and I couldn't figure out why something like OpenCV could possibly have malware with it. When I downloaded it, Chrome said "Stop! This is malware!" I thought that there was no way there could be a problem with the file unless Sourceforge was having issues.
What fixed the issue for me was downloading from a different mirror. So perhaps some of the mirrors are compromised?
>This installer may include bundled offers. Check below for more options.
Yes, it's a bit dirty. Valid discussion here is how to make open source viable, otherwise pimps like sourceforge will exist.
Now get off my lawn with your fancy installers :)
Unfortunately, this is a reminder that free software isn't a guarantee of software freedom or safety.
Chocolatey packages include silent, malware-free installers.
Or, seeing as it's licensed under GPLv2, maybe we should just set up a GitHub repo with the latest source and links to pre-compiled binaries.
See the acres of discussion about Google Chrome not having a master password. The fact that they caved in and now provide a master password does not mean it's a good idea.
Requiring a master password to decrypt the network passwords is a perfectly fine idea if you want to maintain portability and reduce the chance that your network passwords are accidentally exposed. An attacker has to both have the password file and either figure out the master password or have code execution privileges on the user's account to gain the network passwords. This is more secure than trying to ensure the password file doesn't get "misplaced" (e.g. on an unencrypted drive, in unencrypted backups, unintentionally through a fileserver, etc).