Sourceforge Hijacks the Nmap Sourceforge Account (seclists.org)
484 points by netw0rksec on June 3, 2015 | hide | past | favorite | 196 comments

This is the sort of behavior you get from a company that's lost, and is now trying to extract every penny they can from whatever shenanigans they can get away with.

If they have no future brand value to be concerned about, then, from a game-theoretic approach, it's actually a pretty rational profit seeking move. (As long as they don't incur any downstream liabilities from outright illegal activity for which they might be fined, or successfully sued - if there is any entity left to sue)

Of course, the game-theoretic response from the entire internet community is to make sure they never, ever, for any reasons whatsoever, ever click on a link that starts with "sourceforge.net"

Has Archiveteam, Internet Archive or anyone else taken a shot at mirroring Sourceforge, including binaries? Since its founding there have been a hell of a lot of small projects hosted there whose sites have gone down since. 430,000 projects have been hosted on SourceForge at some point. At least a few tens of thousands of them represent the only remaining copy of a program needed to read a certain sort of data. Maintaining that capability in the face of a company circling the drain represents an extreme historical utility.

Even if you now need a VM to handle the crapware, that's better than losing the apps entirely. If somebody maintained a time-diffed mirror of SourceForge, they could pinpoint the last version before the bundling event occurred in an automated fashion, as well.

EDIT: It seems there's a project to begin this - http://archiveteam.org/index.php?title=SourceForge and an IRC channel, EFNet #coldstorage

Archiving SourceForge is indeed important. Just recently I needed it to hook up a printer: http://sourceforge.net/projects/gimp-print/files/usbtb%20-%2...

We need an open source community website that manages and links to the download mirrors (HEANET, etc.). There is no need to back up the downloads, just back up the source code and take over control of the mirrors in a friendly way.

You either go bankrupt as a hero or live long enough to become the monetisation villain.

This is a bit controversial because people like to remember Sourceforge fondly for some reason, but it was never good. It was merely unchallenged.

Google Code was never good either, but people gladly moved from SF to Google Code. And when something actually good came along (Github), Sourceforge simply vanished.

Sourceforge was never a hero. It was a horrible website, with horrible UX. It always had pretty terrible ads, and for the past couple of years it has been repeatedly abusing its users' trust, serving malware, and been involved in countless drama.

Glad it's gone.

People remember Sourceforge fondly because the service they offered, for the time, was good.

Everything internet sucked around 2000. Search engines were either semi-curated listings or covered a fraction of what was a much smaller internet. Free hosting was a joke, affordable paid hosting was not much better. Your bandwidth at home was not good and anyway your computer was not the powerhouse it is today - you needed to upgrade just to run the next version of Excel, not to play the next AAA game. A lot of websites had terrible UX.

So Sourceforge was not great, but it offered a great package of functionality that basically solved in one shot all the problems of managing an OSS project and gave one roof under which to search for new tools and libraries.

What happened is that they stagnated and their utility eroded over time, starting with Google removing any reason to have everything in a central place.

>Everything internet sucked around 2000. Search engines were either semi-curated listings or covered a fraction of what was a much smaller internet.

I disagree, and in fact preferred the internet of 2000 to the internet of 2015.

Google search worked fine in 2000: although SEO existed in 2000, it was much less refined and extensive than in 2015. The main problem in search results today is that profit-motivated content crowds out and makes it difficult to find not-profit-motivated superior content.

Not all the changes are bad, of course. Video in particular (not just bandwidth, but the convenience for consumers and amateur producers provided by Youtube) is much better (but text is more important to me than video). A computer with adequate performance is a lot cheaper in real dollars.

>A lot of websites had terrible UX.

I preferred the UX of the web of 2000 to the UX of the web of today. Searching a web page for a string, copying from a web page, then pasting, scrolling, use of keyboard shortcuts, bookmarking (some sites today have all content sharing the same URL, making bookmarking virtually impossible) all were simpler and more consistent across web pages, therefore requiring less deliberative thought to use, and IMHO thereby better.

In other words, on the web of today, I have to direct my attention to the mechanics of the web page, e.g., how to dismiss the interstitial asking me to follow them on Facebook or whatever so that I can start to see the actual content, which keyboard shortcuts have been overridden by the site, how to scroll and whether scrolling even works. In the web of 2000, I spent more of my time and attention on the actual content (particularly, textual content).

For those who remember the web of 2000: what about the UX of the web of today do you prefer? I have a theory that some people are more easily bored than others and that those people appreciate the web of today because the increase in variety, color and motion (of elements on the page) helps keep them from getting bored. Is that it?

(I remember the Sourceforge of 2000, but have nothing to say about it.)

ADDED. I neglected to consider that Wikipedia did not exist in 2000, which significantly changes the balance. I still disagree with "Everything internet sucked around 2000". In particular, I miss web sites created by individuals not expecting to make money from their writings. Although many (most?) of those web sites still exist, they've become vastly harder to find with a search engine because of content farms and other professionally-produced professionally-SEOed content.

You probably mean that you like the good design from 2000 (and well, I share your opinion on that). But there were also the bad ones, and there were a lot of them.

The majority of banking sites required you to use ActiveX, very frequently the shopping websites would use weirdo content plugins or have their content in PDF.

Those were the times of multi-frame abuse, webpages with sound and no control, sites trying to be clever and disabling right-click. Pop-ups everywhere, sites hijacking your browser window and resizing it, moving it around. Stupid cursors that made your computer grind to a halt. Sites designed for 640x480 and nothing else.

Remember the "blog"-like personal websites on GeoCities and the like? Remember the portals?

What I remember most from the time is how much superior I thought the newsgroups were to find anything.

Those were the times of multi-frame abuse, webpages with sound and no control, sites trying to be clever and disabling right-click. Pop-ups everywhere, sites hijacking your browser window and resizing it, moving it around. Stupid cursors that made your computer grind to a halt. Sites designed for 640x480 and nothing else.

A lot of these still happen, except they are using different technologies and look slightly different. We have parallax scrolling, Bootstrap-like modal windows, unlinkable single-page apps, websites that screw up "back" button and above all we have pages that require you to download several megabytes of junk and execute tons of JavaScript just to read several kilobytes of text.

Wholly agree on the state of searching. These days pretty much any important words in my technical queries are ignored, and the results end up with the same landing pages for the project I'm searching about mixed in with pop culture trash and autogenerated spam pages rather than anything relevant to the narrower query. It's not a library of knowledge, but a wall of noise.

I've tried e.g. Yandex and it's not much better, mostly just different (although they do return a good amount of results for things that Google's thought police have vanished). The unfortunate truth is that with the "internet" entering pop culture, pop culture has watered down the Internet.

I was thinking it would be an interesting experiment to take adblock one step further and hack something up that retrieved all the Google results and filtered out everything with any advertising. It seems like I'd come across those hard-wrought, dense-knowledge textual pages far quicker, since the author's motivation is to share knowledge.

Here's a good rule of thumb to keep in mind:

Any time you have a "theory" about other people that implies that you have a natural superiority to them based on your belief that you have superior taste, you're almost certainly full of yourself.

I can usually stay engaged and interested in static documents consisting of black text on a white background for many hours in a row. Some of the people in my life need more mental stimulation than that can provide, and spontaneously tell me as much. (Their main source of mental stimulation is social interaction.)

What part of that or my other comment implies that I think I have superior taste?

Your entire comment is a statement that the web of 2K-ish was superior, and that it is also to your taste, so there's the implication.

Also, in truth, I'm just tired of the "everything new is shitty, everything old is grand" comments on nerd sites, so I call them out habitually.

Well, "...need more..." implies you are superior because you don't. As well as "... and spontaneously tell me as much.", which implies they give you facts you didn't ask for and, coupled with the rest of the comment, implies you had no interest in knowing, i.e. they are time wasters.

I wonder if this comment might not be an example of the point it is trying to make?

I prefer using wikipedia or stackexchange for information rather than searching for hours

Wikipedia and Stack Exchange provide only one kind of information. There are several other types of websites that either went extinct or turned to garbage. Dr. Dobb's is a good example. StackOverflow might be the thing that helps you find a workaround for some API stupidity, but you are not going to "read" StackExchange on a daily basis.

What's worse is that they never had to spend a penny on hosting open-source files; the likes of HEANET in Ireland paid out of their own pocket (well, I and other Irish taxpayers did in the end) to host terabytes of files and use gigabits on downloads at a time when bandwidth was expensive (10 years back bandwidth cost a lot more, and HEAnet's downloads were always fast, and I know the guys used a lot of hardware back then for the mirror to support open source).

That's it, we need an open source community website that manages and links to the mirrors (HEANET, etc.).

ftp.heanet.ie was a 32GB Itanium, one of the first Itanium servers I know of.

This doesn't seem quite fair. I don't remember anything else like sourceforge when it came out in 1999. If you ran a project, you found a host somehow or paid for one, and you effectively managed and set up all of the services. From just the web site for the project itself, to the source code control, to mailing lists and bug tracking if you needed them, forums. Further, colocation was common but VPS wasn't; if you rolled your own host you were on the hook for a computer for it. Now there may have been something else out there, but I don't remember it, and sourceforge was embraced because of it. They dramatically lowered the cost and effort of putting an open-source project out there. I assume that they basically created the model google code and github and the others have followed.

They've been in trouble, effectively since VA Linux's stock crashed...

Your gladness is premature: it's still alive and kicking, if busily shooting at its own feet while it does so.

Sounds like a wise saying that I've read on every submission about Sourceforge; the problem is that I think it is in general bullshit.

If we'll look down in history, I think there are very few villains that have acted as heroes when starting out. The signs that such companies are assholes are in general there, from the start. As an example, I don't remember a time in which Sourceforge was the hero, as much as I try. Since as long as I remember Sourceforge, it was always the "necessary evil", the nuisance you have to deal with because bandwidth was (and still is) very expensive.

> I don't remember a time in which Sourceforge was the hero, as much as I try

No offense to you personally, but this is a case where it's about grey hair more than ability.

There was certainly a time when Sourceforge was the wham-bam-snickety-snack boom-blam bomb. It was when Slashdot was the Hacker News, when "LAMP" was a new term, when 10Gbps across the U.S. (vs. your living room) was a Big Deal.

> If we'll look down in history, I think there are very few villains that have acted as heroes when starting out.

This is called playing "I told you so." In reality every organization begins with high ideals then adjusts to reality. The elegance of this transition defines how villainous they've become. Consider McDonalds and Whole Foods. Both seemed delightful at the beginning. We see how McDs is now cancerous (or at least diabetesacious) and Whole Foods is anti-union, but surviving anyway, a "mundane evil."

You can't predict which company will become evil or not.

Well, it was a joke based on a cliche from a Batman film. In terms of wise sayings, it's on the level of fortune cookies.

But the underlying point is similar to "you are the product". People chose Sourceforge because it offered free hosting. It was for a long time the "default" choice, back in the early 2000s. They had banner ads, usually from other Linux companies, and that seemed to pay for it. It was easier to use than FTP sites.

The question always remains: who is going to pay for it? If a company is sinking, then they have only two options, to close it down or to engage in ever-shadier chasing of monetisation options. Can you imagine the outrage if they'd put up a paywall? It's basically the same politics as has made "free to play (with gouging IAPs)" the default mode of paying for mobile apps.

Not sure how profitable GitHub is, but there are users paying for private repositories or for the Enterprise version, and the revenues thus far seem to be enough to support the free users as well. To an outsider like me it looks like a win-win situation, since GitHub is now the place to be on, with open-source projects giving them free exposure, and with the Enterprise version starting to win against other established solutions because "everybody knows GitHub". I used to be a paying customer of GitHub; now I'm enjoying the free benefits and pushing for the Enterprise edition in my organization. Am I the product in this case?

I do hate the "free to play (with gouging IAPs)" model and I actually prefer ads with an option to go ad-free. However even with this business model there are heroes. See for example Path of Exile, a free game in which the in-app purchases do not have an impact on your ability to win: https://www.pathofexile.com/

I do agree with you, the chosen business model makes the difference. I do believe that ads aren't inherently evil, it's just the status quo that is. Yes, today ad-supported means that we are the product, but this product has a free will, a fact that some companies are forgetting. At the very least there are some signs of change. Google for example is at least trying to play it both ways - you can be a paying customer of Google Apps and they'll introduce subscriptions to YouTube for going ads free (with the ability to cache content for offline viewing on mobile devices being the incentive needed for regular folks).

Github are indeed the heroes of the day and have an enterprise revenue model. So far, so good. But Sourceforge is sixteen years old. Will Github still be the good guys in 2030? It's impossible to know.

SourceForge used to have an enterprise revenue model, too. They bet the company (or at least the name) on it - VA Research -> VA Linux -> VA Software -> SourceForge -> GeekNet -> {Dice and HotTopic^WGameStop}.

If Github ever pivots to selling t-shirts, run.

Welp. Time to switch to BitBucket, then.

SF/VA gave Linus and ESR stock. I believe ESR and several others were on some sort of community advisory committee to them. Part of SF's problem was that they didn't want to pick winners so much as create and facilitate "community", so they had multiple choices for different tools they hosted. They had build servers and such, as that seemed at the time like a problem space (how do you know if your code runs on Itanium?). They made what at the time was an unprecedented effort to engage the community and not be evil.

Ultimately someone needs to pay some bills though, a few transactions later and this seems remarkably far from their start. It's embarrassing and shocking.

> I think there are very few villains that have acted as heroes when starting out.

The logical implication in that line flows in the other direction. It's not that every villain started out a hero, but that every hero (that survives long enough) ends up a villain. Of course, it's untestable as there's no limit on "long enough", but then again, it's just a line from a movie...

How long have you been using SourceForge?

I remember a time when it was a fantastic resource, that it was one of the primary places to get FOSS - my earliest bookmarked link is for AFPL Ghostscript from 2004. IIRC I started using it around 1999 when I first installed Linux. There was Freshmeat too but that IME had far fewer of the major projects. Searching SourceForge was the best way to find projects for a particular need at the time.

The last FOSS project I downloaded there that isn't available elsewhere was last month.

The problem now is raising the alarm all the way out to the endest of end users, that this formerly trusted site cannot be trusted anymore.

Perhaps Google could step up and de-list them, but that is a pretty slippery slope.

Patio11 suggested that in relation to Gimp. Also, someone helpfully posted the google link to report websites:


Suggested reason is "embeds malware/adware with downloads".

Could also write mails to the mirror providers listed here: http://sourceforge.net/p/forge/documentation/Mirrors/

And ask them to stop mirroring SF because they distribute malware. I don't know how many of them provide the mirror for free though. I remember quite a few universities provided SF mirrors back in the day.

I doubt this would ever happen. A large portion of Google's own ad revenue comes from companies distributing adware. I worked for a company that was in the adware distribution business and we funnelled millions to Google--to the point that we had dedicated account reps at Google who helped us to make sure we stayed compliant with Google's adwords policies so we could keep peddling our adware installers.

No it isn't. The site was relevant before as it served what people needed, and was ranked high. It no longer is serving folks' interests, so it can be ranked lower, or de-listed. Completely fine.

I agree with you. To clarify my slippery slope comment, it applies in general to all users of censorship powers. Who is a fit judge to decide what you and I get to see?

De-listing from Google is basically being taken off the internet, so wielding that power too often might get Big G into a lot of trouble with agencies like the European Commission.

On balance I think SourceForge deserves a browser level "here be malware" warning, trusting that most users will make the right choice if informed.

>Of course, the game-theoretic response from the entire internet community is to make sure they never, ever, for any reasons whatsoever, ever click on a link that starts with "sourceforge.net"

That's a nice idealistic response, but what about when you can't find a file anywhere else?

Depends on how much you need the file

So that's when we start downloading Sourceforge's files en masse (with ad-blockers enabled so that they're not rewarded for their misbehavior), stripping out the malware, and rehosting them somewhere.

It can never be rational to violate other people, because if you have a rational system of values, doing so will make you feel bad.

Drag down SourceForge all you want (I applaud that) but don't drag down rationality with it.

Simply add their domain to the hosts file to prevent any accidental downloading.

This is a solution for me. It's not a solution for the hundreds of people I've told about GIMP over the years, some of whom I no longer have contact with. Those people don't know how to edit their hosts file.

I'm not worried for myself I'm worried for them.

Just submitted the story to Slashdot [1].

Since it shares the same owner as Sourceforge, let's see if it gets "buried" [2] (or "late released due to an editor vacation" [3], as was their explanation) or if they publish it in a timely manner and within the spirit of the submission.

[1] http://slashdot.org/submission/4487045/sourceforge-hijacks-t...

[2] http://www.reddit.com/r/linux/comments/381q6r/slashdot_buryi...

[3] http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-...

The submission was accepted on Slashdot [1] but with several modifications that change "Fyodor accuses Sourceforge of hijacking nmap account" to "Fyodor warns that he doesn't control Sourceforge nmap mirror", among other things.

I detailed the changes made and why they were biased in a comment on the same submission. [2]

[1] http://it.slashdot.org/story/15/06/03/126224/nmap-maintainer...

[2] http://it.slashdot.org/comments.pl?sid=7500817&cid=49829957

Slashdot and Sourceforge, is it 2006 again? ;)

This is all such a shame. GitHub is to Sourceforge what HN is to Slashdot.

That is unfair to GitHub.

Give a shot submitting it to http://soylentnews.org as well.

Looks like your submission has made it to the /. front page. I confess I'm at a loss for a meaningful comment on what that says...

Granted it's been, uh, a little while since I've last tried, but my recollection is that Slashdot's submission process has always been arbitrary and frustrating. I wouldn't necessarily attribute lost submissions to malice.

If your old account is listed here, you're getting fuxxored:




Edit: added http://sourceforge.net/u/sf-editor/profile/ which includes MySQL and a few other high profile projects.

I didn't know they did this at this scale. I'm surprised by all the big names in the projects they've hijacked: I see apache, drupal, firefox, libreoffice, mysql, postgresql, redmine, sqlite, thunderbird, vlc, virtualbox and many, many others.

They're really going all in with that.

From what I remember, even though Firefox is open-source, you can't use the Firefox name when distributing it without getting approval from Mozilla. This is why Debian went at some point with the Iceweasel name. So Mozilla controls what gets distributed with the Firefox name, and they could sue for trademark violations if they want to.

IMHO, all open-source projects should protect their name. For example, last time I tried, VLC for iOS was banned from the iTunes Store, yet there were dozens of obscure apps using VLC's name or logo on the iTunes Store (this was happening in January). Especially given that there is such a thing as an unregistered trademark, which is valid through usage. Even if you fork it, the authors should have the courtesy to use a different name.

If you have ever uploaded something to sourceforge you have given them the right to use your trademark in perpetuity, something to think about when posting on public sites like this.

But go look at the actual firefox they list.

http://sourceforge.net/projects/firefox points to some personal build of firefox. http://sourceforge.net/projects/firefox.mirror seems a lot more official. I have no idea what binary you get from either of them.

Damn, that's a lot of projects.

OpenOffice, Apache server, hadoop, Audacity, CDex, Colloquy, those are all projects I have on one of my computers, and I haven't gotten to "D" yet.

This is depressing

Seems weird that I could install Hadoop and get some shitty toolbar as a result.

Looks like an opportunity for cloudera

I'd love to see that board meeting.

Plenty of popular names on there. That's shocking.

To be clear - there is a difference between mirroring (which is good netizen behavior, and to be complimented), and trojaning (which is modifying the upstream sources before delivering them to users - which is decidedly not good netizen behavior).

It's important to understand which is which for those accounts.

As long as one of those accounts is trojaning (or even just suspected of possibly having been trojaning once) it instantly poisons all the mirrors. Even if they are perfect netizens 99% of the time, that 1% makes all their other efforts useless.

Whoa what. Are you suggesting that suspicion of possibly maybe having put a trojan in someone else's files somewhere is grounds to make all one's efforts useless and poisons everything else you do?

Geeze, I guess we should stop using Google. They've been accused and suspected of much worse by a lot of people. I hope that's not what you meant.

Are you suggesting that suspicion of possibly maybe having put a trojan in someone else's files somewhere is grounds to make all one's efforts useless and poisons everything else you do?

Short answer: Yes. Downloading and running arbitrary binaries from the web is inherently quite a dangerous thing to do, and I only feel comfortable taking such a risk with sites I trust. I no longer trust Sourceforge and there is very little they can promise me to make me start wanting to download from them again.

Er, okay.

Well, I don't agree¹ with your method of evaluating trustworthiness (which seems to me rather too quantized and "chastity"-minded), but at least you know exactly what you're doing and who you're trusting.

[1] Read as "I believe it's sub-optimal for a given cost-benefit formula, after some assumptions about certain variables and certain opportunity costs, and other methods would likely be more useful in context."

suspicion of possibly maybe having put a trojan in someone else's files

Isn't it a hard fact at this point?

For Sourceforge specifically? Sure.

In general, the way the comment was worded? No, suspicion does not equal hard fact.

We were talking about the latter.

No, it is not important at all - because today's mirror will silently be replaced with tomorrow's trojan.

It is important to expose this behavior for what it is.

And in the process, remind everyone that abuse of power is a question of WHEN, not IF, whether it's a government entity or a corporate one.

Sourceforge's mirrors are a complete misuse of the term mirror. A mirror should be an exact copy of the source and should be approved by the original project, which I doubt any of these 'mirrors' are.

An interesting bit of weaseling by SourceForge is to add a "downloader" which fetches the actual unmodified installer/sources. The "downloader" installs adware while fetching the real installer for the software. In the case of GIMP, the filename of the downloader was made to be the same as the filename expected of the installer for a given version. This dirty approach might thwart protections based on cryptographic signatures, or even trademarks/copyleft.
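The defence against a wrapper that borrows the real installer's filename is to verify content, not names. As an added illustration (not code from the thread or from any project mentioned in it), the script below checks a downloaded file against a `SHA256SUMS`-style manifest of the kind projects publish on their own site; the filename, the manifest and the file contents are all constructed samples, and the manifest is assumed to have been obtained from the project, not from the mirror.

```python
"""Verify a downloaded installer against a vendor-published SHA256SUMS manifest.

Added example: a wrapper "downloader" that reuses the genuine installer's
filename passes a name check but fails a digest check. Everything here is
constructed sample data; nothing is a real installer or real project manifest.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed sample contents (not real installers).
GENUINE_BYTES = b"MZ\x90\x00 genuine installer payload (constructed sample)\n"
WRAPPER_BYTES = b"MZ\x90\x00 adware downloader reusing the same filename (constructed)\n"
INSTALLER_NAME = "example-setup-1.0.exe"  # hypothetical filename


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the output format of `sha256sum`, which is what most
# projects publish. Only the genuine installer is listed; a wrapper never is.
SAMPLE_MANIFEST = (
    "# SHA256SUMS (constructed)\n"
    f"{sha256_hex(GENUINE_BYTES)}  {INSTALLER_NAME}\n"
    f"{sha256_hex(b'other')} *example-source-1.0.tar.gz\n"
)


def parse_sha256sums(text: str) -> dict:
    """Map filename -> lowercase hex digest. Accepts both the text-mode
    ('  name') and binary-mode (' *name') separators that sha256sum emits."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            continue  # malformed line: ignore it rather than trust it
        try:
            int(digest, 16)
        except ValueError:
            continue
        entries[name] = digest.lower()
    return entries


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, manifest_text: str) -> str:
    """Return 'OK', 'MISMATCH' or 'UNLISTED'. The verdict depends only on the
    file's content: a wrapper that copies the expected filename is MISMATCH."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "UNLISTED"
    actual = sha256_file(path)
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"


def demo() -> dict:
    """Write both constructed samples under the same filename (in separate
    directories) plus an unlisted file, verify each, and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, data in (("genuine", GENUINE_BYTES), ("wrapper", WRAPPER_BYTES)):
            d = os.path.join(tmp, label)
            os.mkdir(d)
            p = os.path.join(d, INSTALLER_NAME)
            with open(p, "wb") as f:
                f.write(data)
            results[label] = verify_download(p, SAMPLE_MANIFEST)
        unknown = os.path.join(tmp, "not-in-manifest.exe")
        with open(unknown, "wb") as f:
            f.write(GENUINE_BYTES)
        results["unknown"] = verify_download(unknown, SAMPLE_MANIFEST)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

A manifest fetched from the same mirror as the download proves nothing; it has to come from the project's own site or be covered by a signature you can check independently.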

SourceForge was sold in 2012 to a conglomerate company named "DHI GROUP INC" or "Dice Holdings Inc" that owns the following companies:

  Open Web
  The IT Job Board

I remember thinking "I guess they want to get more of the tech community's mindshare to promote their job board" when Dice bought Slashdot. With the way they've alienated the tech community by trashing Slashdot and SourceForge, I wonder how many tech people will use their job board now.

One problem is that people looking for jobs are usually inexperienced with it, so there is constantly an unusually large supply of "fresh meat".

There should be more regulation on the jobs market. It's a data-mining goldmine and fake job postings aren't illegal as far as I'm aware of.

If you didn't know, SourceForge back-pedalled 2 days ago and said they'll stop bundling the crapware in the mirrored projects:


The author, and a lot of the commentators here, don't seem to have seen that announcement.

We saw it, but why does it matter? They also claimed to never add adware without consent before. Even considering bundling malware with FOSS projects is offensive to me. They lost my trust and a simple blog post won't win it back.

The policy of taking over "abandoned" projects is super shady as well. That's what this mailing list post is about, isn't it?

Not "we", as the author of the post doesn't know about this announcement from sourceforge, as they say:

we haven't caught them trojaning Nmap the way they did with GIMP

So stop trying to speak for 100s of thousands of people at once.

This very mail also says

PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.

He does know about the announcement, but he does not trust them anymore. That's fully understandable. Fool me twice, etc.

Additionally, you addressed people posting in this thread. The Sourceforge announcement was all over HN and reddit, and a lot of people following the whole issue knew about it. It's simply not enough to win back users' trust. But I already addressed that - yet you chose to criticize my way of wording, not the actual content.

You probably missed this part at the end:

PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.

But they've said that before. This amounts to "we promise to stop breaking the promise we made earlier". I for one won't be trusting this new promise to last either.

Because they said it it must be true!

Fool me twice...

Then why are those hundreds of mirror accounts still online? There is simply no excuse for that.

They've probably seen it, just given it no credence

The VLC account has also been hijacked but without wrapping the installer: https://blog.l0cal.com/2015/06/02/what-happened-to-sourcefor...

One should sue for trademark violation. I'll chip in if anyone is fundraising.

I suspect pointing Oracle's lawyers at their MySQL account that sf-editor "owns" might be worth more than collecting donations...

This is definitely a possibility, and when sourceforge bundles nmap with malware I would deem it necessary. nmap is protected in the US by trademark #78342532.

It feels a bit different here, at least to me. Nmap had a Sourceforge account, but now it's been taken away from them -- "hijacked", as the post describes it. And Sourceforge at least used to be a reputable site and has (had?) some lingering aura of trust around it.

They had this "You Can Take Over Abandoned Projects" policy for years:


I took over APNG project in 2011, nice short name, it was really abandoned, and I don't feel bad about it:


Sure, but this is Sourceforge itself doing the taking over, and they're offering the same downloads (plus their wrappers and what-not) rather than reusing the name for a different project.

Sourceforge was, for a long time, the definitive home for many, many popular open source projects. That they've cashed in on this historical trust, and in some cases on the fact that the thing they are "mirroring" actually was hosted there at some point, makes this worse.

For example, for years, I've used winscp.sf.net to get to WinSCP when I need it. As of now it redirects to what I believe is WinSCP's actual site, winscp.net. In the past, Sourceforge was the actual location to get the binary. If at some point they set up a "mirror" for WinSCP, there's a good chance that people visiting that haven't in a long time might just accept that if they get a download link at a sourceforge page, it's likely legit.

I can't say the same about any of the sites you listed.

>> SourceForge.net is owned and operated by Slashdot Media. Slashdot Media is a DHI Group, Inc. company.

That explains why this kind of news has been entirely absent from slashdot (with the exception of that one heavily castrated entry).

Good job, Sourceforge.

  # 0.0.0.0 is the usual hosts-file sinkhole address; any non-routable address does the job
  echo "0.0.0.0 sourceforge.net" >> /etc/hosts

I just scraped Google for the indexed mirrors.

  site:sourceforge.net/projects/ inurl:mirror -inurl:files -inurl:reviews -inurl:compare -inurl:support

Gave me these[0] 253 indexed projects. Would be interesting to crawl the entire website to see if there's more.

[0] http://git.io/vkb3N

In spite of account hijacking, GIMP was still downloaded by almost 15k people this week. Six days ago they took over Audacity project as well, which was downloaded by more than 150k this week[0].

[0] http://sourceforge.net/projects/audacity/

What will happen if I run Audacity installer from sourceforge?

I have done that an hour ago. Should I be concerned?

If you have ignored the crapware dialogs of the installer, you should be. But even then there is no telling what they could install without prompting first.

If this is a windows install, do as you would normally do for a spyware infestation.

1. Go through installed programs and uninstall any that you don't want/ didn't know about. Google any you have questions about. (Clicking on date in upper right will sort from newest to oldest.)

2. Get rid of Audacity. We can only assume that this binary is infected as well as the installer.

3. Run something like malware bytes. Do be careful to get the right installer, as the website has many misleading links. Run this.

4. Install in browser: ad block edge for Firefox, or ad block plus for chrome or safari. Quit using IE if you use that.

That should take care of 99% of all problems on your windows machine. I have no clue if you should or should not be worried regarding bad binaries from scamforge. I haven't analysed the binaries.

You got the same download as you'd get from Audacity itself. SourceForge is acting as a mirror. Unfortunately, the Audacity installers are not digitally signed, but they are bit-for-bit identical on the SourceForge download to the Audacity website download.

SourceForge never modified installers of projects. Even of ones like FileZilla participating in the program. They push "download offer installers". So, if you try to download FileZilla, you get a 750K download that shows you offers when run and downloads the actual FileZilla installer in the background and runs that after you accept or decline the offers.

Well assume you now have some malware/spyware/adware on your pc now, and assume you need to clean it off. Or check the hash of the installer with some reference bin from a trusted source.

The hash matched the official installer. I doubt they are crazy enough to deliberately hide malware without prompting.
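The check the two comments above describe (compare the downloaded installer's hash against a reference from a trusted source) is worth doing against a manifest rather than by eye. The following is an added example, not code from the thread or from the nmap or Audacity projects: it parses a `sha256sum`-style manifest, hashes each candidate file, and reports a per-file verdict. The installer bytes and the manifest are constructed inline for the demonstration; the one assumption that matters in practice is that the manifest itself came from the project's own site or a signed release, since a manifest fetched from the same mirror as the installer proves nothing.

```python
import hashlib
import hmac
import re

# Constructed sample data: a fake "official" installer and a copy with an
# offer wrapper appended, standing in for a mirror-modified download.
OFFICIAL_INSTALLER = b"MZ\x90\x00 fake installer body v1.0\n" * 100
WRAPPED_INSTALLER = OFFICIAL_INSTALLER + b"# download-offer wrapper appended\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in `sha256sum` output format ("<hex>  <filename>" or
# "<hex> *<filename>" for binary mode). In real use this text is the piece that
# must come from a channel you trust (project site over TLS plus a GPG-signed
# release, as the nmap docs do), not from the mirror being checked.
TRUSTED_MANIFEST = (
    f"{sha256_hex(OFFICIAL_INSTALLER)}  installer-1.0.exe\n"
    "# comment lines and anything else that is not a digest entry are ignored\n"
)

# 64 hex chars, whitespace, optional '*' binary-mode marker, then the filename.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_manifest(text: str) -> dict:
    """Map filename -> expected lowercase hex digest, skipping malformed lines."""
    expected = {}
    for line in text.splitlines():
        match = MANIFEST_LINE.match(line.strip())
        if match:
            expected[match.group(2)] = match.group(1).lower()
    return expected


def verify_files(manifest_text: str, files: dict) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'NOT IN MANIFEST'} for each candidate.

    A file the manifest does not list is reported separately from a bad digest:
    a renamed or extra artifact on a mirror is a different signal from a
    tampered one, and both deserve a look before anything is run.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = sha256_hex(data)
        # compare_digest is constant-time; not strictly required for a local
        # file check, but it is the habit to keep for any digest comparison.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


if __name__ == "__main__":
    candidates = {
        "installer-1.0.exe": WRAPPED_INSTALLER,  # what a wrapping mirror would serve
        "installer-1.0-extra.exe": OFFICIAL_INSTALLER,  # unlisted artifact
    }
    for name, verdict in verify_files(TRUSTED_MANIFEST, candidates).items():
        print(f"{verdict:16} {name}")
```

Reading the verdicts: `ok` means the bytes are identical to what the project published, which is the situation the comment above reports for Audacity; `MISMATCH` is what an offer-wrapper download would produce, since even a prepended stub changes the digest; `NOT IN MANIFEST` flags a filename the project never published at all.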

Hijacking the account of one of the security community's most loved and used tool. Yeah ... that seems to be a smart idea.

Yep, how to fuck off the Black, Grey and White Hat communities all at once.

I wonder how many copies of nmap are running against Sourceforge's servers right now?

The only viable long term way for any open source project is to self-host[1]

[1] https://www.enalean.com/en/Open-source-community-host-yourse...

It's worth noting that most of the open source software that self hosts becomes an ad page or malware site within a few years once it's abandoned. One advantage to hosting on a shared site is that the project can live on. Or, at least, the binaries and source are still available for interested parties years after the developers moved on, lost interest, or passed away.

A site like Github that hosts open source projects brings a lot of value to the community. Great search, and the same UI when going from project to project. This would be much more cumbersome and time consuming if every project was on a different site with a different interface.

Also, many open source projects don't have the money to afford bandwidth costs of providing large software downloads.

I'm not saying GitHub doesn't help. SourceForge did help at the time. But if you value your freedom, you need to understand that, if you don't have the keys of your infrastructure, you are locked to the good will of the provider (and its stakeholders).

I don't buy the money argument. If you have the chance to be a successful enough open source project, you will find hosting companies ready to help you with free VMs.

If you are not that successful, you can use github & co without fear, nobody will try to insert crapware in your packages. And if you want to selfhost, even a raspberry pi will have enough power to serve your site.

What sort of traffic do reasonably popular open source projects see? And what sort of costs would be involved for self hosting?

I think the point here is "reasonably popular", which project would you place here ?

The costs are directly proportional to the traffic but nowadays most "reasonable popular" open source projects can get hardware (VMs) from hosting companies for free.

This is incredible.

We need end to end security without this https insanity as a bandage more than ever. Ubiquitous signing and audit logs more than ever. Tools that, for normal end users, refuse to work if integrity is broken. What sourceforge is doing should be universally seen as damage and systematized intolerance should make the attempt pancake so hard and so fast that nobody ever even tries it.

It's excellent that the nmap people distribute gpg sigs. Now we need to socialize the fact that "https does not mean I'm getting what I wanted from the original authors", and start building (yes, we need to get past the http://www.thoughtcrime.org/blog/gpg-and-me/ problems) and using tools that do better.

I think this is the time to remind people some projects (ie filezilla) are willingly distributing the malware with their projects. The developers reaction is basically "there is nothing wrong with it"[1].

I feel like there is a niche service to provide installers that have been decrapified. I'm not talking about ninite (which is private/commercial) but an open source repository of installers that you can "apt-get" for Windows. I know people have tried that in the past - but the problem is that the builds that are posted manually go out of date pretty quickly so I think this process would have to be automated.

[1] https://forum.filezilla-project.org/viewtopic.php?t=31127

Yeah, sad that I at one point thought they were trustworthy. Hell, at one point I thought CNET was safe...until I downloaded and installed a "BestMp4ToMp3 converter" from there that infected the corporate network. Scumbag city, those sites. That's a major reason I support FOSS like VLC financially.

"BestMp4ToMp3 converter" didn't give it away?

Right. Hopefully momentary iq lapse. :)

They were trustworthy at one point. I was a SF.net developer a long time ago and I can assure you that the number one consideration was the Open Source community. Sure there were ads but never once were we asked to compromise any project to increase ad sales.

Honestly, in hindsight I wish we had gone to a model more like Github.

What I don't understand about any of this is why anyone wouldn't just either move their project to Github or self host. Why would you even still have your project hosted on SourceForge?

I understand the author's grief and anger. I feel bad for them really as this will hurt the NMap brand, but come on, avoid the whole situation and just remove the project from SourceForge completely.

> What I don't understand about any of this is why anyone wouldn't just either move their project to Github or self host. Why would you even still have your project hosted on SourceForge?

They won't let you "move" a project.


> At SourceForge.net, we feel a commitment to ensuring the long-term availability of the Open Source code released by the projects we host. We will weigh requests for project removal against the community value of leaving the project intact...Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value.

I think the problem is that abandoning your project on Sourceforge doesn't have the intended effect.

"SourceForge, the code repository site owned by Slashdot Media, has apparently seized control of the account hosting GIMP for Windows on the service, according to e-mails and discussions amongst members of the GIMP community—locking out GIMP's lead Windows developer. And now anyone downloading the Windows version of the open source image editing tool from SourceForge gets the software wrapped in an installer replete with advertisements."


>What I don't understand about any of this is why anyone wouldn't just either move their project to Github or self host.

Personally, I like their download stats:


But generally, why would I move if I never had problems with the service?

Because perhaps--just fucking perhaps--you don't want malware injected into any of your projects when they're downloaded?

I keep complete control over my projects, and I'll make sure it won't happen.

> I keep complete control over my projects

Until they take that control from you.

> I'll make sure it won't happen


> Until they take that control from you.

They won't because I'm not abandoning my projects.

People who complain have one thing in common - they abandoned their projects on SF. It's kinda like letting the domain name expired and then complaining that somebody took over. Always keep an eye on your hosting and your domain names, folks.

> They won't because I'm not abandoning my projects.

What makes you think that will make a difference? They'll hijack whatever they want that's hosted on their servers whenever they want to hijack it.

Devs who never abandoned their projects are doing fine. Not one of them complained about "hostile takeover".

And what makes you think that this couldn't change at literally any time?

I was wondering the same thing.

Clean up your mess when you're done and you won't have rats.

Should Sourceforge perhaps be added to Google's Safe Browsing blacklist?

So what decent release tarball storage services are there today if github's autogenerated release tarballs don't do it for you?

Given that a VPS like Digital Ocean will give you 1 Terabyte/month for $5/month, isn't it straightforward to host your own tarball now?

I see the nmap tarball is 20 Megabytes = 50,000 downloads.

The cost of hosting should be easily covered by your user base.

DigitalOcean feels wrong for this purpose since they provide VPSs, not storage per se. I would suggest hosting the website on Digital Ocean, github or something similar and hosting files on S3 or some similar service that specializes in storing files rather than providing VPSs.

The problem isn't really in the overall bandwidth usage though, it's the concurrency.

Would the $5/month droplet stand up to a surge of people coming in for a latest release, or a bit of press coverage? Would there be enough bandwidth that everyone gets the file fast or would they all slow to a crawl

What about providing a BitTorrent link? The main server could provide a backstop seed, and presumably enough other people would seed too for any decent-sized project.

P2P downloads would help cover some of the costs, but popular projects probably need a direct download link with load balancing as well.

If the project doesn't want to manage their own infrastructure, they're probably going to want a CDN or object storage provider. The most cost-friendly I've seen is OVH's RunAbove object storage, but I'd be interested to know if there is anything else comparable.

50000 downloads is ridiculously low for any popular software package. Besides, VPS are not that fast at serving static files as you think. My VPS-hosted site became like 10x as fast when I made it pull 100kb-ish javascript files from a CDN instead of off VPS harddrive.

Do users pay anything at all? Or enough to cover that trivial cost?

Oh bollocks, I thought by 1TB/month you meant in storage, not bandwidth!

Realistically, we need to move to decentralization for this. Same way that the distributed github project was like a, "Oh yeah, this is our insurance policy in case GitHub ever becomes garbage."

I'm surprised the nmap.mirror site doesn't have hundreds of reviews telling people to not use it, and pointing them to the official site.

I'd be interested to see how sourceforge respond to DMCA requests.

MOZILLA: http://sourceforge.net/projects/firefox points to "personal builds of Firefox"; http://sourceforge.net/projects/firefox.mirror/ seems to describe legit Firefox. I haven't tried to download it to see what I get.

FEDORA: http://sourceforge.net/projects/fedora/ points to some random software. http://sourceforge.net/projects/fedora.mirror describes Fedora the OS.

Not only scummy, but semi-competent too.

278 downloads for Fedora 17 32bit this week? Those poor souls trying to get into Linux ...

It was around 10 (my own included) negative reviews as of a few minutes ago.

If I submit my resume to Dice.com, I fully expect them to mail me a baggie of white powder and a coupon for 25% off anthrax vaccines.

Is it time to start publicly shaming their mirror partners?

I think it's pretty clear that DHI has no shame, but what about the mirrors?

How to literally kill your company:

1. this

The company is already dead. This is simply looting the corps.

Nice, hopefully intentional, typo ;)

However, are SF really making money from these mirrors? As I understand it from other comments here, you can still download the tarballs, and they seem more 'official' that the non mirror-suffixed accounts? When does mirroring become bad practice, what is the line you need to cross?

I'm pretty sure they are earning some money off this, and taking into account the website was going to die anyway, I don't think this is a negative thing for them to do.


Sourceforge needs to call it a day. Its day of relevancy is over, once upon a time it filled a need but we have Github, Bitbucket and much better choices now. What we are seeing is a site that is lost and will never be able to earn back the respect that it once had.

> Sourceforge needs to call it a day

The world is calling it a day on Sourceforge - they are just hanging around to milk what they can out of past glories.

Of course they can't just turn off anyway: there would be outcry from people because their currently idle project that hasn't moved to being hosted elsewhere suddenly became unavailable.

This bit is inaccurate:

"Of course this goes directly against Sourceforge CEO Michael Schumacher's promise less than two years ago:"

Michael Schumacher is not SourceForge's CEO, but a GIMP developer. The article quoted in the mail was written by Roberto Galoppini.

This is not hijacking at all. They created a new account, the old one remains blank as the author says. Sure it's morally questionable and leads to having a very bad reputation. But it's not hijacking. GPL code can be forked, mirrored, bundled and distributed. As long as the terms of GPL are obeyed there's nothing technically wrong with what SF is doing.

Of course they've completely blown all trust and squandered their reputation.

They may well be GPL2/3 section 2a/5a (prominent notice that they have modified the program... in this case the installer), and likely 2b/5b,c also (are they also providing the source code for the crapware?). If these are found not to apply (because the court finds it to be mere aggregation) we may need a minor GPL update :-)

Alternately one could look into trademark law, perhaps?

Sourceforge is now on my personal blocklist for Google search results. Along with expertsexchange which I added years ago, and Quora which may surprise some.

What is wrong with Quora? You may not like their business model, but I don't think they are doing anything terrible like source forge.

Unless it changed recently, but I used to click there through Google search results and still get some blurred out page, or only one answer, or a timeout that tried to make me register.

And quite frankly, I prefer the rather diverse universe of stackexchange sites.

I wouldn't mind hitting Quora through Google on occasion, but sometimes they actually have just a stub page, where the question isn't answered at all, so it shouldn't rank so high.

I also prefer the stack exchange sites, but there is some information on Quora that is just not available anywhere else.

Even Quora? :-)

I think they removed the logged-in requirement. At least I have been able to see every answer even though I never registered.

You can see the answer if you go to the page via a google search result. If a friend sends you a link, they block the answer with that annoying login modal.

It's pretty easy to delete with the developer tools, though.

Couldn't find how to do it in Google, did it in my hosts file...

For this device sourceforge now lives on May it wither there forever.

Read that as expert sex change, and thought you were revealing some very personal information on HN.

That's why they added the - to the domain. experts-exchange.com

I might be asking too late, but what's stopping someone from:

1. Identifying hijacked accounts

2. Forking to GitHub

3. Waiting for the inevitable ranking change

4. Handing over the project to the owner when/if they are identified.

I realize there's a good deal of handwaving here--particularly at 3 and especially 4. But, is this a bad idea? Seems like 4 can be replaced simply by the owner reforking, too.

The original nmap page in the article is back live now.

As much as I hate malware, can we confirm it was sourceforge that got rid of the old page? Maybe someone set up the mirror after a data problem or error rendered the old page blank and just wanted to get it up, or that person was nefarious? (Occasionally people can be "too helpful" on community sites by registering other people's projects).

I guess the question is really who owns sf-editor1/2/3/4.

The reason being I can't see a lot of bonus for someone doing it this way. I'd just put adware in the margins. The site looks sketchy anyway these days so it's not doing them a lot of good...

Maybe we should all learn something from this and also the thing about RadioShack selling of all their customer data. What will Google do when it gets shaky?

A reminder that this is just one of the consequences of open-source, free (as in libre) license software: It wouldn't be truly free otherwise.

I'm not saying I condone Sourceforge's actions, and this does deserve to be known widely, but what one person would consider privacy-invading malware could be another person's "helpful offers assistant" (or whatever)...

Average pay per install rates are around 0.2 - 0.5 $ per install. I won't be surprised if they make 10k-20k+ / day.

> If you don't trust SSL by itself (and we don't blame you), you can also check the GPG signatures: https://nmap.org/book/install.html#inst-integrity

Ironically linking to a page served via SSL


Not really. It's just a quick guide to using gpg to verify a software distribution. Many people already know how to do this, or you could look at the manpage if you prefer.

keyword : "by itself"

You need to have a chain of trust somehow... that's the best they could do.

I just wish they'd give up their domain name to someone worthy. Source Forge. Conjures up Gandalf for me.

I went to GIMP to get the latest version for Windows (Mine was 2+ years old)

Strange, it seems newer but the Windows version was the same as mine.

Googled what was up, randomly saw the Sourceforge controversy for GIMP in the news.

Went straight to SourceForge and got my update. Because they could be bothered.

If you want Sourceforge to be evil, get your shit together GIMP. (Windows users are people too, plus appreciate all the work, but it'd be nice if you remembered us)

PS And remember that if you're GPL or whatever then don't complain when someone follows the rules but doesn't do what you want. Is it GPL or not?

You can't say you're anti censorship, as long as it's what you want. You can't say you're GPL as long as it's what you want.

People are free to add malware to the product. Account hijacking not so much.

If I go to GIMP.org and click Downloads, I see this:


> GIMP for Windows

> Via HTTP (.exe)

> Download GIMP 2.8.14

If I go to SourceForge.org (clicking first SF link on Google for "GIMP download"), I see this:


> Download

> gimp-2.8.6-setup.exe

> Browse All Files

SourceForge has 2.8.6, GIMP.org has 2.8.14.

SourceForge has an older version. Where the hell did you go to?

(In fairness, SourceForge also has 2.8.14, but you have to go look at the file list rather than clicking the big green button. OTOH, GIMP.org's big button goes straight to the latest version.)

Sourceforge is looking more like a goner every day.

It's time for github to step up and start offering projects download hosting and the whole slew of other things that sourceforge gives a project.

Github does have download hosting, though. Their "releases" feature has worked fine for my projects, at least:


For me the real question would be, why was/is anyone still using sourceforge? Inertia?

I hope everybody still hosting there will take this reminder to finally move their stuff to a different host.

For many there are many projects that were hosted here before dying, and because of that, SF is both the official place to download and also SF sees it as fair game to take over and wrap with malware.

Why would they care about something that had 150 downloads since 2014? Seems like it may just have expired due to inactivity on the account.

Hoovering up the inactive accounts is probably an automated process. There would be little point putting in extra code to exclude less trafficked areas.

You deserve all the ads and then some. Bunch of freeloaders...

The BOFH in me is more upset with the software projects that abandoned those accounts without properly closing them.

It would be nice if SourceForge wasn't "Hotel California"


The problem is that it is basically impossible to completely close and remove a software project from Sourceforge. The best you can do is tag it as "inactive" or "relocated" and provide a link to the new site, but the project site will still exist.

Let's say it becomes possible. Then what? If your project is popular, it would be on softpedia, filehippo, majorgeeks and many other "free software" aggregators. If your project license allows others to distribute your software, you can't stop them.

Can you delete all the code from it? Or do they prevent that as well?
