Doesn't SourceForge routinely inject malware into the little install bundle executables, too? Once upon a time, SourceForge was revered for its good will and the ripples it was making in the FOSS pond. Too bad the site they've become can't close down soon enough.
It tends to make the download link the wrapper software, which installs the malware and downloads the actual software. This lets them supply e.g. unmodified Firefox binaries but still malware you.
I find the rapidly increasing collapse of the 'monetize downloads' business model quite refreshing. I hope Github has enough revenue to not have to revert to things like this in the future.
I imagine so. I don't think SourceForge's commercial offerings ever had much wind behind them, but pretty much every company I've done any kind of work for in recent years has a commercial GitHub account.
I work for a company that uses paid Github, and it's the BEST THING EVER. We will be happy to keep throwing money at Github well into the future. We just outgrew the "platinum" plan ($200/mo), but they have plans all the way up to "aluminium" (with an I) (just over $1000/mo).
They don't suck and we're enormously happy. As the sysadmin whose job it would otherwise be to manage Gitorious or Gitlab locally, I am delighted to be able to outsource this task.
So yeah, I'm extrapolating from anecdote but for the moment I think their prospects of continued payment for services are pretty good.
I have always thought this is something GitHub could capitalize on. GitHub is missing downloads of compiled binaries, and some forum for user (not developer) interaction.
GitHub does handle binaries, available through the "releases" link on the repo navigation bar. Developers can relate releases to tags and upload binaries.
Looks like the SourceForge n++ page is still there (http://sourceforge.net/projects/notepad-plus/), but downloads have been removed. I find it interesting that they're directing people to their GitHub page and not their website, considering that users are going to SourceForge to download the application, not build it from source.
All I see under the title "Notepad++ 6.7.9 release" is a direct link to download the source code and a link to download the binaries from their site. It seems like they should be directly linking to their website from the sourceforge page.
A lot of what you've listed either ships along with other software as libraries on platforms like Windows and Mac and/or ships as part of Linux distros. Hence SF would not benefit from spending time infecting these and, as a consequence, the owners have little reason to move away from SF.
That is absolutely true, I had the same thought. I should add that my list was biased away from Windows applications, as I made the list by summarizing the output of:
Besides Notepad++, I have in this box Pidgin, KeePass, DjVuLibre/WinDjView, DOSBox, Freeplane, TeXnicCenter, NAPS2, WikidPad, WinMerge, REDUCE (great CAS), JaxoDraw, MinGW/MSYS, NumPy/SciPy (Windows binaries are there...) and quite a few more.
I don't think REDUCE and JaxoDraw are going anywhere soon. Same for the WP 31S/34S calculator projects. Maxima and matplotlib are there as well.
I really need some of these, so for me blocking SourceForge is not an option even at this moment. It just isn't as easy as the vibe here makes it. I'm just as careful as you should be when downloading Windows installers: block most of the JS there, scan the files, always go for custom setups and, when in doubt, use sandboxing.
I think if I were any project leaving SourceForge, I would try to delete as much as possible, including the user account. Failing that, I would upload as the last release an "installer" that just gives notice that downloads through SourceForge are no longer supported due to their scammy behaviour, and a link to where to get the valid download.
I also just found out today that Mumble has moved their binaries and source to Github as well (the update prompt for 1.2.9 pointed to the Github binary directly).
Last time I checked, their download links all pointed to SourceForge.
So what's the deal with the 'injection'? They've been bundling crapware with the installers for a few years at least, right? But for a long while there was always an option on the file list/downloads page that users in the know could click to get a clean installer ('direct download'). That appears to be removed now; is that what everyone is up in arms about?
A couple of years ago they started using a malware wrapper that installed adware and then did the real download. Projects got very upset and they swore they wouldn't do this again, then offered profit sharing (which some projects took them up on, e.g. FileZilla).
Then, two years after promising they would never do this again, they started doing it again.