Aerosol

SourceForge locked in projects of fleeing users, cashed in on malvertising


Update (8:40pm CT): Shortly after this story was published, SourceForge's community team announced a change via blog post: "In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers for unmaintained SourceForge projects." Our original story follows.

The takeover of the SourceForge account for the Windows version of the open-source GIMP image editing tool reported by Ars last week is hardly the first case of the once-pioneering software repository attempting to cash in on open-source projects that have gone inactive or have actually attempted to shut down their SourceForge accounts. Over the past few years, SourceForge (launched by VA Linux Systems in 1999 and now owned by the tech job site company previously known as Dice) has made it a business practice to turn abandoned or inactive projects into platforms for distribution of "bundle-ware" installers.

Despite promises to avoid deceptive advertisements that trick site visitors into downloading unwanted software and malware onto their computers, these malicious ads are legion on projects that have been taken over by SourceForge's anonymous editorial staff. SourceForge's search engine ranking for these projects often makes the site the first link provided to people seeking downloads for code on Google and Bing search results.

And because of SourceForge's policies, it's nearly impossible for open-source projects to get their code removed from the site. SourceForge is, in essence, the Hotel California of code repositories: you can check your project out any time you want, but you can never leave.

Finders, keepers

As Ars reported, SourceForge posted a statement on the service's blog last week contending that GIMP had abandoned their project, and the site's team had merely picked up the account to maintain it under their "mirror" program for open source and free software projects. But the company did admit that it wrapped the GIMP installer on its site with a Web installer offering commercial software packages to get revenue out of the downloads.

For some developers who post code to SourceForge, the adware-offering bundles wrapped around downloads are welcome. In 2013, the FileZilla project's lead developer Tim Kosse authorized SourceForge to put an offer-producing installer around the project's download file. When someone expressed concern about the adware installer in the FileZilla forum, Kosse replied, "This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software." He added that an unbundled installer was still available on FileZilla's official download page.

FileZilla was an early participant in DevShare, SourceForge's revenue sharing plan for open-source developers. It was supposed to be opt-in only. By allowing SourceForge to wrap downloads in a Web installer that offered up to three different software bundles, open-source projects could generate some cash to support development.

But GIMP never enrolled in DevShare—SourceForge foisted the adware on the project's Windows installer after taking over the project's page. On Sunday, the GIMP team issued an official statement through Michael Schumacher, a maintainer of the GIMP website. It said that the GIMP team was never informed of what SourceForge was going to do. "This was done without our knowledge and permission, and we would never have permitted it," Schumacher wrote. Furthermore, he noted, the move broke a promise SourceForge made in November 2013: "We want to reassure you that we will never bundle offers with any project without the developers consent."

Schumacher said that "SourceForge are abusing the trust that we and our users had put into their service in the past. We don't believe that this is a fixable situation. Even if they promise to adhere to the set of guidelines outlined below, these promises are likely to become worthless with any upcoming management change at SourceForge. However, if SourceForge's current management are willing to collaborate with us on these matters, then there might be a reduction in the damage and feeling of betrayal among the Free and Open Source Software communities."

One way to fix things, Schumacher said, would be for SourceForge to "provide a method for any project to cease hosting at any SourceForge site if desired, including the ability to: completely remove the project and URLs permanently, and not allow any other projects to take its place; remove any hosted files from the service, and not maintain mirrors, serving installers or files differing from those provided by the project or wrap those in any way; [and] provide permanent HTTP redirects (301) to any other location as desired by the project. This is not unreasonable to expect from a service that purports to support the free software community."

However, SourceForge's current policy makes pulling a project from the site almost impossible:

At SourceForge.net, we feel a commitment to ensuring the long-term availability of the Open Source code released by the projects we host. We will weigh requests for project removal against the community value of leaving the project intact... Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value. Projects that are moving to closed source do not qualify for removal.

Our goal is to generally leave projects intact on SourceForge.net even if the original development team no longer wishes to continue development or support. Options are available to project administrators to tag the project as inactive (Orphaning the project) or to provide notification of a new development location (Relocating the project). These options are listed on the "Removal" section of the Project Admin pages. Specific types of data may be removed from a project without the removal of the entire project. Details regarding the removal of each specific project data type are listed in other sections of this document. Takeover of existing, inactive projects will be considered by SourceForge.net staff.

A little something extra

GIMP left SourceForge in part because of what Schumacher called "the invasion of the big green 'Download' button ads." Those ads, which SourceForge promised to make an effort to block from download pages, appear on nearly every one of the downloads for "mirrored" open-source projects either established or taken over by SourceForge's staff.

SourceForge isn't alone in hosting these deceptive advertisements that try to fool site visitors into downloading something a little extra. CNET's Downloads.com and other download-focused sites also mirror popular open-source and free software to generate advertising revenue and promote software bundles, and they often include ads with "Download" buttons that are totally unrelated to the software the visitor is seeking. And while many legitimate applications are offered through accompanying downloads on those sites, the ads often deliver software that is of questionable value at best—and malware at worst.

But those other sites don't have the same open-source heritage that SourceForge's name carries. Launched in 1999 by the company then known as VA Research (and shortly after as VA Linux Systems), SourceForge was the original open community development platform. The software behind SourceForge became an enterprise product as well. By 2007, even the Department of Defense had embraced it to set up the original Forge.mil at the Defense Information Systems Agency—a way for the military's developers to create military development communities around shared projects, even classified ones.

The enterprise version of SourceForge was sold off to CollabNet in April of 2007. And as competition rose from other source code repositories—chiefly from GitHub, which by January of 2013 had more than five million project repositories—many projects began to abandon SourceForge. The service's character seemed to shift after its sale by Geeknet (along with Slashdot and Freecode) to Dice Holdings for $20 million in September 2012, and that company instead focused on the retail site ThinkGeek. (Update: Geeknet is on track to be acquired by GameStop, after GameStop outbid Hot Topic. This story originally reported the proposed acquisition by Hot Topic from last week.)

The GIMP-Windows project is still active on SourceForge, and it is still packaged with the bundle-offer installer. Update: SourceForge now says that it will discontinue this practice for all "abandoned" projects, and only offer the advertisement-loaded installer as an opt-in for active project developers.

Source
