[JohnTHaller]

And it sometimes bases those filters on personal grudges. Which is why all of SourceForge is blocked by default due to bad behavior last year on a handful of projects out of 400,000 that they discontinued after public outcry. Meaning that there is no forgiveness for giving in to public pressure. At the same time, tons of download sites with all kinds of malware and bundleware are allowed right through.

[coldpie]

I don't remember hearing SF apologize for or announce that they're stopping their malware bundling. The sourceforge block is a little extreme, although it's easy to get past it with the big buttons. Overall, I'm OK with punishing that kind of malicious behavior super hard, although I don't feel strongly about it and understand why you object to it.

[JohnTHaller]

There are two separate things here. First, there's the Dev Share program which is opt in to allow projects to make money. This puts a bundleware installer up first that then downloads the main installer as the primary "Download" button with an alternate main installer only link alongside. Projects like FileZilla do this to support their development.

Second, there was a program where some of SourceForge's mirrored projects were distributed in the same fashion. SourceForge does mirroring of open source projects not hosted on SourceForge. SourceForge, in an effort to make more money, used the same bundleware style download installer for projects like GIMP. As GIMP wasn't repackaged in this installer, there was no GPL impact. However, it was distasteful to say the least. After both publishers like GIMP and the wider open source community reacted negatively, SourceForge discontinued the program and announced on their blog that they would not reinstate it. They also stated that they would form an open source community advisory board before implementing any additional open source monetization strategies in the future.

SourceForge currently has about 10 projects that opt in to their Dev Share program. Every one is available for download without using the bundleware installer. And their custom bundleware installer is far clearer about what it is than the majority of the commercial bundelware installers out there, though, like all bundleware installers, it does still make use of dark patterns which I am not a fan of (see also: Avast updates, Flash updates, Java updates all of which pre-bundle Google Chrome and trick you into installing via dark patterns).

So, all 400,000 projects on SourceForge are blocked permanently with no possibility of unblocking because of a few weeks of legal but unethical bad behavior that SourceForge publicly backtracked from and no longer engages in.

Punishing bad behavior makes a lot of sense. But when someone reacts in a positive way to that punishment (stopping it, publicly talking about it, setting up a committee before exploring further options, etc), it makes sense to remove the block. Otherwise, once you're blocked, there's no reason to reform.

[Veratyr]

I think the difference in opinion between you and some of the people you're replying to mainly comes down to "bundleware". You use that word a lot but to me, "bundleware" is malware.

[JohnTHaller]

I'm no fan of bundleware. I've been running PortableApps.com for over 10 years with over 500,000,000 app downloads all 100% bundleware free. Our format disallows bundleware and many of our users use our software on their local machines due to that.

uBlock didn't start blocking SourceForge because of the Dev Share opt-in bundleware program. They started blocking SourceForge because of the GIMP situation which SourceForge backed off of as a result.

uBlock isn't designed to block bundleware. uBlock lets tens of thousands of download sites and software publishers that distribute bundleware. Most of them distribute far worse bundleware, far more of it (some come with 10 offers or more), and use far more dark patterns to trick users into installing than anything distributed by SourceForge. But uBlock still specifically blocks SourceForge despite only about 10 of 400,000 projects using it, all of which have opted in to the program.

Essentially, uBlock appears to be blocking based on the whims of the developer rather than any balanced and fairly applied policy. That's one reason I decided to stop recommending it to others.

[yAnonymous]

SF are distributing malware and they steal other people's work. The block is more than justified and in fact users were asking for it.

[JohnTHaller]

Incorrect. There are two separate things here. First, there's the Dev Share program which is opt in to allow projects to make money. This puts a bundleware installer up first that then downloads the main installer as the primary "Download" button with an alternate main installer only link alongside. Projects like FileZilla do this to support their development.

Second, there was a program where some of SourceForge's mirrored projects were distributed in the same fashion. SourceForge does mirroring of open source projects not hosted on SourceForge. SourceForge, in an effort to make more money, used the same bundleware style download installer for projects like GIMP. As GIMP wasn't repackaged in this installer, there was no GPL impact. However, it was distasteful to say the least. After both publishers like GIMP and the wider open source community reacted negatively, SourceForge discontinued the program and announced on their blog that they would not reinstate it. They also stated that they would form an open source community advisory board before implementing any additional open source monetization strategies in the future.

Today, SourceForge has 400,000 projects hosted, many of which are hosted nowhere else, all of which are blocked by uBlock. Of those, about 10 participate in the Dev Share program on an opt in basis to fund their development. No other projects are presented as a bundleware installer by SourceForge. It's been this way for months since soon after the publisher and community backlash and SourceForge's subsequent apology and policy changes.

[fwn]

The exact bundleware you describe is a badware risk, no matter for what reason it is designed. It is badware since you would not install it if the installer did not trick you, and it is a risk since the bundling bets on your inability to catch all the UI patterns designed to make you install it.

I personally deactivated the block after stumbeling over it. The dialogue is straight forward and takes exactly one click to never bother you with the specific rule ever again. (It looks like this: https://i.imgur.com/A7pA5mb.png )

It may be targeted at the tech crowd, but I think this could be said for the whole extension.

[JohnTHaller]

I'm not arguing that any bundleware is a badware risk. At all. I was arguing that it's disingenuous to block 400,000 projects on SourceForge because of 10 that do bundleware that's on the less worse end of the spectrum (bad but less bad) while still allowing download sites that have much worse bundleware (closer to or actually malware, 10x offers instead of 2, more dark patterns making it more likely you make a mistake, installers that install bundleware even when you select not to, etc) to get through without an issue.

[fwn]

Ok, fair enough. I didn't understand your post that way. I'd be fine with more download pages on that list.

[gorhill]

> And it sometimes bases those filters on personal grudges

That I hold "personal grudges" is your personal opinion.

I took care to document the rationale behind my decision to block `sourceforge.net`[1]. Notice that it is not a hard-block, it is a soft-block, which purpose is to act as a warning for the uninitiated. One can easily dismiss and go ahead.

If you followed the project closely you would have seen that I have resisted adding sites as "Badware risks" unless there are enough well supported, credible and repeated references in support of such decision.

[1] https://github.com/gorhill/uBlock/wiki/Badware-risks#sourcef...

[joshschreuder]

Not the OP, but I've stumbled upon this wiki page before, and I just wanted to thank you for writing it all up.

Not only was it interesting, but the fact that you're open and transparent enough to document WHY certain things like this are blocked, is a huge bonus in using uBlock (which is already an essential tool IMO). Thanks.

[JohnTHaller]

My apologies for the statement that it is a personal grudge as I now see that doesn't seem to be the case.

Unfortunately, the evidence you're including is a bit out of context and outdated. Here are the most recent 3:

2015-10-16: "FileZilla binaries from sourceforge ... Malware warn" -- This was a temporary false positive in Windows antivirus on a clean download of FileZilla without bundleware that was then posted to Twitter. I belive it was fixed within 48 hours. To my knowledge, FileZilla has never posted an infected download of their official Windows binaries. And I have downloaded and scanned just about every single FileZilla binary package for Windows going back to version 3.0.6 in February 2008 as part of packaging FileZilla for portable use on USB drives and cloud drives. Note that I am not talking about the "SourceForge installer" that's downloaded first by default because FileZilla has opted into the Dev Share program to generate revenue which I'll detail in a moment.

2015-07-24: Downloading from SourceForge? Official links deliver fakes also -- FileZilla is one of the ~10 projects opted into the Dev Share program. When you click the main download link, you get a "downloader" installer. Essentially, it's a stub installer that offers up bundleware of some sort and, whether you accept or refuse, then downloads the main FileZilla installer. It's not a "wrapper" as mentioned in the article and I'm unsure why they call it that. It's entirely separate. If you dislike the bundleware installer, there's a "Direct Download" link right below the main download button. The main download button is also labeled as "Installer enabled" with an info icon next to it. (An odd nomeclature that I disapprove of.) If you hover it says "This is an ad supported installer. Our secure installer might provide you with an ad during the install process."

2015-06-18: A hotbed of malware: Another blow for SourceForge as Google discovers 588 pages with malicious software -- While most of this has been cleaned up according to the current Google scans, this appears to be due to the fact that SourceForge provides free web hosting to tens of thousands of open source projects and was letting those projects handle what was hosted themselves. Unfortunately, many of these projects were hosting outdated CMS, wiki, issue tracker, and forum installs a while back that would then wind up automatically infected by bots that constantly scan for exploits in hosted apps and use them to distribute malware. SourceForge made changes that discontinued many of these free-for-all hosting setups last year in an effort to increase security but it's been a long process from what I heard. They didn't want to cut off open source projects without warning when these installs where often the only existing communities, manuals, etc for many of these projects. Other open source hosts like Github don't have these kinds of issues because they don't offer full-featured site hosting.

Basically, today, it can be boiled down to two real issues:

#1 - SourceForge has a program called Dev Share that allows projects to opt-in to place a bundleware download installer as their default download. This bundleware or stub installer will show 1-2 offers of additional software to the user as they try to install. The download links are relatively well marked as mentioned in my point regarding '2015-07-24' above, though I would like to see that improved. The direct download link is very well marked as "Direct Download" though I would like to see the font size increased. At present, there are about 10 projects out of the 400,000 hosted projects that participate in this program.

#2 - The incident with GIMP and a couple other projects will live in open source hosting infamy for some time. SourceForge made the (absurdly bad) decision to implement the same Dev Share setup for a handful of hosted binaries for open source projects that either never used SourceForge or left SourceForge last year, including semi-commandeering the SF projects of projects that had left. This behavior was rightly and loudly criticized by the affected project teams and everyone else in the open source community including myself. While technically legal since they weren't adding anything to the open source apps and weren't wrapping the existing binaries or installers in their own bundleware installer (the way some other sites have in the past and do today) it was unethical in most of our eyes. After quite a bit of outcry, SourceForge reversed their decision (IIRC within a couple weeks), promised not to do it again, and agreed to setup an open source community advisory board before exploring other means of monetizing open source downloads. I know about the last part as I was approached to be a part of that board.

I was under the impression that the GIMP et al incident was the reason uBlock added the sitewide block, which is why it seemed like a personal grudge to continue the block after SourceForge backed down and agreed not to engage in that behavior again. It seemed counterproductive to continue the block because it had achieved what seemed to be the desired result. And unblocking them now would allow you to hold the threat of a block over them should they go back on the promise not to engage in the unethical behavior again in the future.

My apologies again for the accusation that it was a personal grudge as it does not seem like that was the case based on your documentation. I still believe that blocking them sitewide now is the wrong call and counterproductive to educating and disciplining bad actors and a bit of a detriment to the open source projects that are hosted there.

I'm not a part of SourceForge or directly affiliated with them, so I don't claim to speak for them. I do host one of the largest open source projects there, PortableApps.com. We've served up hundreds of millions of downloads from them over the years for free. We've never participated in the Dev Share program and SourceForge has never in 10+ years altered any of our download files. And there still isn't a replacement for the download hosting they provide for projects like ours that host hundreds of different apps across all kinds of open source licenses and genres that would like download stats and similar features. And that need the ability to do direct downloads of large Windows installers (up to 1GB for some open source games) directly over an HTTP connection without using a web browser.

I'd be happy to discuss any of this further with you if you'd like. My email address is on my personal site: johnhaller.com