My apologies for the statement that it is a personal grudge as I now see that doesn't seem to be the case. Unfortunately, the evidence you're including is a bit out of context and outdated. Here are the most recent 3:

2015-10-16: "FileZilla binaries from sourceforge ... Malware warn" -- This was a temporary false positive in Windows antivirus on a clean download of FileZilla without bundleware that was then posted to Twitter. I believe it was fixed within 48 hours. To my knowledge, FileZilla has never posted an infected download of their official Windows binaries. And I have downloaded and scanned just about every single FileZilla binary package for Windows going back to version 3.0.6 in February 2008 as part of packaging FileZilla for portable use on USB drives and cloud drives. Note that I am not talking about the "SourceForge installer" that's downloaded first by default because FileZilla has opted into the Dev Share program to generate revenue, which I'll detail in a moment.

2015-07-24: Downloading from SourceForge? Official links deliver fakes also -- FileZilla is one of the ~10 projects opted into the Dev Share program. When you click the main download link, you get a "downloader" installer. Essentially, it's a stub installer that offers up bundleware of some sort and, whether you accept or refuse, then downloads the main FileZilla installer. It's not a "wrapper" as mentioned in the article and I'm unsure why they call it that. It's entirely separate. If you dislike the bundleware installer, there's a "Direct Download" link right below the main download button. The main download button is also labeled as "Installer enabled" with an info icon next to it. (An odd nomenclature that I disapprove of.) If you hover it says "This is an ad supported installer. Our secure installer might provide you with an ad during the install process."

2015-06-18: A hotbed of malware: Another blow for SourceForge as Google discovers 588 pages with malicious software -- While most of this has been cleaned up according to the current Google scans, this appears to be due to the fact that SourceForge provides free web hosting to tens of thousands of open source projects and was letting those projects handle what was hosted themselves. Unfortunately, many of these projects were hosting outdated CMS, wiki, issue tracker, and forum installs a while back that would then wind up automatically infected by bots that constantly scan for exploits in hosted apps and use them to distribute malware. SourceForge made changes that discontinued many of these free-for-all hosting setups last year in an effort to increase security, but it's been a long process from what I heard. They didn't want to cut off open source projects without warning when these installs were often the only existing communities, manuals, etc. for many of these projects. Other open source hosts like GitHub don't have these kinds of issues because they don't offer full-featured site hosting.

Basically, today, it can be boiled down to two real issues:

#1 - SourceForge has a program called Dev Share that allows projects to opt in to place a bundleware download installer as their default download. This bundleware or stub installer will show 1-2 offers of additional software to the user as they try to install. The download links are relatively well marked as mentioned in my point regarding '2015-07-24' above, though I would like to see that improved. The direct download link is very well marked as "Direct Download", though I would like to see the font size increased. At present, there are about 10 projects out of the 400,000 hosted projects that participate in this program.

#2 - The incident with GIMP and a couple other projects will live in open source hosting infamy for some time. SourceForge made the (absurdly bad) decision to implement the same Dev Share setup for a handful of hosted binaries for open source projects that either never used SourceForge or left SourceForge last year, including semi-commandeering the SF projects of projects that had left. This behavior was rightly and loudly criticized by the affected project teams and everyone else in the open source community, including myself. While technically legal since they weren't adding anything to the open source apps and weren't wrapping the existing binaries or installers in their own bundleware installer (the way some other sites have in the past and do today), it was unethical in most of our eyes. After quite a bit of outcry, SourceForge reversed their decision (IIRC within a couple weeks), promised not to do it again, and agreed to set up an open source community advisory board before exploring other means of monetizing open source downloads. I know about the last part as I was approached to be a part of that board.

I was under the impression that the GIMP et al. incident was the reason uBlock added the sitewide block, which is why it seemed like a personal grudge to continue the block after SourceForge backed down and agreed not to engage in that behavior again. It seemed counterproductive to continue the block because it had achieved what seemed to be the desired result. And unblocking them now would allow you to hold the threat of a block over them should they go back on the promise not to engage in the unethical behavior again in the future.

My apologies again for the accusation that it was a personal grudge as it does not seem like that was the case based on your documentation. I still believe that blocking them sitewide now is the wrong call and counterproductive to educating and disciplining bad actors and a bit of a detriment to the open source projects that are hosted there. I'm not a part of SourceForge or directly affiliated with them, so I don't claim to speak for them.

I do host one of the largest open source projects there, PortableApps.com. We've served up hundreds of millions of downloads from them over the years for free. We've never participated in the Dev Share program and SourceForge has never in 10+ years altered any of our download files. And there still isn't a replacement for the download hosting they provide for projects like ours that host hundreds of different apps across all kinds of open source licenses and genres that would like download stats and similar features. And that need the ability to do direct downloads of large Windows installers (up to 1GB for some open source games) directly over an HTTP connection without using a web browser. I'd be happy to discuss any of this further with you if you'd like. My email address is on my personal site: johnhaller.com