by cillian64 4039 days ago
Is there anything suggesting it's SourceForge itself doing this and not just (an improbably widespread, admittedly) set of account breaches? It makes sense -- acquire accounts, enable ads, profit.

"The Open Source Mirror Directory is an extension to our existing software directory, where we'll be mirroring projects that are not hosted on SourceForge, and SourceForge projects that have been abandoned."

Why are we doing this? We want the SourceForge software directory to be as useful as possible. When you come here to search for a piece of software, we want you to be able to find it, and find the most up to date releases. And if that software isn't hosted on SourceForge, we still want you to be able to find it. Or if a SourceForge project has been abandoned, we want it moved to the mirror and maintained, so you can always find the newest releases. Millions of people use SourceForge every day to search for Open Source software, and we want to give them the best experience possible, even if the best answer to their search is a project hosted elsewhere, or an abandoned project newly maintained by the SourceForge team.

http://sourceforge.net/mirror/

So...they're claiming to "maintain" projects, and that means turning them into adware?

That's so underhanded and nasty that it's difficult to believe. If true, it means SourceForge has effectively become the nemesis of every software developer who ever used their services. And, it means every software developer who cares about software freedom and privacy must move everything off of SourceForge.

We host Webmin on SF.net, still, and it is downloaded over 3 million times per year, making it one of the most popular packages in the system administration category for over a decade (last I checked a few years ago, it was second only to phpmyadmin). They've never done anything weird or underhanded with our stuff (but most of our packages are signed and set up in such a way that fiddling with them would be somewhat challenging). Given its popularity, I would assume it would be a likely target for this sort of thing. But, maybe it's only "abandoned" projects? (Whatever that means, since it sounds like the original author in this case did not consider their project abandoned.)

Abandoned projects and "projects that are not hosted on SourceForge", which appears to include projects that still have a SourceForge page that's actively maintained if the project has moved elsewhere. So if you move off SF.net, they'll take over your page there and use it to distribute adware-enhanced versions of your software. Incredibly underhanded.
Moving doesn't prevent this or protect users, and it actually would potentially trigger such a takeover by SF.net? So, there is no escape?

I'm really finding this hard to believe. It's just incredible. I mean, I've had a bit of a love-hate relationship with SF.net forever, but it's always been the kind of thing you might have with a bratty sibling (i.e. you wish they were doing more with their lives, but you still love them). This is such a massive betrayal of trust that I can't even swallow it.

I mean, the evidence seems to be there, and more than one major project has reported this behavior, so it's not really something I can just ignore. But, it's also just so horrible. (I'm beginning to become repetitive. I just really find this unbelievably awful.)

I don't know anyone involved in SourceForge, and haven't in more than a decade, so I don't even know who to reach out to for some kind of clarification about WTF they think they're doing. Their mirror page doesn't explain anything about distributing malware in these projects they "maintain", so they're already not being forthright about it.

Shame really: for a while SourceForge was THE place to go for open source software.

They claim (at the bottom of http://sourceforge.net/mirror/) that "If you have an Open Source project outside of SourceForge, we'd like to hear from you. If you want your project mirrored on our site, or if you don't want your project mirrored on our site, please let us know. Or there's any other service that we can extend to your project community, we'd like to hear that, too. Contact us at communityteam@sourceforge.net and we'll be sure the message gets to the right people."

People should email them at communityteam@sourceforge.net and ask to be un-mirrored. Maybe that will work.

I asked them to stop distributing the GIMP installer on May 16th (as soon as we found out what's happening), but didn't even receive a response.