[SwellJoe]

So...they're claiming to "maintain" projects, and that means turning them into adware?

That's so underhanded and nasty that it's difficult to believe. If true, it means SourceForge has effectively become the nemesis of every software developer who ever used their services. And, it means every software developer who cares about software freedom and privacy must move everything off of SourceForge.

We host Webmin on SF.net, still, and it is downloaded over 3 million times per year, making it one of the most popular packages in the system administration category for over a decade (last I checked a few years ago, it was second only to phpmyadmin). They've never done anything weird or underhanded with our stuff (but most of our packages are signed and setup in such a way that fiddling with them would be somewhat challenging). Given its popularity, I would assume it would be a likely target for this sort of thing. But, maybe it's only "abandoned" projects? (Whatever that means, since it sounds like the original author in this case did not consider their project abandoned.)

[makomk]

Abandoned projects and "projects that are not hosted on SourceForge", which appears to include projects that still have a Sorceforge page that's actively maintained if the project has moved elsewhere. So if you move off SF.net, they'll take over your page there and use it to distribute adware-enhanced versions of your software. Incredibly underhanded.

[SwellJoe]

Moving doesn't prevent this or protect users, and it actually would potentially trigger such a takeover by SF.net? So, there is no escape?

I'm really finding this hard to believe. It's just incredible. I mean, I've had a bit of a love-hate relationship with SF.net forever, but it's always been the kind of thing you might have with a bratty sibling (i.e. you wish they were doing more with their lives, but you still love them). This is such a massive betrayal of trust that I can't even swallow it.

I mean, the evidence seems to be there, and more than one major project has reported this behavior, so it's not really something I can just ignore. But, it's also just so horrible. (I'm beginning to become repetitive. I just really find this unbelievably awful.)

I don't know anyone involved in SourceForge, and haven't in more than a decade, so I don't even know who to reach out to for some kind of clarification about WTF they think they're doing. Their mirror page doesn't explain anything about distributing malware in these projects they "maintain", so they're already not being forthright about it.

[fomojola]

Shame really: for a while SourceForge was THE place to go for open source software.

They claim (at the bottom of http://sourceforge.net/mirror/) that "If you have an Open Source project outside of SourceForge, we'd like to hear from you. If you want your project mirrored on our site, or if you don't want your project mirrored on our site, please let us know. Or there's any other service that we can extend to your project community, we'd like to hear that, too. Contact us at communityteam@sourceforge.net and we'll be sure the message gets to the right people."

People should email them at communityteam@sourceforge.net and ask to be un-mirrored. Maybe that will work.

[ender1]

I asked them to stop distributing the GIMP installer on May 16th (as soon as we found out what's happening), but didn't even receive a response.