SourceForge adds software bloat to more installers

Oh, how the mighty have fallen. In the "we totally didn't see this one coming" department, SourceForge is under fire for "enhancing" downloads offered on its website via the seemingly industry-standard practice of wrapping applications in new installers that beg users to add other software of questionable value.

The initiative behind the practice is called DevShare. It's optional for developers, and it's been in operation since 2013 as a way for the site to share revenue. DevShare was met with some criticism when it was introduced, most notably from the GIMP Project, which subsequently removed SourceForge as a primary download mirror. The folks behind the GIMP complained about not only the installer practices, but also advertisements masquerading as legitimate download links.

As more popular projects got their installers under the DevShare umbrella, more people started noticing. Scott recently downloaded FileZilla and was greeted by an offer to install additional software.

Yo dawg, I put an installer in the installer for the installer

Things have taken a somewhat darker turn since then. The GIMP project had a SourceForge account acting as a secondary mirror for Windows binaries. SourceForge took over that account and altered the installer. The project now falls under the "sf-editor1" account, which also happens to include a lot of other high-profile software.

SourceForge explained in a blog post that the "GIMP-Win project wasn’t hijacked, just abandoned," and it provided a similar statement to Ars Technica. However, the official GIMP site disagrees with that assessment.

    • just brew it!
    • 4 years ago

    Looks like they have backed down, and will only bundle adware with the installer if the developer opts in: http://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/

    • MarkG509
    • 4 years ago

    This news actually stopped me from installing Palemoon for Linux, which is hosted on SourceForge. Instead, I may just grab the source and build it myself.

    • LoneWolf15
    • 4 years ago

    The number of sites NOT doing this has shrunk greatly.

    Usually, I hope I find what I need on MajorGeeks. Almost everyone else (File Hippo, SourceForge, Download.com, etc.) either has 2-3 fake download buttons, or crapware. Both piss me off.

    Which reminds me, I probably should donate at some point to MajorGeeks.

      • Peter.Parker
      • 4 years ago

      Have you tried FreewareHome.com ?
      I find it very well organized, and the description beside the software titles has warnings for crapware. I don’t think they store anything on their servers, I believe they just maintain the list, but it’s still a very good starting point.

    • albundy
    • 4 years ago

    they’d do anything for a buck! and who could blame them? greed is good! don’t they legally have to give you an option to not install their malware? even java and adobe flash have wrappers on their $hitty software, but they give you an option to not install the extra 3rd party garbage.

    • kamikaziechameleon
    • 4 years ago

    Blah first CNET, now this. Torrents here we come!

      • kvndoom
      • 4 years ago

      To reduce bandwidth, sites should just seed their program releases until enough people have it in the wild. Then it just takes care of itself.

    • odizzido
    • 4 years ago

    With torrents I think the need for file hosting sites like this has never been so minimal. I wish everything could be downloaded that way.

      • curtisb
      • 4 years ago

      Hosting costs have gone WAY down since the inception of SourceForge as well. They do offer a central repository for bug reports and message boards for projects, but so few projects, if any, put those features to good use. Hardly any projects are keeping their project pages up to date on SF anymore, either. Most moved on to dedicated sites/URLs long ago.

    • just brew it!
    • 4 years ago

    I consider SourceForge to be a last resort these days. First choice is the repo for the distro I’m dealing with. Second is the developer’s web site. Third is PPAs on Launchpad (if I am dealing with Ubuntu or a derivative thereof).

    Even for Windows installers there are generally better choices out there. Bandwidth is getting cheap enough that it is feasible for projects to host their own downloads and source code repositories. This is probably a big part of why SourceForge has been steadily losing relevance.

    • Deanjo
    • 4 years ago

    I wish the powers that be would take care of this at the DNS level. Start flagging Sourceforge as a malicious software site. You would see them clean up their act really quick. Faster than flagging it in anti-malware, av solutions.

      • gerryg
      • 4 years ago

      This can be done on WOT (Web of Trust) with their browser plugin, and I think it can be reported on OpenDNS if you use that, too. I sort of use WOT, it’s not always useful because a lot of sites are new/unknown, but occasionally I’ll see one that it has flagged as bad, which saved me a few times and makes it worth it in the end. Not sure if/how AdBlock/+ would handle it.

    • geekl33tgamer
    • 4 years ago

    Can’t beat a good bit of closed source Malware wrapped around your open source application.

    • GrimDanfango
    • 4 years ago

    I have never understood this practice in the slightest. It is the most short-sighted act of slash’n’burn money grabbing.
    I’ve known this bundled software affect just about every novice PC-owner I know, to the point that it generally cripples the computers of anyone who doesn’t know specifically what to look for and how to avoid it. Hell, even I’ve had to just flat-out quit an install because I couldn’t decipher what option would prevent the crapware being installed and which wouldn’t.

    The net result is that most general, novice PC users ultimately end up moving away from the PC as a platform. This practice literally drives away audiences to platforms that don’t suffer from this insanity – to Macs or iPads or Android devices.

    People worry about “viruses”, but I haven’t seen an honest-to-goodness straight-up virus in the wild for years now – the reason most users’ PCs end up ceasing to function is simply because they installed a couple of freeware applications and didn’t realise that it was shoveling malicious software in at the same time.

    This might make Sourceforge and co a quick buck in the short term, but it is slowly but surely poisoning the soil. There won’t be many people left to con sooner or later.

    I’d say this practice should be made flat-out illegal, but I’m really not sure whose jurisdiction it would even fall under. At the very least, PC users en-masse need to start treating Sourceforge and all who push this malicious crapware as straight-up malicious. No more wearily shaking our heads at the inconvenience. This isn’t a case of slightly annoying advertising that we endure because it constitutes someone’s primary revenue stream, this is knowingly preying on people for financial gain, and we need to make a show of not tolerating it.

      • bhtooefr
      • 4 years ago

      SourceForge is based in the US, and therefore it could fall into something like FTC jurisdiction.

      Alternately, major software vendors could do something – I believe Google already has, I’ve heard that Chrome is detecting SourceForge downloads as malware. Mozilla could do the same, and Microsoft could detect the malware installer in Security Essentials.

        • rxc6
        • 4 years ago

        That chrome calls it malware is rich given how often I find chrome bundled and trying to sneak into my system.

      • w76
      • 4 years ago

      I don’t know about being illegal, there’s countless products that people probably shouldn’t buy but do; it’s not (in my libertarian view) the government’s job at all to protect people from choosing to be dumb. Installing software on a computer without knowing how to read installer prompts is like putting on skis for the first time and taking on a double diamond run. It might go okay for a bit, but eventually you’ll plant your face in a tree. But is it illegal to try? Absolutely not. We’ve got to be responsible for ourselves at some point, unless we just all want to be eternal children.

      People just need to treat SF the way SF is treating its customers, and stop using them. If people continue to utilize the website and their services, that’s sending the signal that people are okay with it, which wouldn’t surprise me but it’d be unfortunate.

      • Platedslicer
      • 4 years ago

      So let me get this straight, you’re telling me that we should get our oh-so-well-intentioned politicians and their goons (who would never, ever think of abusing their power, of course) to protect people from their own incompetence, by raiding the houses of people who are essentially doing advertising for revenue on otherwise free software?

      Well, why not? It’s not like it’s going to cost anything in tax dollars or government power grabs, right?? /s

        • GrimDanfango
        • 4 years ago

        Didn’t quite mean for all the responses to zero in on that particular point. Yeah, I realise it’s not something that would ever work as a nationally policed legal issue… for one thing there’s just too much inherent legal ambiguity built into the practice by design anyway, specifically to hinder anything like that.

        Mainly what I was getting at is that the PC community should really cut ties with any service the moment it starts this crappy platform-damaging behaviour. Treat them like the virus-spewing criminals we all *know* them to be, regardless of whatever ostensible legality they hide behind, and stop treating the whole issue as just some unfortunate necessary evil of free software. It isn’t necessary, and it shouldn’t be seen as acceptable or tolerable.

      • davidbowser
      • 4 years ago

      Not that it is really popular, but this is an argument for the Windows Store. As with the Mac App Store, there is a moderate vetting process that strips out the bulk of the openly malicious stuff and much of the crapware. That makes for happier users, but it cuts into the profits for the software devs as MS and Apple take their percentage (10-15% I think).

      The other bonus to users (at least on the Mac App store) is that you get update notifications and optional auto-install of updated App Store apps. With that, I don’t have to manually download and install 10-15 apps that I use across the multiple systems (a couple desktops and a laptop) every time there is an update.

      NOTE: I am not referring to mobile, but rather the desktop App Stores.

        • GrimDanfango
        • 4 years ago

        It’s a tough choice… this is exactly why curated storefronts have become so popular, but as it stands, it necessitates another compromise we ideally shouldn’t need to make – it hands the reins almost entirely over to an all-powerful gatekeeper company.

        I’d love to see GOG Galaxy expand at some point to include apps as well as games. That seems like an ideal middle-ground… assuming they were never subverted by these crappy malware-bundling practices themselves of course!

      • divide_by_zero
      • 4 years ago

      Good points all around.

      I’ve seen quite a few legit viruses in the wild that require removal, but the vast majority of novice users just end up with a boatload of this parasitic software installed, and no idea how to deal with it. Not sure how many users are actually leaving Windows due to this, but the lack of this type of garbage on the Mac platform probably helps contribute to their “it just works” reputation.

      Really a shame to see SF take this approach — I can only imagine they’re either completely tone-deaf to how their users will react, or it’s literally the last revenue stream possible to keep them afloat.

      • slowriot
      • 4 years ago

      Disagree. You just want to protect fools from themselves. The people you speak of have almost universally clicked “Next” without reading what they’re agreeing to. It’s not an issue that needs to be addressed on a legal basis.

      If it were illegal then these same people will just walk themselves into another trap. In-app purchases or something similar.

        • GrimDanfango
        • 4 years ago

        I don’t want to protect fools from themselves. I want assholes* to answer for the crappy things they do, and for it not to be accepted as solely our responsibility to be on constant high-alert to avoid being caught out by them.
        People who prey on other people should be held to account. It’s irrelevant how ignorant or savvy the people they’re preying on happen to be.

        *-“jerks” just doesn’t carry the same message. Damned language filter autocorrect! 😛

          • slowriot
          • 4 years ago

          You keep acting like installing these applications is a right. It’s not. You do not have a right to install them. If you do not agree with the terms or the actions of the installer then either don’t use it at all or click the “Cancel”, “Back”, “Do not agree” or whatever button that ends it. That simple.

          No one is forcing you into this. The SF installer isn’t forcibly installing software on your PC. It states what it does if you check the boxes. If you don’t like what it’s going to do then click no and find the software elsewhere or just simply do not use it.

          In order to be a “victim” of it, you must agree. How the hell are you a victim if you agree to it?

            • Goofus Maximus
            • 4 years ago

            It is fraudulently profiting from those who don’t know any better, or mistakenly miss one little checkbox during the install process. I’m paranoid, but even I have missed or misread an option that has saddled me with McAfee, once or twice. Who needs force, when trickery will do the job?

            I would say that installing only the software that we think we are installing, without easily missed or misinterpreted “gotchaware” install options, should be a basic “right.” Not having your creations taken over by a third party for arbitrary reasons, as happened to Jernej Simončič, who found himself locked out of his own gimp-win project account, should probably be a right as well.

      • Chrispy_
      • 4 years ago

      It falls under the jurisdiction of capitalism as you essentially described.

      The users (their source of income) do one of the following:
      1) Get burned and learn never to go back to that site again
      2) Get burned and switch to another platform, never needing to go back to that site again
      3) Haven’t got a clue, get infected to hell, and lose the ability to ever browse that site again.

      Undesirable website means that revenue dries up, website folds.
      Desirable website means that revenue continues, business as usual.

    • UnfriendlyFire
    • 4 years ago

    Is SF trying to be like CNET?

      • bittermann
      • 4 years ago

      You have to work in IT to figure out which of the download buttons actually let you download the package (only) that you need from the website page. That deceptive crap should be outlawed.

        • UnfriendlyFire
        • 4 years ago

        I recall a download didn’t bother to ask and simply piled malware on my laptop after I used CNET.

        I nuked the laptop’s HDD and reinstalled the OS instead of bothering with the whack-a-mole malware hunting game.

      • NovusBogus
      • 4 years ago

      The open source movement has basically the same problem that shareware/freeware had in the late 90s: nobody actually ponies up any money if they don’t feel obligated to and eventually someone has to pay the bills. So yeah, it’ll probably turn out just like CNET.

    • Welch
    • 4 years ago

    Just a heads up, I’ve removed MyPCBackup from hundreds of systems. It is quite a bit more than just a PUP (Potentially Unwanted Program): it can be malicious in that it claims you haven’t done backups, then tries to get you to buy into their BS software. On top of that, the links it brings users to will often install other fake Anti-Virus tools to scare users into buying some other fake protection.

    I think people need to stop trying to reinvent the wheel as far as labeling junk like this. Call it what it is… Malware. I don’t need to have a new title of ransomware or whatever… we all know it’s malicious in nature and it only confuses people about what they have on their machine. Also it’s given the AV companies a BS excuse to claim it’s not a virus… so we can’t really protect you from it.

    Most decent AVs do more than just remove/protect from viruses, which is why some of them are straying away from being called an Anti-Virus and more of a “Security Suite”. Much more fitting I think if they actually do their jobs.

      • just brew it!
      • 4 years ago

      Yes, they’re all types of malware. But I think it is still quite useful to have the sub-category name as well. It is much more concise to say “ransomware” than “malware that goes through the files on your hard drive, encrypts anything that looks important, then forces you to pay hundreds of dollars to a shady offshore web site to get the decryption key (if you don’t have a current backup)”. If someone doesn’t know what “ransomware” is, they can look it up on Google or Wikipedia.

      • divide_by_zero
      • 4 years ago

      Totally agreed. On almost every system from which I’ve removed this trash, it’s certainly not the only malware found. Classifying them into sub-categories doesn’t do anyone any favors — it’s meant to scare and scam novice users, plain and simple.

      So, I’ve been away from hands-on cleaning of clients’ systems for a couple years now. I still have my preferred disinfecting routine for friends and family, but I’m curious if any of the AV software vendors have gotten any better at preemptively blocking this and other threats.

    • Melvar
    • 4 years ago

    Wouldn’t adding this installer to GPL’d software violate all sorts of stuff in the GPL? For example, don’t they need to provide the source code for the adware they install?

      • bhtooefr
      • 4 years ago

      It’s a 2-stage downloader – you download the malware installer, then it downloads the GPLed software.

      It’s just as illegal as downloading something GPLed using Internet Explorer.

        • just brew it!
        • 4 years ago

        Even if it is bundled together in the same download it is not necessarily a GPL violation. In order to be a violation the combined package needs to constitute a “derivative work”; AFAIK this is generally taken to mean that there must be some sort of runtime linkage between the proprietary and GPLed code.

        So the only way this would qualify would be if they were distributing modified application binaries, with proprietary malware embedded directly into the application code.

      • Deanjo
      • 4 years ago

      No, not in violation of the GPL in the slightest.

      • NovusBogus
      • 4 years ago

      GPL lets you package, bundle, use, etc. the binaries, you just can’t compile any of the code into your own derivative work. So for example, wrapping an evil trojan around the regular Filezilla installer is totally fine but copying some of the FTP communication functions into my own application’s source code isn’t.

    • UberGerbil
    • 4 years ago

    I wonder if SourceForge is not long for this world. If they’re doing something like this, they must be rather desperate for operating revenue. Hosting is free, and on that scale it isn’t cheap.

      • ImSpartacus
      • 4 years ago

      Yeah, you don’t do this unless it’s your last option.

      They aren’t stupid. There’s no way they think this is a good long term business practice.

        • GrimDanfango
        • 4 years ago

        I feel this is kind of irrelevant. In no other field would it be tolerated for a company to start overtly maliciously preying on people simply because they were “down on their luck”. Restructure, or declare bankruptcy. Hell, ask nicely for donations. Taking the “I’m gonna burn this house to the ground!” route is messed up, and should cause a company to be instantly and totally ostracised from the field it operates in. Yet we tolerate it as an unpleasant but expected annoyance.

          • ImSpartacus
          • 4 years ago

          I trust that they have weighed their options and they are literally just looking to operate for a little while longer and then call it quits.

          I don’t know the details of their situation, so I’m obviously speculating. However, I find it hard to believe that the sf people aren’t fully aware of how destructive their behavior is.

          This is pretty much the nuclear option and they wouldn’t choose it lightly.

            • GrimDanfango
            • 4 years ago

            My point is “we’ll just have to screw over as many people as possible to stay afloat” shouldn’t be an option anyone takes, unless they’re self-serving scum. If it’s the end, and you have a shred of decency, wrap it up with some dignity and move on.

            • Deanjo
            • 4 years ago

            What is really sad is when the likes of Oracle and Adobe also resort to such crap despite being well off.

            • wimpishsundew
            • 4 years ago

            Wait! You don’t want to install the AskMe or Duckduckgo tool bars?

            • kvndoom
            • 4 years ago

            Oh let’s PLEASE not forget McAfee Security Scan! I have to uncheck that every single damn time Adobe Flush updates.

            Oh wait, I just uninstalled Flush until NFL season comes back around. Score!

            • MadManOriginal
            • 4 years ago

            It is part of the reason they are well off.

      • Flying Fox
      • 4 years ago

      GitHub seems to be gaining the most traction in terms of project hosting. Even Google Code is about to be shut down. So yes, SF is dying a slow death.

    • BlackStar
    • 4 years ago

    I used to use Sourceforge as the primary mirror for my open-source software. Not anymore.

    Worse than this, I get creeped out every time I see software redirecting me to Sourceforge for a download. The damage they did to their image is immense and probably (hopefully) terminal.

    And to think I have donated money to these creeps.

    • Toby
    • 4 years ago

    They’ve been doing the adware thing for awhile now and I was hoping it was a bad idea that they would turn away from, but after learning they will usurp a developer’s account to insert adware into software I’m done with them for good.

    This is a shame and it’s very unfortunate that a site that made its name on distributing open-source software can’t see that the target market won’t stand for adware.

    Closed-source adware, I might add. 🙂

    • curtisb
    • 4 years ago

    I rarely use SourceForge links to download anymore for this very reason. You never know if you’re getting the bloated/altered installer until after it’s downloaded. The altered installers used to have a different icon, but I don’t know if they do anymore. Most high-profile projects (GIMP, Notepad++, FileZilla, etc.) offer alternate download links as the primary link on their site nowadays.

      • Kurkotain
      • 4 years ago

      For some reason I misread that into ‘NopeZilla’

      I want that program
