Sourceforge Hijacks the Nmap Sourceforge Account

[lordi]

Hi Folks! You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware.
Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which lead to malware rather than GIMP. Then Sourceforge took over GIMP's account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. Of course this goes directly against Sourceforge's promise less than two years ago:

"we want to reassure you that we will NEVER bundle offers with any project without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

So much for that promise! Anyway, the bad news is that Sourceforge has also hijacked the Nmap account from me. The old Nmap project page is now blank:

http://sourceforge.net/projects/nmap/

Meanwhile they have moved all the Nmap content to their new page which only they control:

http://sourceforge.net/projects/nmap.mirror/

You can see at the top that the owners of the Nmap page are now 'sf-editor1', and 'sf-editor3'. You can click on those to see other projects they have hijacked.

source :

http://seclists.org/nmap-dev/2015/q2/194

[software182]

:wtf: Sourceforge is getting crap

[lordi]

I don't understand, why Sourceforge sacrifice their reputation for that :s

[shamu726]

There is always more than one side to a story. Here's the response Sourceforge.

Analysis of nmap project and data

We evaluated recent claims of the nmap project regarding changes to their project presence and data on SourceForge. We’ve confirmed conclusively that no changes were made to the project or data, and that all past download delivery by nmap on SourceForge was through our web hosting service where content is project-administered.

tl;dr:

"The old Nmap project page is now blank. Meanwhile they have moved all the Nmap content to their new page which only they control."

SF: "Internet Archive (archive.org) cache was used to assess this concern [page being blank].

2001: Project was empty

2005: Project was empty

2007: Project was empty

2012: Project was empty

2015: Project is empty

The last update date in 2013 relates to the migration of the nmap project (along with all other projects on the site) from SourceForge’s sfx code base to the new Apache Allura-based code base. This migration was an automated operation conducted for all projects, and this platform change did not augment data in the Project Web service or File Release System.

We therefore conclude that no content has been removed from the nmap project page. Look and feel of this page has changed over time, but the underlying data remains has remained unchanged by staff.

The lack of audit trail data further confirms that no changes have occurred on this project."

Read full analysis here:

http://sourceforge.net/blog/analysis-of-nmap-project-and-data/

[lordi]

but what about the claim from software devs that Sourceforge bundle junkware inside their original software

“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.

source :

http://www.howtogeek.com/218764/warning-don%E2%80%99t-download-software-from-sourceforge-if-you-can-help-it/

[shamu726]

Here is Sourceforge's response to the gimp-adware fiasco:

Third party offers will be presented with Opt-In projects only

In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers for unmaintained SourceForge projects.

While we had recently tested presenting easy-to-decline third party offers with a very small number of unmaintained SourceForge projects, we discontinued this practice promptly based on negative community feedback. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.

As a company, we at SourceForge pride ourselves on being highly responsive to our community members and, with that in mind, do our best to respond to all communications and address all concerns in a timely manner. We encourage anyone that would like additional information about our practices or specific issues they have to reach out to us directly by using the “Help” link in the header of the SourceForge site, which provides contact information for our Support team and which will ensure any questions or issues you may have are resolved in an efficient manner. As usual feel free to contact us also at [email protected].

Whether they made an honest mistake with gimp or not, we may never know for sure.

[212eta]

Sourceforge needs to clean the crap :shit: out of it...

[DKT27]

@lordi & shamu726: Good to see you guys give us more info on the matter.

About SF, I'm surprised for them to even consider bundling such things with the softwares. Either way, I wonder if any type of bundling with software is allowed as per the open source software rules.