posted by janrinok on Thursday May 28 2015, @03:12PM
from the this-is-not-the-host-you-are-looking-for... dept.

Google, or someone using their hosting service, noted that SourceForge had established a mirror to the official GIMP-for-Windows site and were now offering downloads which contained adware:

It appears that +SourceForge took over the control of the 'GIMP for Windows' account and is now distributing an ads-enabled installer of GIMP. They also locked out original owner of the account, Jernej Simončič, who has been building the Windows versions of GIMP for our project for years.

So far they haven't replied to provide explanations. Therefore, we remind you again that GIMP only provides builds for Windows via its official Downloads page.

SourceForge's mirrored sites facility is described thus:

The Open Source Mirror Directory is an extension to our existing software directory, where we'll be mirroring projects that are not hosted on SourceForge, and SourceForge projects that have been abandoned.

The problem, though, is that GIMP-for-Windows is not an abandoned project, but moved from SourceForge to Google because the writers "had concerns about the presence of misleading third-party ads on SourceForge".

SourceForge has responded, acknowledging that Gimp-Win had abandoned SourceForge due to misleading ads and claiming "They were not alone in those concerns — we were also concerned — leading us to establish a program to enable users and developers to help us remove misleading and confusing ads." They also admit "Mirrored projects are sometimes used to deliver easy-to-decline third-party offers..." which suggests that they have merely changed the way that they deliver their ads, but not necessarily the ads' content. So, some might say, they've rectified the situation by providing both misleading ads and misleading hosting.

SourceForge also say "Since our change to mirror GIMP-Win, we have received no requests by the original author to resume use of this project. We welcome further discussion about how SourceForge can best serve the GIMP-Win author." Perhaps letting the writer choose where he hosts his project would be a good place to start.

Sourceforge hijacks GIMP For Windows project, adds malware to downloads

SourceForge (SF) has taken over control of the GIMP for Windows SF project and is now distributing an adware/malwared installer for GIMP. They also locked out the maintainer, Jernej Simončič. SourceForge claims it was "abandoned" and they're providing a service by "mirroring" the original, though it's unclear how much value malware adds for the end user, rather than for SF. (This comes two years after SF claiming its malware was just "misunderstood".)

Since being busted, SF is now serving an .exe that matches that at the official download site.

Other projects recently hijacked by SF include many Apache projects (Allura, Derby, Directory Studio, the Apache HTTP server, Hadoop, OpenOffice, Solr, and Subversion); Mozilla Firefox, Thunderbird, and FireFTP; Evolution and Open-Xchange; Drupal and WordPress; Eclipse, Aptana, Komodo, MonoDevelop, and NetBeans; VLC, Audacious, Banshee.fm, Helix, and Tomahawk media players; and many others.


[Editor's Comment: First Submission and 2nd Submission. Submissions significantly edited before publication]

 
  • (Score: 1) by nitehawk214 on Thursday May 28 2015, @07:33PM

    by nitehawk214 (1304) on Thursday May 28 2015, @07:33PM (#189269)

    How do you feel about them delivering malware and ads with your name stamped on it?

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 1) by KGIII on Friday May 29 2015, @12:59AM

    by KGIII (5261) on Friday May 29 2015, @12:59AM (#189426) Journal

    It is pretty crappy and if anyone is still using those apps they should be smart enough to notice the option to disable the adware during the install. As a firm believer that security is a process not an application I am not able to help those users and I am not so offended as to remove my content. Actually, I no longer recall the password or have the email either as the ISP went out of business and I never thought to change it. Also, from reading it, they could have locked me out. My typical emails and password combinations do not work and resetting the password was ineffective so I can not get in. So, care about it or not, there is not much to do at this point.

    --
    "So long and thanks for all the fish."
    • (Score: 2, Informative) by anubi on Friday May 29 2015, @06:24AM

      by anubi (2828) on Friday May 29 2015, @06:24AM (#189528) Journal

      I have also noted a lot of "repackaging" going on... especially at CNET and download.com.

      What looked like old trusted programs are now wrapped up in some sort of installer that also puts God-knows-what in my machine.

      All I know to do at this point is try to find the MD5 digest of the "real thing" and compare any downloaded .exe to that.

      You can get a simple MD5 digester here. [winmd5.com]

      Use this digester to get the MD5 of anything ( especially DLL's and EXE's ) you question the validity of.

      You can submit the MD5 digest you get to these folks and they will tell you if they have seen it before and if it's got problems. [isthisfilesafe.com]

      If you are running a system compatible with the MYCROFT search window, ( FireFox and others are compatible ), you can get the VirusTotal plugin that is also quite handy.

      And don't ever let a web page install for you. You have no idea what they are going to do once you let them in. Once they insist on JavaScript being enabled and they insist you have to drop your pants to get the download... they are setting you up to be screwed - big time.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
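
The digest comparison described in the comment above, as an added example (not part of the comment or the original page). It hashes a downloaded installer in chunks and compares it with a digest taken from the project's official download page, picking MD5 or a SHA variant from the digest length; the file names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name (MD5 as in the comment, plus SHA variants).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest):
    """Return (ok, algo, actual) for a file checked against the publisher's digest."""
    expected = published_digest.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("not a recognised hex digest: %r" % published_digest)
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


def demo():
    """Constructed sample: an 'official' installer and a copy wrapped in a bundler stub."""
    official = b"MZ" + b"constructed sample installer payload" * 1000
    wrapped = b"MZ" + b"constructed bundler stub" + official
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("official.exe", official), ("mirror.exe", wrapped)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        for algo in ("md5", "sha256"):
            published = hashlib.new(algo, official).hexdigest().upper() + "\n"
            for name in ("official.exe", "mirror.exe"):
                path = os.path.join(d, name)
                ok, used, _ = verify_download(path, published)
                results[(used, name)] = ok
    return results


if __name__ == "__main__":
    for (algo, name), ok in sorted(demo().items()):
        print(f"{algo:7} {name:13} {'MATCH' if ok else 'MISMATCH'}")
```

An MD5 mismatch reliably exposes a rewrapped installer, but MD5 is not collision-resistant, so use the SHA-256 value when the publisher lists one.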
  • (Score: 0) by Anonymous Coward on Friday May 29 2015, @05:37AM

    by Anonymous Coward on Friday May 29 2015, @05:37AM (#189520)

    The marketing interns at DICE only pick out popular applications, attaching it to too many things would involve more work.