How-To Geek
Warning: Don’t Download Software From SourceForge If You Can Help It

“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.
Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.
Update: Since the writing of this article, SourceForge has been sold to a new company that stopped the DevShare program discussed in this article. We’re leaving this article here for historical reference, but it has since stopped these shady practices.
Yes, SourceForge Is One of the Bad Download Websites
SourceForge built up a lot of goodwill in the past, being a centralized place for downloading open-source software and hosting software repositories. Over the years, more projects have moved to other repository-hosting services like GitHub.
In 2012, Dice Holdings purchased SourceForge (and Slashdot) from Geeknet. In 2013, SourceForge enabled a feature named “DevShare.” DevShare is an opt-in feature developers can enable for their own projects. If a developer enables it, the software you download from SourceForge arrives wrapped in SourceForge’s own installer, which pushes intrusive junkware onto your system. SourceForge and developers make money by foisting this software on you, just as practically every other download site and freeware distributor does on Windows.
DevShare does require a project owner to “opt in” to enable this feature on their project, although SourceForge is now hosting a variety of projects bundled with junkware against the wishes of their developers.
Some projects have chosen to jump on board the DevShare train on their own, and that’s their own choice. FileZilla was an early participant, and FileZilla’s developer responded to concerns:
“This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”
Chrome blocked us from downloading FileZilla from SourceForge’s website, warning that it “may harm your browsing experience.”

SourceForge and GIMP
GIMP is a popular open-source image editor — it’s basically the open-source community’s answer to Photoshop. In 2013, GIMP’s developers pulled the GIMP Windows downloads from SourceForge. SourceForge was full of misleading advertisements masquerading as “Download” buttons — something that’s a problem all over the web. SourceForge then rolled out its own Windows installer filled with junkware, and that was the straw that broke the camel’s back. In response, the GIMP project abandoned SourceForge and began hosting their downloads elsewhere.
In 2015, SourceForge pushed back. Considering the old GIMP account on SourceForge “abandoned,” they took control over it, locking out the original maintainer. They then put GIMP downloads back up on SourceForge, wrapped in SourceForge’s own junkware-filled installer. If you’re downloading GIMP from SourceForge, you’re getting a version filled with junkware, one that GIMP’s developers don’t want you to use. SourceForge said they were providing a valuable service to people looking to download open-source software, but GIMP’s developers strongly disagree.
After a lot of negative press, SourceForge later changed their stance. “At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer,” SourceForge wrote in a statement. Given their past actions and the “at this time” wording in their statement, we’d recommend you steer clear of SourceForge anyway. They no longer deserve the trust of the open-source community.

It’s Not Just the GIMP
Other developers didn’t actually choose to enable DevShare. GIMP is currently listed as “brought to you by: sf-editor1” on SourceForge. Click through to sf-editor1’s list of projects and you’ll see quite a few projects hosted by SourceForge itself, from Audacity and OpenOffice to Firefox.
Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.
Although SourceForge may no longer be bundling these applications with junkware for the moment, the SourceForge website is still full of misleading advertisements that point you to installers full of junkware.

Avoid SourceForge Downloads
Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.
Or, better yet, skip all the usual downloading and install the most useful applications using Ninite. Ninite is the only safe centralized Windows freeware download site we’ve found.
If you do have to download from SourceForge, be careful to avoid the downloads that include the SourceForge installer. Go out of your way to grab the direct downloads instead, and where the project publishes checksums or signed builds on its own site, verify the file against them before running it.
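One concrete way to tell a direct download from a wrapped one is to check the file against the checksum the project itself publishes; many projects list SHA-256 sums on their own download pages, and a checksum hosted only on the mirror proves nothing about the mirror. The Python below is an added example written for this page, not SourceForge’s or any project’s code. The installer bytes, the file names and version, and the SHA256SUMS text are all constructed, so a clean copy passes and a copy with an offer stub prepended fails.

```python
import hashlib
import hmac

# Constructed sample data for this example (not real GIMP or SourceForge files):
# the installer bytes as the upstream project published them, and a "wrapped"
# copy with an offer stub prepended, the way a download site might serve it.
UPSTREAM_INSTALLER = b"MZ" + b"\x00" * 62 + b"upstream-project-setup-payload"
WRAPPED_INSTALLER = b"MZ" + b"\x00" * 62 + b"third-party-offer-stub\x00" + UPSTREAM_INSTALLER

# Constructed checksum file in sha256sum(1) layout ("<hex digest>  <name>"),
# standing in for the list a project publishes on its own download page.
# The project name, file names and version are hypothetical.
PUBLISHED_SHA256SUMS = """\
# example-project 2.8.14 release checksums (hypothetical)
{digest}  example-project-2.8.14-setup.exe
0000000000000000000000000000000000000000000000000000000000000000  example-project-2.8.14-portable.zip
""".format(digest=hashlib.sha256(UPSTREAM_INSTALLER).hexdigest())

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum-style lines into {file name: hex digest}.

    Blank lines and '#' comments are skipped. A leading '*' on the name (the
    binary-mode marker some tools write) is dropped. Anything that is not a
    64-hex-character digest followed by a name is rejected loudly, because a
    truncated or mangled checksum file must not quietly verify nothing.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError("bad SHA-256 digest on line: %r" % raw)
        sums[name.lstrip("*")] = digest
    return sums


def sha256_hex(data):
    """Hex SHA-256 of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_hex_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file on disk, streamed so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data, filename, sums_text):
    """True only if `data` hashes to the digest published for `filename`.

    An unknown file name fails rather than passes: a wrapped or renamed
    installer with no published digest is exactly what we want to catch.
    """
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False
    # Constant-time compare; cheap insurance even for a local check.
    return hmac.compare_digest(sha256_hex(data), expected)


if __name__ == "__main__":
    name = "example-project-2.8.14-setup.exe"
    print("clean copy verifies:  ", verify_download(UPSTREAM_INSTALLER, name, PUBLISHED_SHA256SUMS))
    print("wrapped copy verifies:", verify_download(WRAPPED_INSTALLER, name, PUBLISHED_SHA256SUMS))
```

For a real installer, hash the file on disk with sha256_hex_of_file and take the SHA256SUMS text from the project’s own site, never from the download mirror that served the file. A passing check tells you the file is byte-for-byte what the project published; it says nothing about what the project itself chose to bundle, which is where the FileZilla dispute above sits.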
And, by the way, SourceForge is now bundling junkware with their Mac downloads too — just like Download.com and other websites. Even Mac users aren’t safe, although we haven’t seen DevShare extended to Linux PCs just yet. Everyone should avoid SourceForge downloads, whether you’re running Windows or not.

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, test it on a real Windows system on a physical machine, not in a virtual machine.
This is the same sort of environment-aware behavior that malicious applications increasingly use to evade detection and analysis in sandboxes.
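Software that wants to look harmless under analysis usually gets there by fingerprinting the machine for hypervisor artifacts. The Python below is an added illustration of that class of heuristics, written for this page; it is not SourceForge’s installer logic, which the article does not document. The two host profiles are constructed, shaped like the fields you would pull on Windows from WMI/CIM (Win32_ComputerSystem, Win32_BIOS), getmac and a process list; the marker strings and OUI prefixes are the well-known ones for VirtualBox, VMware, Hyper-V, QEMU/KVM, Parallels and Xen.

```python
# Constructed host profiles for this example, shaped like what you would
# collect on Windows from WMI/CIM (Win32_ComputerSystem, Win32_BIOS), getmac
# and a process listing. Neither is a real machine.
ANALYSIS_VM = {
    "manufacturer": "innotek GmbH", "model": "VirtualBox",
    "bios_vendor": "innotek GmbH", "bios_version": "VirtualBox",
    "macs": ["08-00-27-3A-9B-1C"],
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"],
    "cpu_count": 1, "ram_gib": 1, "disk_gib": 40,
}

PHYSICAL_DESKTOP = {
    "manufacturer": "Dell Inc.", "model": "OptiPlex 9020",
    "bios_vendor": "Dell Inc.", "bios_version": "A15",
    "macs": ["F8-B1-56-12-34-56"],
    "processes": ["explorer.exe", "chrome.exe"],
    "cpu_count": 4, "ram_gib": 16, "disk_gib": 500,
}

# Hypervisor fingerprints in DMI/SMBIOS strings (case-insensitive substrings).
DMI_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "bochs", "seabios",
    "parallels", "virtual machine", "xen hvm", "hvm domu",
)

# Registered OUI prefixes of the virtual NICs the major hypervisors hand out.
VM_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V",
    "52:54:00": "QEMU/KVM", "00:1C:42": "Parallels", "00:16:3E": "Xen",
}

# Guest-tools processes that only exist inside a guest.
GUEST_TOOLS = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
    "vboxservice.exe", "vboxtray.exe", "prl_tools.exe", "xenservice.exe",
}

# Weights chosen so that all three weak hints together (3) stay below one
# strong indicator (4): a small machine alone never counts as a VM.
STRONG, WEAK = 4, 1


def normalize_mac(mac):
    """'08-00-27-3a-9b-1c' -> '08:00:27:3A:9B:1C'."""
    return mac.upper().replace("-", ":")


def vm_indicators(profile):
    """Score a host profile and explain why. Returns (score, reasons)."""
    score, reasons = 0, []

    for field in ("manufacturer", "model", "bios_vendor", "bios_version"):
        value = str(profile.get(field, "")).lower()
        for marker in DMI_MARKERS:
            if marker in value:
                score += STRONG
                reasons.append("%s contains %r" % (field, marker))
                break  # one hit per field is enough

    for mac in profile.get("macs", []):
        oui = normalize_mac(mac)[:8]
        if oui in VM_OUIS:
            score += STRONG
            reasons.append("NIC OUI %s belongs to %s" % (oui, VM_OUIS[oui]))

    for proc in profile.get("processes", []):
        if proc.lower() in GUEST_TOOLS:
            score += STRONG
            reasons.append("guest tools process %s running" % proc)

    # Resource hints: typical of analysis sandboxes, but only weak evidence.
    if profile.get("cpu_count", 99) < 2:
        score += WEAK
        reasons.append("single CPU")
    if profile.get("ram_gib", 99) < 2:
        score += WEAK
        reasons.append("under 2 GiB RAM")
    if profile.get("disk_gib", 999) < 60:
        score += WEAK
        reasons.append("under 60 GiB disk")

    return score, reasons


def looks_like_vm(profile, threshold=STRONG):
    """One strong indicator is enough; weak hints alone never cross the bar."""
    return vm_indicators(profile)[0] >= threshold


if __name__ == "__main__":
    for label, prof in (("analysis VM", ANALYSIS_VM), ("physical desktop", PHYSICAL_DESKTOP)):
        score, why = vm_indicators(prof)
        print("%-16s score=%2d vm=%s %s" % (label, score, looks_like_vm(prof), why))
```

If you cannot follow the advice above and test on physical hardware, this list doubles as the set of artifacts to scrub from an analysis VM: DMI strings, the virtual NIC’s OUI, and the guest-additions processes. Note that the resource hints are deliberately scored low, since a small VM is common but a small physical machine proves nothing.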
...Or you can just add ?nowrap& to the end of your download link...
I love HTG and am most grateful to you for this alert. However, you are better at writing interesting stuff than you are at writing English. You yourselves draw attention to the construction used by The Gimp ('“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project.') so I feel justified in writing this OT message to say that it is perfectly good English to use the plural when referring to a company. Cheers, Harry Lake (believe it or not, not a pedant, just a linguist)
"...Or you can just add ?nowrap& to the end of your download-link..." Can anyone confirm or contest this? Thanks ecsjjgg. Thanks HTG for the article as well.
i use a program called "unchecky" very successfully. it automatically opts-out of most junkware. be careful sure - but this program makes thing easier.
I don't believe in your article. I'm using SF and never got any unwanted software, period.
That's because you're not using abandoned hosted projects.
I have been a long time user of ninite.com
What I have found that is even better for those that are at least moderately technical is Chocolatey http://chocolatey.org. Consider it like apt-get or yum for Windows.
Everything I have ever downloaded via chocolatey has come without the least bit of junkware attached. Like a cli version of ninite with about 50 times as many packages available.
Well that sure is a stupid way of looking at things... cops show up and tell you about your neighbor being murdered. "I didn't see my neighbor get murdered so he must be alright."
Just because you didn't see it happen doesn't mean it didn't happen... if you don't believe HTG then it's fine to be skeptical, but don't call bullshit until you've gone and done research to actually find out if whatever was true or not.
I totally agree. When I'm looking for software I always add ';-sourceforge' to the search string. But here is something that might be helpful to others.
There is a wonderful little program called 'Unchecky'. It's free and you can get it at www.unchecky.com
It automatically unticks the checkboxes that the 'sneakware' has pre-checked. It even finds those ones that somehow 'accidentally' disappear from your screen for a few seconds.
Recently McAfee managed to install itself during an Adobe Flash update! Talk about sneaky - McAfee was able to sneak in because I had the automatic updates enabled. You DO NOT get the choice to uncheck during an automatic update of flash. (Hope I didn't wander too far off-topic?)
What Harry said. In fact, this is a standard difference between British and America usage: the Brits generally use a plural verb with most collective nouns, whereas in the US we use a singular one (subject to some fine distinctions). So you really need to get that (sic) out of there--it makes you look provincial.
I only get .zip version of any project as far as available, if not then I don't have any issue to install the app while "untick" the unwanted stuff. Seriously, it's not that big deal to discuss.
Ninite and chocolatey are clean and safe, but may not offer the download you want. Unchecky is fine, but can't catch everything. It's as good as its latest update, like virus protection software.
The bottom line, as the article suggests, is go to the developer site and get a direct download wherever possible. If you can't trust the developer, don't use the product.
I haven't really run into this problem before...do we know how long this has been going on? Are we looking at another Cnet/download.com situation?
I always get FileZilla from their website anyhow...lol.
psh get outta here
I have come across a site. They don't wrap their downloads. "LO4D.com makes a very strong effort to make sure all files are tested for viruses and malware. We do not alter test results, nor do we use sneaky "installer" or "download manager" schemes."
edit by mod- link removed, site does not pass the sniff test.
Just had to make a new account to back up Harry here. The "sic" is redundant pedantry and should be removed.
Last time i tried to download filezilla (from their own website) it came with all sorts of crapware, even if you pay attention during installation it still manages to install some shit on your computer.
I ran a Google search for that string and came up with a very handy discovery.
For those who run user-scripts in their browser via the Greasemonkey add-on - there is a script available on Greasy Fork called AntiAdware - which eliminates and removes the "bad" download links from many websites completely - leaving only the basic and unbundled option available.
After installing the script, I went to the download page for Adobe Flash Player and the option to download the McAfee - which normally requires the user to "uncheck" the box - was completely missing and invisible, leaving only the basic download option available.
There's some debate as to how effective the script is on SourceForge - but it's certainly worth a try - and you can always easily uninstall the script, should you so desire.
When you download from the Filezilla website, the download links take you to sourceforge for the download. The admins at Filezilla like to place blame on the consumer for not carefully treading through the installation process, yet even those who have not accepted any of the installation "offers" have still reported having adware (malware with a legal team) installed on their computers.
I had difficulty installing and successfully running ElementaryOS. The recommended download site did not work, and I ended up downloading from SourceForge. I put it up in an Oracle VM, and I do not suspect that the problem lies with the downloaded image, but you never know... I wanted to try it, and of the 15 Systems I have put up in Oracle VM this is the only one I cannot run well.... I currently enjoy my Windows 7 and Linux Mint platforms. I for one am leery of all download sources. cnet first spoiled the experience for me... and now I have to say SourceForge looks more and more like what cnet morphed into.
I wonder why nobody talks about the company behind SF's installers. Reminds me of Lenovo and Superfish.
In that case, can someone suggest a safe site from which to download cDock? Typically I download directly from the developer's site, but he doesn't appear to have one, and googling "cDock download" gives me a choice of Sourceforge, MacUpdate, softpedia, and a few I don't recognize. MacUpdate, I've read, had a problem with malware bundled with one of its Bitcoin apps (they didn't do this intentionally, but it means they didn't check carefully enough, since the same app on the Apple site was safe).
Disclosure: I admin that site.
I'm curious as to why the moderator believes it doesn't pass a "sniff test". There is absolutely nothing intentionally malicious about the site and we absolutely do not wrap downloads with any kind of installer, download manager or malware. If the developer does, then it's clearly marked and users are directed to read Scott Hanselman's excellent blog post before continuing to a download.
For the record and pertinent to the topic: We list and mirror programs from sourceforge and always host the safe portable version, when available, of the program which does not contain third party crap. For example, FileZilla Portable does not contain so-called "third party offers" at least right now.
I can now answer my own question: I communicated with the developer, and he reassured me that the distribution on Sourceforge doesn't have anything bundled with it -- that it's the exact file he uploaded. And he also provided me with a direct link to his Github site (which was helpful, since it's not among the first few pages of results in a Google search for "cDock"): http://w0lfschild.github.io/cDock/
I try to avoid them whenever I can. For most of the time I use FileHorse.com and in combination with unchecky.com and malwarebytes.org it's a pretty solid combo.
This is not accurate. SourceForge is one of the few good downloading sites. They have been great for years. The only problem with them is that they have stopped checking what people upload recently. They change nothing with what people upload there, I know because I uploaded a few small programs I made in Visual Basic there a while ago. I have downloaded many programs from them. FileZilla is one of the few programs on SourceForge that I do not trust, as a couple of my friends used it and had problems. Yes, they could be better, but they are still one of the few good sites, and I will continue downloading from them.
Blame Google for that not SourceForge, the oblivious public that are blaming SF for this need to do some research before they write stuff.
GIMP was not affected by that at all.
Is SourceForge somehow doing something wrong with hosting their own installer on their own website? No.
This is jerkish and maybe unethical but there is nothing wrong with it and it does completely comply with the GPL.
What you should be saying is "if you're not downloading software from the official websites, what are you doing? Learn to internet". :)
These are all mirrors. SF is legally allowed to host anything they want on their own website as long as it complies with the license of the software, and it does. This is kind of why I don't like the GPL.
Again, blame Google since it is actually their fault.
That would be impossible because the DEB, RPM, etc installers for Linux do not allow bundling of software. They are specifically designed in a way that would not be possible to do. Also, with Linux people should be using official Distro Repos anyway so that would never happen with those sources too. Multiple layers of essential impossibilities.
"We don't know what it is so just cut it off".
Having done a lot of in-depth research on this and having worked with a malware researcher to figure out how their crapware bundler works, I stand behind our article.
There's a lot more to this story that you just don't know. And we're not yet prepared to write about it.
Ok, now I'm intrigued.