“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.
Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.
Update: Since the writing of this article, SourceForge has been sold to a new company that stopped the DevShare program discussed in this article. We’re leaving this article here for historical reference, but it has since stopped these shady practices.
Yes, SourceForge Is One of the Bad Download Websites
SourceForge built up a lot of goodwill in the past, being a centralized place for downloading open-source software and hosting software repositories. Over the years, more projects have moved to other repository-hosting services like GitHub.
In 2012, Dice Holdings purchased SourceForge (and Slashdot) from Geeknet. In 2013, SourceForge enabled a feature named “DevShare.” DevShare is an opt-in feature developers can enable for their own projects. If a developer enables this feature, you’ll download their software from SourceForge to find that it’s been wrapped in SourceForge’s own installer, which pushes intrusive junkware onto your system. SourceForge and developers make money by foisting this software on you, just as practically every other download site and freeware distributor does on Windows.
DevShare does require a project owner “opt in” to enable this feature on their project, although they’re now hosting a variety of projects bundled with junkware against the wishes of their developers.
Some projects have chosen to jump onboard the DevShare train on their own, and that’s their own choice. FIleZilla was an early participant, and FileZilla’s developer responded to concerns:
“This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”
Chrome blocked us from downloading FileZilla from SourceForge’s website, warning that it “may harm your browsing experience.”
SourceForge and GIMP
GIMP is a popular open-source image editor — it’s basically the open-source community’s answer to Photoshop. In 2013, GIMP’s developers pulled the GIMP Windows downloads from SourceForge. SourceForge was full of misleading advertisements masquerading as “Download” buttons — something that’s a problem all over the web. SourceForge then rolled out its own Windows installer filled with junkware, and that was the straw that broke the camel’s back. In response, the GIMP project abandoned SourceForge and began hosting their downloads elsewhere.
In 2015, SourceForge pushed back. Considering the old GIMP account on SourceForge “abandoned,” they took control over it, locking out the original maintainer. They then put GIMP downloads back up on SourceForge, wrapped in SourceForge’s own junkware-filled installer. If you’re downloading GIMP from SourceForge, you’re getting a version filled with junkware, one that GIMP’s developers don’t want you to use. SourceForge said they were providing a valuable service to people looking to download open-source software, but GIMP’s developers strongly disagree.
After a lot of negative press, SourceForge later changed their stance. “At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer,” SourceForge wrote in a statement. Given their past actions and the “at this time” wording in their statement, we’d recommend you steer clear of SourceForge anyway. They no longer deserve the trust of the open-source community.
It’s Not Just the GIMP
Other developers didn’t actually choose to enable DevShare. GIMP is currently listed as “brought to you by: sf-editor1” on SourceForge. Click through to sf-editor1’s list of projects and you’ll see quite a few projects hosted by SourceForge itself, from Audacity and OpenOffice to Firefox.
Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.
Although SourceForge may no longer be bundling these applications with junkware for the moment, the SourceForge website is still full of misleading advertisements that point you to installers full of junkware.
Avoid SourceForge Downloads
Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.
Or, better yet, skip all the usual downloading and install the most useful applications using Ninite. Ninite is the only safe centralized Windows freeware download site we’ve found.
If you do have to download from SourceForge, be careful to avoid the downloads that include the SourceForge installer. Go out of your way to grab the direct downloads instead.
And, by the way, SourceForge is now bundling junkware with their Mac downloads too — just like Download.com and other websites. Even Mac users aren’t safe, although we haven’t seen DevShare extended to Linux PCs just yet. Everyone should avoid SourceForge downloads, whether you’re running Windows or not.
In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.
This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.