SourceForge commits reputational suicide

Simon Phipps
The venerable project hosting service SourceForge may have finally crossed the line into irrelevance following an abuse of trust related to the GIMP project.
Once the darling of open source, SourceForge has been eclipsed by GitHub and package managers, leaving it with a long, thin tail of (mostly consumer) software. It has used increasingly desperate measures to monetize the service through questionable advertising, SEO, and adware injectors.

A promise unfulfilled

SourceForge flirted with principled respectability a short while ago. Last year, I wrote an article about its efforts to introduce new monetization options for open source developers that treated projects very respectfully. I had given advice the organization had used, so I felt quite positive about its future. It seemed SourceForge was reversing a slide into dubious practices and had committed to working with communities to generate revenue ethically with their cooperation and consent.

The story so far

A while back, the GIMP project folks decided that the saturation of advertising on SourceForge was no longer a price worth paying to have a download mirror for their code, so they stopped using it.
The advertisements were not only visually distressing; they were also often deceptive adverts for alternative downloads laden with adware and other malware. Similar complaints have been made by other projects; Apache OpenOffice regularly gets reports of fake download sites being advertised deceptively next to its download mirrors on SourceForge, for example.
For reasons it has not articulated, SourceForge saw fit to regard this decision as "abandonment" of the site (something GIMP vigorously denies) and took over the provision of GIMP downloads for Windows -- surrounded by advertising, of course. That was bad enough, but SourceForge went further, adding an adware injection installer to the download. When challenged, SourceForge removed the adware installer but justified its other behavior.
The GIMP project has now demanded all trace of the project be removed from SourceForge -- and has called on SourceForge to offer a way for all other projects to do the same. The project suggests SourceForge can retrieve a little of its reputation:
An acceptable approach would be to provide a method for any project to cease hosting at any SourceForge site if desired, including the ability to:
  • Completely remove the project and URLs permanently, and not allow any other projects to take its place
  • Remove any hosted files from the service, and not maintain mirror serving installers or files differing from those provided by the project or wrap those in any way
  • Provide permanent HTTP redirects (301) to any other location as desired by the project
I asked SourceForge for comment and was directed to a disingenuous blog post. In the process, I was also alerted to the situation with FileZilla, whose SourceForge page is distributing adware. When I expressed my concern about the response, I was told:
@sourceforge tested easily-declinable offers w/a handful of abandoned projects but removed these based on community feedback
For "easily-declinable offers" read "installers for adware"; for "abandoned projects" read "projects their owners can't delete"; and for "community feedback" read "expressions of abject incredulity."
Despite all the fine words SourceForge fed me and others back in 2014 about listening to the open source community, SourceForge has doubled down on its position that hosting deceptive advertising is accidental and that offering malware to naive consumer downloaders is a service. This treatment of GIMP is surely the last straw. It's easy to agree with the GIMP project statement that "SourceForge are abusing the trust that we and our users had put into their service in the past."
In the last 24 hours, SourceForge has been scrambling for a solution; I was told "unmaintained SourceForge projects are not presenting third-party offers and won't be doing that anytime in future." I asked if they would provide a way for projects to delete their unwanted presence but was merely told: "We believe we are now in compliance with open source best-practices by mirroring original versions of project files in an effort to ensure that people who come to SourceForge to find these programs may easily find the most current version available."
My conclusion: It's time to move on from SourceForge. It's no longer a trustworthy source for downloads; users should avoid projects whose downloads are hosted there. Open source projects hosted on it should devise migration strategies.