The venerable project hosting service SourceForge may have finally
crossed the line into irrelevance following an abuse of trust related to
the GIMP project.
Once the darling of open source, SourceForge has been eclipsed by GitHub
and package managers, leaving it with a long, thin tail of (mostly
consumer) software. It has used increasingly desperate measures to
monetize the service through questionable advertising, SEO, and adware
injectors.
A promise unfulfilled
SourceForge flirted with principled respectability a short while ago. Last year, I wrote an article about its
efforts to introduce new monetization options for open source developers
that treated projects very respectfully. I had given advice the
organization had used, so I felt quite positive about its future. It
seemed SourceForge was reversing a slide into dubious practices and had
committed to working with communities to generate revenue ethically with
their cooperation and consent.
The story so far
A while back, the GIMP project folks decided that the saturation of
advertising on SourceForge was no longer a price worth paying to have a
download mirror for their code, so they stopped using it.
The advertisements were not only visually distressing; they were also
often deceptive adverts for alternative downloads laden with adware and
other malware. Similar complaints have been made by other projects;
Apache OpenOffice regularly gets reports of fake download sites being
advertised deceptively next to its download mirrors on SourceForge, for
example.
For reasons it has not articulated, SourceForge saw fit to regard this
decision as "abandonment" of the site (something GIMP vigorously denies)
and took over the provision of GIMP downloads for Windows -- surrounded
by advertising, of course. That was bad enough, but SourceForge went
further, adding an adware injection installer to the download. When
challenged, SourceForge removed the adware installer but justified its
other behavior.
The GIMP project has now demanded all trace of the project be removed
from SourceForge -- and has called on SourceForge to offer a way for all
other projects to do the same. The
project suggests SourceForge can retrieve a little of its reputation:
An acceptable approach would be to provide a method for any project to cease hosting at any SourceForge site if desired, including the ability to:
- Completely remove the project and URLs permanently, and not allow any other projects to take its place
- Remove any hosted files from the service, and not maintain mirror serving installers or files differing from those provided by the project or wrap those in any way
- Provide permanent HTTP redirects (301) to any other location as desired by the project
I asked SourceForge for comment and was directed to a
disingenuous blog post. In the process, I was also alerted
to the situation with FileZilla, whose SourceForge page is distributing
adware. When I expressed my concern about the response, I was told:
@sourceforge tested easily-declinable offers w/a handful of abandoned projects but removed these based on community feedback
For "easily-declinable offers" read "installers for adware"; for
"abandoned projects" read "projects their owners can't delete"; and for
"community feedback" read "expressions of abject incredulity."
Despite all the fine words SourceForge fed me and others back in 2014
about listening to the open source community, SourceForge has doubled
down on its position that hosting deceptive advertising is accidental
and that offering malware to naive consumer downloaders is a service.
This treatment of GIMP is surely the last straw. It's easy to agree with
the GIMP project statement that "SourceForge are abusing the trust that we and our users had put into their service in the past."
In the last 24 hours, SourceForge has been scrambling for a solution; I
was told "unmaintained SourceForge projects are not presenting
third-party offers and won't be doing that anytime in future." I asked
if they would provide a way for projects to delete their unwanted
presence but was merely told: "We believe we are now in compliance with
open source best-practices by mirroring original versions of project
files in an effort to ensure that people who come to SourceForge to find
these programs may easily find the most current version available."
My conclusion: It's time to move on from SourceForge. It's no longer a
trustworthy source for downloads; users should avoid projects whose
downloads are hosted there. Open source projects hosted on it should
devise migration strategies.