SourceForge Downloads Available Again - Yes, You Can!

April 25, 2016

Historical Context: SourceForge and Software Downloads

Originally published in 2015 with the headline "Warning: Don’t Download Software From SourceForge If You Can Help It", this article reflects a past situation. Significant alterations have occurred since its initial release.

In 2016, SourceForge underwent a change in ownership. The new company promptly discontinued the controversial DevShare program.

Outdated Criticism and Current Status

The remainder of this article is preserved for historical documentation. However, it’s important to note that the criticisms detailed within are no longer entirely applicable.

Presently, SourceForge is operating under different management and is not exhibiting the previously problematic behaviors. The platform’s practices have demonstrably improved.

While past concerns were valid, the current state of SourceForge necessitates a revised assessment. The issues highlighted in the original publication are no longer representative of the platform’s operations.

Concerns Regarding Software Distribution on SourceForge

The GIMP project has publicly expressed serious concerns, stating that SourceForge has been compromising the confidence previously held by both the project and its user base.

Specifically, since 2013, reports have surfaced indicating that SourceForge has been incorporating unwanted software – often referred to as junkware – into software installers.

This practice has, in some instances, been carried out without the explicit consent or knowledge of the software developers themselves.

Recommendations for Users

It is strongly advised to avoid downloading software directly from SourceForge whenever alternative options are available.

A growing number of open-source projects are now distributing their installation files through different platforms, ensuring a cleaner download experience.

The versions hosted on SourceForge may contain bundled junkware, potentially impacting system performance and security.

Precautions for SourceForge Downloads

If downloading from SourceForge is unavoidable, users are urged to exercise extreme caution throughout the download process.

Pay close attention to all prompts and carefully review the installation options to prevent the unintentional installation of unwanted programs.

SourceForge’s past actions necessitate a heightened level of vigilance when obtaining software from their platform.

SourceForge: A Decline in Trustworthiness

It's important to acknowledge that SourceForge has become recognized as a less reliable source for software downloads. This is linked to practices that introduce unwanted software alongside legitimate programs.

Previously, SourceForge was a respected hub for open-source software, offering centralized repositories for developers and users. However, a shift has occurred, with many projects now migrating to alternative hosting platforms like GitHub.

The Introduction of DevShare

In 2012, Dice Holdings acquired SourceForge, along with Slashdot, from Geeknet. A significant change followed in 2013 with the introduction of "DevShare."

DevShare is a program developers can voluntarily activate for their projects. When enabled, downloads from SourceForge are packaged with the platform’s installer. This installer often includes potentially unwanted programs, or junkware, that are installed on the user’s system.

This practice generates revenue for both SourceForge and the developers involved, mirroring the tactics employed by numerous other download sites and freeware distributors on Windows.

Developer Consent and Concerns

While DevShare initially required explicit consent from project owners, SourceForge has since been found to host projects bundled with unwanted software even without the developers’ permission.

Some developers have willingly participated in DevShare, exercising their right to choose. FileZilla, for example, was an early adopter. Their developer defended the practice, stating:

"The installer does not install any spyware and clearly presents users with a choice regarding the installation of additional software."

Browser Warnings and User Protection

Concerns regarding software safety have led to protective measures from web browsers. Google Chrome, for instance, has blocked downloads of FileZilla from SourceForge, displaying a warning that the download "may harm your browsing experience."

This action highlights the increased risk associated with downloading software from SourceForge and the importance of exercising caution.

GIMP and SourceForge: A Contentious Relationship

The open-source image editor GIMP, often considered a free alternative to Photoshop, has a complex history with the software download platform SourceForge. This situation highlights concerns regarding software distribution and user experience.

Initial Departure from SourceForge

In 2013, the developers of GIMP made the decision to remove their Windows downloads from SourceForge. This action was prompted by the proliferation of deceptive advertisements on the platform. These ads were designed to mimic legitimate download buttons, misleading users.

Further exacerbating the issue, SourceForge began bundling its own Windows installer with unwanted software – often referred to as junkware. This practice ultimately led GIMP’s team to seek alternative hosting solutions for their downloads.

SourceForge's Reassertion and Controversy

By 2015, SourceForge responded by claiming the original GIMP account was "abandoned." Consequently, they assumed control of the account, effectively excluding the original maintainers.

Subsequently, GIMP downloads were reinstated on SourceForge, but these versions were packaged with SourceForge’s installer containing junkware. This meant users downloading from SourceForge were receiving a version of GIMP not endorsed by its developers.

SourceForge justified their actions by stating they were offering a service to users seeking open-source software. However, GIMP’s developers vehemently disagreed with this assessment.

Shift in Policy and Lingering Concerns

Following substantial negative publicity, SourceForge revised its policy. They announced that third-party offers would only be presented with projects that had explicit approval from the developers.

However, the phrasing "at this time" within their statement, coupled with their previous actions, raises continued skepticism. It is generally advisable to avoid downloading software from SourceForge due to a loss of trust within the open-source community.

Important Note: Always download software directly from the official project website to ensure you receive a clean and secure version.

The Issue Extends Beyond GIMP

Not all software developers chose to activate DevShare. Currently, GIMP is identified as being "brought to you by: sf-editor1" on the SourceForge platform. Investigating sf-editor1’s project portfolio reveals numerous projects also hosted directly by SourceForge, including well-known applications like Audacity, OpenOffice, and Firefox.

Navigating to a project’s official web presence typically leads to legitimate download locations. For instance, the Audacity homepage directs users to FOSSHUB for obtaining Audacity, bypassing SourceForge. However, a Google search for "Audacity" frequently prioritizes the SourceForge page in its results.

Despite a potential cessation of bundling applications with unwanted software, the SourceForge website continues to feature deceptive advertisements. These ads often redirect users to installers containing potentially unwanted programs.

Deceptive Practices Persist

The prevalence of misleading advertisements on SourceForge remains a concern. Users are still at risk of inadvertently downloading installers loaded with junkware through these deceptive links.

SourceForge’s ranking in search results, even when official websites exist, contributes to this problem. This makes it crucial for users to exercise caution when downloading software.

  • Always verify the download source.
  • Prefer official project websites.
  • Be wary of advertisements on download portals.

It is important to note that while some developers have avoided DevShare, the potential for encountering bundled junkware through SourceForge remains. Users should prioritize downloading directly from the software’s official site whenever possible.

Steering Clear of SourceForge Downloads

It is advisable to refrain from obtaining software through SourceForge. Even if it appears prominently in Google search results, it’s best to bypass SourceForge and navigate directly to the official website of the software project. Seek out download links provided by the project itself – many have relocated and now offer clean downloads elsewhere.

Alternatively, consider utilizing Ninite for installing essential applications. Ninite currently stands as the sole centralized Windows freeware download site we deem consistently secure.

Should downloading from SourceForge be unavoidable, exercise extreme caution. Specifically, avoid any downloads bundled with the SourceForge installer; prioritize direct download options instead.

Furthermore, SourceForge now incorporates unwanted software into its Mac downloads, mirroring practices seen on Download.com and similar platforms. This means Mac users are also at risk, though we haven't yet observed this practice extending to Linux systems. All users, regardless of operating system, should avoid SourceForge downloads whenever possible.

Understanding the Risks

Our testing indicates that SourceForge’s downloader exhibits less problematic behavior within a virtual machine environment. However, to accurately assess its actions, it’s crucial to test it on a genuine Windows installation on physical hardware, not a virtualized system.

Behaving differently when a virtual machine is detected is a tactic increasingly employed by malicious applications to evade detection and thorough analysis.

Key Takeaways

  • Prioritize Official Sources: Always download software from the project’s official website.
  • Utilize Ninite: For Windows, Ninite provides a safe and streamlined installation experience.
  • Avoid Bundled Downloads: Be wary of downloads containing the SourceForge installer.
  • Exercise Caution: Regardless of your operating system, SourceForge poses a potential security risk.

Protecting your system requires vigilance and a preference for trusted download sources. Avoiding SourceForge is a proactive step towards maintaining a secure computing environment.