I'm guessing OP took this from reddit thread. If you read that thread you'll see that it's not sourceforge but this one project. So this title is misleading.
Not really, if you see the Google Safe Browsing diagnostic page for sourceforge.net (emphasis mine) [1]:
>> What is the current listing status for sourceforge.net?
>> This site is >>>not currently listed as suspicious<<<.
>> Part of this site was listed for suspicious activity 333 time(s) over the past 90 days.
>> What happened when Google visited this site?
>> Of the 205785 pages we tested on the site over the past 90 days, 588 page(s) resulted in >>>malicious software being downloaded and installed without user consent<<<.
>> The last time Google visited this site was on 2015-06-18, and the last time suspicious content was found on this site was on >>>2015-06-18<<<.
>> Malicious software includes 5877 virus, 4347 trojan(s), 1132 exploit(s).
Very interesting! Of course Google itself is not hosting any malicious content, but they are acting as a bridge between the user and malicious content which they honestly write about. Interesting that they also include blogspot.com pages in that.
Interestingly (to me) this link is blocked by my ad blocker, rather than Google.
> uBlock₀ has prevented the following page from loading:
> http://sourceforge.net/projects/lame/
> Because of the following filter
> ||sourceforge.net^
AFAIK: U-Block Origin is a fork of U-Block which hopes to stay in sync with U-Block, but maintain a per-site block/allow feature which was removed from the newer version of U-Block.
GitHub has a paid business model, so I think they're less likely to be tempted by the dark side. SourceForge is another cautionary tale about how "free is a lie" -- how free leads directly to scummy business models.
>GitHub has a paid business model, so I think they're less likely to be tempted by the dark side
So did Sourceforge. Github has competition in business space (Gitlab Enterprise, Stash) and if it falls out of favor with businesses, anything can happen.
Stash is not a competition. GitLab is.
Stash just falls more behind every update.
Look the release Notes of 3.10 and 3.9. I mean it took from 2.8 to 3.8 that you could use "go get". And still Stash won't implement git protocol in the near future (while gitlab and github enterprise both have this) https://jira.atlassian.com/browse/STASH-2508 however they released a read-only plugin since stash 3.8 READ ONLY.. and there are even more issue's to come that stash won't support or support in the near future.
Gitlab and github enterprise are so far ahead of stash and there is another github like solution coming that is written in go. Also stash is slower than Gitlab, even while gitlab is coded in ruby. Also the CI, way easier to setup (and cheaper) than the stash way of linking their projects.
Wow thats great!
Yeah especially your CI is really really easy to setup for small customers like us. No more XML dangling inside Jenkins or unnecessary options. Just an easy script + your multi runner..
The only thing thats bad on GitLab is that you don't have a Startup license for Enterprise, so we are running Community, since we are only 4 people. However the only things that are won't as good as on your enterprise version is the linking with jira, which however we need since the standard "issues" are just not enough for us. However thats not a fault of gitlab itself. they are good enough for the most things / projects.
I understand your issue, if you want to use GitLab with Jira as a small company the minimum subscription is for 10 people (slightly less than $400 per year). We think this is needed to provide good support. What features would you need in GitLab issues to make the switch from Jira.
Currently we provide our partners Jira access, however they need a simple way to create issue's without knowing everything about the codebase.
Also we use Jira Agile, which is stunningly awesome and simple.
However we just use a half of JIRA's feature so providing a better way to define issue's for external without code access would definitly help.
Also I'm looking forward to migrate away from stash / jira as soon as possible however we have a 3 year subscription which is now at it's half so we need another year to finally go to GitLab Enterprise.
Stash's feature is reliable performance and support.
Github.com goes down; Github Enterprise crawls on very large repositories. (Not everybody's, of course, but the bigger they come, the worse Github performs, and the more money the customer is worth.)
When you call Github support, a support engineer will tell you, "At Github, engineers work on projects that we find interesting. Github Enterprise doesn't get that much interest on our team."
When you call Atlassian support, they fix your problem.
I love google for this and many other ways the fight abuse of browser users. First, they removed CA, which produced a bad certificate, and now sf with their bundles.
I've seen a few differing reports on what SourceForge is doing. From what I gather so far:
1) Originally (a couple years back or so), they started (as an opt in from the project owners) bundling adware with the Windows versions of installers on selected projects.
2) Recently, SourceForge editors have taken over abandoned projects (i.e., projects that no longer use SourceForge as their primary distribution page, and haven't updated the project pages), and have replaced the installers for some of them with their adware-bundled installers.
3) A firestorm erupted over this, SF stated that they would back away from the adware (on taken-over pages -- it would still be present on projects with an agreement from the project owners).
4) They are still taking over abandoned projects and updating them.
Now my question -- for point (4), are they just updating the project download pages with the current versions, or are they still bundling their adware with the projects? Everything I've seen so far (after their "apology" post), it appears that they haven't done any new adware bundling, just taking over the projects. Is this the case? And if so, is the concern that they will slip in the adware in the future?
61 comments
[ 3.6 ms ] story [ 107 ms ] threadedit: Now happening for me in Chromium. (Both of these on Xubuntu 14.04, versions from the repos.)
I can reproduce it if I visit exactly: http://sourceforge.net/projects/camstudio/
but not http://sourceforge.net/ on it's own. Perhaps they only apply the warning to malicious projects rather than the site as a whole.
Edit: Thread: http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...
Response from one user that sourceforge is actually whitelisted by google: http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...
http://safebrowsing.clients.google.com/safebrowsing/diagnost... http://safebrowsing.clients.google.com/safebrowsing/diagnost...
>> What is the current listing status for sourceforge.net?
>> This site is >>>not currently listed as suspicious<<<.
>> Part of this site was listed for suspicious activity 333 time(s) over the past 90 days.
>> What happened when Google visited this site?
>> Of the 205785 pages we tested on the site over the past 90 days, 588 page(s) resulted in >>>malicious software being downloaded and installed without user consent<<<.
>> The last time Google visited this site was on 2015-06-18, and the last time suspicious content was found on this site was on >>>2015-06-18<<<.
>> Malicious software includes 5877 virus, 4347 trojan(s), 1132 exploit(s).
[1] http://safebrowsing.clients.google.com/safebrowsing/diagnost...
||sourceforge.net^$other
uBlock Origin has prevented the following page from
loading:
http://sourceforge.net/
Because of the following filter
||sourceforge.net^$other
Found in: uBlock filters
http://safebrowsing.clients.google.com/safebrowsing/diagnost... :
> Part of this site was listed for suspicious activity 332 time(s) over the past 90 days.
https://google.com/safebrowsing/diagnostic?site=youtube.com
Wonder what's up with that?
On Firefox in Windows they do appear to work fine, as you say.
Edit: I'm an idiot, after the last HN article about sourceforge I pointed them to 127... in my hosts file.
> uBlock₀ has prevented the following page from loading: > http://sourceforge.net/projects/lame/ > Because of the following filter > ||sourceforge.net^
tl;dr: uBlock Origin
[1]: http://helb.github.io/goodbye-sourceforge/
In terms of security/privacy a bricked smart phone is much improved...
So did Sourceforge. Github has competition in business space (Gitlab Enterprise, Stash) and if it falls out of favor with businesses, anything can happen.
The only thing thats bad on GitLab is that you don't have a Startup license for Enterprise, so we are running Community, since we are only 4 people. However the only things that are won't as good as on your enterprise version is the linking with jira, which however we need since the standard "issues" are just not enough for us. However thats not a fault of gitlab itself. they are good enough for the most things / projects.
However we just use a half of JIRA's feature so providing a better way to define issue's for external without code access would definitly help. Also I'm looking forward to migrate away from stash / jira as soon as possible however we have a 3 year subscription which is now at it's half so we need another year to finally go to GitLab Enterprise.
Github.com goes down; Github Enterprise crawls on very large repositories. (Not everybody's, of course, but the bigger they come, the worse Github performs, and the more money the customer is worth.)
When you call Github support, a support engineer will tell you, "At Github, engineers work on projects that we find interesting. Github Enterprise doesn't get that much interest on our team."
When you call Atlassian support, they fix your problem.
1) Originally (a couple years back or so), they started (as an opt in from the project owners) bundling adware with the Windows versions of installers on selected projects.
2) Recently, SourceForge editors have taken over abandoned projects (i.e., projects that no longer use SourceForge as their primary distribution page, and haven't updated the project pages), and have replaced the installers for some of them with their adware-bundled installers.
3) A firestorm erupted over this, SF stated that they would back away from the adware (on taken-over pages -- it would still be present on projects with an agreement from the project owners).
4) They are still taking over abandoned projects and updating them.
Now my question -- for point (4), are they just updating the project download pages with the current versions, or are they still bundling their adware with the projects? Everything I've seen so far (after their "apology" post), it appears that they haven't done any new adware bundling, just taking over the projects. Is this the case? And if so, is the concern that they will slip in the adware in the future?
Tech superpowers cannot coerce me through (direct) regulation or force.