61 comments

[ 3.6 ms ] story [ 107 ms ] thread
Not happening for me when I go to that link from Google in Firefox. Can anyone else reproduce this?

edit: Now happening for me in Chromium. (Both of these on Xubuntu 14.04, versions from the repos.)

Yes happens for me in Chrome. Welcome news!
Nope, can freely access the site on both latest versions of Chrome and Chromium. Though the project seems to have moved from that page already.
I got the warning in Chromium just now.
(comment deleted)
No warning for me either on Chrome Version 43.0.2357.124 (64-bit) on a Mac running Yosemite and I'm based in Dublin, Ireland.

I can reproduce it if I visit exactly: http://sourceforge.net/projects/camstudio/

but not http://sourceforge.net/ on it's own. Perhaps they only apply the warning to malicious projects rather than the site as a whole.

Blocked for me when using Chrome Versjon 42.0.2311.90 on Windows 7.
I'm guessing OP took this from reddit thread. If you read that thread you'll see that it's not sourceforge but this one project. So this title is misleading.

Edit: Thread: http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...

Response from one user that sourceforge is actually whitelisted by google: http://www.reddit.com/r/technology/comments/3a9h9x/soureforg...

http://safebrowsing.clients.google.com/safebrowsing/diagnost... http://safebrowsing.clients.google.com/safebrowsing/diagnost...

Looks like the malware-bearing projects need some reporting, then!
Not really, if you see the Google Safe Browsing diagnostic page for sourceforge.net (emphasis mine) [1]:

>> What is the current listing status for sourceforge.net?

>> This site is >>>not currently listed as suspicious<<<.

>> Part of this site was listed for suspicious activity 333 time(s) over the past 90 days.

>> What happened when Google visited this site?

>> Of the 205785 pages we tested on the site over the past 90 days, 588 page(s) resulted in >>>malicious software being downloaded and installed without user consent<<<.

>> The last time Google visited this site was on 2015-06-18, and the last time suspicious content was found on this site was on >>>2015-06-18<<<.

>> Malicious software includes 5877 virus, 4347 trojan(s), 1132 exploit(s).

[1] http://safebrowsing.clients.google.com/safebrowsing/diagnost...

UBlock is actually blocking all of SF
Which filter is blocking SF for you? UBlock is not blocking SF for me.
Blocking for me too. This filter:

||sourceforge.net^$other

It does for me:

uBlock Origin has prevented the following page from

loading:

http://sourceforge.net/

Because of the following filter

||sourceforge.net^$other

Found in: uBlock filters

Yes it does for me. Ublock Origin 0.9.9.1 on Chrome.
Looks like it's maybe uBlock Origin that is blocking (versus just uBlock)
This. It's just in Origin. Started a few days ago.
The following page lists stats for sourceforge itself:

http://safebrowsing.clients.google.com/safebrowsing/diagnost... :

> Part of this site was listed for suspicious activity 332 time(s) over the past 90 days.

I also find it fascinating what Google has to say about itself https://google.com/safebrowsing/diagnostic?site=Google.com
Very interesting! Of course Google itself is not hosting any malicious content, but they are acting as a bridge between the user and malicious content which they honestly write about. Interesting that they also include blogspot.com pages in that.
I get a 404 when I try that link, as well as one from a cousin comment: http://sourceforge.net/projects/cdesktopenv/

Wonder what's up with that?

Both appear to work fine.
Interesting. On both Firefox (with default settings) and Seamonky (with paranoid privacy settings) on Slackware I get a 404 on both of those links.

On Firefox in Windows they do appear to work fine, as you say.

Edit: I'm an idiot, after the last HN article about sourceforge I pointed them to 127... in my hosts file.

Interestingly (to me) this link is blocked by my ad blocker, rather than Google.

> uBlock₀ has prevented the following page from loading: > http://sourceforge.net/projects/lame/ > Because of the following filter > ||sourceforge.net^

uBlock Origin added a filter to block all of Sourceforge...
U-Block origin is blocking SourceForge as well (||sourceforge.net^$other)
I was just looking into U-Block. What's better to use: U-Block or U-Block Origin?
AFAIK: U-Block Origin is a fork of U-Block which hopes to stay in sync with U-Block, but maintain a per-site block/allow feature which was removed from the newer version of U-Block.
Actually, U-Block is the fork, U-Block origin is the branch of the project maintained by the original dev.
(comment deleted)
(comment deleted)
Not unless Google is bricking the phones on purpose. That is after all the very definition of the word "malicious".

In terms of security/privacy a bricked smart phone is much improved...

(comment deleted)
Compete just guesses at data based off of small panel surveys, that's far from accurate.
I find it hard to believe that SF's monthly uniques were growing at 150% YoY until just 2 months ago.
(comment deleted)
Let us keep SourceForge in mind as GitHub goes public.
GitHub has a paid business model, so I think they're less likely to be tempted by the dark side. SourceForge is another cautionary tale about how "free is a lie" -- how free leads directly to scummy business models.
>GitHub has a paid business model, so I think they're less likely to be tempted by the dark side

So did Sourceforge. Github has competition in business space (Gitlab Enterprise, Stash) and if it falls out of favor with businesses, anything can happen.

Stash is not a competition. GitLab is. Stash just falls more behind every update. Look the release Notes of 3.10 and 3.9. I mean it took from 2.8 to 3.8 that you could use "go get". And still Stash won't implement git protocol in the near future (while gitlab and github enterprise both have this) https://jira.atlassian.com/browse/STASH-2508 however they released a read-only plugin since stash 3.8 READ ONLY.. and there are even more issue's to come that stash won't support or support in the near future. Gitlab and github enterprise are so far ahead of stash and there is another github like solution coming that is written in go. Also stash is slower than Gitlab, even while gitlab is coded in ruby. Also the CI, way easier to setup (and cheaper) than the stash way of linking their projects.
GitLab CEO here, glad to hear you're happy with our progress. New CI version with .gitlab-ci.yml coming on Monday :)
Wow thats great! Yeah especially your CI is really really easy to setup for small customers like us. No more XML dangling inside Jenkins or unnecessary options. Just an easy script + your multi runner..

The only thing thats bad on GitLab is that you don't have a Startup license for Enterprise, so we are running Community, since we are only 4 people. However the only things that are won't as good as on your enterprise version is the linking with jira, which however we need since the standard "issues" are just not enough for us. However thats not a fault of gitlab itself. they are good enough for the most things / projects.

I understand your issue, if you want to use GitLab with Jira as a small company the minimum subscription is for 10 people (slightly less than $400 per year). We think this is needed to provide good support. What features would you need in GitLab issues to make the switch from Jira.
Currently we provide our partners Jira access, however they need a simple way to create issue's without knowing everything about the codebase. Also we use Jira Agile, which is stunningly awesome and simple.

However we just use a half of JIRA's feature so providing a better way to define issue's for external without code access would definitly help. Also I'm looking forward to migrate away from stash / jira as soon as possible however we have a 3 year subscription which is now at it's half so we need another year to finally go to GitLab Enterprise.

Stash's feature is reliable performance and support.

Github.com goes down; Github Enterprise crawls on very large repositories. (Not everybody's, of course, but the bigger they come, the worse Github performs, and the more money the customer is worth.)

When you call Github support, a support engineer will tell you, "At Github, engineers work on projects that we find interesting. Github Enterprise doesn't get that much interest on our team."

When you call Atlassian support, they fix your problem.

they won't. maybe they only look at their bigger customers? ;)
I love google for this and many other ways the fight abuse of browser users. First, they removed CA, which produced a bad certificate, and now sf with their bundles.
I've seen a few differing reports on what SourceForge is doing. From what I gather so far:

1) Originally (a couple years back or so), they started (as an opt in from the project owners) bundling adware with the Windows versions of installers on selected projects.

2) Recently, SourceForge editors have taken over abandoned projects (i.e., projects that no longer use SourceForge as their primary distribution page, and haven't updated the project pages), and have replaced the installers for some of them with their adware-bundled installers.

3) A firestorm erupted over this, SF stated that they would back away from the adware (on taken-over pages -- it would still be present on projects with an agreement from the project owners).

4) They are still taking over abandoned projects and updating them.

Now my question -- for point (4), are they just updating the project download pages with the current versions, or are they still bundling their adware with the projects? Everything I've seen so far (after their "apology" post), it appears that they haven't done any new adware bundling, just taking over the projects. Is this the case? And if so, is the concern that they will slip in the adware in the future?

Because it is.
Damn machine learning software. :) Google needs to tune some of the parameters.
People always complain about the power that countries hold. Tech superpowers hold a lot more, and yet nobody elects or really regulates them.
Which "tech super power" has a military and nukes?
Terrible analogy.

Tech superpowers cannot coerce me through (direct) regulation or force.

Oh how the mighty have fallen