Warning: Don’t Download Software From SourceForge If You Can Help It

“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.

Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.

Yes, SourceForge Is One of the Bad Download Websites

Yes, Every Freeware Download Site is Serving Crapware (Here’s the Proof)

When we wrote about what happens when you install the top ten apps from CNET Downloads, about half of the… [Read Article]

SourceForge built up a lot of goodwill in the past, being a centralized place for downloading open-source software and hosting software repositories. Over the years, more projects have moved to other repository-hosting services like GitHub.

In 2012, Dice Holdings purchased SourceForge (and Slashdot) from Geeknet. In 2013, SourceForge enabled a feature named “DevShare.” DevShare is an opt-in feature developers can enable for their own projects. If a developer enables this feature, you’ll download their software from SourceForge to find that it’s been wrapped in SourceForge’s own installer, which pushes intrusive junkware onto your system. SourceForge and developers make money by foisting this software on you, just as practically every other download site and freeware distributor does on Windows.

DevShare does require a project owner “opt in” to enable this feature on their project, although they’re now hosting a variety of projects bundled with junkware against the wishes of their developers.

Some projects have chosen to jump onboard the DevShare train on their own, and that’s their own choice. FIleZilla was an early participant, and FileZilla’s developer responded to concerns:

“This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”

Chrome blocked us from downloading FileZilla from SourceForge’s website, warning that it “may harm your browsing experience.”

SourceForge and GIMP


Why We Hate Recommending Software Downloads To Our Readers
Windows software downloads are a mess. Many programs try to drag adware and other malicious junk onto your computer. Even… [Read Article]

GIMP is a popular open-source image editor — it’s basically the open-source community’s answer to Photoshop. In 2013, GIMP’s developers pulled the GIMP Windows downloads from SourceForge. SourceForge was full of misleading advertisements masquerading as “Download” buttons — something that’s a problem all over the web. SourceForge then rolled out its own Windows installer filled with junkware, and that was the straw that broke the camel’s back. In response, the GIMP project abandoned SourceForge and began hosting their downloads elsewhere.

In 2015, SourceForge pushed back. Considering the old GIMP account on SourceForge “abandoned,” they took control over it, locking out the original maintainer. They then put GIMP downloads back up on SourceForge, wrapped in SourceForge’s own junkware-filled installer. If you’re downloading GIMP from SourceForge, you’re getting a version filled with junkware, one that GIMP’s developers don’t want you to use. SourceForge says they’re providing a valuable service to people looking to download open-source software, but GIMP’s developers strongly disagree.

Update: After a lot of negative press, SourceForge has changed their stance. “At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer,” SourceForge wrote in a statement. Given their past actions and the “at this time” wording in their statement, we’d recommend you steer clear of SourceForge anyway. They no longer deserve the trust of the open-source community.

It’s Not Just the GIMP

Other developers didn’t actually choose to enable DevShare. GIMP is currently listed as “brought to you by: sf-editor1″ on SourceForge. Click through to sf-editor1’s list of projects and you’ll see quite a few projects hosted by SourceForge itself, from Audacity and OpenOffice to Firefox.

Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

Although SourceForge may no longer be bundling these applications with junkware for the moment, the SourceForge website is still full of misleading advertisements that point you to installers full of junkware.

Avoid SourceForge Downloads


Mac OS X Isn’t Safe Anymore: The Crapware / Malware Epidemic Has Begun
OS X users like to make fun of Windows users as the only ones that have a malware problem. But that’s… [Read Article]

Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.

Or, better yet, skip all the usual downloading and install the most useful applications using Ninite. Ninite is the only safe centralized Windows freeware download site we’ve found.

If you do have to download from SourceForge, be careful to avoid the downloads that include the SourceForge installer. Go out of your way to grab the direct downloads instead.

And, by the way, SourceForge is now bundling junkware with their Mac downloads too — just like Download.com and other websites. Even Mac users aren’t safe, although we haven’t seen DevShare extended to Linux PCs just yet. Everyone should avoid SourceForge downloads, whether you’re running Windows or not.

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Add a Comment