Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Open Source SourceForge Software Technology

SourceForge Tightens Security With Malware Scans ( 84

Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the sites previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the sites most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.
This discussion has been archived. No new comments can be posted.

SourceForge Tightens Security With Malware Scans

Comments Filter:
  • by mhkohne ( 3854 ) on Tuesday May 17, 2016 @05:21PM (#52130359) Homepage

    Nicely done guys. Sourceforge had definitely gone down the toilet in my eyes. We'll see how it pans out going forward, but this can't hurt.

    • by ITRambo ( 1467509 ) on Tuesday May 17, 2016 @05:39PM (#52130453)
      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.
      • I wonder whether the use of proprietary client-side script [] is a "serious repair" under consideration. Reliance on proprietary client-side script gives SourceForge an F rating [] among free software project hosts that FSF reviewed, the same as that of GitHub.

      • by LesFerg ( 452838 )

        It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

        A good job? I was disappointed to see a large central ad on their downloads page, just last week, featuring the title "Start your download now" followed by a large green download button.

        While somebody familiar with their downloads page will recognize what that is, a less experienced person trying to download my app could make a serious mistake there. I thought somebody said they were going to clean up that kind of crap?

    • by Anonymous Coward

      Here here! Nice to see the changes happening at Sourceforge.

    • by Shoten ( 260439 )

      I can't believe they weren't doing this to begin with; it seems incredibly irresponsible to host a software repository in this day and age but not make sure that you're not distributing malware in the process.

      Another way that SourceForge Media is fixing broken things...way to go!

  • I must have missed something. Someone bought slashdot? For how much?
  • I'm glad to see the positive changes made by SF. I've always hoped they would come back around for the better. Maybe, with some luck, can come back too.

    • Maybe, with some luck, can come back too.

      Don't hold your breath on We removed its name from's header this morning.

      • Dang, I really liked that site too. Used to be _the_ place to go look if you wanted to find some software. Then they added themes and all that on there, it was great. It's a shame that freshmeat has faded away into obscurity. :(

  • by tlhIngan ( 30335 ) <slashdot@w o r f . n et> on Tuesday May 17, 2016 @05:39PM (#52130455)

    A lot of people abandoned SourceForge because they started bundling crap with all the installers. Does their scanner catch those as well, or are they going to blame the project owners for what SF did to their binaries?

    • by whipslash ( 4433507 ) Works for Slashdot on Tuesday May 17, 2016 @05:39PM (#52130459) Journal
      We got rid of those bundled installers shortly after purchasing SourceForge: []
      • by Anonymous Coward

        awesome :)

    • by LesFerg ( 452838 )

      A lot of people abandoned SourceForge because they started bundling crap with all the installers.

      No they did not. It was never done to all installers. Can't you even get your facts straight? The revenue related advertising and co-install bundling option was offered to project owners as an option. It was never forced on them. Sometime later on a bad decision was made to repackage projects which looked like they had been abandoned, but even that bad decision affected a relatively small number of projects, not all projects. Admittedly it was a bastardly thing to do to a previously trusted applicatio

  • by wbr1 ( 2538558 ) on Tuesday May 17, 2016 @06:09PM (#52130599)
    What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.
    • by dstyle5 ( 702493 )
      Although I did not have this option enabled, a comment on its demise would be appropriate. I can't find it anymore either.
    • What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

      Interesting. The last several weeks it wasn't working for me, but it started to do so again about maybe a week ago. It appears to be broken for some users then, and work for others, although pretty arbitrairly...

  • Ever wonder how so many backdoors and virus vectors (not to mention zero day exploits) got propagated into OSS code? Wonder whose scanning code they're using? =8-0

  • Does anyone have an example of a Sourceforge project that has malware in it, so we can see the warning notice first-hand?
  • A decade ago, I wrote a socks server and posted it to Sourceforge. It does exactly what it says it will do, and it was so good and convenient that malware authors found it to be a useful payload to drop on machines to get a backdoor into them. So then virus scanners flagged it as malware, and sourceforge trusts those, and then they deleted the current version of the binary. Now that page has big scary warnings about software that plainly does what it says with all the source there to prove it (see it for

  • So I just got a failure that makes me think that the problem isn't gone. To test out the new measures against Malware, I tried downloading PDFCreator. This is off the SourceForge pages, never visiting the project homepage to receive their malware riddled installer. The SourceForge link is a web-installer, so the thing that SourceForge can scan has no Malware embedded in it. But the .exe that the installer downloads does.

    Is there a process for notifying about bad actors? Will repeat offenders be perma

This process can check if this value is zero, and if it is, it does something child-like. -- Forbes Burkowski, CS 454, University of Washington