SourceForge Tightens Security With Malware Scans (fossforce.com)
Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site's previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the site's most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.
Certainly can't hurt (Score:5)
Nicely done guys. Sourceforge had definitely gone down the toilet in my eyes. We'll see how it pans out going forward, but this can't hurt.
Re:Certainly can't hurt (Score:4)
Proprietary script (Score:1)
I wonder whether the use of proprietary client-side script [gnu.org] is a "serious repair" under consideration. Reliance on proprietary client-side script gives SourceForge an F rating [gnu.org] among free software project hosts that FSF reviewed, the same as that of GitHub.
Re: (Score:2)
It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.
A good job? I was disappointed to see a large central ad on their downloads page, just last week, featuring the title "Start your download now" followed by a large green download button.
While somebody familiar with their downloads page will recognize what that is, a less experienced person trying to download my app could make a serious mistake there. I thought somebody said they were going to clean up that kind of crap?
Re: (Score:2)
Re: (Score:2)
I don't have real data, but anecdotally this "feels" accurate to me. (Very long-time /. reader so I've seen the ups and downs.)
I would say total story comment counts were quite low from autumn 2015 through winter 2016 but have risen this spring.
Easy to compare "today" (meaning each day) to prior years using the old side-bar widget that showed past high-comment stories on the same day. Recent years are dramatically lower than past years, but the trend appears to be going back up.
Perhaps some researchers coul
Re: (Score:3)
Re: (Score:2)
I've been thinking about what I'd like from a Github like service. Maybe we can share some ideas for Sourceforge to consider.
Apart from the obvious one (lower prices), maybe integration with other version control systems that aren't Git. A better system for releasing binaries and tagged versions. Better tools and easier access for non-programmers who want to contribute documentation. Imagine if we could get Wikipedia levels of participation for open source documentation.
Re: (Score:2)
Re: (Score:1)
Hear, hear! Nice to see the changes happening at Sourceforge.
Re: (Score:3)
I can't believe they weren't doing this to begin with; it seems incredibly irresponsible to host a software repository in this day and age but not make sure that you're not distributing malware in the process.
Another way that SourceForge Media is fixing broken things...way to go!
Re: (Score:3)
Re:Do not trust Sourceforge (Score:5, Informative)
Re: (Score:2)
To be fair, Azureus was great but Vuze is a piece of malware shit.
It might not even be related to Sourceforge.
Re: (Score:2)
The problem with a signed build system is what happens when malware is developed within Sourceforge? Upload the software, build it. Generate signed malware for installation. Sure Filezilla might have a l. But then what about the cert for SF.net/calculator?
Slashdot was sold? (Score:2)
Re:Slashdot was sold? (Score:5, Informative)
Re: (Score:2)
For enough that you have to shove advertising down our throats again. I have to say I'm totally thrilled with what Kelly said... Not sure who Kelly is, but it must be important.
Re:Slashdot was sold? (Score:4)
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
Thanks, your efforts are really appreciated.
Re: (Score:2)
There are most likely tripwires set up so that if the amount leaks, EVERYBODY that knows the number loses money.
Re: (Score:1)
Something that would be trivial to implement and only sourceforge.jp has (or had) is MD5 and SHA256 sums of the binaries.
Very often SF mirrors don't use HTTPS and usually I download the same executable from within 3 different networks in different countries to make sure nothing has been tampered with in transit.
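The checksum-and-mirror check the parent comment describes, as an added Python example that is not part of the thread: it parses a sha256sum-style manifest, verifies a downloaded file against it, and flags any mirror whose copy disagrees with the others. The file name, manifest and "mirror" byte strings are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List

# Constructed sample: the release as the project built it, and a copy
# with extra bytes appended in transit (stands in for a tampered mirror).
GOOD_BINARY = b"#!/bin/sh\necho 'hello from sf.net/calculator'\n"
TAMPERED_BINARY = GOOD_BINARY + b"# extra bytes not in the release\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(manifest: str) -> Dict[str, str]:
    """Parse a sha256sum-style manifest: '<hex digest>  <filename>' per line."""
    sums: Dict[str, str] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # sha256sum writes '*name' for binary mode; drop the marker.
        sums[name.lstrip("*")] = digest.lower()
    return sums

def verify(name: str, data: bytes, manifest: str) -> bool:
    """True only if the file is listed and its SHA-256 matches exactly."""
    expected = parse_sums(manifest).get(name)
    if expected is None:
        return False  # unlisted file: treat as unverified, not as OK
    return hmac.compare_digest(sha256_hex(data), expected)

def disagreeing_mirrors(copies: Dict[str, bytes]) -> List[str]:
    """Names of mirrors whose copy differs from the majority digest.

    This is the poster's 'download from three networks and compare' check;
    a tie falls to whichever digest was seen first, so use an odd count.
    """
    digests = {mirror: sha256_hex(data) for mirror, data in copies.items()}
    majority = Counter(digests.values()).most_common(1)[0][0]
    return sorted(m for m, h in digests.items() if h != majority)

# Constructed manifest, as a project might publish beside its release.
MANIFEST = f"{sha256_hex(GOOD_BINARY)}  calculator.sh\n"

if __name__ == "__main__":
    print("manifest ok:", verify("calculator.sh", GOOD_BINARY, MANIFEST))
    print("bad mirrors:", disagreeing_mirrors(
        {"mirror-a": GOOD_BINARY, "mirror-b": GOOD_BINARY, "mirror-c": TAMPERED_BINARY}))
```

Both checks only detect tampering in transit or on a mirror; a manifest served over plain HTTP from the same mirror can be rewritten along with the file, so the sums need to come from a separately trusted channel.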
Re: (Score:2, Offtopic)
Sale price was $2.8M
Good to see positive changes (Score:2)
I'm glad to see the positive changes made by SF. I've always hoped they would come back around for the better. Maybe, with some luck, freshmeat.net can come back too.
Re: (Score:1)
Maybe, with some luck, freshmeat.net can come back too.
Don't hold your breath on freshmeat.net. We removed its name from slashdotmedia.com's header this morning.
Re: (Score:1)
Dang, I really liked that site too. Used to be _the_ place to go look if you wanted to find some software. Then they added themes and all that on there, it was great. It's a shame that freshmeat has faded away into obscurity. :(
What about SF's own crap? (Score:3)
A lot of people abandoned SourceForge because they started bundling crap with all the installers. Does their scanner catch those as well, or are they going to blame the project owners for what SF did to their binaries?
Re:What about SF's own crap? (Score:5, Informative)
Re: What about SF's own crap? (Score:1)
awesome :)
Re: (Score:2)
Re: (Score:2)
Ads with "Download" buttons in them have been eliminated from the site.
No they have not. I saw a large "Start your download now" ad, with large green download button, top center of the download page just last week. I was very disappointed.
Re: (Score:2)
Re: (Score:2)
A lot of people abandoned SourceForge because they started bundling crap with all the installers.
No they did not. It was never done to all installers. Can't you even get your facts straight? The revenue related advertising and co-install bundling option was offered to project owners as an option. It was never forced on them. Sometime later on a bad decision was made to repackage projects which looked like they had been abandoned, but even that bad decision affected a relatively small number of projects, not all projects. Admittedly it was a bastardly thing to do to a previously trusted applicatio
Applause required, but (Score:3)
Re: (Score:2)
Re: (Score:2)
What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.
Interesting. The last several weeks it wasn't working for me, but it started to do so again maybe a week ago. It appears to be broken for some users then, and to work for others, although pretty arbitrarily...
Re: (Score:2)
Re: (Score:1)
Have been using it for years, hope they are not going down the tubes.
Does anyone have any suggestions for a linux based alternative to filezilla?
Re: (Score:2)
Re: (Score:2)
Thanks for the info, great to see you are trying to turn SourceForge around.
Re: (Score:2)
Re: (Score:2)
You should be able to pull a "clean" version from your distro repos. That's how it works with Fedora.
About freakin' time (Score:2)
Ever wonder how so many backdoors and virus vectors (not to mention zero day exploits) got propagated into OSS code? Wonder whose scanning code they're using? =8-0
Re:About freakin' time (Score:5, Informative)
Example? (Score:2)
Re: (Score:2)
Re: (Score:2)
Sigh... (Score:1)
A decade ago, I wrote a socks server and posted it to Sourceforge. It does exactly what it says it will do, and it was so good and convenient that malware authors found it to be a useful payload to drop on machines to get a backdoor into them. So then virus scanners flagged it as malware, and sourceforge trusts those, and then they deleted the current version of the binary. Now that page has big scary warnings about software that plainly does what it says with all the source there to prove it (see it for
Re: (Score:2)
Re: (Score:2)
PDF Creator still probably in violation (Score:2)
Is there a process for notifying about bad actors? Will repeat offenders be perma