Homeless in Vancouver: Why the SourceForge website is dead to me

Today (August 9) I clicked on a link to the once-great SourceForge website and my Pale Moon browser kicked up an alert declaring that the Mozilla add-on uBlock Origin has prevented the page from loading because it contained blacklisted code, namely:

||sourceforge.net^$other

The link I clicked on was contained in a post from the University of South Wales security and privacy blog (which I have followed for years), about using Ophcrack, yet another Windows XP password cracker. Ophcrack is a free open source program hosted on the SourceForge website.

Turns out that uBlock Origin isn’t blocking code so much as blocking the SourceForge website itself—something it’s been doing since at least June 24! And I guess I can’t blame it; I haven’t gone near the website for months.

Free download sites certainly feel free to deceive you

Back in March 2015, SourceForge was caught stealthily distributing a malware browser hijacker called Blinkiland, which was designed to be almost impossible for ordinary Windows users to remove.

Blinkiland was hidden in downloads of the Windows version of the popular and respected open source FTP management program called Filezilla (which I’ve used for years).

While attentive users at least have the opportunity to opt out of the crapware piggybacked on downloads of Adobe Flash Player and Oracle’s Java, there was no warning that Fillazilla came bundled with Blinkiland and once it was installed in Windows, Blinkiland could not be uninstalled without going into the Windows registry!

And you couldn’t exactly blame the makers of Filezilla; it was SourceForge that was doing the bundling at the installer level—just like CNET’s Download-dot-com installer (which uBlock also intercepts and which CNET users have a choice to avoid).

There was a bit of an uproar and Blinkiland was removed from the SourceForge installer in late March.

But, as HowToGeeks explained in June, deceptively bundling crapware with legitimate software has become the SourceForge business model, at least since Dice Holdings bought the website in 2012.

The broken promise of SourceForge (not to mention Web 2.0)

SourceForge was created back in 1999 by Slashdot to be a banner-ad-funded website repository for free open source software (FOSS)—this was in the days when proponents of "Web 2.0" said that such large commercial sites would be to the greater good of the free Internet (how did we ever believe that?).

To be fair, it seemed to work for many years. SourceForge grew and grew to become a hugely trusted “store front” of free open source software, reliably hosting hundreds of thousands of quality FOSS projects. It was where you went, both to window shop for FOSS versions of tools that you needed and to get the freshest builds of the FOSS ware that you already used.

Then in 2012 Dice Holdings bought SourceForge and moved the website from a business model of banner ads to bundleware.

In 2013 SourceForge offered FOSS projects the chance to use a new download method called ”DevShare” in which makers of crapware would pay SourceForge/Dice Holdings to piggyback their shit on downloads of legitimate FOSS software, like Filezilla and GIMP; in turn, Dice would cut the FOSS developers a piece of the profits.

Two years later, I’m not even sure if developers can opt-out of using DevShare to distribute their software via SourceForge.

Github is now meant to be the preferred central repository of free open source software (FOSS) but name recognition and sheer momentum keeps SourceForge going; that and the fact that GitHub seems to be designed more to be understood and used by software developers than users.

According to the web-ranking company Alexa, GitHit is now the second most popular open-source website behind Wikipedia but SourceForge is still number four, behind Mozilla, the makers of Firefox.

But people should understand that behind its famous and respected name, SourceForge has fallen to become just another deceptive free download site at the deliberate expense of its users; so infected with greed that it will knowingly distribute malware in order to make a buck.