GIMP-Win project wasn’t hijacked, just abandoned

228 points by chris-at almost 10 years ago

41 comments

scrollaway almost 10 years ago
There is zero excuse for what they did, and zero excuse for what they have been doing for the past years.

Once again reposting what I said in the other thread (which seems to have been modded off the frontpage, sad).

I'm one of the lead devs of LXQt and an LXDE sysadmin. We use Sourceforge for our mailing lists and some LXDE legacy stuff.

I'm absolutely sick of them. It's not the first time this has happened. I've been pushing for us to move off SF for a while and this is a good occasion to push for it harder.

I've sent an email [1] detailing plans to move. I am urging everyone who still has projects on Sourceforge to do the same.

If you have similar migration problems to solve as the ones I've highlighted in the email, please contact me directly and we can share the workload. My email is available on my Github profile [2].

[1] http://sourceforge.net/p/lxde/mailman/message/34148903/
[2] https://github.com/jleclanche

baldfat almost 10 years ago
This makes me even more angry at SourceForge and not less.

1) There is nothing clear and open about the project being abandoned by the author

2) The author left SourceForge due to their business practices and this allows SourceForge to take over the repos and continue making money?

3) Is SourceForge just going to maintain any project that leaves them and makes a mirror?

The sad state of Download.com and SourceForge keeps getting grimmer and grimmer.

simosx almost 10 years ago
Sourceforge took over more than 300 dormant projects.

Here is the list,
http://sourceforge.net/u/sf-editor1/profile/
http://sourceforge.net/u/sf-editor2/profile/
http://sourceforge.net/u/sf-editor3/profile/

ww520 almost 10 years ago
The GIMP developer has asked SourceForge to remove the installer. Guess they just ignore him.

https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html

abulman almost 10 years ago
Whenever a download link (and more often than not, for me, it's usually for a server-based tool) goes to Sourceforge, I cringe - more than a little. For Linux based tools, it's because a simple 'wget' for a file is going to end up with a complex filename that I have to rename. This, at least, is a simple problem for me to fix.

For desktop software, I'm more concerned after hearing of projects being wrapped in Adware/malware. This is a particular problem on sites like http://download.cnet.com. I've been online since at least 1996, and those sites used to be great to be able to find useful software. Now, I prefer to not install much new software, in order to keep a stable desktop (and it does work - I've only had to wipe my desktop and install Windows from scratch once or twice in my entire online career, I get new PCs more often).

I've even seen jobs posted on some sites to work on open-source code - but then the project is hosted on sourceforge.net, and so it is using Subversion for version control. While I may be expert on the underlying technologies that particular project used (and the language) - it's not something that would ever convince me to help them - not even while being well paid (and working remotely, which is what I'm aiming to do from now on).

SwellJoe almost 10 years ago
So, this is a reminder (and a very harsh one) that trusting third parties with your projects *may* be a risky decision. I see many people suggesting moving off of SourceForge to Github. While we moved most of our stuff to github years ago, and I like github and have no major complaints about them today, I'm having doubts about the wisdom of staying on any third party hosting site, no matter how nice they seem today.

Let's put this in context: SourceForge was once (this was many, many years ago) a deeply trustworthy entity. They were *excellent* stewards of Open Source projects. They consistently took guidance from the community, and wouldn't have chosen profits over users or projects (though, certainly, they've profited).

Markets change, leadership changes, acquisitions happen. One day, we may not recognize github as the entity we know today, just as we don't recognize the entity that SourceForge has become.

I'm not saying don't move to github. Obviously, nobody should be starting new projects on SourceForge and github is one of the better third party alternatives. But, it may be worth thinking about what happens when we as an Open Source community build up another SF.net like entity. A central repository for all the most popular Open Source software, controlled by one profit-driven corporation.

Maybe it was worth the tradeoff. Maybe SourceForge provided enough value over the years to where it's not worth belly-aching about having to rebuild our communities around new tools (maybe even another third party tool), and to educate users that SourceForge is now an untrustworthy provider that should be avoided. Maybe we have to just mourn the loss of a once great supporter of Open Source software and move on to another that will likely, someday, also turn its back on Open Source values in pursuit of profits.

I hate trash-talking SourceForge so harshly, as projects I've been involved in have been well-served by SF.net in the past (and even now, we're pushing out terabytes of downloads through their mirrors, even though we've moved our revision control to github long ago). But, the company as it exists today is nothing like what it once was. I must assume none of the original founders remain given how far this strays from the original vision of the thing, and certainly it's been through multiple acquisitions and leadership changes. Maybe I shouldn't feel so bad about it...maybe the SourceForge I knew has been dead for years, and I just didn't notice as it's taken a while to start to smell.

epaga almost 10 years ago
The whole blog post can be summarised in the one sentence "Mirrored projects are sometimes used to deliver easy-to-decline third-party offers."

Makes me pretty sad since I still remember the days when SourceForge was one of the good guys.

nothrabannosir almost 10 years ago
They show their true colors in the last paragraph:

*We welcome further discussion about how SourceForge can best serve the GIMP-Win author.*

Just stop. How disingenuous can you be? What a disgrace.

Do we really need to go there? Ok, how about: "completely suspend and remove the project, and don't let the name be reclaimed."

Source Forge is trying to convince us they never thought of that. Really? Give me a break. You knew. You just don't care. Fine, you don't. But don't try to play that off as ignorance. "Oh, yeah, please enlighten us with further discussion!" Get out of here, stop wasting our time.

They could just as well have done away with the blog post and put up an image of a giant middle finger, instead. At least that would have been honest.

neomech almost 10 years ago
I moved my project to github after one of their "enticing" offers installed a vpn client that redirected all my traffic and inserted ads into my browsing, when I installed filezilla. The installer they add is designed to make it very easy to install their "offers" without your realising it. I'm very wary of any code on sf now.

helb almost 10 years ago
So in fact it was hijacked… by SF.

My employer runs a sourceforge mirror – I am going to start some discussion if we can turn it off.

Also, old HN post on "what happened to Sourceforge": https://news.ycombinator.com/item?id=6700115

bill_from_tampa almost 10 years ago
In all fairness, the page for gimp-win on sourceforge clearly states it is a mirror of a project that is no longer distributed by the upstream author through sourceforge --

"Hey, this isn't a SourceForge project! Check out the SourceForge Open Source Mirror Directory for more information." -> this links to a page that explains in detail what you are getting.

I don't have a windows installation handy so I can't 'test' the SF installer to see if the adware or add-on programs are easy to identify and accept or refuse -- has anybody tried that?

Xylemon almost 10 years ago
I've heard about how SF has been in some financial trouble, but isn't all this adware nonsense just going to hurt them more in the end? Surely some crowdfunding option could've been more of a viable effort...

ntakasaki almost 10 years ago
Dice Holdings also bought Slashdot, and now there are things that look out of place, like the Kate Upton ad for God of War, Slashdot Deals [1], and annoying ads as tweets on the twitter account which made me unfollow.

[1] https://deals.slashdot.org/?utm_source=slashdot&utm_medium=navbar&utm_campaign=dealshp_1

Would be interesting to see if Slashdot posts this story.

zak_mc_kracken almost 10 years ago
That is some crazy amount of spin. SourceForge started their path down the scummy side a while ago but this is really taking it to a new level.

You'd think that if they really cared, they would back pedal on what they did, but no, instead, they double down by trying to justify what they did and "welcoming further discussions".

Also, this:

> deliver easy-to-decline third-party offers

How about delivering third-party offers that users need to opt in instead?

Terrible, terrible company and organization.

r721 almost 10 years ago
> Mirrored projects are sometimes used to deliver easy-to-decline third-party offers

It's as if they know the majority of experienced users would decline those "enticing" offers.

StavrosK almost 10 years ago
So what they did was take an abandoned project, add their adware installer and release it?

fixermark almost 10 years ago
tl;dr "Hey, it's not our fault that we adopted policies so offensive to the project maintainer that they utterly washed their hands of us, but the license of GIMP basically prevents them from preventing us from distributing the software inside of our third-party shovelware bundle..."

Good job SourceForge. A++ would never download anything from again.

Lawtonfogle almost 10 years ago
Why don't they (SourceForge but also all the other software vendors out there, even Oracle with the Java and Ask.com bundling) just have it so it automatically installs all the crapware instead of asking you? Last I checked, it was because this would get them treated as outright malicious. I suggest that we consider such offers where the default option is to install them to be considered as malicious as installing them without asking.

moron4hire almost 10 years ago
>> Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available.

So in other words, GIMP-Win was hijacked, just not by a 3rd party.

_lce0 almost 10 years ago
Let's take action and report the website so browsers warn users once they try to navigate to the page.

https://www.stopbadware.org/

Please report the entire website, not just some project. They had distributed enough malware already.

codazoda almost 10 years ago
"Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available."

Well, there's your problem.

dilap almost 10 years ago
Wow, it's not clear *at all* that the SF page is a "mirror" of the official project, and for now it remains the first google result.

What assholes.

JimmaDaRustla almost 10 years ago
Source Forge has been doing this for a while now, not just gimp.

Pretty sure I downloaded Synergy and it deceivingly downloaded a common installer which was small and installed adware as it downloaded the proper executable which you desired to download in the first place

proactivesvcs almost 10 years ago
I'm sure we only hear about "easy to decline/opt-out/remove" software when it is something nobody ever wants. If the first feature of your software is that it's easy to decline, maybe it's time to pack up shop.

thebouv almost 10 years ago
I have good memories of SF being the hub of OSS back in the day. I was particularly fond of how projects could actively post types of people they were looking for (artists, doc writers, etc) instead of just relying on being stumbled upon and/or just listing an issue.

However, recently, I cringe if I somehow end up at an SF link. Feels like I'm on the wrong side of the Internet and that I can't trust any downloads from them.

chris-at almost 10 years ago
> Based on our prior outreach to the GIMP-Win author, we understand that they had concerns about the presence of misleading third-party ads on SourceForge. They were not alone in those concerns — we were also concerned — leading us to establish a program to enable users and developers to help us remove misleading and confusing ads.

right.

m_mueller almost 10 years ago
Isn't this a problem with overly permissive licences used in most OSS? AFAIK there is nothing stopping any commercial entity to just resell you OSS as-is (in case of GPL they just have to link to sources as well). There's also nothing stopping them from putting ad- and malware in, correct? IMO it might be a good idea to put some limits into OSS licences - even if most projects wouldn't have the means for litigation, at least it would give pause to some legal departments of such companies trying to abuse OSS. I'd also advocate to have a standard license similar to creative commons for non-commercial use. Why not adding some semi-enforced sponsorship element into OSS projects that are heavily used commercially?

worklogin almost 10 years ago
I also notice this isn't covered by Slashdot, who is owned by DHI, who owns Sourceforge.

qrmn almost 10 years ago
100% scummy. Question is, what do we do about it?

I wonder... Is bundling adware installers with GPL software a violation of the GPL? (If not, *should* it be? v2?/v3?) Where's the installer's source? It wraps it in one linked executable file and presents itself as an installer for it, so I am not clear that any "mere aggregation" defence would hold?

There's also a reasonable argument that this brings the official project into disrepute: The GIMP may not be trademarked, but would it have to be?

Firefox, of course, *is* trademarked. I dearly hope they've never wrapped Firefox installers with adware, because Mozilla would not like that.

owly almost 10 years ago
Sourceforge has been dead to me for a while now. I think it started with FileZilla.

DanBC almost 10 years ago
Gimp should just push an update that has a "Stop using Sourceforge" splash screen and see if Sourceforge distributes that new version.

It's a shame. Sourceforge used to be really good.

helb almost 10 years ago
http://helb.github.io/goodbye-sourceforge/

notwhereyouare almost 10 years ago
Given that the author hasn't given them permission to distribute GIMP, much less a modified installer of GIMP, can he send a DMCA to them?

fithisux almost 10 years ago
It is a pity because I use SF often. I think that the problems could be solved if we could use something like pkgsrc on Windows.

Unfortunately this is not a reality or an option but it would be a good alternative.

Msys2 project gives a few of these apps as binaries. But it would be more user friendly if we could just download from a source repository and compile locally on windows.

Pxtl almost 10 years ago
So they take the code from a 3rd party, compile it into an installer with malware bolted on, and reap the profits from the malware.

Yeah, hijacked.

aikah almost 10 years ago
Question: what are the alternative solutions to distribute Windows binaries freely, without adware like sf or download.com? github used to allow binary distribution but not anymore, and I don't feel like tags are a good way to do that.

u04f061 almost 10 years ago
They are doing something with GIMP what they did to VLC.

fapjacks almost 10 years ago
Fuck SourceForge. The people that bought it blew it.

nodata almost 10 years ago
Bye sourceforge!

kjs3 almost 10 years ago
I think I've recommended sourceforge.net be added to the webfilter global block list at every client I've worked with in the last 5 years. Once I pointed out the risk of their drive-by download strategy, no one has said no, and very rarely has an end-user complained (something almost always remedied by finding a legitimate download site for them).

userbinator almost 10 years ago
Personally, I see this as one of the natural consequences of permissively-licensed software, and the freedom of being able to obtain such from the open Internet. This is a feature, not a bug.

If you want something with more security guarantees, then use the walled-garden app stores. It reduces your chances of getting malware, but also reduces the choices available to you.

Whether or not people like what SF is doing does not change the fact that it is legal under the GPL. I hate adware myself, but if someone chooses to distribute it legally, then I respect their freedom to... and the only thing I would do is tell the users so they can make an informed decision. The official GIMP site has made a notice about this already.

As long as computing platforms exist which allow users to install any software, from anywhere they choose, they will eventually install something they don't want (and even in walled-garden app store environments they still manage to.)

Something to think about: "Freedom is not worth having if it does not include the freedom to make mistakes."