Don't download software from SourceForge if you can help it

161 points by ub, almost 10 years ago

17 comments

gamache, almost 10 years ago
*In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.*

*This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.*

Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.
prajjwal, almost 10 years ago
*"In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No man is more dangerous. The deserter knows his life is forfeit if he is taken, so he will not flinch from any crime, no matter how vile."*

~ Ned Stark, A Game of Thrones.

I think that pathetic blog post where they tried to justify their actions made one thing clear - SourceForge knows how dead they are. No amount of internet outrage is going to help, they don't think they've got anything to lose at this point.

The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.

Also, start reporting these malicious pages to Google so they don't show up in search results. https://www.google.com/safebrowsing/report_badware/
bramgg, almost 10 years ago
I wonder how many people outraged here know YC funded a company that bundles malware with installers and continues to justify it publicly on HN.
god_bless_texas, almost 10 years ago
This makes me so mad and sad at the same time. For years, it would bring me immense pleasure to just browse projects on sourceforge to see what the world was up to. Now this is just another case of corporations ruining a good thing. I'm glad there are links to Filezilla and Gimp - two products I use frequently.
jimrandomh, almost 10 years ago
> Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

This is an error on Google's part. For everyone's sake, they need to apply some serious ranking penalties to malware distributing sites like SourceForge, as well as click-through warnings that you are going to a site other than the original authors'.
toyg, almost 10 years ago
I've tweeted someone close to the Pywin32 project (hosted on SF) asking to move it, but didn't get a reply. For long-established projects, it's not an easy migration. Please keep prodding any critical project you know of.
brokentone, almost 10 years ago
At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.
khaki54, almost 10 years ago
If you download from Sourceforge try unzipping the installer which will usually defeat the spyware installer that they have been bundling with it.
oblio, almost 10 years ago
So sad. Especially for Windows tons of valuable stuff is there, especially smaller utilities like DDMM and similar :(
zamalek, almost 10 years ago
Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/
icpmacdo, almost 10 years ago
Can someone provide a link to filezilla that's not through sourceforge? I just posted an Ask HN about this.
jarnix, almost 10 years ago
I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.
lioeters, almost 10 years ago
Just realized the double meaning of "forge" in SourceForge:

1) to form or make by concentrated effort

2) to imitate fraudulently; fabricate a forgery

They're certainly living up to definition #2..
Negative1, almost 10 years ago
tldr; don't download from SourceForge, it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.
dimino, almost 10 years ago
This is why we need some kind of trade organization -- the developers who wrote this stuff need to be kicked out, or disciplined in some way...
clean88clean88, almost 10 years ago
Is BOTH Sourceforge and Github -other-verted or per-verted? or sub-verted? The attack on the clean code-base continues.

Advice. Unix Linux - separate user. low privilege. configure, make, but make install with ROOT PRIVILEGE. check files.

all source code should have search engine keywords for vulnerabilities, updates, etc. for even BSD is somewhat broken, IMHO.

make it easier for the NOT C expert and ASM expert to install reasonably clean software, PLEASE.

Thank U. Thank U. Thank U. ... 1000 times
clean88clean88, almost 10 years ago
ARE BOTH Sourceforge and Github other-verted or perverted-like? What are the alternatives?

Thank you. Thank you. the attack on code repo and the infiltration of the clean database continues, perhaps.