For many years, I've always used Slashdot to keep me in formed of "geek" news, and SourceForge for great open source software.
Since Slashdot and SourceForge are owned by the same parent company, I am now refusing to patronize either website, due to multiple incidents of SourceForge bundling malware with open source project downloads.
This all started approximately two years ago. Case in point, this bug ticket for FileZilla.
In May, SourceForge started distributing malware with GIMP, a popular image editor.
Finally, just a few days ago, SourceForge started hijacked nmap for possibly the same purpose, software which is popular in the security community - talk about a slap in the face.
With this most recent incident, no longer will I sit idle and let SourceForge infect unsuspecting people with malware. There are no excuses for this behavior, and anything SourceForge will say to justify this should be completely disregarded by the open source and security community.
As of today, I will recommend to my clients that they do not download any software from SourceForge, and recommend alternative news sites from Slashdot, such as Reddit.
If you have an open source project on SourceForge, now is the time to migrate to GitHub or other similar sites, and close your project on SourceForge.
Show SourceForge and Slashdot you will not stand for intentionally infecting people with malware.
No comments:
Post a Comment