Become a fan of Slashdot on Facebook


Forgot your password?
SourceForge Advertising The Gimp

SourceForge and GIMP [Updated] 384

New submitter tresf writes: In response to a Google+ post from the Gimp project claiming that "[Sourceforge] is now distributing an ads-enabled installer of GIMP," Sourceforge had this response: "In cases where a project is no longer actively being maintained, SourceForge has in some cases established a mirror of releases that are hosted elsewhere. This was done for GIMP-Win.

Submitter's note: Gimp is actively being maintained and the definition of "mirror" is quite misleading here as a modified binary is no longer a verbatim copy. Download statistics for Gimp on Windows show SourceForge as offering over 1,000 downloads per day of the Gimp software.

In an official response to this incident, the official Gimp project team reminds users to use official download methods. Slashdotters may remember the last time news like this surfaced (2013) when the Gimp team decided to move downloads from SourceForge to their own FTP service. "Therefore, we remind you again that GIMP only provides builds for Windows via its official Downloads page." Note: SourceForge and Slashdot share a corporate parent.
Editor's note: I just got back from a busy weekend to see that a bunch of people are freaking out that we're "burying" this story, so here it is. Go hog wild. Sorry it took so long. (And for future reference, user submissions are easily found in the firehose, listed in the order they appear, newest first.)

Update: 06/01 22:37 GMT by T : The SourceForge blog has a welcome update; SourceForge, it says, has effective today "stopped presenting third party offers for unmaintained SourceForge projects. ... At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."
This discussion has been archived. No new comments can be posted.

SourceForge and GIMP [Updated]

Comments Filter:
  • by NotDrWho ( 3543773 ) on Monday June 01, 2015 @08:44AM (#49813821)

    I remember seeing a submission on this early last week.

    • by weilawei ( 897823 ) on Monday June 01, 2015 @08:48AM (#49813845) Homepage

      I am also pleased that they've finally posted it, but still seriously miffed that it took this long.

      • by Kunedog ( 1033226 ) on Monday June 01, 2015 @09:01AM (#49813923)
        Anyone buying the "busy weekend" excuse? Can't say I am, since the story broke near the middle of last week, and we've seen /. willfully ignore the community so many times. Look at the amount of pushback it took to defeat Beta and Bennet Hasselton.

        Wonder if they'll ever drop the anti-Gamergate narrative too (probably not, since they have most of the tech media circling wagons with them on the pro-corruption side)?
        • by 0100010001010011 ( 652467 ) on Monday June 01, 2015 @09:28AM (#49814101)

          It's just the Nth 'eternal September'.

          It's also happening to Little Registry Cleaner []. If you don't read every dialog box very, very carefully you end up with crapware (look at the reviews []).

          The tail end of GenX/Initial GenYs that originally ran Slashdot have moved on with their lives. They sold out (no problem with that, I would have too). Dice put a bunch of kids that grew up on Reddit in charge so you see Slashdot trying to mirror Reddit's content, 'messege', tone & look and it's showing to old hat /.ers.

          If anyone is bored and looking for a place to lure my 30s year old self. Redo slashdot, allow markdown, bbedit, html, LaTeX.. editing. Keep the -2 to +5 moderation system because it limits band-wagoning and group think. Now that everyone can have an opinion it shows. I used to revel in the days that little 19 year old me was bestowed with 5 points to vote with (and tried to ration them accordingly).

          Design a proper responsive layout (It was not Beta) and keep it about tech

          I'm looking for a good place to discuss stuff that is relevant to me like Slashdot used to be. Reddit is good for certain things. Long drawn out posts with actual information isn't one of them. Everyone wants a tl;dr:.

          [And this message took longer to type than one in Markdown because HTML is pretty slow now that I use markdown for everything, blog and all. Not that I don't know but ** is easier, ~~~~, ]

          • by bill_mcgonigle ( 4333 ) * on Monday June 01, 2015 @10:03AM (#49814347) Homepage Journal

            If anyone is bored and looking for a place to lure my 30s year old self. Redo slashdot, allow markdown, bbedit, html, LaTeX.. editing.

            If this is where your interests are, Soylent [] has forked an re-opened Slash, so people can contribute to it. There's been tremendous cleanup/ and some refactoring, to make Slash a more sane/maintainable project.

            They're very picky on submissions, though, so the variety and community aspects aren't what Slashdot is.

          • by ideonexus ( 1257332 ) on Monday June 01, 2015 @10:03AM (#49814349) Homepage Journal

            The adware bundling is also happening with Filezilla [] now too. I recently downloaded the FTP program to my computer at work and it set off a bunch of virus alerts with our system engineers. It was very embarrassing, but the engineers said they fell for it too.

            The worst part is that there is no opt-out option in the installation process. By downloading the version of the package with the adware, you are agreeing to install the viruses. I eventually found a clean install of Filezilla on Sourceforge, but it's not obvious.

            Google needs to flag Sourceforge as a malware site for these shenanigans.

        • by TWX ( 665546 )
          Maybe they all came to Phoenix ComiCon last week and this weekend and were too busy staring at attractive women in their costumes to care about what happens in the digital world...
        • by AmiMoJo ( 196126 ) <> on Monday June 01, 2015 @10:02AM (#49814339) Homepage Journal

          Look at the amount of pushback it took to defeat Beta and Bennet Hasselton.

          I was actually quite surprised at how responsive the owners have been on those two issues. They clearly invested a lot of money and time into beta, and I dread to think what kind of favours Bennet was offering, but in the end they listened to us. I really didn't think it would happen, I expected beta to become the only option and my beloved (in an abusive partner kind of way) Slashdot die a slow and painful death.

          So kudos for listening. And yeah, I can buy the weekend excuse. Come on, this is Slashdot, the "editors" seem barely literate at times and can't remember posting the same story a mere 24 hours previously. Never attribute to malice what can be adequately explained by incompetence.

          • So kudos for listening.

            They didn't listen. They were ground into submission by an angry mob who were wreaking the very project they were defending. I mean this in a good way. It was a high-impact revolt that was sure to get noticed and forced the hand of the site owners by making it very clear that a) the existing customers cared little for their shit, and b) that new potential customers ended up at a news aggregating site where all comments are filled with hate for the very site they were on.

            It's not kudos for listening. Just be

    • I saw several submissions, and frankly, not one of them was decent journalism. I voted them down.

      Copying a juicy bit from the article and saying "Link to original source" is not a summary.

    • I remember seeing pretty much this same story last week on slashdot!?

      is it an update to the story or is it a dupe?

      • Re:dupe or new info? (Score:5, Informative)

        by RavenLrD20k ( 311488 ) on Monday June 01, 2015 @10:47AM (#49814639) Journal
        It never posted to the front page, but several people made postings about this to the Firehose and when it was seemingly ignored for several days after many up-votes, /. users started hijacking threads (in many cases thwarting the "first post" trolls) as their method of recourse to bring attention to the general user-base that there was an FOSS story of relative importance that was not being put on the front page. This didn't look too good on the eds since it was a negative piece about SourceForge which led to the hijackers making claims of conspiracy and censorship on the part of /. and Dice. I have to admit, Soulskill may have been on vacation, but someone was running the wheels of /. since Wednesday and making a popular post in the Firehose disappear...multiple times.
    • What was the problem? Was it the bandwidth costs? AFAIK most of the files you can download from SourceForge are actually not served by SourceForge itself but by mirrors. So those guys are shouldering the brunt of the costs not you. By doing something like this I would not be surprised if some of the mirrors decided they do not want to work with you anymore.

      If you wanted the extra revenue by bundling ads with applications you should have done this explicitly with a prior public notification of this being don

  • by Chrisq ( 894406 ) on Monday June 01, 2015 @08:47AM (#49813841)
    Interfere with slashdot posts?
  • by rmdingler ( 1955220 ) on Monday June 01, 2015 @08:50AM (#49813859) Journal
    Issuing an opinion on something the umbrella corporation did that you may have no control over would be a solid follow up.
    • by Luxemburg ( 890431 ) on Monday June 01, 2015 @08:57AM (#49813895)

      Additionally, offering such a weak*) excuse for sitting on this story (apparently) for a week actually rings all my alarm bells. Please slashdot editors, explicitly deny (or confirm) there has been any kind of pressure influencing your treatment of this topic.

      *) Weak to react to it cynically, dismissively, the editor just had a busy weekend, and how dare the readers ever even imagine there might be some sort of hesitation on your part for not publishing this article promptly. After all, it's only a very grave accusation to a service run by the same company for the same audience.

      • by Soulskill ( 1459 ) Works for Slashdot on Monday June 01, 2015 @09:04AM (#49813935)

        There's been no pressure influencing my treatment of this topic.

        The main reason it's late is that we were asking some questions internally so we could put up a more informative post on the subject. Unfortunately, communications were slow. Rather than keep waiting, I just put up the most accurate submission we've gotten. (May or may not still happen later.)

        • by Anonymous Coward on Monday June 01, 2015 @09:14AM (#49813977)

          Then why the hell did you blame a busy weekend to start? Smells like BS to me.

        • by sinij ( 911942 )
          While I didn't find DICE response satisfactory (they should rend garments and ash their heads), I appreciated its inclusion. It would have been great follow-up story to original "This just in!" story. Keep in mind, /. is not stale news for nerds for the most part.
        • Then it sounds to me that we have a case of the "left hand" not having a clue what the "right hand" is doing.. vis a vis the Dice/Slashdot crew and the Dice/ Sourceforge crew... Is that about it??

          • by Soulskill ( 1459 ) Works for Slashdot

            I suppose you could put it that way. Slashdot and SourceForge have been under the same roof for a long time, but they've always been separate entities. I have no interaction with the SourceForge folks on a daily basis.

        • by tresf ( 4129953 ) on Monday June 01, 2015 @10:16AM (#49814437)
          Thanks for posting it, @Soulskill. Better late than never. I'll support you a bit in saying that the readers are focusing on the wrong point. It is the FOSS malware bundling which is the real issue here. The misrepresentation of a product against the author's/community's will is THE issue. Stop trolling the journalist, he's not the one installing malware on your computer, SF is.

          Offering a great product for free should be good enough to drive the traffic and ad revenue that SF needs. Taking a sh** on these great projects does nothing but alienate SF from the very community that helped it gain notoriety in the first place. Sure this is old news, but 1,000 malware installations a day aren't old news. 1,000 malware installations a day should be criminal.

          Coincidentally -- the day after posting this article -- a colleague of mine made a similar mistake of installing OpenOffice from a high-ranking search result and is now dealing with the consequences. Long term, I'm not sure how we fix these bait-and-switch problems, but @Soulskill getting the word out is a good start.

          On a personal note... I manage the downloads for a QT-based project known as LMMS [] and we too feared the day that our installers would be compromized. In anticipation of this, LMMS has moved everything off of SF hosting. This took almost a year as it included forums, downloads, bug tracker, et al. We we very fortunate to get corporate sponsoring [], but not all projects have success in this regard.

          On a personal-side-note, I'd like to add that I've been happy enough with the services over at GitHub that I've chosen them for some of non-free projects (private, paid repositories). Is this not how revenue **should** be generated? Should the exchange of good, honest services for cash not be the norm? Should preying on the innocent and invading privacy, installing viruses for those that would least suspect it NOT be ostracized? SF has become a predator against the unsuspecting.
        • How is it possible that you got blind-sided by this story? For a company with media holdings Dice sure does a lousy job of handling public relations. It's not like slashdot is the first publisher to have a conflict of interest involving it's parent company. The smart thing would have been to simply disclose up front the fact that slashdot's parent company owns sourceforge.
      • by rmdingler ( 1955220 ) on Monday June 01, 2015 @09:19AM (#49814023) Journal

        /. being slower than everyone else to report on a story.

        That is suspicious.

  • by sinij ( 911942 ) on Monday June 01, 2015 @08:51AM (#49813865)
    This behavior should get SourceForge blacklisted as both cyber-squatters and adware, possibly malware vendor.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      This is why nobody uses sourceforge anymore. Years old versions of projects or look alikes of projects distributing malware.

      So yeah...use anything BUT sourceforge. Hell put it in your hosts file as going to, apk would approve.

    • This behavior should get SourceForge blacklisted as both cyber-squatters and adware, possibly malware vendor.

      I agree 100%. 10 years ago sourceforge was a great site. Now it's basically a malware haven. Unfortunately, plugins like Web of Trust (WoT) seem to have been slow to catch up ... WoT is still marking sourceforge as green ("trusted"). Perhaps blackholing the site in DNS really is the best answer...

  • Thanks DICE! (Score:2, Informative)

    by Lumpy ( 12016 )

    Glad to see DICE holding strong on their scumware downloaders.

  • by pop ebp ( 2314184 ) on Monday June 01, 2015 @09:00AM (#49813919)

    I don't buy the /. editors' explanation.

    This story has been repeatedly submitted since at least late Wednesday [] and has [] been [] voted [] to [] red [] multiple times in the firehose.

    Meanwhile, most other red stories have already appeared on the front page, so clearly some editors were still around...

  • by tomhath ( 637240 ) on Monday June 01, 2015 @09:01AM (#49813925)

    (And for future reference, user submissions are easily found in the firehose, listed in the order they appear, newest first.)

    Just curious here. Does voting a submission up or down have any effect on whether it's accepted? It seems some stories appear on the front page as soon as they're submitted, others languish for days. Gives the impression the editors are selecting stories based on some agenda other than what slashdot readers want to see.

    • by Soulskill ( 1459 ) Works for Slashdot on Monday June 01, 2015 @09:09AM (#49813959)

      When we select submissions, voting is the strongest factor, but it's not the only factor — timeliness, factual accuracy, the degree to which it's on topic, and several other characteristics all factor in. For example, we're not going to run a 5-year-old story no matter how many people vote it up, nor a story about the sun being made of freshly chopped artichoke hearts.

      • by Anonymous Coward on Monday June 01, 2015 @09:25AM (#49814077)

        And they won't run a story critical of Dice until they persuade the corporate overlords that it's too late to stop it.

      • by Rei ( 128717 )

        Yeah, because this is untimely, facturally inaccurate, five years old, and equivalent to a story about the sun being made of freshly chopped artichoke hearts? Meanwhile things like this [] and this [] are timely wellsprings of useful information?

        And care to respond to the people mocking your "busy weekend" excuse, given that your weekend appears to be five days long and your "the main reason it's late" post which gives an entirely different reason for the delay?

      • Re: (Score:2, Flamebait)

        by Sir_Real ( 179104 )

        Well this is a fucking joke. All of those submissions were factually accurate and timely. They weren't about artichokes and they weren't five years old.

        It is pretty clear that this was buried intentionally. The excuse that you wanted to wait to discuss internally and provide more information is stupid. STUPID. You've done nothing of the sort and there were submissions prior to this were acceptable by the criteria you've outlined.

        Admit it. This was buried. Someone was scared or coerced.

      • Re: (Score:3, Insightful)

        timeliness, factual accuracy, the degree to which it's on topic, and several other characteristics all factor in.

        Factual accuracy and degree on topic hasn't stopped Slashdot from trying to shoehorn a SJW narrative in or other stuff that would have never been relevant on slashdot a decade ago.

        This isn't Reddit, quit trying to shove what ever narrative Dice is pushing and leave it about tech. You're certainly not going to lure any teens and 20 somethings to Slashdot and all you're doing is pissing off all the Slashdotters here that would stay if it wasn't for shit like this.

  • by Anonymous Coward on Monday June 01, 2015 @09:41AM (#49814165)

    Any at all for being so closely affiliated with a company distributing adware and using deceptive practices riding on the backs of open source?

  • by jdeisenberg ( 37914 ) on Monday June 01, 2015 @10:04AM (#49814355) Homepage
    1) I recommended an open source screencast recorder for Windows to a co-worker. She downloaded it from SourceForge, it loaded adware on her system and made her system pretty much unusable. It cost her quite a bit to have her system restored (she wanted to have it done professionally to make sure it was done right). The next time I recommended some other open source software, her response was "No, I don't want to go to that time and expense again. I don't trust anything Open Source any more." Thanks, SourceForge!

    2) I call bullshit on SourceForge's assertion that their adware only comes with projects that aren't actively maintained. There have been a lot of complaints about FileZilla downloads (see, for example, https://forum.filezilla-projec... []), and it is definitely a very active project.

  • by Greyfox ( 87712 ) on Monday June 01, 2015 @10:24AM (#49814499) Homepage Journal
    I've classified Sourceforge as a malicious site for a long time now. Is there some reason other than their early history with the open source movement that they're still around? It seems like they've been trading on and abusing that good will for a VERY long time.
  • SubjectsSuck (Score:5, Interesting)

    by aardvarkjoe ( 156801 ) on Monday June 01, 2015 @10:25AM (#49814503)

    The original announcement [] for when Sourceforge added the "feature" of injecting malware into installers said that the money earned would be shared with the developers. So I have to wonder: did they send the GIMP a check? Have the GIMP developers demanded that Sourceforge do so?

    On the assumption that Sourceforge did not, it seems like they've just burned a bridge that they shouldn't have. They killed any trust that users would have had for SF projects a long time ago, but developers who were willing to sell out have stuck around. But now that developers know that SF is willing to just assume control of a project (and the associated profits), why would any developer continue to use SF.

  • Trust (Score:5, Insightful)

    by Andy Smith ( 55346 ) on Monday June 01, 2015 @10:36AM (#49814585)

    I blanked my Mac a few weeks ago and when I started reinstalling software I got some survey crap popping up on my screen asking for my details. Turns out it was the SourceForge installer for FileZilla that had sneaked it through. Googling it threw up enough horror stories to make me just blank the Mac again and start over. I'll never download anything from SourceForge again. A decade of trust destroyed in one stupid move.

  • This one is voluntary though. I even got the crapwere when I denied the install.

    https://forum.filezilla-projec... []

  • []

    SF claims the project was abandoned in 2013.

    To quote another user from Ars:

    "the files page has the folder GIMP + GTK+ (stable release) with a last modified time of 2014-11-18. In that, GIMP 2.8.14 is the latest with the 2014-11-18 modification date. The previous file, GIMP 2.8.10 has a modification date of 2014-05-29. (This is just shy of 6 months.) The one before that, GIMP 2.8.8 is also last modified 2014-05-29, and the one before that is GIMP 2.8.6 last modified on 2013-06-24. (This one is just shy of 11 months back.)

    So the project was abandoned, but a year later, it's still updating files. And it had three releases in the year after it was supposedly abandoned. The last release was just a few days over 6 months ago, and the project has a history of up to 11 months between releases. How does that qualify as "abandoned"?

    No, this is a bullshit excuse Sourceforge was hoping no one would delve into the details to call their bullshit on. There is no other way to put it than they flat-out lied about the abandonment."

    Oh, and to boot - According to the gimp-win developer, they locked him out of his account.

    That's right, SourceForge STOLE THE ACCOUNT using an account called SF-editor1 in order to wrap one of the most popular FOSS projects with a malware installer.

    So here's what we do, guys. I've got a really good attorney. Same one that helped me kick EA's ass back in the Spore lawsuit days.

    We band together, we find every person that has had this malware pushed on them, and we sue the ever-living shit out of SourceForge in a class-action suit where accepting a settlement is NOT AN OPTION. Knowingly distributing malware, using misleading language to get the malware to install, and the damage the malware does to the user's computer are all entirely actionable in court and we need to band together to put a legal end to this crap once and for all. We now have the evidence in the testimony of the former account holder, we have copies of the malware, we have copies of the installer, we have screencapped evidence of the lies SourceForge has posted. SourceForge is DEAD IN COURT.

    Look up Mark Punzalan Law. Let him know Alex from the Spore/EA case sent you.

    If you want, I can come forth as class representative again. I will be more than happy to be the headman ripping these people apart in court.

  • by ( 3412475 ) on Monday June 01, 2015 @02:23PM (#49816459)

    Saying you had a "very busy weekend", to my eyes, feels just like a euphemism for "management argued a lot before this got posted, and when it did get posted, the expression modified binary had to replace bundled with malware".

    Personal Note: "bundled with malware" is what every other place I read the article used to define it.

    Personal Note 2: If I happened to stumble on some facts, I want to stress I understand them completely as I also happen to have a very policy-centered full time job. I'm just letting my thoughts fly in a comment, because, well, comment section is still community moderated in full that I know, thus still being free (in the extreme, FSF-like sense of the word "free").

Building translators is good clean fun. -- T. Cheatham