In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.
This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.
Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.
> Very interesting! I'd be interested to hear the corporate-speak rationale for this.
I'm not affiliated with Sourceforge in any way, shape, or form--thank the fucking gods--but I suspect it would be something along the lines of "our downloader and associated offers are optimized to automatically use fewer resources in an environment, such as a VM, where computing resources are scarce."
This is unbelievably malicious! In our earlier discussion there was some discussion about the installer asking for permission to install crapware. In fact, if you're going to do malware stuff like this, why even ask?
On a technical level, how come you can detect VMs? With something like BOCHS, and if you lie about wall time inside your OS, can't it emulate a PC perfectly? How does crapware know whether it's in a VM or not?
"In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No man is more dangerous. The deserter knows his life is forfeit if he is taken, so he will not flinch from any crime, no matter how vile."
~ Ned Stark, A Game of Thrones.
I think that pathetic blog post where they tried to justify their actions made one thing clear - SourceForge knows how dead they are. No amount of internet outrage is going to help, they don't think they've got anything to lose at this point.
The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.
This makes me so mad and sad at the same time. For years, it would bring me immense pleasure to just browse projects on sourceforge to see what the world was up to. Now this is just another case of corporations ruining a good thing. I'm glad there are links to Filezilla and Gimp - two products I use frequently.
I kind of view it as a consequence of the market falling out from under their feet - it's cheap enough to host your own files now, and with package managers (even on Windows!) the power users that used to be the target audience of SourceForge have been vanishing.
I was just remembering when sourceforge first appeared and how awesome it was. I slowly started browsing projects on there instead of freshmeat. It is just sad, and frankly a little weird.
> Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.
This is an error on Google's part. For everyone's sake, they need to apply some serious ranking penalties to malware distributing sites like SourceForge, as well as click-through warnings that you are going to a site other than the original authors'.
I've tweeted someone close to the Pywin32 project (hosted on SF) asking to move it, but didn't get a reply. For long-established projects, it's not an easy migration. Please keep prodding any critical project you know of.
At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.
Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/
I know, this isn't very helpful, but if you don't like how software is distributed for your system there's still the option to use a system that solved this during the '90s.
I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.
tl;dr: don't download from SourceForge; it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.
There would have to be a lot of careful discussion about such an organization. I would hate to see it end up being little more than a vector for rent-seeking, and shutting people out of our industry for a host of arbitrary reasons (immigrants, people with the "wrong" education, etc).
This has been brought up multiple times and I couldn't agree more. It'd be great to have a trade organization for software developers where they can be evaluated by a board and lose their "license" to write code. There are some SERIOUS downsides to that, but that'd have to be fleshed out in another forum.
gamache | 10 years ago
jackmaney | 10 years ago
throwaway498982 | 10 years ago
prajjwal | 10 years ago
Also, start reporting these malicious pages to Google so they don't show up in search results. https://www.google.com/safebrowsing/report_badware/
M2Ys4U | 10 years ago
Take away their free bandwidth and they'll collapse even quicker.
bramgg | 10 years ago
withinrafael | 10 years ago
god_bless_texas | 10 years ago
whoisthemachine | 10 years ago
dare_you | 10 years ago
jimrandomh | 10 years ago
toyg | 10 years ago
WorldWideWayne | 10 years ago
brokentone | 10 years ago
khaki54 | 10 years ago
oblio | 10 years ago
zamalek | 10 years ago
userbinator | 10 years ago
icpmacdo | 10 years ago
andyjohnson0 | 10 years ago
Also available from https://ninite.com/
skrowl | 10 years ago
bhayden | 10 years ago
kpcyrd | 10 years ago
jarnix | 10 years ago
lioeters | 10 years ago
1) to form or make by concentrated effort
2) to imitate fraudulently; fabricate a forgery
They're certainly living up to definition #2.
Negative1 | 10 years ago
dimino | 10 years ago
noarchy | 10 years ago
bargl | 10 years ago
clean88clean88 | 10 years ago
Advice. Unix/Linux - separate user. Low privilege. configure, make, but make install with ROOT PRIVILEGE. Check files.
All source code should have search engine keywords for vulnerabilities, updates, etc. For even BSD is somewhat broken, IMHO.
Make it easier for the NOT C expert and ASM expert to install reasonably clean software, PLEASE.
Thank U. Thank U. Thank U. ... 1000 times
clean88clean88 | 10 years ago
Thank you. Thank you. The attack on code repos and the infiltration of the clean database continues, perhaps.