SourceForge is in trouble.
The download-hosting site retreated after public outcry, removing the junkware it inserted into downloads of the popular GIMP image editing tool without the developers’ permission.
But SourceForge has still lost the trust of the open-source community after the junkware-wrapping scandal—and now more open-source projects are leaving SourceForge for greener pastures like GitHub and FossHub.
Many open-source programs are still available for download from SourceForge, as the open-source license means SourceForge is allowed to host them. But many developers are advising everyone not to download from SourceForge.
Nmap’s developer recently sounded the alarm, saying that the Nmap files on SourceForge weren’t provided by the official project. “So far they seem to be providing just the official Nmap files (as long as you don’t click on the fake download buttons) and we haven’t caught them trojaning Nmap the way they did with GIMP,” he wrote. “But we certainly don’t trust them one bit!”
SourceForge appears to have removed Nmap from their site, as per the developer’s wishes. But there are still many open-source programs available for download on SourceForge. My recommendation? Download them from the open-source project’s official website and avoid SourceForge.
It has since faced fierce criticism for its attempts to monetise the site by tricking users into installing sponsored adware that it bundles alongside legitimate applications.
This has resulted in an emerging exodus from the site, led by popular software projects such as photo editing tool GIMP, video player VLC and source code editor Notepad++, which have migrated to GitHub.
FileZilla was an early participant, and FileZilla’s developer responded to concerns: “This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”
Last month, SourceForge caused more controversy by taking control of projects that had left the site and replacing the download links with more adware.
SourceForge has made many enemies with its adware-bundling monetisation strategy, and now Google has flagged parts of its site as malicious.
The malicious software Google discovered on SourceForge included 5,877 viruses, 4,347 trojans and 1,132 exploits hosted across 93 domains, seven of which appeared to be functioning as intermediaries for distributing malware.
This compares to 446 viruses, 1,067 trojans and 97 exploits across seven domains on GitHub, one of which appeared to be functioning as an intermediary for distributing malware.
As a result of the sheer volume of malware on SourceForge, parts of the site have been listed for suspicious activity 333 times by Google over the past 90 days, compared to just once on GitHub.
However, the site’s historic popularity means it still hosts thousands of projects that have been abandoned by their developers but still have users.
Shutting down SourceForge would, therefore, remove access to a vast number of programming languages and file readers that are still hosted on the site.
To preserve this historic code, another group of developers are attempting to protect the data repository of SourceForge against its current ownership.