Sourceforge.net (SF) has been a great place to host free and open-source projects for many years, offering services like version control, forums, a bug tracker, etc. to open-source developers at no cost. Many very popular and busy projects are hosted there, and I myself have some of my projects hosted there.
Malware bundled with FileZilla installer from SF
Recently I downloaded FileZilla, a popular FTP client (the project also ships a server), from the SF web page. It had been quite a few years since I last had one of my machines infected with adware and spyware, but after the FileZilla installation my browser settings kept changing, ads showed up, I had weird search bars, I was redirected to the annoying ask.com website every few minutes, and there was no way to remove the software which had hijacked my box and installed all this.
Wow! I had fallen prey to a drive-by installer: an installer for FileZilla, downloaded from Sourceforge, which also installs various junk. Sometimes the junk is just stuff you did not want but can remove easily, but in this case it was some ugly malware that refused to uninstall. I tried some virus scanners; they found stuff, but something always remained. So I had to back up my data and reinstall the OS from scratch.
(I’m not gonna explain why bundling malware sucks, and that a hidden opt-out button is not gonna change this.)
Who’s to blame?
Of course, partly this was my fault: most likely there was a button hidden somewhere in the installer that would have allowed me to not install the malware. So why did this happen to me? Of course, I know that things like drive-by installers exist on the internet. But: I trusted Sourceforge. I never thought they would use them, and I could not believe it was SF who was to blame. Sadly, some searching on the internet strongly suggests they are indeed to blame:
* This article at Ars Technica claims that SF staff took over the GIMP SF account, modified the installer of GIMP (and of other free software on SF) and added bundled adware to it: http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/
* This thread at the FileZilla forums suggests that in the case of FileZilla, the FileZilla people know that the installer at SF includes bundled crap (they think it is OK because you can refuse to install it): https://forum.filezilla-project.org/viewtopic.php?f=1&t=31967&start=15
* Here is a discussion at reddit about SF shipping adware in installers: http://www.reddit.com/r/technology/comments/1jk1gz/sourceforge_starts_using_enhanced_adware/
Pressure from the GIMP community
* According to this article from The Register published in June 2015, SF has responded to pressure from the GIMP community and removed the installer. The article also mentions a new SF policy and quotes “… we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.” http://www.theregister.co.uk/2015/06/03/sourceforge_to_offer_only_optin_adware_after_gimp_grump/
I’m not gonna run that thing again to see whether it installs adware or asks before it does so. And that says it all: my trust in Sourceforge is gone. And I will look into alternatives.