Friday, July 29, 2016

Don’t Trust Sourceforge Downloads


In addition to injecting malware into their downloads (a practice they claim, hopefully truthfully, to have stopped), Sourceforge also presents an initial download page over HTTPS, then redirects the user to HTTP for the download itself, snatching defeat from the jaws of victory. This is fantastically irresponsible, especially for a site offering un-sandboxed binaries for download, especially in the era of Let’s Encrypt where getting a TLS certificate takes approximately thirty seconds and exactly zero dollars.

Previously: What Happened to SourceForge?
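One way a download script can refuse the HTTPS-to-HTTP hop described above. This is an added example, not code from the post or from SourceForge; the handler name, the `check_hop` helper and the example.org/example.net URLs are constructed for illustration.

```python
import urllib.request
from urllib.parse import urlsplit


class DowngradeError(Exception):
    """Raised when an HTTPS request is redirected to a non-HTTPS URL."""


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects as usual, but never from https:// to another scheme."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # urllib has already resolved a relative Location header against
        # the request URL, so newurl is absolute when it reaches this method.
        old_scheme = urlsplit(req.full_url).scheme.lower()
        new_scheme = urlsplit(newurl).scheme.lower()
        if old_scheme == "https" and new_scheme != "https":
            raise DowngradeError(f"{req.full_url} redirected to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_strict_opener():
    """Opener for real downloads: build_strict_opener().open(url)."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler)


def check_hop(from_url, to_url, code=302):
    """Offline check of a single redirect hop: 'followed' or 'blocked'."""
    handler = NoDowngradeRedirectHandler()
    req = urllib.request.Request(from_url)
    try:
        handler.redirect_request(req, None, code, "Found", {}, to_url)
    except DowngradeError:
        return "blocked"
    return "followed"


if __name__ == "__main__":
    # Constructed redirect hops, not captured from any real site.
    page = "https://downloads.example.org/project/app.dmg"
    print(check_hop(page, "http://mirror.example.net/app.dmg"))   # downgrade
    print(check_hop(page, "https://mirror.example.net/app.dmg"))  # stays on TLS
```

With the opener from `build_strict_opener()`, a download that would silently continue over plain HTTP fails with `DowngradeError` instead of fetching the file.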

3 Comments

Jeff Tyrrill

What SourceForge did in the past is horrible, beyond the pale, but they were purchased by a different company in January, whose new owner immediately vowed to discontinue the malware bundling. Proper reporting on SourceForge needs to mention the change in ownership and public disavowal of past actions.

SourceForge deserved every bit of its previous scorn but there has been a sharp reboot with the new ownership, and their current actions need to be judged in that context.

Discussion about the state of the changes since January:

How does this affect signed Mac apps, like BibDesk or Skim?

@Sean Seems like that should be OK so long as you verify that they are signed by the proper entity. And note that any items outside the app bundle are not signed—unless they’re on a signed .dmg.
