Fans of software repository Sourceforge were aghast to discover that the site was hijacking orphaned pages and turning legitimate software into Trojans by bundling it with malware; the highest-profile cases were GIMP and Nmap. But now a member of the development team responsible for popular media player VLC has revealed that Sourceforge has been engaging in such shady practices since as early as 2012.
On his personal blog, Ludovic Fauvet has recounted the story of VLC’s rocky relationship with Sourceforge. Unlike with GIMP and Nmap, Sourceforge didn’t modify the VLC installer in any way. It did, however, host scam ads for fraudulent versions of the legitimate software it hosted, including VLC.
“[I]n 2012 Geeknet [parent company of Sourceforge] started to add more banners to their pages and did not bother filtering ads that were obvious scam, misleading users to click on these fake “downloads” buttons. Some if not all of these advertisers were distributing VLC bundled with crapware (as we like to call them).”
“We alerted SF.net quite a few time [sic] asking them to be more careful about these ads and they acted like they were willing to help us, telling they’ll look into it, month after month. But nothing really changed on this side, they removed few ads but they came back eventually. In consequence they also offered to share some revenues with us. They gave few thousands dollars every couple of month [sic] to the non-profit (which was welcome since we’re all volunteers) but we were still unhappy because a lot of VLC users were still impacted by these misleading ads.”
“Then came Dice Holdings who bought most of the online media business of Geeknet (including Sourceforge) in September 2012. Soon after, our previous contact at SF.net left the boat, leaving us without any way to reach the new team for quite some time.”
“The situation worsened again, we received literally dozens of emails each week from angry users complaining about some bundled software and toolbars that were added to the installer. Sourceforge did not (yet) modify our installer in any way, instead our users were clicking on some of these misleading ads. I remember counting more than seven “download” button on our SF.net page!”
The fraudulent ads for VLC forced the developers to move away from Sourceforge:
“We couldn’t continue to operate this way so in April 2013 I started working on a new way to distribute VLC. We rented few servers, contacted some mirrors and everything was ready a couple of weeks later. We were finally able to pull the plug from the Sourceforge website.”
“The situation improved drastically for us past this change, no more complaints about misleading ads or user being tricked into downloading bundled crapware. But this was also the starting point of Sourceforge being SNAFU. One possible explanation could be that they lost their biggest project which was making a significant portion of their revenues since VLC was the most downloaded software on Sourceforge at the time. Interestingly enough, the Gimp project took the same decision few months later, aggravating the Sourceforge situation.”
It’s official: Sourceforge is for losers. Let the mass exodus begin!