 
It appears that +SourceForge took over the control of the 'GIMP for Windows' account and is now distributing an ads-enabled installer of GIMP. They also locked out the original owner of the account, Jernej Simončič, who has been building the Windows versions of GIMP for our project for years.

So far they haven't replied to provide explanations. Therefore, we remind you again that GIMP only provides builds for Windows via its official Downloads page.
Source for version 2.8 (Stable). GIMP releases available from gimp.org and its mirrors contain the source code and have to be compiled in order to be installed on your system. For instructions, how to build GIMP from source code, please see this page.
136 comments
 
Sourceforge has gone evil.  I only use it as a last resort.
Pat Gunn
 
I'm sure there's more to the story here. I wonder what's going on.
 
+Juan Carlos What would be the point of it? We already have Git hosting, we have a server for publishing releases. We have a bug tracker.
LILA
 
+Juan Carlos I don't see the point. Isn't what is happening right now just the exact good example of why it would be very stupid to go to github instead as main upstream? That's like going from Charybdis to Scylla.
 
I don't trust SourceForge; moreover, as a Linux user, I get my apps only from the official provider.
 
<<GIMP releases .. have to be compiled in order to be installed on your system>>
Except in the case of windows, but only if you look carefully. +GIMP fix the install doc so a windows user can understand it.
 
I told a friend of mine about this, and he said that his antivirus killed the installer's download right away, having detected malware on it.  He then tried the official installer off of Gimp's website, and it came up clean.
 
+Juan Carlos Most end users are not going to go look for GIMP on GitHub to download an installer; they are going to either look at their OS's package manager or GIMP's website and for developers, well GIMP has no cause to migrate to GitHub for all the things.
 
No, I don't want to cut anyone, but will cut Ads at least...
 
I mean, it's a bitch thing to do, but so is using SourceForge in 2015. There are enough alternatives. I don't get why people are still messing around with that dinosaur.
 
The last time I installed something from Source Forge I got spyware too. What the heck happened over there?
 
I really enjoyed GIMP but I switched to Photoshop and Lightroom.
 
Sourceforge is getting bought out by hot topic. No joke.
edit never mind, I was unaware that it had been sold off from geeknet in 2012.
 
We also got ousted from our +VLC project on sourceforge...
But it does not matter, we moved to our own infrastructure a long time ago, which is better and more powerful!
 
I remember the days that sourceforge were one of the good guys 
D T
 
Source Forge it seems has joined the dark side. 
 
You can still do a malware free direct download from sf, see link just underneath the green download button, however not many people will notice that.
 
as somebody who runs a GIMP mirror, yes, only use the mirrors on their page, they are updated regularly, and hash checked against the originals for corruption.
 
Why doesn't someone demand the source code of their binaries? I mean, after all, we are talking about Open Source code here. If you use it, you have to share it.
 
When did Sourceforge become evil? Damnit, I missed another intel brief.
 
Why is no one talking about the possibility that SF was hacked? You really think it's in their best interest to piss off the open source community?
 
+Gad Krumholz Wouldn't that be determined by how much money they made from the Open Source community vs what they make from these kinds of adware?
 
+Gad Krumholz well, they had their chance and time to claim so, as a reply to our inquiry. We didn't receive anything, though.
 
... a while ago I told some folks at a forum to get Gimp so they could scan things on their computer and they told me they got malware installed. I wonder if they got it from SourceForge.
 
+Robert Sink they seem to be pretty inconsistent about that - if you're a high profile project, expect that to happen. If not, stick around on SF without being bothered indefinitely.
 
That's what you get for using that cesspool of a website anyways. Seriously, anybody could have seen this coming. Sourceforge has sucked pretty bad for an eternity now; why would you continue using them when GitHub and BitBucket both exist and provide release systems for hosting builds?
 
I really like how on this blog page they are using SSL, but the form is sent through HTTP.
 
+Max Azoury tons of links out of our control linking there.

For code hosting, we were always using the GNOME Git repository (and their SVN and CVS before that). And for releases and web hosting, GNOME gave us our own system as well.
 
There is a fast diminishing of freedom from advertisements and capitalists. Sad.
 
Oh goodness, how did I never know that SF was doing this - just read the FileZilla disaster from a couple of years ago - turns out this is not a new issue.  Removed my projects and disabled my accounts ;-(
 
waaaait a minute, if they package the EXE file with extra crap, are they not breaking the license terms themselves unless they provide the source?  Hmm. more thought needed.  It should not be possible to legally offer a modified open Source Mirror without offering the Source for the Bloated thing....   
 
+Toby Seaman
They have changed it now, but when clicking the link to the "91.9MB" gimp archive you got an exe file with the same name and a size of about 790k. Presumably this is a separate downloader that downloads the original (unchanged) archive. So these are two separate programs. It would be very hard to argue a license violation.
 
SF is fucking the GIMP? Lol, had to.
 
+Toby Seaman it is a bit more complicated than that - read the Ars Technica article, this is a really good summary of how it is done. You get a small installer instead of the expected ~90MB GIMP installers, and that small installer delivers its payload and then downloads and runs the actual GIMP installer.

Some of the malicious wrapper installers around Free Software that are used with undeniably criminal intent (e.g. to deliver trojans) do that payload separation as well - mostly to appear inconspicuous and to avoid being caught immediately by most anti-malware applications out there.
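The size discrepancy described in the comments above (a roughly 790 kB file served where a 91.9 MB installer was listed) and the hash checking mentioned by the mirror operator can be combined into one download check. This is an added example, not part of the original thread or of GIMP's tooling; it assumes the project publishes a size and a SHA-256 digest on its own download page, and the names `check_download` and `demo` are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so a ~90 MB installer is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, listed_size, published_sha256, tolerance=0.05):
    """Return a list of problems; an empty list means the file matches.

    Assumption: listed_size and published_sha256 come from the project's
    own download page, fetched separately from the file itself.
    """
    problems = []
    actual = os.path.getsize(path)
    # A stub downloader is a small fraction of the listed size (the thread
    # reports about 790 kB served for a listing of 91.9 MB).
    if abs(actual - listed_size) > listed_size * tolerance:
        problems.append(f"size mismatch: listed {listed_size} B, got {actual} B")
    digest = sha256_file(path)
    if not hmac.compare_digest(digest, published_sha256.strip().lower()):
        problems.append(f"sha256 mismatch: got {digest}")
    return problems

def demo():
    """Constructed sample data: scaled-down stand-ins, not real installers."""
    genuine = b"GENUINE-INSTALLER" * 5000   # stands in for the real build
    stub = b"MZ" + b"\x00" * 700            # stands in for the small wrapper
    published = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("genuine.exe", genuine), ("stub.exe", stub)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = check_download(p, len(genuine), published)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The size test alone flags a wrapper before it is ever executed; the digest test also catches a repackaged file of similar size.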
 
dammit, really, I thought I had a smart idea to stop them for 30 seconds...
 
+Toby Seaman they break GPL when they do NOT provide source.  As this software is packaged-in, it would fall under derivative work.
 
Flip, I opened my SF account in 2001 - sometime in the last decade and a bit, they went bad and I missed the memo, dammit!
 
Google appears to have my back at the moment - I rarely use Chrome but happen to need it tonight - just tried to download GIMP-WIN from SF and got a big red screen asking me if I was sure as they distribute adware/malware
 
SourceForge used to be great - many, many years ago.
 
So SF.net is just Download.com now I guess.
Jon L
 
+SourceForge​ has become quite the hive of scum and villainy, you must be cautious there.
 
Wow so +SourceForge is breaking the law to make money?
 
+Zauber Paracelsus​​ SourceForge has released a statement claiming that the Gimp for Windows project was "abandoned".  Don't know how truthful it is though, but here's the link -> https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

So, SourceForge is mirroring abandoned or stopped projects, or ones where the maintainer decides not to use SF as a delivery platform anymore? Are they doing it because they want to help end users keep up to date? It looks more like it is to keep SF up and running! LOL
 
#Sourceforge is no longer reliable! There is too much, way too much trash and "download me" junk, so that many people get the wrong download. If the adverts were selling something I could see it. I have had to clean up far too many people who have downloaded something with trash in it from #sourceforge. I encourage all to dump #sourceforge.
 
I added a comment (#comment-5705) on their blog post: "Robert Collins May 27, 2015 at 9:05 pm #
Perhaps by serving the original binaries, unaltered. That would match the upstream’s intent, since they compile them and offer them on their website.
Your comment is awaiting moderation.
"

Note the last bit 'awaiting moderation' - we'll see if it actually gets approved.
 
That seems bizarre for Source Forge. Since when have they ever had advert driven installers?
Jon L
 
+Laura Ess the last few years they've been injecting them into other people's data served from their system.
 
I wonder what would happen if Google or Yahoo! acquired them.
 
In that case AdBlockPlus would probably work.
 
'Abandoned' not in the OpenSource sense of a project with no active developers.  They just left SourceForge, but you get no delete option with SF. Notice how no comments on the SF post are making it through 'Moderation'. 
 
I requested to take my project Driver on Demand down from them ages ago, but unfortunately, there is nothing you can do (so I left it up), other than delete the latest commits to the repo, and mess up the SEO on the project. So I decided to leave it up.

Because they only accept open source projects and prevent deletion under the guise of ensuring all open source code is preserved, there isn't much you can do. In fact, I couldn't even delete a project with no source tree that I canned almost immediately, but was a stupid idea.
 
Just wondering, would a "DMCA" notice do any good?
 
What the hell? SourceForge is getting ridiculous. 
 
Source Forge has been delivering adware, and previously Kelihos bundled with their installers since the day it was made. I never trust that site. It smells rotten just looking at it.
 

https://plus.google.com/+gimp/posts/cxhB1PScFpe


Someone post this news to slashdot please.

This is fucking outrageous.  This infected Gimp binary has been downloaded 6,500 times in the last 5 days alone.  This hurts the Gimp project as well as the entire open source community.

Over at LMMS, we pulled our last few binaries off of SourceForge just a few months ago.  I suppose this was done just in time.

On a semi-related note, I saw some people talk about GitHub vs. SourceForge... I wanted to share our experiences...

We at the LMMS project use Travis-CI (Ubuntu 12.04) to build, upload and copy our Windows binaries to GitHub via: https://github.com/LMMS/lmms/tree/master/.travis triggered by GitHub releases.  We use Mingw32 and Mingw64 on Linux to build them, they never touch a Windows machine before being uploaded.  This process makes our releases free from nearly all malware risks  and allows them to be maintainable by the entire team.  Our website just crawls the GitHub API to grab the latest download links, so our web page is updated automatically when a new stable build is fired, which reduces the maintenance required to run our site. :)
 
Is there a maintained fork of 2.6? It was the last good version of GIMP.
 
+Nikolay Kotykhov Thank goodness for Ubuntu 12.04 being a LTS, I can keep using a maintained version of 2.6 until 2019. Hoping that someone will fork it though. I don't know what they were thinking with 2.8, can't save without a huge hassle, and the good brushes were removed.
 
There is a solution to this IF you've got someone left with contributor access..If they upload something of yours (maybe text from your blog) without asking for permission, or with you specifically denying permission, then you can send a DMCA takedown notice. Since they won't take the copyrighted thing down the project will have to be removed.
 
People like +VLC and +GIMP need to contact the Free Software Foundation (they don't have a G+ page? Seriously?) and see about going after +SourceForge for trademark violation.
 
It's okay, +GIMP , +SourceForge only has about 1,500 followers.  You probably doubled them by mentioning them.

I'm pretty sure they're irrelevant. Today was the first time in years I've logged into my account, and it was to make sure they didn't take any of my projects.
 
Thank you so much♥
 
+GIMP oh I figured why. It just seemed even less pragmatic than usual, even for them.
 
They did the same thing to FileZilla. I dropped the app as a result because I couldn't get around the adware. 
 
To those who say SF is dead: A site which serves tens of millions of downloads per week can scarcely be called dead. It is still one of the biggest FOSS hosting sites around.
 
+Björn Kautler maybe it's time SF should die though! I would only use GIMP on windows on my portableapps 16gb flash drive w/ my personal art assets. The package manager in Linux makes GIMP plugins easy as hell to install... Why would anyone want to use a wizard? I understand the need to get people on their OS using free-software like GIMP. I only go into SF w/ Ublock, ghostery on a Linux machine; and still come out of it feeling dirty somehow.
 
+Rich Levin in the case of Filezilla, the project admins made the decision and get money. In the case of Gimp-Win, SourceForge made the decisions and I assume keeps the money.
 
+Rich Levin I downloaded the zip archive version to my employer's desktop, but haven't used it. Hope I don't need FTP anymore.
 
I want to hear the both sides on this. Where is the maintainer of that project? What's his take on the situation?
gm92845
 
+Björn Kautler You can now say it's also the crappiest place to download software. I will always go for official download links and if SF is the only place to get it, I'd rather not download it at all.
 
+Markus Birth +Rich Levin  Filezilla was different. Its main developer willingly joined SF's adware distribution programme. Soon people noticed and reported filezilla's installer having adware, but those reports were swiftly closed as NOTABUG. This time SF (or the company behind it, Dice Holdings) has taken a step further, arbitrarily hijacking inactive software projects and using those to distribute ads.
 
I was burned - once and never again - by something (Filezilla?) I downloaded from SF.

I can live with being served ads on the download page, but this installed malware along with the product I wanted. 
 
I mean (former) maintainer of gimp-win project on SF.
 
I'm not sure how "removing the project from SF" might work. What would stop another developer from registering the same project under the same name the next day?
kc chan
 
Is the adware free software at least?  :)  Either way, in the words of Karl Pilkington, "Get rid of it!"
 
The same with the DVD authoring tool DVD Styler.
Chrome is even warning you when trying to download from SourceForge
 
Absolutely unacceptable. These guys are like those spam sites in the 90s. We don't need any more freaking browser tool bars, and weird junk, SF.
 
This post just came to my attention as it was shared on Twitter today for some reason, despite it being over a year old. I just wanted to share that my company acquired SourceForge earlier this year and reversed these poor decisions. We do not bundle adware in any installers, all projects are scanned for malware by ESET and Bitdefender, we moved the site to https, we enabled optional 2-factor authentication for accounts, and much more. A big redesign is in progress as well. Just thought I would put this information out there since it is being reshared today. http://arstechnica.com/information-technology/2016/06/under-new-management-sourceforge-moves-to-put-badness-in-past/