Someone post this news to slashdot please.
This is fucking outrageous. This infected Gimp binary has been downloaded 6,500 times in the last 5 days alone. This hurts the Gimp project as well as the entire open source community.
Over at LMMS, we pulled our last few binaries off of SourceForge just a few months ago. I suppose this was done just in time.
On a semi-related note, I saw some people talk about GitHub vs. SourceForge... I wanted to share our experiences...
We at the LMMS project use Travis-CI (Ubuntu 12.04) to build, upload and copy our Windows binaries to GitHub via https://github.com/LMMS/lmms/tree/master/.travis, triggered by GitHub releases. We use Mingw32 and Mingw64 on Linux to build them; they never touch a Windows machine before being uploaded. This process makes our releases free from nearly all malware risks and allows them to be maintainable by the entire team. Our website just crawls the GitHub API to grab the latest download links, so our web page is updated automatically when a new stable build is fired, which reduces the maintenance required to run our site. :)
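The download-link step described in the comment above, sketched as an added example (not part of the original comment and not LMMS's website code): pick the newest stable release from a GitHub releases listing and keep only HTTPS asset links hosted on github.com. The sample data, the `example/app` repository and the function names are constructed for illustration; the field names are those of the GitHub releases API.

```python
from urllib.parse import urlparse

# Constructed sample, shaped like the parsed JSON list returned by
# GET /repos/{owner}/{repo}/releases. Tags, names and URLs are made up.
BASE = "https://github.com/example/app/releases/download"
SAMPLE_RELEASES = [
    {"tag_name": "v9.9.1-rc1", "draft": False, "prerelease": True,
     "published_at": "2015-05-20T10:00:00Z",
     "assets": [{"name": "app-rc1-win64.exe",
                 "browser_download_url": BASE + "/v9.9.1-rc1/app-rc1-win64.exe"}]},
    {"tag_name": "v9.9.0", "draft": False, "prerelease": False,
     "published_at": "2015-05-01T10:00:00Z",
     "assets": [{"name": "app-win32.exe",
                 "browser_download_url": BASE + "/v9.9.0/app-win32.exe"},
                {"name": "app-win64.exe",
                 "browser_download_url": BASE + "/v9.9.0/app-win64.exe"},
                {"name": "app-mirror.exe",
                 "browser_download_url": "http://downloads.example.net/app.exe"}]},
    {"tag_name": "v9.8.0", "draft": False, "prerelease": False,
     "published_at": "2015-01-15T10:00:00Z", "assets": []},
]

ALLOWED_HOSTS = {"github.com"}  # assumption: the site links only to GitHub-hosted assets


def is_trusted_url(url):
    """Accept only HTTPS links whose host is on the allow-list."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def latest_stable_links(releases):
    """Return (tag, {asset name: url}) for the newest non-draft, non-prerelease release."""
    stable = [r for r in releases
              if not r.get("draft") and not r.get("prerelease")]
    if not stable:
        return None, {}
    # Timestamps are ISO 8601 in UTC, so string order equals time order.
    newest = max(stable, key=lambda r: r["published_at"])
    links = {a["name"]: a["browser_download_url"]
             for a in newest.get("assets", [])
             if is_trusted_url(a["browser_download_url"])}
    return newest["tag_name"], links


if __name__ == "__main__":
    tag, links = latest_stable_links(SAMPLE_RELEASES)
    print(tag, links)
```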