SourceForge used to be a reputable place to download open source software. Now, that reputation is doing a full reverse as SourceForge becomes a place to avoid.
A little relevant history: SourceForge was acquired by Dice Holdings from the previous owner Geeknet in September 2012. On July 1st of 2013, SourceForge announced a new program for developers called DevShare, which allowed installers to be repackaged as ad-supported installers to provide developers with a source of income.
The setup seems very similar to the malware-laden Firefox installer I have seen before, except this is done with the developer’s blessing. Now, it seems that FileZilla, the FTP server/client, may be the biggest project to jump on board with SourceForge’s DevShare program. If you choose to download FileZilla through SourceForge, the installer now appears to be a stub at only 1 MB in size and comes from hxxp://ak.pipoffers.apnpartners.com
If you download this installer beginning with FileZilla 126.96.36.199 and run it, you will receive offers like installing the ASK Toolbar, connecting to Offercast, installing HotSpot Shield, and so on. The project manager seems to be standing their ground in the forums, saying that the adware is optional and people have the ability to uncheck the extra installs. Java includes the Ask Toolbar, Adobe Flash includes the McAfee Security Scan, and there are plenty of other culprits when it comes to bloatware. The trend doesn’t make it forgivable. Anybody who has done any desktop support work knows that toolbars are often installed even though the user doesn’t want them. Possibly worse than just bundling the bloatware in with FileZilla, the adware installer actually resulted in an error for people trying to install the application on 64-bit Windows.
The program or feature “\??\C:\Users\[username]\AppData\Local\Temp\FileZilla_3.7.2_win32-setup.exe” cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
I can say from personal experience that FileZilla is a decent FTP client, but do you want to install a compromised program? Do you want to be connecting to your server or website from a computer that is running adware and who knows what else? A number of recent reviews on the FileZilla SourceForge page are letting the developer know that they don’t like the application being hijacked. The revenue gap between needs and supply with open-source software is not a new problem, but there has to be a better way.
If you want to continue using FileZilla, I can only recommend it if you get the unbundled installer. If you visit the FileZilla website download page, you will see a big green button that says “Download Now, SourceForge – Trusted for Open Source”. Below that you will notice a line “This installer may include bundled offers. Check below for more options.”
If you click the link ‘Show additional download options’, you are taken to the all downloads page, which lists download links for Windows, Linux, Mac OS X, source code, and checksums, all served directly from filezilla-project.org without any bundled adware.
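As an added example (not from the original post or the FileZilla project), here is one way to check a downloaded installer against the checksum file offered on the project's download page. It assumes the checksum file uses sha512sum-style lines (`<hex digest> *<file name>`); the file name and contents in `demo()` are constructed stand-ins.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX512 = re.compile(r"[0-9a-fA-F]{128}")

def parse_checksums(text):
    """Map file name -> digest from '<sha512 hex> [*]<name>' lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not HEX512.fullmatch(parts[0]):  # blanks, comments, junk
            continue
        name = parts[1].strip().lstrip("*")  # '*' = binary-mode marker
        entries[os.path.basename(name)] = parts[0].lower()
    return entries

def sha512_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_installer(path, checksum_text):
    """Return 'ok', 'mismatch', or 'not-listed' (never treat unlisted as ok)."""
    expected = parse_checksums(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(sha512_file(path), expected) else "mismatch"

def demo():
    """Constructed sample: stand-in bytes, not real installers or real hashes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "FileZilla_sample_win32-setup.exe")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"build published by the project (constructed)")
        listing = "%s *%s\n" % (sha512_file(path), os.path.basename(path))
        before = verify_installer(path, listing)
        with open(path, "wb") as f:  # same name, different bytes: a repackaged stub
            f.write(b"ad-supported stub (constructed)")
        return [before, verify_installer(path, listing),
                verify_installer(path, "no digest here\n")]

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the source of the checksum file, so fetch it from the project's own site over HTTPS and not from the mirror that served the installer.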
“SourceForge – Trusted for Open Source”? I think they’re going to have to change their tag line if this trend keeps up. It sounds like the trust is gone. SourceForge now seems worse than CNET and other download sites that have tons of misleading ads surrounding their download links.