May 17th, 2016

SourceForge Tightens Security With Malware Scans

After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site’s previous owners. FOSS Force has learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don’t make the grade will be noticeably flagged with a red warning badge located beside the project’s download button.

A screenshot of the SourceForge warning badge that now displays on any project found to be containing malware.

According to a notice posted on the SourceForge website this afternoon, the scans look for “adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package.” Account holders with projects flagged as containing malware will be notified by SourceForge.

“We’ve partnered with Bitdefender to scan the open source software projects on SourceForge so that users feel more secure in downloading clean, safe software from SourceForge that will not put their machines in jeopardy, nor bundle any adware, malware, or unwanted applications,” the announcement says. “We will also be running additional scans with ESET.”

Bitdefender and ESET are both tech security companies that offer anti-virus products.

This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28. At the time, SourceForge’s reputation was suffering, primarily as a result of DevShare, a program that bundled third-party proprietary software offers with Windows downloads. Because of the program, many large open source projects, including GIMP, quit using the site’s hosting services.

The DevShare program was ended in early February, just weeks after the new owners took control. At the time, Logan Abbott, one of the new owners, wrote, “We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that.”

In today’s announcement, SourceForge said that a thousand or so of the site’s most popular projects have so far been scanned, with scans continuing to eventually include “every last project, even dating back years.” As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks.

Of the projects that have been scanned so far, SourceForge says very few problems have been uncovered. “The vast majority of them contained no issues, but projects that were flagged for malware were notified, and most of them have rectified the issues already by removing the flagged files. For the few projects that have not addressed the issues, the malware warning badge will display in red next to the download button.”

Once a project has been flagged, users can click the “Files” tab to determine which files are affected. “We’ve also disabled automatic downloads on projects that have been flagged, so a user would manually have to proceed with downloading a file that may contain malware.”

“Project admins will get an additional dashboard that will provide more in-depth details on why a file was flagged and how to address it,” the notice explains. “Project admins will also be able to submit a support request related to any issue detected by the scanners, and they’ll also be able to request a file be whitelisted once we’ve reviewed it.”

The company also says that beginning immediately, all new projects will be scanned during the uploading process. Projects being uploaded to new user accounts will not be accepted if flagged. For projects that are flagged while being uploaded by registered users who have had accounts for an undisclosed amount of time, SourceForge will accept the upload, but will mark it with the warning badge until the problem is rectified.

3 comments to SourceForge Tightens Security With Malware Scans

  • Duncan

    Looks like the new owners are giving it an honest (unlike the old ones) try. I hope for everyone’s sake it’s not too late.

    Until about a month ago I was on the privoxy project (which has been hosted at sourceforge for years under its old name, junk-busters) mailing list, as I had used it for some time and had even filed a bug at one point. Unfortunately, filing the bug was hard enough I doubt few would have bothered, because they were still using the sourceforge bug tracker (which is definitely not bugzilla!), which required a sourceforge account to file a bug. Basically, I had to set up an account as if I were a developer getting ready to set up a project there. Then of course I started getting the sourceforge spa^H^H^Hnewsletters. I opted out of at least one, which did seem to stop the weekly, but I still kept getting the monthly one. It did have some interesting information such as the two monthly focus projects, one community picked, one staff picked. So I didn’t really mind getting it, but I’d have never signed up for it because as I said it was more developer focused, while my interest is more Linux desktop admin. I think I stopped getting it after the ownership change.

    Anyway… privoxy has been planning to get off of sourceforge for some time, it was mostly a matter of one of the principal devs actually having the necessary time to complete the transfer to elsewhere, and they seem to be actually doing it now, just as sourceforge seems to be turning around. I imagine it’s not the only such project, while others have already moved. Like I said, I hope it’s not too late for sourceforge.

    Meanwhile, tying up the privoxy loose end as to why it was until a month or so ago (yes, it does tie back into the sourceforge subject again at the end, there’s an analogy here)… I had used it since I switched to Linux, both as a junk-buster (privoxy’s original name, junkbuster proxy), and as a color scheme rewriter, rewriting the usual dark text light background schemes that so hurt my eyes to read, to a much more comfortable dark background light text, while still keeping the same general page color scheme (brown and brick red text became bright red, robin’s egg blue backgrounds became navy blue, etc).

    But privoxy has one problem which has gotten harder and harder to deal with over the years — it doesn’t deal with encrypted connections, and it can’t plug into for instance squid, either, which /can/ deal with encrypted connections. With more and more pages and sites going or encouraging https connections, privoxy was less and less effective.

    But once I discovered request-policy-continued, a security-focused browser extension that blocks connections to sites other than the one you’re actually visiting, unless you whitelist them, used here along with the noscript and disconnect extensions as well, that filtered most of the junk, so I was effectively using privoxy only for the color rewriting — where again it was less and less effective due to more and more pages being https.

    So about a month ago I got fed up and went looking for yet another browser extension, finding the aptly named “Dark Background and Light Text” extension. After finding that it did what it said on the label, surprisingly effectively, with far less configuration and fiddling than I had needed for privoxy, I reconfigured firefox to connect directly, bypassing privoxy. A few days later I shut down the privoxy service and uninstalled it, tarballing and archiving my custom config just in case, and… no longer needed my subscription to that mailing list.

    FWIW, privoxy has had handling encrypted connections on the todo list since I first started using it in 2002 or so. But, well, it’s still there, and with more and more of the web going encrypted… in a few years unencrypted http proxies in a sea of https connections are probably going to be about as relevant as a gopher proxy or client is today, in a sea of http and https.

    And unfortunately, tho the new sourceforge owners’ hearts seem to be in the right place now, I’m afraid they may well be headed toward the same degree of irrelevancy in a sea of git and github (much like bitkeeper/bitmover, finally open-sourced as it struggles to compete with git and github, oh, the irony!). Oh, well…

  • Mike

    SourceForge requires an account to do a git clone. Until that changes, nothing else will help much in bringing back developers.

    Trivial access to source is a prerequisite for generating developer participation these days.

  • Kobun

    Web installers (ala PDF Creator) appear to be the way the malware will continue to flow.