
Time to boycott SourceForge?

Published May 30th, 2015 at 9:35 AM EDT, modified May 30th, 2015 at 9:35 AM EDT

On Wednesday, ArsTechnica reported that the Windows version of the open-source GIMP image editing app hosted on SourceForge has been “seized” by SourceForge and used for distributing adware. This is a troubling development, but not exactly surprising for those who have been following the antics of SourceForge lately. Is it time to boycott SourceForge, as is already recommended for sites like and Softonic?

First, let’s look at a little history. SourceForge changed hands in late 2012, being bought by Dice Holdings. Less than a year later, it began offering a program called DevShare, which allowed developers to include adware in their installers to help fund development efforts. (Of course, SourceForge gets a cut as well.) This program has caused significant controversy, such as the opinions expressed in a blog post on Gluster.

A SourceForge download button linking to an adware installer

FileZilla was one that adopted this technique early on, with highly negative reactions. Initially, only the Windows version of FileZilla was affected, but early this year, FileZilla was found to be installing adware on Macs as well. (Incidentally, the current FileZilla download on SourceForge is guilty of the same malware-like behavior I recently described with MPlayerX – namely, it tries to avoid analysis by behaving differently in a virtual machine.)

The maintainers of the GIMP project withdrew from SourceForge in 2013 over concerns about bundled adware, as well as confusing advertisements with “Download Now” buttons, linking to junkware or more adware, littering SourceForge pages. They intended for GIMP not to be available on SourceForge any longer.

Unfortunately, SourceForge recently decided to start hosting GIMP downloads again, wrapping GIMP in their adware installer. The excuse given by SourceForge was that the project had been abandoned, and that SourceForge “continues to house historical releases for community benefit.” Troublingly, however, SourceForge does not seem to understand why people might object to this kind of thing.

Worse, they don’t seem to understand that the folks behind GIMP don’t want their software hosted on SourceForge at all. They have said, “We also invite the Gimp-Win developer to take back control of the project if that is his desire, while respectfully asking that he maintain any project updates or allow us to do so.” This seems not to acknowledge that the GIMP developers didn’t want GIMP to be on SourceForge at all anymore, and does not offer the option of removing it from SourceForge as was their original desire.

The implications to developers are quite clear: if you ever choose to make your software available on SourceForge, the current management will consider that to be a lifelong binding commitment. If you should ever desire for your app to be removed from SourceForge… well, too bad. They will reserve the right to continue hosting it whether you like it or not. And it might be used to generate revenue for SourceForge through the installation of bundled adware, to boot.

FileZilla installer

For those considering the download of some software from SourceForge, caution is advised. Personally, I would advise avoiding them entirely. Any company willing to behave this way is not to be trusted.

Some will say that SourceForge isn’t doing anything wrong. After all, their installers will alert the user to the bundled “special offers” and allow him/her to opt out. However, there are some problems with that. Adware is not easy to get rid of, and modifies the system in ways that most people don’t know how to deal with. It can destabilize or slow the system, introduce security vulnerabilities, induce people to install software they shouldn’t (like MacKeeper), and other things. In some cases, adware has even been implicated in causing repeated tech support scam pop-ups.

If a developer wants to use ads for generating revenue, by all means, do so, but do it within the app’s interface. I frequently used and recommended Carbon Copy Cloner back when it was ad-supported. I also use plenty of iOS apps that include ad banners at the top or bottom of the screen. The difference in these cases is that the ownership of the ad is clear, and if I don’t like the ads, I can simply get rid of the app (or buy an ad-free version).

For those who have stumbled across adware-infested installers and who don’t know how to get rid of the adware installed, try my AdwareMedic app.



  • Richard says:

    What alternative to SourceForge do you recommend?

    • Thomas says:

      As a developer, I believe GitHub is now the go-to standard place for sharing code. If you’re looking for somewhere to download an app, go to the developer’s own website. If the app in question is only available on SourceForge, consider other alternatives. If you must download from SourceForge, be very cautious about it. Pay close attention to what the installer is doing, and be prepared to deal with an adware infection.

  • A Mac User says:

    Along with the common advice of “don’t click on links in email messages …” we need to add another rule:

    never install software that’s required to perform downloads … ever!

    The OS and standards-based computing mechanisms offer all anyone should ever need to perform downloads so anything more than that should be suspect. If a site can’t offer a download via a simple link, just go somewhere else.

  • Sacha says:

    Always a good idea to get software from the developer’s website, not a download site.

    • Zack Mac says:

      Problem with this was that all GIMP downloads, excluding source tars to build yourself, resulted in you downloading the binaries from SF. Thankfully they have now been hosting it on their own for a while, but GIMP-Win, which is actually not associated with the GIMP team other than adding contributions back to the source, was hosted there as far back as I can remember.

  • Reg Shepherd says:

    I’ve noticed this trend as well and have been extremely careful as of late. There have been times when I wondered what I downloaded to have these continually bothersome pop-ups appear on my screen. Didn’t take long to figure it out. GitHub, BitBucket and others are definitely becoming the trend. I started using both for my development projects.

  • Michael Hall says:

    I used SourceForge yesterday and it spammed my Mac. I removed most of it by using AdwareMedic, but today I found something called app finder on my MacBook Launchpad. I cannot find a way to remove it; if I click on it, it brings up a web page of that name. Any advice please?

    • Thomas says:

      I’m not familiar with that app, but you should be able to find it either in your main Applications folder or in an Applications folder in your home folder. In the Finder, choose Home from the Go menu to find the latter. When you find it, just drag it to the trash from there.

      If you can’t find it, and if a Spotlight search doesn’t turn up its location, try downloading EasyFind and using that to search for it.

    • ben says:

      Launchpad came with Mac OSX 10.9. It is an Apple application.

  • Michael Hall says:

    Thanks, took your advice and found app finder in home folder. Spent much of yesterday searching for this thing, so again thanks. By the way, it was adware, as if you clicked on it you went to a certain page via Chrome.

    All the best

  • eric says:


    As usual great article…

    I would like to add one more recommendation, if I may… “Little Snitch” has been my savior on more than a few occasions with unwanted included installs.

    I have used the “deny forever” choice for many apps that “call home” for their ads. You do need to really look at each site an app is trying to connect to, so it takes a little work on behalf of the user, but I think if ‘one’ is reading your site then they are already more than halfway there.

    Hope this helps someone.


  • Pieterr says:

    Sourceforge has posted a blog entry that SF has stopped bundling ads.

    Meanwhile, the developer of NMAP is reporting similar problems as GIMP:

  • Grrrr says:

    Sourceforge is full of it to claim they stopped bundling on June 5th. My brand spanking new Mac just got thoroughly infected with adware + spyware by downloading FileZilla. It’s June 8. No one should download from Sourceforge. Ever.

  • TGBX says:


    Yes, it is time to boycott SourceForge.
