Black “mirror”: SourceForge has now seized Nmap audit tool project
But one policy remains in effect—the takeover of project pages SourceForge’s staff decides are inactive, and assignment of ownership of those projects to staff accounts. One of the latest projects grabbed in this way is the Nmap security auditing tool.
The practice of reassigning ownership was broadly exposed by SourceForge’s takeover of the project page for the Windows version of the GIMP image manipulation tool. While SourceForge staff claimed in a blog post that the project’s account had been abandoned, an official statement from the GIMP development team denied that SourceForge had contacted them about the account, saying that no permission had been given to SourceForge to take over maintenance of the project.
Something similar happened to Nmap, as its developer Gordon Lyon reported in an e-mail message to the project’s mailing list today. “The bad news is that Sourceforge has also hijacked the Nmap account from me,” Lyon, known as “Fyodor” in Internet discussions, wrote. “The old Nmap project page is now blank. Meanwhile they have moved all the Nmap content to their new page which only they control. So far they seem to be providing just the official Nmap files (as long as you don’t click on the fake download buttons) and we haven’t caught them trojaning Nmap the way they did with GIMP. But we certainly don’t trust them one bit! “
Ludovic Fauvet, founder and CTO of Videolabs SAS. Developer of VLC media player, said in a blog post yesterday that SourceForge similarly took over the VLC project’s account on SourceForge. VLC was, in 2012, the most downloaded project on SourceForge, and still remains among its top projects even though the project moved to its own download infrastructure two years ago. That happened, because as Fauvet wrote, “in 2012 Geeknet started to add more banners to their pages and did not bother filtering ads that were obvious scam, misleading users to click on these fake “downloads” buttons. Some if not all of these advertisers were distributing VLC bundled with crapware (as we like to call them).” The VLC team complained to SourceForge, and were assured by the SourceForge team that something would be done about it.
But the misleading ads kept coming back. “In consequence they also offered to share some revenues with us,” Fauvet wrote. “They gave few thousands dollars every couple of month to the non-profit (which was welcome since we’re all volunteers) but we were still unhappy because a lot of VLC users were still impacted by these misleading ads.” And after Dice acquired Slashdot Media in September of 2012, Fauvet said, the contacts at SourceForge that the VLC team had been working with disappeared, “leaving us without any way to reach the new team for quite some time.” The misleading ads got worse, so in April 2013 the VLC team started to move the project to its own dedicated servers for download, ending user complaints about the ads—but also eliminating a major source of revenue for SourceForge, as “they lost their biggest project which was making a significant portion of their revenues since VLC was the most downloaded software on SourceForge at the time.”
SourceForge attempted to lure VLC back with its “DevShare” revenue sharing program, Fauvet said, in July of 2013. At the same time, VLC’s new servers were targeted by a large distributed denial of service attack. “We still don’t know who was behind the attack and their motivations but the coincidence is striking,” Fauvet wrote.
When news emerged that GIMP had been taken over as a mirror, Fauvet noted, “We were quite surprised to discover that the same happened to VLC, the project has been taken over without notice, removing all access to it but luckily the binaries weren’t touched.”
In an e-mail to Ars, Lyon said, “Sourceforge did not communicate with me prior to seizing the account. They have communicated with me many times in the past about participating in these monetization strategies, and I always declined.”
What on earth are Sourceforge thinking?