- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.
- This isn't recent. In fact it started well over a year ago and was well publicized.
- Even a year ago it was all very malware-y.
- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.
- Those same people are now whining about it.
- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.
This is why I have high hopes for integration with the Microsoft store in Windows 10. I'd be pretty happy giving the Filezilla people .99 cents, assuming no 3rd party installer tricks. MS would store my credit card, it would be a one-click process, take the onus of hosting from Sourceforge/Filezilla, and pay a nice little chunk of change on the side directly to the Filezilla people.
Of course, anyone is free to fork it and host it for free. There are a lot of little things that drive me crazy about Filezilla. I imagine others have the same issues. I could see a fork with good management being very successful.
Ha! The Windows Store is a scum-ridden wasteland. The second top result for Facebook is a fake scam app, claiming to be official. There is a fake Facebook app, paid, that claims to be published by "@Microsoft Corporation". Contacting Store support results in them telling you the app " works as designed ", and if you have a problem with the fake publisher, MS suggests " leave a review ".
Even Netflix had a hard time preventing fakes from being published. Over a month or two, Netflix had to contact MS several times, and MS didn't suspend or remove the publisher. They resubmitted and got listed again. Try searching for HBO, xfinity, etc.
MS is not interested in fixing this problem. Probably some folks have their bonus tied to " number of apps published " and that's that.
I emailed Satya and the manager of the Store, to book effect. The Store is a joke.
For this particular case, if FileZilla is popular, you'll have several fake paid apps. If you're lucky there may be av official app, with no way to verify it's the right one. For most users, they'll be rolling the dice just as much as they are now. Only if FileZilla is extremely diligent would it work. Disney, for example, is a top publisher for the Store, yet all sorts of fake Disney content is on there. I called Disney about this, and after about 15 minutes they figured out "don't go there" (referring to the Store). Even top publishers have a hard time dealing with it. BBC is another case, where top "official" results aren't.
I think this is a point a lot of open source projects miss. They can, and probably should, sell the software even though it is open source.
Trademark (?) protection would prevent a third party from using their name even though it was open source (at least I think so based on the whole Iceweasel event).
Personally, I'd also gladly pay Filezilla a small amount even though it's open source.
Why are these links to Ninite.com flag-killed? It's a tremendously useful program, IMO. Is there some secret danger about this tool I'm missing here?
I'd post my one-click-install-all-the-useful-things Ninite link (which preselects a custom selection of software into one installer) that I use for quickly setting up clean Windows machines at the kids' technology centre I work at. But I fear it might get flagkilled too. (ah doesn't matter anyway, I'm sure the average HNer is smart enough to make their own selection, and currently looking at my selection, some of the tools seem a bit out-of-date, wouldn't pick those today anymore).
This is correct. I actually contacted Filezilla's developer (Tim Kosse) regarding this several months ago, and he let me know that this bundling was intentional on the part of Filezilla.
Even if HN threads are not comprised of the same people, it is still remarkable how entirely different sets of people show up depending on which way the wind is blowing.
Well, I didn't know this, and I'm glad I know now. I'll be looking for an alternative GUI SFTP client for Windows.
I was a bit confused though, I'm pretty sure I installed FileZilla on some Windows machine less than a year ago and would've noticed any malware. But now that I think about it, I used Ninite.com, a multi-install tool for free Windows software, which automatically opts out of any nasty toolbars and such, so I just didn't see it at the time (I'm assuming the malware is at least opt-out, right?).
Doesn't matter though, bundling toolbars/malware is a no-go for me. I know I can (usually) get rid of such pests if they get on my system, but I know so many people who would have a much harder time. Those people are being taken advantage of, they're not "choosing" to have this malware. I can't recommend this type of software to such people because they might get malware if they install it themselves, so they need alternatives without malware. Therefore I won't use the malware-bundled software myself either, because I want to check out the alternatives and see which ones are any good (and I don't really need FileZilla, anyway).
You can get it without the downloader, but it is non-obvious as you have to choose the other download options. To me that implies downloads for different platforms.
The installer is horrible, and I think that the last I looked at it, the options were all opt-out, they hugely abused anti-patterns to make that process all but impossible.
If you read through this thread [1] on the filezilla forums, you'll see that the administrator defends the use of SourceForge over and over. My guess is that they're receiving kickbacks of some sort for the installation of said malware.
I think the world would be better if people just expected to pay a small amount for software, but we don't live in that world, and so we get "free" software you can download "for free" that installs a bunch of crap so the developers can get paid.
Up until rather recently, it was hard to pay or receive sub-dollar amounts. This problem is solved on the two mobile platforms (though Apple still takes a much larger cut from payments). Paypal / Stripe / Square sort of solve it in the web space.
But we still lack a nice software store (or several) where you could pay a piece of software and pay a nominal amount (or more if you choose to donate), knowing that you won't receive any malware / nagware in exchange, and that a large cut of your payment goes to the authors and maintainers.
Similar things seem to happen around indie musical tracks, so probably the model could survive in the "indie" software area.
Yep, I love it when I find good music on youtube abd a link to bandcamp where I can pay a small minimum amount (or more). They seem to have done something right as me and others typically pay well over the minimum price
It sounds more like a SourceForge issue than FileZilla. SourceForge used to provide clean binaries, but I guess they changed that process in the past year or two to bundle apps in the installer wrapper. You need to be extremely careful during the installation process to make sure that you do not accidentally install some extra software. The same happen to uTorrent - they also added tricky question during the install process to include advertisement, change default browser and such. That's a sad way to earn money - the end-users will definitely move on because of that.
FileZilla could choose to move away from SourceForge, to be honest - any party staying with SF after stunts like this (and this isn't the first one) are as corrupt as SF themselves are IMO
is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases
Unfortunately it must work because people keep doing it. If it didn't increase revenue companies would stop doing it.
It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.
If SourceForge want to stay afloat, they should reinvent themselves as a decent GitHub alternative or pivot. Bundling malware for kickbacks and keeping the old site design won't take them anywhere good.
Open source software really should abandon SourceForge. You can't even download any binaries through HTTPS from them. Even if you log in the download links redirect to plain HTTP.
There's really no reason to use SourceForge anymore. GitHub can do almost everything SourceForge can do, aside from app reviews I guess. GitHub also doesn't make you feel like you're in 2004.
That's a very important point if you're distributing your software to non-technical users, but a download button in either the README.md should do the job. You could also use a GitHub site and host a simple download site for your repo.
It seems to me that if a project on GitHub is interested in making it easy for lay-people to download, then a little dose of
https://pages.github.com/
should do the trick? (Personally I found SF's interface confusing and incredibly "busy" -- I don't think lay-people would fare much better, but I could be wrong.)
If the creator of a software critiques your SaaS that uses his software maybe you should pay more attention to it? I am sure Linus knows git a lot better than most of us.
he doesn't complain about the website design he is complaining about the functionality. In fact he's stated in interviews he doesn't wish to ponder in web development.
I am not surprised someone who's career has been writing the lowest of low-level software. kernels and device drivers, isn't interested the total opposite end of the spectrum, web development.
While I initially thought this as well, at some point the site admin (botg) posts this:
""MalSign.Generic.F84". Looks like a typical false-positive generated by a heuristic.
There is no malware in the SourceForge Downloader, you can safely use it to install FileZilla. While the SourceForge Installer may present third-party offers, they are
clearly labeled as such. All third-party offers can easily be declined. Nothing unwanted is being installed without your consent. Declining offers does not prevent nor otherwise disturb the installation of FileZilla.
If you do not wish to use the SourceForge installer, have a look at the additional download options listed on the FileZilla website."
His stance seems to be that it's not malware, rather a false positive (I have no proof to claim he's wrong and if he is, it could be a honest mistake; he's trusting SF, which I understand), and he mentions that you can also download Filezilla from their own website, without the SF installer.
That seems pretty reasonable to me, but again: at first I got the impression they (FileZilla's owners) simply didn't care.
I hate what SF has been doing, and I refuse to use their installers (although I'm primarily a Linux-user so I don't have to worry about these installers, thankfully), but I don't really feel like the FileZilla owners should be avoided as it looks like they're simply trusting SourceForge, nothing more. I hope I'm right. ;)
my main issue is that, the offers only exist to either affect the people who don't know any better (and would probably chose the opposite if they were more educated about such practices), or those that mis-click.
Most people, when presented with a) a logo (of a group they trust), and b) accept or decline, they are going to make assumptions and not read the middle.
Which ends up affecting a lot of users: every bad review relating to the installer and every complaint in the forums (once again, in relation to the installer), is a person who has been deceived and had a negative experience, because of a decision of the FZ developers (and the installer is choose-able by the project developer, last I inquired)
I've heard similar things about FileZilla and it's creator. Do you have any recommendations for an open source, GUI-based, Linux FTP client?
Most of the time I simply scp or rsync files as neccessary, however I use FileZilla to manage files on my phone and tablets via FTP. I've never found the FTP/SFTP/SMB support in Thunar to be all that reliable...
Maybe Midnight Commander? It can open FTP-connections (and shell connections, too, allowing secure copying of files over SSH rather than FTP), has that well-known dual pane layout, and, while not a GUI application, can be controlled the same way a GUI application can without even needing X. :)
I'm not using GNOME. I'm using XFCE, and unfortunately in my experience Thunar (the XFCE file manager) doesn't handle those sorts of connections too well. I think it's more to do with the FUSE layer beneath it (possibly the same driver that's used by GNOME).
unfortunately I haven't. For the most part, I'm a Windows user, so I've been using Explorer for plain FTP to my phone (which, while not great, does do the job more-than-well-enough for my uses)
Unfortunately, like I say, I've tried that (using Thunar - the otherwise fantastic file manager in XFCE). I'm not sure if it's Thunar's fault, or it's the FUSE layer beneath it, but I've always found it to be a little unreliable. Plus I like to be able to see connection logs and manage the activity queue in the same way I do with FileZilla.
I wonder if Mozilla could argue that Filezilla is infringing on their trademark and damaging their reputation because of this.
I mean, it's an open-source client for a common internet protocol that ends in "zilla". It would be easy for users to assume that Filezilla is affiliated with Mozilla.
And up until the move to Sourceforge's adware downloader system, that would have been fine for everybody - they're both good products.
But now? Now filezilla is riding on mozilla's coattails with the confusion and profiting from it, to the detriment of mozilla's reputation.
We've been sending Windows clients to https://ninite.com/filezilla/ to download it but perhaps we ought to start avoiding it completely. I don't particularly like any other FTP client I've used in Windows, but its been a while since I looked.
Agreed. WinSCP is not only easy to use with a fairly "native" Windows feel (just drag and drop stuff from one half of the window to the other), but it's also not bundled with malware.
If you're on Windows, it's a great site. I just had to provision a new laptop, and it saved me a ton of time, since I was able to install about a third of my checklist with a single download.
SFTP. Changing UNIX modes. Choosing active vs passive per-server. Choose text or binary transfer. Resume transfers. Copy only changed files based on time or size.
It works really well unfortunately. I would prefer my installations without the potential for malware, but I don't see another sftp client as mature as filezilla. There used to be a ton and then it emerged as the best. fwiw it seems the auto updates are malware free.
I always install FileZilla through Ninite or apt-get, so I know my installation is clean, but I'd like to stop using and recommending FileZilla out of principle because of this (and reading the responses on the filezilla forum). Everyone else in my office uses FileZilla as well, and I'm sure many of them used the sourceforge installer and didn't fully read the options.
But you're right, I don't know any other decent FTP clients that I would recommend. Maybe someone on HN knows of a good alternative?
WinSCP is far superior to filezilla. At my last job stuck using a Windows machine for some things, I ended up using it quite extensively. Every bug I submitted to the author was fixed within months. He is also active on the forums, though has a bit of a Linus Torvalds style... which can be offputting for some.
Filezilla use will drop down because most admins I know that hear about this will immediately write it off as too dangerous to even try to get around. Sure you can dig into the sourceforge files and maybe find a clean version, or maybe find a checksumed mirror, but would you really trust it?
As usual, Avira is right on the money with "Adware/InstallC.buzg." ESET is pretty good too with "a variant of Win32/InstallCore.UQ." None of the other providers clearly identified it.
As time marched on, I've found myself more and more hesitant to use SourceForge at all, even to download things. If a project isn't available on GitHub, BitBucket, or through a package manager, then I'm very unlikely to download the source.
Separate from any particular issue with Filezilla: all Sourceforge downloads are via insecure HTTP, so could be redirected elsewhere, or corrupted in transit, to deliver malware.
Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP download.
And if you ask them about this, you get no reply. Which is interesting.
Yes, they should be regarded as a malware site these days. It's a shame, really. Some other site should probably mirror the projects that aren't anywhere else and host them properly.
Just an FYI for those cases when you need to download something that isn't available anywhere other than SourceForge: there's a small, plain-text "direct download" link under the big download button.
They tend to move this around a bit to make it harder to spot, but it's always been there since the malware-infested download manager was introduced. The malware & crapware is entirely limited to SF's download manager. The application binaries themselves are totally clean.
This is not about SourceForge or FileZilla. This is an issue that plagues most Windows freewares, everyone is integrating offers to the installer. Even FileHippo started this recently.
The download manager (wrapper) of these 2 companies are provided by the same Israeli company InstallCore.
As far as I remember this is an opt-in feature for developers who host their projects on sourceforge that makes the installer offer additional software, by 3rd parties, to be installed. That additional software may be malicious.
Ever since 2007-2008, Source Forge and places like CNET really started to lose trust for me. When I noticed something from source forge had some sort of downloading tool I put my hands down and refused to continue with that sort of thing.
We have enough Ask Tool bar kind of crap from Oracle Java installers, and when useful tools step to doing similar things, it really makes me lose respect and find alternatives.
As a developer, I need to have a work environment that is robust and dependable. Additional promotional packages that can slip through will disrupt or degrade my work. That is not something I can take and feel sane.
I haven't paid for the program and have not installed any adware on my machine, I am happy with the product and have no qualm with someone who has spent their time making something to try to profit from it. I'm not the sort of person who opts-in to install malware so its not an issue to me. If I wanted to be upset about something I would buy a commercial, ad-free, program and complain that it does not have features of filezilla.
I've had a similar experience trying to install OpenCV.
I use windows, and I couldn't figure out why something like OpenCV could possibly have malware with it. When I downloaded it, chrome said "Stop! This is malware!" I thought that there was no way there could be a problem with the file unless Sorceforge was having issues.
What fixed the issue for me was downloading from a different mirror. So perhaps some of the mirrors are compromised?
I faced the same problem. This is a total mess and I could not believe that a most reputed web program like Filezilla hosted at Sourceforge is a malicious software. The best thing should be that Filezilla should be available for download from https://filezilla-project.org firsthand.
i m an idiot but does this impact the linux version ? I use Filezilla on my ubuntu that I downloaded around September'2014 and not sure if I downloaded from Sourceforge. I am guessing this issue is only for Windows, right ?
For Windows and my own servers I don't even bother with FTP anymore, it's just another possible entry into my servers. WinSCP / SCP itself works fine, no FTP server required.
See the acres of discussion about Google Chrome not having a master password. The fact that they caved in and no provide a master password does not mean it's a good idea.
The argument that I recall for Chrome not having an optional master password was that it was often less secure than using the system's encrypted data store for their account, if available.
Requiring a master password to decrypt the network passwords is a perfectly fine idea if you want to maintain portability and reduce the chance that your network passwords are accidentally exposed. An attacker has to both have the password file and either figure out the master password or have code execution privileges on the user's account to gain the network passwords. This is more secure than trying to ensure the password file doesn't get "misplaced" (e.g. on an unencrypted drive, in unencrypted backups, unintentionally through a fileserver, etc).
- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.
- This isn't recent. In fact it started well over a year ago and was well publicized.
- Even a year ago it was all very malware-y.
- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.
- Those same people are now whining about it.
- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.