
SourceForge

Company

SourceForge is a network of websites hosting more than 21 thousand software projects in development, all of which are uploaded to the service and available to everyone.

On January 27, 2011 SourceForge.net, the oldest hosting portal for open-source projects, temporarily suspended part of its services (CVS, web access to source code via ViewVC, the ability to upload new releases, remote terminal access). The next day, January 28, registered SourceForge.net users received an e-mail notification that their passwords had been reset.

On Saturday, January 29, SourceForge.net administrators published a detailed report on the intrusion based on the results of 'the first round of analysis'. The intrusion was first detected around January 26: apparently, the servers running the CVS version control system were attacked first. However, traces of the intrusion were also found on other servers serving the portal.

According to SourceForge, the overall sequence of the attack 'was fairly standard': 'It all started with a privilege escalation to root level on one of our platforms, which allowed the attacker to obtain authentication data that was then used to access machines with SSH enabled.' However, the segmented architecture of SourceForge's internal network prevented the attack from spreading to other network zones. It was at this point that SourceForge administrators detected the attack.

Part of the portal's services was shut down to reduce the probability of the attack spreading. The reset of user passwords was prompted by the discovery of a modified SSH server programmed to harvest user passwords: 'We have no reason to believe that the attacker succeeded in collecting passwords,' the SourceForge blog reported. 'But the existence of this [modified] server, and the existence of access to the hashed and encrypted data stored on the server, unilaterally prompted us to take preventive measures and reset all SourceForge user passwords.'

In addition to the urgent measures, SourceForge administrators began analysing the changes that occurred during the intrusion. 'It is better to be safe than sorry,' the blog reported, 'so we decided to carry out a large-scale verification of project data: from file releases to new commits in SCM.' The data will be compared with backup copies made before the intrusion, and where suspicious places are found, SourceForge administrators will contact the specific project teams.
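The verification described above (comparing project data against a pre-intrusion backup and flagging anything that differs) and the earlier discovery of a modified SSH server both reduce to the same check: hash every file in a known-good snapshot, hash the same paths in the current state, and classify each path as unchanged, modified, added or removed. The following is an added illustration written for this page, not SourceForge's own tooling; the sample file contents, paths and the `manifest_from_dir`/`compare_manifests` helper names are constructed for the example.

```python
import hashlib
import os
from typing import Dict, List

# Added example (not SourceForge's code): integrity verification of a project
# tree against a manifest built from a backup taken before the intrusion.


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_dir(root: str) -> Dict[str, str]:
    """Walk a real directory tree and map relative path -> SHA-256 hex digest.

    Use this on a mounted backup and on the live tree; the same function also
    covers system binaries such as an sshd package when run over its file list.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_bytes(fh.read())
    return manifest


def manifest_from_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same manifest shape as manifest_from_dir, built from in-memory sample data."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path in either manifest as unchanged, modified, added or removed."""
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)      # present in backup, gone now
        elif path not in baseline:
            report["added"].append(path)        # appeared during the intrusion window
        elif baseline[path] != current[path]:
            report["modified"].append(path)     # content differs from the backup
        else:
            report["unchanged"].append(path)
    return report


def needs_project_contact(report: Dict[str, List[str]]) -> bool:
    """Any difference is a 'suspicious place' to raise with the project team."""
    return any(report[kind] for kind in ("modified", "added", "removed"))


# Constructed sample data: a pre-intrusion backup of a project's file releases
# and the state of the same tree after the intrusion window.
BACKUP_SNAPSHOT = {
    "releases/tool-1.0.tar.gz": b"tarball bytes v1.0",
    "releases/tool-1.0.tar.gz.sig": b"signature v1.0",
    "README": b"Tool project readme",
}
CURRENT_TREE = {
    "releases/tool-1.0.tar.gz": b"tarball bytes v1.0 with an extra payload",  # modified
    "releases/tool-1.0.tar.gz.sig": b"signature v1.0",                          # unchanged
    "releases/tool-1.0-setup.exe": b"unexpected new file",                      # added
    # README is absent from the current tree: removed
}


def run_sample() -> Dict[str, List[str]]:
    return compare_manifests(manifest_from_files(BACKUP_SNAPSHOT),
                             manifest_from_files(CURRENT_TREE))


if __name__ == "__main__":
    result = run_sample()
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:9s} {path}")
    print("contact project team:", needs_project_contact(result))
```

The baseline manifest should be built from a copy that the compromised hosts never had write access to (an offline backup, or a package manifest shipped with the distribution for system binaries); a manifest stored on the same host can be rewritten by the same attacker who modified the files.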

As data validation is completed, the SourceForge servers are returning to normal operation.

However, it is already quite clear that SourceForge's security architecture will become stricter from now on: 'In most cases, past decisions were made on the basis of a general principle of trust in open-source developers who work together, play by the rules and generally do what needs to be done,' the blog reported. But today 'the time has come to review the balance between general trust and security.' Administrators have already begun deploying a new version of the web interface for source code access, 'secure project web', built on a hardened architecture. In addition, they are considering dropping the old CVS version control system, which has architectural limitations and scales poorly. SourceForge administrators recommend that users switch to the alternative SVN and Git systems.

2015: Not the best times of SourceForge

Founded in 1999, when GitHub did not yet exist, the SourceForge.net website became the place to host free software projects. However, according to some users and participants, the project has hit rock bottom: it began forcibly adding advertising software (adware) to the distributions of free projects without the developers' consent[1].

The first problems appeared in 2013, when SourceForge's owners decided to implement an "innovation": a big green Download button leading to an installer that contained not only the original program but also bundled adware. The alternative, adware-free download option was left as an inconspicuous "Direct Download" link under the button.

This monetization option outraged many open-source programmers, and some of them left SourceForge in 2013. In response, SourceForge promised never to add an installer with adware without the consent of the project's maintainer.

On June 22, 2015 it became known that the once popular application hosting service SourceForge had fallen on hard times. The How-To Geek website published an appeal from software developers suggesting a boycott of the portal. Then PC World published the article "Why Large OpenSource-projects Leave SourceForge". The reason was the very unfortunate monetization model chosen by the service's management[2].

Despite the administration's promise not to use the installer to distribute programs without the developers' consent, a number of popular free projects stopped cooperating with SourceForge. At the same time the original files were deleted, but the service independently monitored updates and kept the corresponding sections in working order.

In 2015 SourceForge, without the approval of software developers, resumed the practice of distributing popular programs via its own installer, which also included "advertising" applications. It began with GIMP (although the installer was removed within a few days). Then came the turn of other open-source applications.

For now the portal's administration refrains from embedding additional programs in free software installers, but it has this capability, and developers have no guarantee that it will not be used.

The nature of free licenses does not allow developers to explicitly prohibit hosting of their applications. Therefore they can act only by "soft" methods. In particular, the website is already blocked by the uBlock extension. And developers have appealed to users to download their programs from the official sites rather than from SourceForge hosting.

The SourceForge website blocked by the uBlock extension, 2015

On June 3, 2015 the alarm was raised by Gordon Lyon, known online under the nickname Fyodor, the author of the popular network scanning and security auditing utility Nmap. According to the author, "SourceForge stole his account with the open-source program Nmap". He reported this on the Seclists.org mailing list[3].

Hi everyone! You have probably already heard the latest news that Sourceforge.net stole the GIMP project's account to distribute adware/malware. GIMP previously used this Sourceforge account to distribute its Windows installer, but they left after Sourceforge began deceiving users with fake download buttons that led to malware rather than GIMP. Then Sourceforge took control of the GIMP account and began distributing a trojaned installer that used tricks to try to install various malware and adware before the real GIMP installation. Of course, this directly contradicts the promise Sourceforge made less than two years ago: "We assure you that we will NEVER bundle with any project without the developers' consent".

Notes