SourceForge admits adding malware to the packages they host


Zooko Wilcox-OHearn

May 28, 2015, 7:29:53 PM
to cryptop...@googlegroups.com
https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

Notice the part where they say "Mirrored projects are sometimes used
to deliver easy-to-decline third-party offers, and the original
downloads are always available."

In other words, they replace some of the packages they host with
variants that have added spyware or adware bundled in.

This is obviously an egregious security vulnerability, as well as a
slimy practice that surely taints the reputation of everyone involved.

I think it is past time for Crypto++ to divorce itself from
SourceForge in all possible ways. I just finished transferring several
old abandoned projects of mine from SourceForge to github. Wasn't
hard.

Here's a more detailed story about this issue:

http://lwn.net/SubscriberLink/646118/a5b8924c2576ecf1/

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com — Freedom matters.
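The practical defence against a mirror that silently swaps a package for a bundled variant is to check what you downloaded against a checksum published by the upstream project on a channel the mirror does not control. The following is an added example, not code from this thread or from the Crypto++ project: it parses a `sha256sum`-style manifest (the `SHA256SUMS` format), verifies a downloaded archive against it, and reports a mismatch when the bytes were altered. The archive bytes, the file name `cryptopp562.zip` and the manifest are constructed placeholders.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Constructed sample data (not real release files): the bytes of an original
# release archive, and a mirror copy with an extra "offer" stub appended.
ORIGINAL_ARCHIVE = b"cryptopp562.zip: original release bytes (constructed)"
TAMPERED_ARCHIVE = ORIGINAL_ARCHIVE + b"\n<bundled third-party offer stub>"

# Constructed manifest in the format `sha256sum` emits:
# "<64 hex chars>  <file name>", one entry per line. In practice this file
# (and ideally its signature) comes from the upstream project, not the mirror.
MANIFEST_TEXT = (
    "# SHA256SUMS for the 5.6.2 release (constructed example)\n"
    f"{hashlib.sha256(ORIGINAL_ARCHIVE).hexdigest()}  cryptopp562.zip\n"
)

_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse a SHA256SUMS manifest into {file name: lowercase hex digest}.

    Blank lines and '#' comments are skipped; the optional '*' before the
    name (sha256sum's binary-mode marker) is dropped. Any other line shape
    is treated as an error rather than silently ignored, so a truncated or
    corrupted manifest cannot pass as an empty one.
    """
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def verify_download(name: str, data: bytes, manifest: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, actual_digest) for a downloaded file.

    status is "ok" when the SHA-256 of `data` matches the manifest entry for
    `name`, "mismatch" when it differs (e.g. a mirror replaced the package),
    and "missing" when the manifest has no entry for that name.
    """
    actual = hashlib.sha256(data).hexdigest()
    expected = manifest.get(name)
    if expected is None:
        return ("missing", actual)
    # Constant-time comparison; the digests are public, but it is the
    # habit worth keeping for any comparison of authenticators.
    if hmac.compare_digest(actual, expected):
        return ("ok", actual)
    return ("mismatch", actual)


if __name__ == "__main__":
    manifest = parse_sha256sums(MANIFEST_TEXT)
    for label, blob in (("original", ORIGINAL_ARCHIVE), ("mirror copy", TAMPERED_ARCHIVE)):
        status, digest = verify_download("cryptopp562.zip", blob, manifest)
        print(f"{label:12s} {status:8s} sha256={digest[:16]}...")
```

Running it shows the original archive as `ok` and the mirror copy as `mismatch`. The check is only as good as the manifest's provenance: a checksum file served from the same mirror proves nothing, which is why projects publish digests on their own site or sign the manifest with a key that is distributed separately.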

Ruben De Smet

May 29, 2015, 5:12:26 AM
to Zooko Wilcox-OHearn, cryptop...@googlegroups.com
I agree.

Please move the svn repositories to git and push them to github. git svn
should do the job pretty well. This will make collaboration a lot easier
too, and github is a lot more trustworthy atm.


We had this discussion earlier, and afaik people wanted to move to git
for a lot of reasons.

Thank you

Ruben

Jeffrey Walton

Jun 1, 2015, 2:35:28 AM
to cryptop...@googlegroups.com
> Notice the part where they say "Mirrored projects are sometimes used
> to deliver easy-to-decline third-party offers, and the original
> downloads are always available."

It reminds me of CNet and Nmap, https://news.ycombinator.com/item?id=3317121.


> I think it is past time for Crypto++ to divorce itself from
> SourceForge in all possible ways. I just finished transferring several
> old abandoned projects of mine from SourceForge to github. Wasn't
> hard.

+1.

Jeff

Jean-Pierre Münch

Jun 1, 2015, 8:10:47 PM
to cryptop...@googlegroups.com
I agree as well.

The problem with the movement from SourceForge to GitHub is that it has
to be done by Wei Dai, as he is the authority to change the links on the
homepage.
But nonetheless, I'll upload a standard copy of 5.6.2 on my GitHub Acc
asap, so people can find the original and the fork more easily.

BR

JPM

Jean-Pierre Münch

Jun 4, 2015, 12:55:59 PM
to cryptop...@googlegroups.com
Code's up.

For now it's just a mirror of 5.6.2 and as soon as Crypto++ migrates to some other platform I'll take it down, as a mirror will be pointless then.
If the migration happens not to be done to GitHub, I'll mirror the official version of the project on GitHub.
Link.

BR

JPM