
SourceForge offering "side-loading" installers

By Nathan Willis
August 21, 2013

SourceForge.net is the longest-running project hosting provider for open source software. It was launched in 1999, well before BerliOS, GitHub, Google Code, or most other surviving competitors. Over that time span, of course, its popularity has gone up and down as free software development methodologies changed and project leaders demanded different tools and features. The service is now evidently interested in offering revenue-generation opportunities to the projects it hosts, as it recently unveiled a program that enables hosted projects to bundle "side-loaded" applications into the binary application installer. Not everyone is happy with the new opportunity.

The service is called DevShare, and SourceForge's Roberto Galoppini announced it as a beta program in early July. The goal, he said, is "giving developers a better way to monetize their projects in a transparent, honest and sustainable way". The details provided in the announcement are scant, but the gist appears to be that projects that opt in to the program will get additional bundled software applications added to the binary installers that the projects release. These "side-loaded" applications will not be installed automatically when the user installs the main program, since the user must click an "accept" or "decline" button to proceed, but the installer does try to guide users toward accepting the side-loading installation. The providers of the side-loaded applications are apparently paying SourceForge for placement, and the open source projects that opt in to the program will receive a cut of the revenue.

The DevShare program was invitation-only at the beginning, and Galoppini's announcement invited other projects to contact the company if they were interested in participating in the beta round. The invitation-only and opt-in beta phases make it difficult to say how many projects are participating in DevShare—or which ones, specifically, although the announcement pointed to the FTP client FileZilla as an example. It is also difficult to get a clear picture of which side-loaded applications are currently being deployed. The announcement says the company "spent considerable time looking for partners we could trust and building a system that does not detract from our core user experience", but that does not appear to have assuaged the fears of many SourceForge users. The commenters on the Reddit thread about the move, for instance, were quick to label the side-loaded offerings "adware," "bloatware," "crapware," and other such monikers.

At least two of the side-load payload applications are known: FileZilla includes Hotspot Shield, which is touted as an ad-supported browser security bundle (offering vague promises of anonymity, HTTPS safety, and firewall tunneling); other downloads are reported to include a "toolbar" for Ask.com and related web services. The Ask.com toolbar is a familiar sight in these situations; it is also side-loaded in the JRE installer from Oracle, as well as by numerous other software-download sites like Download.com.

To many free software advocates, the addition of "services" that make SourceForge resemble Download.com is grounds for ditching SourceForge as a project hosting provider altogether. Not everyone is so absolute, however. At InfoWorld, Simon Phipps argued that DevShare could be implemented in a manner that respects both the software projects involved and the users, if participation is opt-in for the projects, the projects can control which applications are side-loaded, installation for the user is opt-in, malware is not permitted, and the entire operation is run with transparency.

Phipps concludes that DevShare "seems to score well" on these points, but that is open to interpretation. For example, one aspect of Phipps's call for transparency is that SourceForge should provide an alternate installation option without the side-loading behavior. But many users have complained that the FileZilla downloads disguise the side-loading installer under a deceptive name that looks like a vanilla download. Even if the nature of the installer is clear once one launches the installer, the argument goes, surely it is a bait-and-switch tactic to deliver the installer when users think they are downloading something else.

Indeed, at the moment, clicking on the download link for FileZilla's FileZilla_3.7.3_win32-setup.exe (which is listed as a 4.8 MB binary package) instead triggers a download of SFInstaller_SFFZ_filezilla_8992693_.exe, a 1 MB executable served from the domain apnpartners.com. For now, only Windows downloads appear to be affected; it is not clear whether that is a decision on the part of the FileZilla project or SourceForge, or simply a technical limitation of the team behind Hotspot Shield.
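The substitution described above, a link labelled with one filename and size that delivers a different file from a different domain, is exactly the kind of mismatch a download script can detect before anything is executed. The following Python is an added example, not code from the article, SourceForge or FileZilla: it compares what a download page advertised (filename, approximate size, expected host) against what the HTTP response actually delivered (final URL after redirects, Content-Disposition, Content-Length) and returns every discrepancy. The byte sizes, the sourceforge.net mirror URL and the HTTP headers are constructed to mirror the figures in the text; the real authoritative check is a hash published by the project itself, which the page does not provide.

```python
"""Flag a downloaded installer that does not match what the download page advertised.

Added example, not code from the article or from SourceForge/FileZilla.
Sample values below are constructed from the figures quoted in the text.
"""
from dataclasses import dataclass, field
from email.message import Message
from urllib.parse import urlparse


@dataclass(frozen=True)
class Advertised:
    """What the download page claimed: link text, listed size, and the site we clicked on."""
    filename: str
    size_bytes: int
    host: str  # the host (or a parent domain of the host) the file should come from


@dataclass(frozen=True)
class Delivered:
    """What the HTTP client actually received (after following redirects)."""
    final_url: str
    headers: dict = field(default_factory=dict)


def filename_from_headers(headers, final_url):
    """Name of the delivered file: Content-Disposition filename, else last URL path segment."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # email.message.Message parses RFC 2183-style Content-Disposition parameters for us.
    msg = Message()
    msg["Content-Disposition"] = lowered.get("content-disposition", "")
    name = msg.get_filename()
    if name:
        return name
    return urlparse(final_url).path.rsplit("/", 1)[-1]


def check_download(adv, delivered, size_tolerance=0.10):
    """Return a list of human-readable mismatches; an empty list means the download matches."""
    problems = []
    lowered = {k.lower(): v for k, v in delivered.headers.items()}

    # 1. Origin: the final host must be the advertised host or a subdomain of it.
    host = urlparse(delivered.final_url).hostname or ""
    if host != adv.host and not host.endswith("." + adv.host):
        problems.append(f"host: expected {adv.host}, got {host}")

    # 2. Name: the delivered filename must be the one the link showed.
    name = filename_from_headers(delivered.headers, delivered.final_url)
    if name != adv.filename:
        problems.append(f"filename: expected {adv.filename}, got {name}")

    # 3. Size: listed sizes are rounded, so allow a tolerance rather than an exact match.
    length = lowered.get("content-length")
    if length is None:
        problems.append("size: no Content-Length header")
    else:
        actual = int(length)
        if abs(actual - adv.size_bytes) > size_tolerance * adv.size_bytes:
            problems.append(f"size: expected about {adv.size_bytes} bytes, got {actual}")
    return problems


# Constructed sample: the link as the article describes it (4.8 MB shown as 4,800,000 bytes).
ADVERTISED = Advertised("FileZilla_3.7.3_win32-setup.exe", 4_800_000, "sourceforge.net")

# Constructed sample of the substituted response: 1 MB from the apnpartners.com domain.
SUBSTITUTED = Delivered(
    "http://ak.pipoffers.apnpartners.com/constructed/path/download",
    {
        "Content-Disposition": 'attachment; filename="SFInstaller_SFFZ_filezilla_8992693_.exe"',
        "Content-Length": "1000000",
    },
)

# Constructed sample of a response that matches the advertisement (hypothetical mirror URL).
MATCHING = Delivered(
    "https://downloads.sourceforge.net/constructed/FileZilla_3.7.3_win32-setup.exe",
    {"Content-Length": "4750000"},
)

if __name__ == "__main__":
    for label, resp in (("substituted", SUBSTITUTED), ("matching", MATCHING)):
        found = check_download(ADVERTISED, resp)
        print(label, "->", "OK" if not found else "; ".join(found))
```

A wrapper that refuses to save or launch the file when `check_download` returns anything non-empty would have stopped the scenario in the article at the download step. The host check deliberately accepts subdomains of the advertised site because project mirrors are often served from them, but it rejects any unrelated domain outright.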

Close to two months have now elapsed since the DevShare beta program was announced, and SourceForge has not followed up with additional details. The company has put up a "Why am I seeing this offer?" page that explains the program, how to opt out of the side-loading installation, and how to uninstall the Ask.com toolbar (although not how to uninstall Hotspot Shield, for some reason). Inquisitive users thus do have access to the appropriate information about the nature of the side-loading installation and how to decline it, but the page is only linked from within the installer itself.

For its part, the FileZilla project has been fairly blunt about its participation in the program. On a forum thread titled "Sourceforge pushing crap EXEs instead of filezilla installer," developer Tim "botg" Kosse replied simply:

This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.

If you need an unbundled installer, you can still download it from http://download.filezilla-project.org/

Later on in the thread, he assured upset commenters that the project is taking a stand against the inclusion of malware and spyware in the bundle, and indicated that FileZilla had opted out of the Ask.com toolbar, in favor of "only software which has at least some merit. Please let me know should that not be the case so that this issue can be resolved."

It would appear, then, that participating projects do get some say in what applications are side-loaded with their installers in DevShare, which places it more in line with Phipps's metrics for scoring responsible side-loading programs. Nevertheless, based on the discussion thread, FileZilla's reputation among free software advocates has taken a hit due to the move. How big of a hit (and whether or not it will recover) remains to be seen. As DevShare expands from a closed beta into a wider offering for hosted projects, if indeed it does so, SourceForge.net will no doubt weather the same type of backlash.



SourceForge offering "side-loading" installers

Posted Aug 22, 2013 5:21 UTC (Thu) by josh (subscriber, #17465) [Link] (9 responses)

Sourceforge became irrelevant years ago; this would generate more shock (and abandonment) if most serious projects hadn't already abandoned it.

This does have a positive side: hopefully it's the motivation the stragglers need to start moving out before the lights go off.

I can respect the role Sourceforge had during the early days of Open Source; it was the first major project hosting site, and many great projects had their start there. But this is a pretty clear sign that they've long outgrown the interesting stages of the "first get a million users then figure out how to make money" model.

SourceForge offering "side-loading" installers

Posted Aug 22, 2013 10:20 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

Their new codebase is FOSS (Apache) and a fair bit better than the old PHP based code and probably better than proprietary sites like github. I for one would like to see savane/gforge/fusionforge based sites migrate to it.

SourceForge offering "side-loading" installers

Posted Aug 22, 2013 18:12 UTC (Thu) by wtanksleyjr (subscriber, #74601) [Link]

I'd rather never see any more Sourceforge-inspired pages. I used them back when there was no choice, but it always seemed to me that every feature they had available was the worst choice available, stuck together with barbed wire (that IS hyperbole). Their mailing lists are still unacceptable; their lateness to support any distributed revision control as well (although I admit that here my hyperbole shines, since I liked SVN back when they were early adopters).

Lots of people use SourceForge

Posted Aug 22, 2013 15:26 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link] (3 responses)

Lots of people use SourceForge. They've now switched to a new hosting platform, "Allura", which is reasonable *AND* is open source software itself (hosted by Apache, so SourceForge can't "take it away"). Let's contrast that with github; while github supports the OSS community, the github software itself is proprietary. It is absolutely github's right to do so, and github's generally been a good citizen. But there are reasons to ask questions, too.

Lots of people use SourceForge

Posted Aug 22, 2013 21:14 UTC (Thu) by robert_s (subscriber, #42402) [Link] (2 responses)

>*AND* is open source software itself (hosted by Apache, so SourceForge can't "take it away")

Of course they can. It's Apache licensed. They simply start basing sf on a proprietary fork without releasing the changes back. This sentence is meaningless.

Lots of people use SourceForge

Posted Aug 22, 2013 21:33 UTC (Thu) by pizza (subscriber, #46) [Link]

In all fairness the ability to use a proprietary fork isn't restricted to the Apache licensed stuff; even if the code was pure GPL (and they didn't own it) they could still host it themselves and make any changes they wanted without releasing any new code.

Now the *A*GPL is another matter.

Lots of people use SourceForge

Posted Aug 23, 2013 18:50 UTC (Fri) by makomk (guest, #51493) [Link]

Not only can they do this, it's exactly what happened to the previous "open source" version of the Sourceforge.net website code as soon as they couldn't gain any more commercial advantage from it being open source.

SourceForge offering "side-loading" installers

Posted Sep 1, 2013 12:56 UTC (Sun) by vasi (subscriber, #83946) [Link] (2 responses)

What would you recommend for hosting autotools-based projects? Recall that with autotools, you don't just release the source straight from version control, instead you run "make dist" to generate a source tarball.

GitHub's Releases doesn't support this model well, it leaves you with two similar-looking release files, one of which is a dist tarball and one of which is direct from git. Google Code has deprecated its Downloads area. Sites like Alioth and Savannah are targeted at specific projects only (Debian and FSF). But on Sourceforge, it's easy to just rsync the new dist tarball.

Maybe Launchpad works ok?

SourceForge offering "side-loading" installers

Posted Sep 1, 2013 14:46 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

launchpad does not support git. fedorahosted is alright

SourceForge offering "side-loading" installers

Posted Sep 2, 2013 7:59 UTC (Mon) by peter-b (guest, #66996) [Link]

I use Launchpad for the geda-gaf package (http://www.geda-project.org/ + http://launchpad.net/geda). Launchpad lets me upload 'make dist' release tarballs. On the other hand we have to keep the source code repository elsewhere because Launchpad still has a bzr problem.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 23, 2013 20:47 UTC (Fri) by giraffedata (guest, #1954) [Link] (8 responses)

surely it is a bait-and-switch tactic to deliver the installer when users think they are downloading something else.

That's a trojan horse, not bait and switch. Bait and switch would be if you clicked on Filezilla and a page came up saying, "wouldn't you rather download Hotspot Shield? Click here to get Hotspot shield instead of Filezilla."

It would also be a bait and switch if the site refused to let you have Filezilla at all, and offered you Hotspot shield or nothing.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 23, 2013 21:59 UTC (Fri) by jimparis (guest, #38647) [Link] (7 responses)

I agree with the article as written: it is a bait and switch. It is clearly designed to look like a directory listing / file browser: see this screenshot.

With a layout like that, I expect that clicking on a link that says "FileZilla_3.7.3_win32-setup.exe" with a listed size of "4.8 MB" will cause me to download a file from Sourceforge with that name, and with that size. That was the bait. Instead, I got a completely different file from "http://ak.pipoffers.apnpartners.com". The switch.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 23, 2013 23:12 UTC (Fri) by giraffedata (guest, #1954) [Link] (6 responses)

All the facts you give describe a trojan horse and not a bait and switch.

A trojan horse is where you're offered something that looks good, so you take it, but you actually get something else that you didn't want but that the offeror wanted you to have.

Bait and switch is an old marketing ploy where a store advertises item A at a tempting low price (the bait) and when you get there tries to sell you item B, which the store would rather you have because it has a higher profit margin (the switch). Sometimes it isn't even possible to get item A because the store never had it, or had only a few in stock because it really didn't want people to have it. There are laws now that prohibit this latter form of advertising and are referred to as bait and switch laws.

But the key is that the prospective customer in a bait and switch scheme is never tricked into taking Item B. The only thing he's tricked into doing is visiting the store.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 24, 2013 1:17 UTC (Sat) by jimparis (guest, #38647) [Link]

I'm convinced. Thanks for explaining.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 28, 2013 23:47 UTC (Wed) by sitaram (guest, #5959) [Link] (4 responses)

A trojan horse is where you don't realise, without some loss or effort, that you got something else. The payload of a trojan horse is *hidden* (up to a point anyway).

Here, the downloaded filename makes it *very* clear you got something other than you asked for.

I'd say it's still bait and switch...

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 29, 2013 15:38 UTC (Thu) by giraffedata (guest, #1954) [Link] (3 responses)

A trojan horse is where you don't realise, without some loss or effort, that you got something else.

After you have the thing, the trojan horse concept is complete. Going back to the original trojan horse, the cleverness was in that the Spartans opened the gates and rolled the horse inside. If the soldiers had jumped out just after they were rolled inside, it would still be remembered as the same classic military maneuver.

In the side-loading case, you click on a link and invite the program into your computer because you think it is an ordinary installer for FileZilla. The link says, "FileZilla_3.7.3_win32-setup.exe". After clicking, you discover that you've started up an offensive advertising program instead, so the analogy to the Trojan horse is complete.

Whether it's a trojan horse or not, though, it still doesn't have the elements of the advertising strategy commonly known as "bait and switch" (which I detailed in an earlier post).

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 29, 2013 16:13 UTC (Thu) by sitaram (guest, #5959) [Link] (2 responses)

As soon as you see the name of the file *actually* being downloaded, you can cancel the download. Probably even before the download has completed, in most cases. If that's a trojan horse, it's like using glass instead of wood to build it because it is almost *immediately* obvious.

Unless the download completes and the malware *gets* at least unpacked, if not installed, it's not much of a trojan, I think.

The bait-and-switch analogy is better, since "cancel" is precisely what you do there also, that too before (the potential for) any real damage.

Oh and of course there is advertising -- whatever got you to want to click the download link in the first place is it.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 29, 2013 17:24 UTC (Thu) by giraffedata (guest, #1954) [Link] (1 responses)

I can see the difference now between the ways we're looking at this: you're saying the damage doesn't happen until the user runs the crapware installer, whereas my impression is that people believe the damage is done - the offense taken - as soon as the download starts. (The user was tricked into downloading something he didn't want to download).

If you don't count the actual download — and you expect users to notice the file name — I agree there's no trojan horse and there is in fact a bait and switch: you go to the store to get the advertised plain FileZilla installer and when you get there, the salesman says, "we don't have any plain FileZilla installer, but we have this Filezilla + crapware installer" and you say, "well, I wouldn't have come if I'd known that, but since I'm already here, just give me the crapware."

With pure bait and switch, the salesman would actually have to convince you to choose the crapware over the plain install, with both available, but the modified out-of-stock-of-advertised-item version does have an analogy here.

SourceForge offering "side-loading" installers - bait and switch

Posted Aug 29, 2013 17:26 UTC (Thu) by giraffedata (guest, #1954) [Link]

By the way, related to understanding bait and switch, I recently learned, from a PBS Frontline documentary, of a bait and switch scheme which is a foundation of the Walmart business model: they call it "introductory pricing." The lowest end product in every product line is normally priced lower than any competitor and heavily advertised. That's the introductory price, because it introduces you (baits you) to the department. But while customers are free to buy the bait, they usually get something further up the line. And what they pay is often not the lowest price in town.

Not to be confused with a loss leader, where customers are actually expected to buy the bait, at below the store's cost.


Copyright © 2013, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds