[Geoserver-devel] SourceForge malware

I just downloaded GeoServer 2.10-RC1 from SourceForge, and on the post-download page, I got redirected to a page that Chrome blocked as malicious.

Is there any plan to move downloads away from SourceForge? I kind of feel like that site might be tainted goods at this point.

Sorry I don't have a screenshot, as I tend to close a tab that looks like that immediately.

Thanks,
Mike

Mike Pumphrey
User Advocate | Boundless
917-338-0407
mike@anonymised.com
http://boundlessgeo.com
@boundlessgeo

Hi,

I download stuff from SourceForge every day but I do not remember any such redirection. Or perhaps Firefox does nor warn me. I do see advertisements on the site, and service is fast and reliable.

-Jukka Rahkonen-

Lähettäjä: Mike Pumphrey
Lähetetty: ‎25.‎10.‎2016 0:37
Vastaanottaja: geoserver-devel@lists.sourceforge.net
Aihe: [Geoserver-devel] SourceForge malware

I just downloaded GeoServer 2.10-RC1 from SourceForge, and on the
post-download page, I got redirected to a page that Chrome blocked as
malicious.

Is there any plan to move downloads away from SourceForge? I kind of
feel like that site might be tainted goods at this point.

Sorry I don’t have a screenshot, as I tend to close a tab that looks
like that immediately.

Thanks,
Mike

Mike Pumphrey
User Advocate | Boundless
917-338-0407
mike@…3839…
http://boundlessgeo.com
@boundlessgeo

The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

SourceForge has admitted wrapping unmaintained downloads with adware, but now claim only to do so where project owners opt in:
http://www.theregister.co.uk/2015/06/03/sourceforge_to_offer_only_optin_adware_after_gimp_grump/
https://en.wikipedia.org/wiki/SourceForge#Project_hijackings_and_bundled_malware

Some adware may be close to malware or may enable injection of malicious content. This may have caused some SourceForge content to be backlisted as malicious.

We could as part of the release process create and publish SHA-512 checksums on ares (or some other server controlled by a trusted community participant). This would allow end-users to verify the integrity of release artifacts downloaded from SourceForge.

Kind regards,
Ben.

On 25/10/16 10:36, Mike Pumphrey wrote:

I just downloaded GeoServer 2.10-RC1 from SourceForge, and on the
post-download page, I got redirected to a page that Chrome blocked as
malicious.

Is there any plan to move downloads away from SourceForge? I kind of
feel like that site might be tainted goods at this point.

Sorry I don't have a screenshot, as I tend to close a tab that looks
like that immediately.

Thanks,
Mike

Mike Pumphrey
User Advocate | Boundless
917-338-0407
mike@anonymised.com
http://boundlessgeo.com
@boundlessgeo

------------------------------------------------------------------------------
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

We also have https://osgeo-org.atlassian.net/browse/GEOS-7058 with details on what it would take to migrate away from source forge, using github to host download artifacts.