May 17th, 2016

SourceForge Tightens Security With Malware Scans

After taking down the controversial DevShare program in early February, the new owners of SourceForge, the popular software repository, have begun scanning every project the site hosts for malware in an attempt to regain the trust lost under Dice Holdings, the site’s previous owner.

It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site’s previous owners. FOSS Force has learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don’t make the grade will be noticeably flagged with a red warning badge located beside the project’s download button.

According to a notice posted on the SourceForge website this afternoon, the scans look for “adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package.” Account holders with projects flagged as containing malware will be notified by SourceForge.

“We’ve partnered with Bitdefender to scan the open source software projects on SourceForge so that users feel more secure in downloading clean, safe software from SourceForge that will not put their machines in jeopardy, nor bundle any adware, malware, or unwanted applications,” the announcement says. “We will also be running additional scans with ESET.”

Bitdefender and ESET are both tech security companies that offer anti-virus products.

This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28. At the time, SourceForge’s reputation was suffering, primarily as a result of DevShare, a program that bundled third-party proprietary software offers with Windows downloads. Because of the program, many large open source projects, including GIMP, quit using the site’s hosting services.

The DevShare program was ended in early February, just weeks after the new owners took control. At the time, Logan Abbott, one of the new owners, wrote, “We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that.”

In today’s announcement, SourceForge said that a thousand or so of the site’s most popular projects have so far been scanned, with scans continuing until they eventually include “every last project, even dating back years.” As the site hosts somewhere around 500,000 projects, this first round of scanning is expected to take several weeks.

Of the projects that have been scanned so far, SourceForge says very few problems have been uncovered. “The vast majority of them contained no issues, but projects that were flagged for malware were notified, and most of them have rectified the issues already by removing the flagged files. For the few projects that have not addressed the issues, the malware warning badge will display in red next to the download button.”

Once a project has been flagged, users can click the “Files” tab to determine which files are affected. “We’ve also disabled automatic downloads on projects that have been flagged, so a user would manually have to proceed with downloading a file that may contain malware.”

“Project admins will get an additional dashboard that will provide more in-depth details on why a file was flagged and how to address it,” the notice explains. “Project admins will also be able to submit a support request related to any issue detected by the scanners, and they’ll also be able to request a file be whitelisted once we’ve reviewed it.”

The company also says that beginning immediately, all new projects will be scanned during the uploading process. Projects being uploaded to new user accounts will not be accepted if flagged. For projects that are flagged while being uploaded by registered users who have had accounts for an undisclosed amount of time, SourceForge will accept the upload, but will mark it with the warning badge until the problem is rectified.