Download.com has apologised for bundling open-source packages, including Nmap and VLC, with crudware toolbar installers.

But Sean Murphy, the vice-president and general manager of CNet's Download.com, defended the policy of bundling more generally and fell short of endorsing an opt-in policy for software extras.

A row kicked off on Monday after it emerged that users who have downloaded Nmap, a popular network auditing and penetration testing tool, from Download.com found the Babylon Toolbar included by default.

Gordon Lyon (aka Fyodor), the developer of Nmap, cried foul over the way the toolbar was foisted on users. The toolbar - which changes users' browsing experience, sets the browser's home page to MSN and makes Bing the default search engine - was also offered to consumers downloading the popular VLC media player software. Fyodor also alleged that Download.com's installer violates Nmap's copyright.

Within hours of Fyodor venting his anger online, Microsoft got in touch with him saying, as he puts it, that they "didn't know they were sponsoring Cnet to trojan open-source software, and that they have stopped doing it". At around the same time the Nmap installer available from Download.com switched to punting "special offers" from Cnet, and after various other changes it eventually offered a clean install, at least in the case of Nmap.

In a statement (extract below), Murphy said that bundling the toolbar with the open-source package was a mistake:

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again.

Cnet's Nmap installer was initially detected as a Trojan by BitDefender and F-Secure, and as a potentially unwanted program by Panda, McAfee and others, according to an initial report by VirusTotal on Monday. However, by Wednesday, of all the major suppliers of anti-virus software, only McAfee reported anything amiss.

Murphy said warnings that the installer might be malware were all false alarms. Download.com is removing the registration requirement for directly fetching files from developers' websites rather than via its download manager.

It's unclear whether the apology will be enough to draw a line under the controversy. Proprietary freeware and trial software available from Download.com will still be offered in conjunction with Download.com's installer packaging. Users can opt out, but many are likely to just follow the default option and accept what they are fed. All this falls far short of the opt-in policy that critics would like Download.com to adopt.

Fyodor has created a webpage with background on the controversy, links to the news articles, and the latest updates here.

Unwrapping the wrapper costs extra

The initial controversy sparked condemnation from security firm Sophos (here) and struck a chord with other developers, who also objected to CNet's wrapper bundling business practices, albeit for slightly different reasons.

"I pay $79 a year to list my application 'Chit Chat for Facebook' on the website, with which I fund development through a toolbar app," programmer Daniel Offer told El Reg.

"That said, I've noted that Cnet have 'wrapped' it in a downloader application without notice, which is shameful given that I pay to list my software on their website. Cnet is not the first download site to do this, but it's eating away at genuine developers' funds to pay for new development," he added.

Chit Chat for Facebook is not open source and developers like Offer have the option of getting rid of the wrapper, but only for a price.

"I spoke with Cnet and they told me that I could get rid of their wrapper by 'opting out by paying $99 a month for their premium service, or by paying for the pay per download'. Everyone is suffering with the recession, but they're helping to kill the little ISVs which produce so much great software," he concluded.

A contrasting view comes from Reg reader Charles, who argues Download.com was doing nothing untoward (at least in the case of Nmap) and that it's up to users to check what they are downloading.

"Adding default opt-ins to software is one of the most common practices among vendors, especially where 'freeware' is concerned," he writes. "How do you think the bills get paid? When end users download or install software it is their responsibility, and a very simple one at that, to watch what they are doing. New applications, whether from the internet, a CD or DVD, should always be inspected or scanned for malware prior to installation, regardless of the source."

"When I buy an automobile should I expect the dealer to drive it for me? Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality," he concludes. ®