On 5/27/2015 7:19 PM, Ken Simpson wrote:
Just try to imagine now what other projects might be compromised and
what that could mean for Internet security...
I'm still reeling from this but here is more info
https://sourceforge.net/mirror/...
SourceForge Open Source Mirror Directory
The Open Source Mirror Directory is an extension to our existing
software directory <https://sourceforge.net/directory/>, where we'll be
mirroring projects that are not hosted on SourceForge, and SourceForge
projects that have been abandoned.
Why are we doing this?
We want the SourceForge software directory to be as useful as possible.
When you come here to search for a piece of software, we want you to be
able to find it, and find the most up to date releases. And if that
software isn't hosted on SourceForge, we still want you to be able to
find it. Or if a SourceForge project has been abandoned, we want it
moved to the mirror and maintained, so you can always find the newest
releases. Millions of people use SourceForge every day to search for
Open Source software, and we want to give them the best experience
possible, even if the best answer to their search is a project hosted
elsewhere, or an abandoned project newly maintained by the SourceForge team.
By mirroring these projects here, we come a step closer to that reality.
And, in the process, we do those projects a small favor in return,
providing another way to get to their website, and being part of their
software distribution mirroring network. We’re putting your software in
front of more than 42 million additional potential users a month.
SourceForge has always been about promoting Open Source, whether those
projects are developed and hosted at SourceForge or elsewhere.
Obviously, we prefer that projects are hosted and maintained on
SourceForge, but mostly we love Open Source, and want to be part of
promoting it in whatever ways we can.
What are we doing?
Projects are listed in the mirror neighborhood when they're not
developed or hosted at SourceForge. Also included in the mirror are
projects that were previously hosted on SourceForge but have been
abandoned for various reasons, and instead release future content on
another site. We want our users to be able to find the most up to date
projects and software, so a number of these abandoned projects will be
moved to the Mirror Directory and maintained by the SourceForge team.
Before adding a project to the mirror directory, we check the project
website or wiki for their open source license, making sure they are
compliant with the SourceForge Terms of Use
<http://slashdotmedia.com/terms-of-use/>. We then document which open
source license they use when we create the mirror project.
The project pages will include a description of the product, a list of
features, screenshots, links to their official website, and a mirror of
their software releases. The projects will also be categorized by
software topic, license, and the supported operating systems, allowing
you to search and find what you are looking for with ease.
We'll be monitoring all of these projects so that we always have the
latest updates and releases available.
You'll be able to identify that a project is a mirror, rather than a
SourceForge project, by the presence of the SourceForge Open Source
Mirror Directory logo that appears in the top right corner of the page.
We want to hear from you.
If you have an Open Source project outside of SourceForge, we'd like to
hear from you. If you want your project mirrored on our site, or if you
don't want your project mirrored on our site, please let us know. Or if
there's any other service that we can extend to your project community,
we'd like to hear that, too. Contact us at [email protected] and we'll be
sure the message gets to the right people.
On Wed, May 27, 2015 at 4:16 PM, Kevin A. McGrail <[email protected]> wrote:
Wow. Really living up to the forging of Source code...
I've reached out to see if I can get control of the SA code and
escalated this to the ASF Board of Directors. This is unbelievable.
Regards,
KAM
On 5/27/2015 6:59 PM, Joe Quinn wrote:
http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/
Sourceforge has been updating abandoned accounts of major
projects and adding their own advertising. The list of projects
affected includes (copied from the article):
* Most of the Apache Foundation's projects—including Allura,
Derby, Directory Studio, the Apache HTTP server, Hadoop,
OpenOffice, Solr, and Subversion;
* The Mozilla Project's Firefox, Thunderbird, and FireFTP;
* The Evolution and Open-Xchange mail clients;
* The Drupal and WordPress content management systems;
* The Eclipse, Aptana, Komodo, MonoDevelop, and NetBeans
integrated development environments;
* The VLC, Audacious, Banshee.fm, Helix, and Tomahawk media
players;
* The Reaver WPS Wi-Fi hacking tool;
* and a host of games, utilities, and other applications.
SA has a repo on Sourceforge here:
http://sourceforge.net/projects/spamassassin/
The latest version is 2.20, last update 2013-04-25. Thus far it
appears to have not been taken over and still serves a plain zip
from the download link.
I recognize some of the listed authors, but I don't think any of
them have been active recently. Does anyone have access to this
account so we can maintain it or shut it down?
--
*Ken Simpson*
CEO, MailChannels
Tel: +1 604 685 7488
www.mailchannels.com <http://www.mailchannels.com/>
Twitter <https://twitter.com/mailchannels> | LinkedIn
<http://www.linkedin.com/company/mailchannels>
--
*Kevin A. McGrail*
President
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[email protected]