SourceForge malware, thoughts?

Given the recent news about SourceForge wrapping projects (GIMP, others) with malware, my company is concerned about projects we use, like UrBackup.

I see the client auto-update has a signature check, but can users be certain the server or client isn’t wrapped with any of the SF malware/junk?

I’ve been following that and they would only add malware if I tell them to do so or if I stop using SourceForge to distribute the software ;). The only malicious thing currently concerning UrBackup are the download-button ads on the download page, but I think most people are able to avoid those (but it’s definitely not nice).

So I see no reason to hurry to another hosting provider. I’ll have a look if I can upload 400MB to GitHub releases and another look at how much self-hosting would cost. I moved the auto-updates from my private webspace to SourceForge at some point because there were gigabytes of traffic and I don’t know how much falls under “unlimited traffic”.

The auto-update does indeed verify a signature which only I can create.

Today they brought the website down for 6h. Priority increased.