Anatomy of SourceForge/GIMP controversy

SourceForge, once the most popular and respected hosting for free/libre projects, is taking another self-inflicted reputation hit. The recent controversy involving GIMP is all about ethics, while on SourceForge's side it appears to be about money.

If you follow the tech industry at all, you couldn't have missed a slew of reports yesterday that SourceForge took control of the abandoned gimp-win account, from which GIMP installers for Windows used to be distributed, and started providing their own offer-enabled installers instead. Ars Technica covered that nicely, but there is oh so much more to the story.

Offer screen

Screenshot of the installer, courtesy of Ars Technica

Obligatory disclaimer: being affiliated with the GIMP team, I'm naturally under suspicion of being biased, so if you find any of the claims below subpar to expected journalism standards, by all means, do use the comments section to point out mistakes.

How this became even possible

A fair question one might ask is how builds of GIMP for Windows ended up on SourceForge in the first place.

Historically the GIMP team has been somewhat relaxed in how 3rd party efforts were organized. E.g. the official user manual is still a semi-separate project, with its own Git repository, its own team, and its own release schedule. Similarly, both Windows and OS X builds used to be 3rd party contributions, both hosted at SourceForge, one built by Jernej Simončič, the other — by Simone Karin Lehmann.

Jernej recalls:

I started building the installers for GIMP in 2002, and I initially hosted them on the space provided by my then-ISP, Arnes. I moved away from them a few years later, and while I could probably have arranged with them to keep hosting the installers, I already had a SourceForge account, so using that seemed simpler. For a long time SF was the place for hosting binaries for open-source projects — nobody else had comparable infrastructure, when they offered file hosting at all.

This started changing in recent years. The team began working with contributors more closely, e.g. pulling Mac-specific fixes from builds by Simone. The other related change, which is at the heart of this topic, was moving Windows installers from SourceForge over to gimp.org.

Why GIMP-Win left SourceForge in 2013

First of all, problems with SourceForge are older than some people might expect. At some point in the mid-2000s, SourceForge stopped evolving as fast as it used to and focused on advertising-based revenue. This allowed them to go from $6mln in revenue in 2006 to $23mln in 2009. But it also alienated free software developers due to poorer service quality. Various projects started moving away.

Among the reasons — context ads on SourceForge download pages, fine-tuned by scammers to pose as download buttons and trick users into downloading the wrong installer, typically containing adware. GIMP users who went to SourceForge for downloads ended up with something entirely different.

Exhibit A:

My girlfriend downloaded the GIMP windows build referenced off the GIMP.org website and it seems to have a Malware/Adware package called "Sweetpacks" bundled with it. I realize that the Windows version of GIMP is linked with a "hey, this isn't us" kind of disclaimer but the fact that GIMP.org links to it gives the sense that its contents are trustworthy or, at least, not hostile. If there is really no validation of that distribution and it contains these kinds of softwares then it may not be such a good idea to have GIMP.org linking to it.

Exhibit B:

When I downloaded this recommended free banner software from the help section, I also got a virus downloaded along with it called CLARO search engine. It will infect all your browsers and you will not be able to search on anything except this stupid Claro search. I had to uninstall all my browsers and switch back to IE instead of Chrome, because reinstalling Chrome still came with this insidious malware. DO NOT download GIMP.

Exhibit C:

I want to recommend GIMP to Windows using friends, but it is not supported officially for Windows. Even worse, the download link for the Windows build goes to an ad-driven filesharing site with ads masquerading as download buttons. A friend of mine clicked on one of these and her antivirus software went nuts! This is a serious problem! Is there anything we can do to help? Does anyone know the dev for the Windows build? I will not be able to recommend GIMP to Windows using friends until that problem is solved! :gaah

The stream of complaints kept on growing, and eventually it became impossible to figure out if users were talking about false positives (Kaspersky antivirus software used to be particularly bad at handling GIMP installers) or fake installers full of actual malware.

Where's the money?

Over time the ads-based monetization strategy at SourceForge became increasingly aggressive. Seeing up to four 320x240 AdSense banners on a downloads page became the new norm for users. Despite introducing a reporting feature, SourceForge couldn't prevent all malicious banners from displaying on their web pages.

Ads on SourceForge

Google AdSense's Ad placement policy: "Currently, on each page AdSense publishers may place [...] up to three AdSense for content units". There are four units here.

Nevertheless they continued with this strategy, and in 2013, SourceForge introduced a program of sharing revenue from ads with actual developers, to which the GIMP team initially agreed. Michael Schumacher, GIMP's treasurer, explains:

The summary of their proposal is like this: "Hey, you are an active and popular project, if you link to your SourceForge downloads from your site, you will get money depending on the number of downloads".

At some point the issue of those ads deceiving users just got unbearable, and we cancelled that, when we abandoned SF in 2013. Since GNOME handles our financial account, Karen Sandler, GNOME's executive director at the time, was involved with this too. I told Karen that we'd return any of the money, if this was deemed appropriate. She didn't tell me to do so.

On November 5, 2013, the GIMP team issued an official announcement that they stopped hosting official downloads of Windows installers at SourceForge:

In the past few months, we have received some complaints about the site where the GIMP installers for the Microsoft Windows platforms are hosted.

SourceForge, once a useful and trustworthy place to develop and host FLOSS applications, has faced a problem with the ads they allow on their sites - the green "Download here" buttons that appear on many, many ads leading to all kinds of unwanted utilities have been spotted there as well.

But that was only the first reason. Here's the other one.

The tipping point was the introduction of their own SourceForge Installer software, which bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge.

The team insists that this was intended as criticism of this approach, and that they explicitly stated that in their communication with SourceForge. This news was also duly noted in The Register's coverage of the events, as well as at Slashdot which, like SourceForge, is also owned by Dice Holdings. In other words, the team's lack of interest in providing offer-enabled installers was communicated both directly and publicly.

In their rebuttal, posted on November 14, 2013, SourceForge representatives stated this about the offer-populated installers:

This is a 100% opt-in program for the developer, and we want to reassure you that we will NEVER bundle offers with any project without the developers consent.

However, various members of the GIMP team state that they explicitly opted out. In a recent Reddit thread Jernej Simončič, under the handle of 'ender', claims:

They offered us to bundle "offers", which we specifically declined shortly before moving the installer to GIMP's own servers.

Nevertheless, some time between November 2013 and now, SourceForge ignored that the GIMP team opted out of the offers program, took over the gimp-win account, and started distributing an offer-enabled installer of GIMP, which at least one team member explicitly forbade them to do, and then they allegedly took all the revenue.

Exhibit D, from November 2014:

I went to SourceForge and tried to download GIMP twice and chrome would not allow the download because of MALWARE.

On May 16, 2015, Jernej Simončič sent the following request to SourceForge:

Please remove the gimp-win project from SourceForge. I do not want any kind of "offers" forced on the users of my installer, and if I knew this was going to happen, I would have shut down the project myself.

As of May 28, 2015, he reports he hasn't heard back from them yet.

The best part comes now. First of all, the offensive installer has already been silently pulled off SourceForge, without any apologies. Secondly, in another official rebuttal posted on May 27, 2015, SourceForge says that they didn't hijack the 'gimp-win' account, instead they "stepped-in to keep this project current" and "established a mirror of releases that are hosted elsewhere". The mirrors were supposed to only store verbatim copies of all installers provided by the upstream projects.

They also made this very claim:

Since our change to mirror GIMP-Win, we have received no requests by the original author to resume use of this project. We welcome further discussion about how SourceForge can best serve the GIMP-Win author.

What it effectively means is:

  1. SourceForge had 11 days to reply to Mr. Simončič's request prior to their blog post on the controversy, and they allegedly haven't done so yet.
  2. SourceForge claims to welcome further discussion, but doesn't participate in the ongoing discussion, and comments on their blog appear not to get approved.
  3. The only way to get SourceForge to talk at all is raising public awareness on Reddit and HackerNews, followed by coverage in popular media like Ars Technica.
  4. Even then, SourceForge would talk to the media (see updates to Ars coverage), but would not talk to actual team members.

LGW ended up emailing these three questions to SourceForge:

  1. Could you please quote the part of the program's conditions that allows bundling offers for software projects that opted out?
  2. How, in particular, was the decision made to bundle offers for gimp-win project without developers' consent?
  3. Is it correct that in case of projects that opted out, any revenue from bundled offers goes to SourceForge/Dice only?

So far SourceForge's team have been unable to come up with any reply at all.

Update (May 30). Three days into the public leg of the drama, Jernej Simončič finally gets contacted by SourceForge who claim his request was never received. 

Update (May 31). GIMP posts an official response to SourceForge's action. Meanwhile the news has already made it to ExtremeTech, ITWorld, PetaPixel, Golem.de, and other popular media.

Update (June 1). Slashdot, also owned by Dice Holdings, publishes a story on the controversy.

Update (June 2). SourceForge posts another blog entry where they announce that they "have stopped presenting third party offers for unmaintained SourceForge projects"; however, they still refrain from explaining why they decided to ship the offer-enabled installer without GIMP developers' consent. Ars Technica posts new coverage of the events.


28 Comments

  1. The solution to the problem is simple: Boycott

  2. I can’t even imagine whole of the problem

  3. Boycott? That is not a good option.
    Since SF hosts so many opensource projects, they could still earn profit from those hosted project.

  4. I don’t want to stop using Gimp, but perhaps there is no real alternative!

  5. Don’t stop using GIMP. Just don’t download it from SourceForge. Get it from the project’s own website, gimp.org.

  6. Yes, for the person who speaks about stop using GIMP: GIMP is not the problem, Sourceforge is. And this platform does the same thing with many other Free Software.

    The GIMP team are the ones trying to make Sourceforge stop their bad behavior. So don’t stop using GIMP, simply download it from upstream, not from some crappy third party website, *always*!

  7. This article finally convinced me. I’m moving everything away from sourceforge. It’s sad to see something good turn sour.

  8. Get the torrent file from gimp.org then download something large and constantly from scourgeforge. The more people that swamp their servers with unnecessary downloads, the quicker they may catch on.

  9. @ssj71, where will you move Rakarrack LV2 and Infamouse Plugins to?

  10. Yet another reason why people shouldn’t trust services such as Github, Gitlab and others… Just host projects on your own house!

  11. You suggest the SF download page displays four advertising units, however only three of them are AdSense units (notice the AdChoices icons in the top right). This is in compliance with the cited AdSense policy, “Currently, on each page AdSense publishers may place [...] up to three AdSense for content units”.

  12. I moved all my projects from SF to GitHub.

  13. I’m moving everything away from sourceforge.

  14. @Anony

    “Yet another reason why people shouldn’t trust services such as Github, Gitlab and others…”

    No. You’re ABSOLUTELY wrong. GitHub is its own company. SourceForge was part of GeekNet, which was purchased by Dice Holdings.

    You see what I’m saying?
    GitHub => GitHub => GitHub
    SourceForge => GeekNet => Dice Holdings

    Most projects on github don’t even feature a “download” button at all. A lot of it requires, you know, git! Github was not made for consumers. It was made for developers.

    I can’t speak for Gitlab - I haven’t looked at it.

    Don’t you *ever* smear other companies for the actions of a company controlled by a third party. You show a major lack of experience when you do so.

  15. @ Mavaddat Javid I clearly see 4 google ads in the screenshot of the page, notice 1 banner above the download/hosted by frame, 3 below it.

    unless I’m missing something that’s 1 more than there should be.

  16. GIMP 2.8 looks like a relict. Development is very slow. I am forced to use other tools.

  17. @JMcAfreak
    It doesn’t matter whether it’s an individual company or one controlled by a third party or even whom the services are built for and whatsoever, that’s not what I’m talking about at all.

    Github is a SaaS and not even an OpenSaaS, since it doesn’t make its source code available.
    And what that means is that it can do vendor lock-ins and pretty much anything else it wants, and there will be nothing you can do about it, that reason is enough for people not to trust such services and Github is no exception.
    Even the idea of hosting FOSS in a completely closed ecosystem is stupid enough….

  18. Another sad example of advertisers getting greedy and ruining a business.

    Remember this when you hear people whining about adblock.

  19. Really informative post, thanks for posting.

  20. SF is a joke to be honest. Github is much better in so many ways.

  21. Here lies the old rule: “If you do not see the product, then you are the product”.

  22. Add “127.0.0.1 sourceforge.net” to your hosts file and never think about it again.
    Sourceforge is the new CNET. I was downloading FileZilla and the installer was trying to install crapware on my PC.

  23. The times in which the Gimp was king long gone. Thanks for a good piece of content.

  24. Don’t Download Software From SourceForge. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.

  25. yes GIMP is so famous back in the old days, but now they should think to encourage their ability

  26. I use Gimp for several years and it’s a very good application. I love it.

  27. No doubt gimp is the greatest application ever made and there is not alternative yet for gimp.
    I love it.


    Lena!
