Anatomy of SourceForge/GIMP controversy
SourceForge, once the most popular and respected hosting for free/libre projects, is taking another self-inflicted reputation hit. The recent controversy involving GIMP is all about ethics, while on the SourceForge's side it appears to be about money.
If you follow tech industry at all, you couldn't have missed a slew of reports yesterday that SourceForge took control over abandoned gimp-win account where GIMP installers for Windows used to be distributed from, and started providing their own offer-enabled installers instead. Ars Technica did a nice coverage of that, but there is oh so much more to the story.
Screenshot of the installer, courtesy by Ars Technica
Obligatory disclaimer: being affiliated with the GIMP team, I'm naturally under suspicion of being biased, so if you find any of the claims below subpar to expected journalism standards, by all means, do use the comments section to point out mistakes.
How this became even possible
A fair question one might ask is how builds of GIMP for Windows ended up on SourceForge in the first place.
Historically the GIMP team has been somewhat relaxed in how 3rd party efforts were organized. E.g. the official user manual is still a semi-separate project, with its own Git repository, its own team, and its own release schedule. Similarly, both Windows and OS X builds used to be 3rd party contributions, both hosted at SourceForge, one built by Jernej Simončič, the other — by Simone Karin Lehmann.
I started building the installers for GIMP in 2002, and I initially hosted them on the space provided by my then-ISP, Arnes. I moved away from them a few years later, and while I could probably have arranged with them to keep hosting the installers, I already had a SourceForge account, so using that seemed simpler. For a long time SF was the place for hosting binaries for open-source projects — nobody else had comparable infrastructure, when they offered file hosting at all.
This started changing in the recent years. The team began working with contributors more closely, e.g. pulling Mac-specific fixes from builds by Simone. The other related change, which is at the heart of this topic, was moving Windows installers from SourceForge over to gimp.org.
Why GIMP-Win left SourceForge in 2013
First of all, problems with SourceForge are older than some people might expect. At some point in mid-2000s, SourceForge stopped evolving as fast as it used to and focused on advertising-based revenue. This allowed them to go from $6mln in 2006 to $23mln revenue in 2009. But it also alienated free software developers due to poorer service quality. Various projects started moving away.
Among the reasons — context ads on SourceForge download pages, fine-tuned by scammers to pose as download buttons and trick users into downloading the wrong installer, typically containing adware. GIMP users who went to SourceForge for downloads ended up with something entirely different.
My girlfriend downloaded the GIMP windows build referenced off the GIMP.org website and it seems to have a Malware/Adware package called "Sweetpacks" bundled with it. I realize that the Windows version of GIMP is linked with a "hey, this isn't us" kind of disclaimer but the fact that GIMP.org links to it gives the sense that its contents are trustworthy or, at least, not hostile. If there is really no validation of that distribution and it contains these kinds of softwares then it may not be such a good idea to have GIMP.org linking to it.
When I downloaded this recommended free banner software from the help section, I also got a virus downloaded along with it called CLARO search engine. It will infect all your browsers and you will not be able to search on anything except this stupid Claro search. I had to uninstall all my browsers and switch back to IE instead of Chrome, because reinstalling Chrome still came with this insidious malware. DO NOT download GIMP.
I want to recommend GIMP to Windows using friends, but it is not supported officially for Windows. Even worse, the download link for the Windows build goes to an ad-driven filesharing site with ads masquerading as download buttons. A friend on mine clicked on one of these and her antivirus software went nuts! This is a serious problem! Is there anything we can do to help? Does anyone know the dev for the Windows build? I will not be able to recommend GIMP to Windows using friends until that problem is solved! :gaah
The stream of complaints kept on growing, and eventually it became impossible to figure out if users were talking about false positives (Kaspersky antivirus software used to be particularly bad at handling GIMP installers) or fake installers full of actual malware.
Where's the money?
Over time the ads-based monetization strategy at SourceForge became increasingly aggressive. Seeing up to four 320x240 AdSense banners on a downloads page became the new norm for users. Despite introducing a reporting feature, SourceForge couldn't prevent all malicious banners from displaying on their web pages.
Google AdSensense's Ad placement policy: "Currently, on each page AdSense publishers may place [...] up to three AdSense for content units". There are four units here.
Nevertheless they continued with this strategy, and in 2013, SourceForge introduced a program of sharing revenue from ads with actual developers, to which the GIMP team initially agreed. Michael Schumacher, GIMP's treasurer, explains:
The summary of their proposal is like this: "Hey, you are an active and popular project, if you link to your SourceForge downloads from your site, you will get money depending on the number of downloads".
At some point the issue of those ads deceiving users just got unbearable, and we cancelled that, when we abandonded SF in 2013. Since GNOME handles our financial account, Karen Sandler, GNOME's executive director at the time, was involved with this too. I told Karen that we'd return any of the money, if this was deemed appropriate. She didn't tell me to do so.
On November 5, 2013, GIMP team issued an official announcement that they stopped hosting official downloads of Windows installers at SourceForge:
In the past few months, we have received some complaints about the site where the GIMP installers for the Microsoft Windows platforms are hosted.
SourceForge, once a useful and trustworthy place to develop and host FLOSS applications, has faced a problem with the ads they allow on their sites - the green "Download here" buttons that appear on many, many adds leading to all kinds of unwanted utilities have been spotted there as well.
But that was only the first reason. Here's the other one.
The tipping point was the introduction of their own SourceForge Installer software, which bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge.
The team insists that this was intended as criticism on this approach, and that they explicitly stated that in their communication with SourceForge. This news was also duly noted in The Register's coverage of the events, as well as at Slashdot which, like SourceForge, is also owned by Dice Holdings. In other words, the lack of team's interest in providing offer-enabled installers was communicated both directly and publicly.
In their rebuttal, posted on November 14, 2013, SourceForge representatives stated this about the offer-populated installers:
This is a 100% opt-in program for the developer, and we want to reassure you that we will NEVER bundle offers with any project without the developers consent.
However various members of the GIMP team state that they explicitly opted out. In recent a Reddit thread Jernej Simončič, under the handle of 'ender', claims:
They offered us to bundle "offers", which we specifically declined shortly before moving the installer to GIMP's own servers.
Nevertheless, some time between November 2013 and now, SourceForge ignored that the GIMP team opted out of the offers program, took over the gimp-win account, and started distributing offer-enabled installer of GIMP, which at least one team member explicitly forbid them to do, and then they allegedly took all the revenue.
I went to SourceForge and tried to download GIMP twice and chrome would not allow the download because of MALWARE.
On May 16, 2015, Jernej Simončič sent the following request to SourceForge:
Please remove the gimp-win project from SourceForge. I do not want any kind of "offers" forced on the users of my installer, and if I knew this was going to happen, I would have shut down the project myself.
As of May 28, 2015, he reports he hasn't heard back from them yet.
The best part comes now. First of all, the offensive installer has already been silently pulled off SourceForge, without any apologies. Secondly, in another official rebuttal posted on May 27, 2015, SourceForge says that they didn't hijack the 'gimp-win' account, instead they "stepped-in to keep this project current" and "established a mirror of releases that are hosted elsewhere". The mirrors were supposed to only store verbatim copies of all installers provided by the upstream projects.
They also made this very claim:
Since our change to mirror GIMP-Win, we have received no requests by the original author to resume use of this project. We welcome further discussion about how SourceForge can best serve the GIMP-Win author.
What it effectively means is:
- SourceForge had 11 days to reply Mr. Simončič's request prior to their post in their blog on the controversy, and they allegedly haven't done it so far.
- SourceForge claims to welcome further discussion, but doesn't not participate in ongoing discussion, and comments on their blog appear to not get approved.
- The only way to get SourceForge to talk at all is raising public awareness at Reddit, HackerNews, followed by coverage in popular media like Ars Technica.
- Even then, SourceForge would talk to the media (see updates to Ars coverage), but would not talk to actual team members.
LGW ended up emailing these three questions to SourceForge:
- Could you please quote the part of the program's conditions that allows bundling offers for software projects that opted out?
- How, in particular, was the decision made to bundle offers for gimp-win project without developers' consent?
- Is it correct that in case of projects that opted out, any revenue from bundled offers goes to SourceForge/Dice only?
So far SourceForge's team have been unable to come up with any reply at all.
Update (May 30). Three days into the public leg of the drama, Jernej Simončič finally gets contacted by SourceForge who claim his request was never received.
Update (June 1). Slashdot, also owned by Dice Holdings, publishes a story on the controversy.
Update (June 2). SourceForge posts another blog entry where they announce that they "have stopped presenting third party offers for unmaintained SourceForge projects", however they still refrain from explaining why they decided to ship the offer-enabled installer without GIMP developers' concent. Ars Technica posts a new coverage of the events.