[TMRA] Ohio Section ARRL Source Forge article.

Steve Bellner w8ter at bex.net
Wed Feb 17 05:46:06 EST 2016


THE TECHNICAL COORDINATOR

Jeff Kopcak - TC

k8jtk at arrl.net

Hey Gang,

I was contacted this month by someone concerned that Fldigi would
install a “trojan” on their computer and wanted to know where to
get a clean download of the program. Before panic sets in, there is no
reason to smash your hard drives. Why did I receive this question?
I’ll explain the tech behind the issue.

Fldigi, Flmsg, Flrig, and all other applications are now hosted at a
place called SourceForge (also abbreviated “SF”). SourceForge is a
web service launched in 1999 that offers tools for developers to manage
their projects for free. They host source code (for those who want to
read, audit, modify, or learn from raw code), web pages for the project,
mirrors (hosting in multiple locations in case any one server is down),
bug tracking, and many other features. It was the place for hosting free
and open-source software. A ton of very well-known projects were (some
still are) hosted on SourceForge: Apache Server, GIMP, OpenOffice,
Firefox, Thunderbird, Audacity, Filezilla, Drupal, WordPress, JT65-HF…
the list goes on.

Some users were discouraged by the number of advertisements on the
site. Though it is an ad-supported free service, there weren’t any
viable alternatives.

In July 2013, SourceForge created an optional service available to
developers called “DevShare.” Any developer who participated in the
service would knowingly push additional unwanted programs to anyone
downloading their project. This is commonly referred to as
‘crapware,’ a term encompassing adware, download managers, antivirus
programs, browser toolbars, homepage modifications, search engine
replacements, and the like.

In May 2015, it was reported that SourceForge seized control of what
they considered ‘deprecated or abandoned’ Windows projects. In
taking control, they locked out the developer and “updated” project
downloads to push similar ad-supported content.

This is a problem because the open-source community is just that, a
community. It is made up of enthusiasts who like developing
programs. Much like ham radio, they donate their time and do it for
free. When a company takes the good name of a well-known project and
tarnishes it by installing adware on users’ computers, this doesn’t
go over well with the community. These business practices effectively
destroyed what was left of SourceForge’s reputation.

The DevShare project started a movement within the community to find
replacements for SourceForge, primarily GitHub. SF has since stated they
are not taking control of unmaintained projects. It was too little,
too late. Many developers deleted their projects from SF and moved
their content elsewhere. It is up to each developer to make a decision
about their project. I’ve provided links at the end of the article
that go more in-depth for those into tech stories. SourceForge is not
the only site that bundles crapware in downloads. Download sites like
CNet’s Download (dot) com and many other free file hosting services
also push ads and unwanted programs.

Back to Fldigi. The developer of Fldigi maintained the installer and
source files on his own server. Sometime near the end of last year,
his site was hacked. The decision was made to move the files from his
server over to SourceForge, likely in an attempt to be more secure.
This created a problem for many who are aware of the issues with
SourceForge. Unfortunately, it is the only place where the Fldigi Suite
updates and downloads reside. I have installed many Fldigi updates since
the move to SourceForge and have not seen anything to suggest any
unwanted programs are included. The issue is something to be aware of.

Good security practice dictates not downloading anything you yourself
didn’t go looking for. If you do download Fldigi and it prompts
you to install an antivirus program, this is a huge red flag. Another
example: never click anything that says ‘your plugins, Java, Flash,
antivirus, or system… is out of date’ because you weren’t looking
for those updates.

In other news, I would like to welcome Technical Specialist Eldon -
W5UHQ. If that sounds familiar, it’s because he is the Net Manager
for the OHDEN HF digital net. The Ohio Digital Emergency Net meets
Tuesday evenings at 8pm on 3585 using OLIVIA 8/500 at 1 kHz. The
purpose is to provide statewide communications to EMA and EOCs in
Ohio using sound card digital modes. If that wasn’t enough, he brings
an extensive background in communications and electronics to the group.

OHDEN net: http://ohden.org/

I will be at the Mansfield Hamfest on February 21. I’ve been invited
to present during the Digital Forum at noon. This is assuming the
weather is better than it has been the last few days, hi hi. The
Digital Forum will contain a presentation on digital voice by Duane -
K8MDA, and I will present passing messages using Fldigi. Hope to meet
you at Mansfield! More: http://hamfest.w8we.org/

Articles on SourceForge:

http://www.infoworld.com/article/2929732/open-source-software/sourceforge-commits-reputational-suicide.html

http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Thanks for reading and 73... de Jeff - K8JTK
