SourceForge is dedicated to making open source projects successful. We thrive on community collaboration to help us create the leading resource for open source software development and distribution. We strive to be, above all, trusted, both by the developers working on software, and the people downloading that software. Without trust, Open Source fails.
Yesterday we started hearing some buzz about a new project called “Anonymous-OS” – people claiming that it was not affiliated in any way with the group referring to itself as “Anonymous” (See Wikipedia for further discussion of that group), and also that the software itself was full of a variety of trojans, malware, viruses, or backdoors.
We looked at the project, and decided that although the name of the project was misleading (we see no evidence that it is connected with Anonymous) it appeared, on initial glance, to be a security-related operating system, with, perhaps, an attack-oriented emphasis. We have, in the past, taken a consistent stance on “controversial” projects – that is, we don’t pass judgement based on what’s possible with a product, but rather consider it to be amoral – neither good nor bad – until someone chooses to take action with it.
This is even discussed in our hosting documentation, in the terms of service.
However, as the day progressed, various security experts have had a chance to take a look at what’s really in this distribution, and verify that it is indeed a security risk, and not merely a distribution of security-related utilities, as the project page implies.
SourceForge, and the Open Source community as a whole, values transparency, particularly where issues of security are involved. This project isn’t transparent with regard to what’s in it. It is critical that security-related software be completely open to peer review (i.e., by providing source code), so that risks may be assessed along with benefits. That is not available in this case, and the result is that people are taking a substantial risk in downloading and installing this distribution.
Furthermore, by taking an intentionally misleading name, this project has attempted to capitalize on the press surrounding a well-known movement in order to push downloads of a project that is less than a week old.
We have therefore decided to take this download offline and suspend this project until we have more information that might lead us to think differently. We’ll be in touch with the project admin, and let you know if and when we find out anything to the contrary, but for now, that’s what we’re doing.
We always struggle with taking a project offline, even one that seems, on the face of it, to need it. The reason for this is that we have been entrusted with thousands of projects, by thousands of developers, and we are always at risk of making a judgement about a project that looks malicious, and isn’t. We don’t want to forfeit the trust of the developer community in exchange for the trust of the user community, or vice versa. It’s a tightrope we must walk every time we encounter a project that seems a little suspicious.
We believe that this is the right decision in this case, but will continue to dig into it, to ensure that we’ve gone the right direction.