Starting today, SourceForge will display a warning badge next to the download button on any project that has been flagged as containing malware by our malware scans. Our definition of malware includes adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package of any project on SourceForge.
We’ve partnered with Bitdefender to scan the open source software projects on SourceForge so that users feel more secure in downloading clean, safe software from SourceForge that will not put their machines in jeopardy, nor bundle any adware, malware, or unwanted applications. We will also be running additional scans with ESET.
The top 1000 most popular SourceForge projects, representing 84% of all SourceForge traffic, have already been scanned. The vast majority of them contained no issues. Projects that were flagged for malware were notified, and most of them have already rectified the issues by removing the flagged files. For the few projects that have not addressed the issues, the malware warning badge (screenshot below) will display in red next to the download button. Scanning of every remaining project, including those dating back years, is now under way and will take several weeks; any project with suspicious files flagged by our virus scanners will display the warning.
Interested parties can click the “Files” tab to see exactly which files in the project were flagged. We’ve also disabled automatic downloads on projects that have been flagged, so a user must manually choose to proceed with downloading a file that may contain malware. Project admins will get an additional dashboard with more in-depth details on why a file was flagged and how to address it. They will also be able to submit a support request related to any issue detected by the scanners, and to request that a file be whitelisted once we’ve reviewed it.
Going forward, new projects uploaded to SourceForge from brand-new user accounts will not be accepted if they are flagged by either the Bitdefender or the ESET scan at upload time. Users whose accounts have been registered with SourceForge for a certain amount of time will still be able to upload projects, but if those projects are flagged they will display the warning.
As with all virus scanners, the method is not 100% perfect, but we are committed to doing everything in our power to ensure that the open source software hosted and distributed on SourceForge is clean, safe, trustworthy, and free of any adware, viruses, malware, or unwanted applications.