SourceForge was once a great place for open source software but that's not the case anymore.[1] SF has served malware-ridden installers since last year[2] and now they've even seized control of some SF accounts to offer more malware installers.[3]
Hosting KeePass on a service that might decide to offer malware instead of a clean installer is a really bad idea. I understand that migrating a project can be a lot of work but I feel this is something that should be done sooner rather than later.
[1] https://helb.github.io/goodbye-sourceforge/
[2] https://forum.filezilla-project.org/viewtopic.php?f=1&t=32945
[3] http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/
KeePass has never used the SourceForge installers and is never likely to - they have asked. Some developers have chosen the SF installer as a way to increase revenues, but it is a choice.
cheers, Paul
What SF has begun to do is put a wrapper around installers for various projects, so it isn't like they're just forcing this on to people who used the SF installers, but on everyone. They've also begun taking over accounts, claiming they were abandoned, despite some of them having releases within 2 weeks of SF taking control.
The issue isn't the ones that have or have not decided to use the installer; the issue is that SourceForge has lost all integrity, has taken old accounts over by force, and has been re-bundling the software with the malware-laden SF installer without the permission of the project owners, and won't talk to them about it nor give the project back.[1][2]
[1] https://plus.google.com/+gimp/posts/cxhB1PScFpe
[2] https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00144.html
Last edit: Kusuriya 2015-06-01
Thank you for bringing the issue to this project's attention.
There is no need for preemptive action because, as you already know, reasonable alternatives exist. The disruption to the project would be the same now as sometime in the future.
Last edit: wellread1 2015-06-01
I don't understand. What are you referring to here?
Please move this project away from SourceForge in order to maintain its integrity.
+1 please move. SourceForge is not friendly for users.
Sourceforge is only used for the downloads and forums. You may not like SF but consistency makes it easier for supporting KeePass.
cheers, Paul
But that's the problem in my opinion. I definitely do not want risk getting malware/adware/... in my KeePass installer. Who knows what shady thing SF.net will come up with next? This could very well damage KeePass' reputation as a reliable, secure and trustworthy piece of software.
Maybe one could at least move the downloads somewhere else (they are linked from keepass.info anyway, so that change wouldn't be confusing for users, I think). The question is: Where? SF.net does have the advantage of providing a large network of mirrors...
I know that GitHub also provides hosting for binary files (without having to commit them to a repository), so maybe that could be an alternative. One could also use GitHub to host the KeePass sources as a nice bonus, making contributing easier. :-)
I mean, one could probably move the entire project to GitHub. As far as I see, the only thing that's missing on GitHub is a forum -- they only have a bugtracker. Then again, maybe a forum could be hosted on keepass.info?
This is a tempest in a teapot.
According to SourceForge the policy affected projects that SourceForge perceived as abandoned. It certainly seems reasonable that there should be some sort of policy regarding abandoned projects. Granted, their first attempt at a policy was a little ham-handed, but SourceForge apparently is sensitive to the criticism and backed off promptly; see the update at the bottom of the SourceForge post.
But some of the projects that SF has begun taking over were not abandoned. When they took control over Mozilla's projects, they had a release just two weeks prior, and had other activity in the meanwhile.
They're saying one thing, but doing another.
It's also worth noting that the KeePass installer is signed by Dominik Reichl and any attempt to change it will break the signature.
cheers, Paul
While I agree that it probably is a good idea for SF.net to have some policy for abandoned projects, I wouldn't call adding adware to installers "a little ham-handed" -- I would even go so far as to call it "evil". Call me paranoid, but I don't fully trust them not to try something similar again in the future.
Well, at least the KeePass installers are signed, so that's something, yes. :-) I just saw that a 2048-bit RSA key is used to sign the Windows installers, so that's good.
By the way, I noticed that the key used to create the GPG signatures (for other downloads) is a 1024-bit DSA key, which I think is considered insecure nowadays. Changing to a 2048+ bit RSA key might be a good idea.
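The two checks a downloader actually needs from the discussion above are (a) that the detached GPG signature verifies and comes from the key the project publishes, not merely from "some" key (the point made later in the thread that anyone can buy a certificate and re-sign files), and (b) that the signing key itself is not a weak one such as a 1024-bit DSA key. The script below is an added example written for this thread; it is not code from the KeePass project. The pinned fingerprint is a placeholder to be replaced with the fingerprint the project publishes, and the key listing and status lines embedded in it are constructed samples in GnuPG's documented `--with-colons` and `--status-fd` formats, not real KeePass keys.

```python
"""Verify a detached GnuPG signature the cautious way: the signature must be
valid AND made by a pinned key, and the key must meet a minimum strength.

Added example for this thread (not KeePass project code). PINNED_FINGERPRINT
is a placeholder; the sample listing/status text below is constructed."""
import subprocess

# ASSUMPTION/PLACEHOLDER: replace with the fingerprint the project publishes.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1) as gpg prints them.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Minimum acceptable key sizes; a 1024-bit DSA key fails this check.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "ECDH": 256, "ECDSA": 256, "EdDSA": 255}


def weak_keys(colon_listing):
    """Parse `gpg --with-colons --list-keys` output and return
    (keyid, algorithm, bits) for every pub/sub key below MIN_BITS.
    Colon format: field 0 = record type, 2 = key length, 3 = algo id, 4 = keyid."""
    weak = []
    for line in colon_listing.splitlines():
        f = line.split(":")
        if len(f) < 5 or f[0] not in ("pub", "sub"):
            continue
        bits = int(f[2] or 0)
        algo = ALGO_NAMES.get(int(f[3] or 0), "unknown")
        if algo == "unknown" or bits < MIN_BITS[algo]:
            weak.append((f[4], algo, bits))
    return weak


def check_status(status_output, pinned_fpr):
    """Interpret `gpg --status-fd` lines. Returns (ok, reason).
    VALIDSIG lists the signing key's fingerprint first and, on current
    gpg versions, the primary key's fingerprint as its last field."""
    validsig = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, tag
        if tag == "VALIDSIG":
            validsig = parts
    if validsig is None:
        return False, "no VALIDSIG"
    seen = {validsig[2].upper(), validsig[-1].upper()}
    if pinned_fpr.replace(" ", "").upper() not in seen:
        return False, "good signature, but not from the pinned key"
    return True, "ok"


def verify_download(path, sig_path, pinned_fpr=PINNED_FINGERPRINT):
    """Run gpg on a real file and apply check_status (needs gpg and the key)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr)


# Constructed sample: a 1024-bit DSA primary key with a 2048-bit RSA subkey,
# plus a separate 4096-bit RSA key. Only the DSA key should be flagged.
SAMPLE_LISTING = """tru::1:1600000000:0:3:1:5
pub:u:1024:17:1111111111111111:1234567890:::u:::scESC::::::::
uid:u::::1234567890::DEADBEEF::Example Signer <signer@example.invalid>::::::::::
sub:u:2048:1:2222222222222222:1234567890::::::e::::::
pub:u:4096:1:3333333333333333:1400000000:::u:::scESC::::::::
"""

# Constructed sample status output for a good signature from SAMPLE_FPR.
SAMPLE_FPR = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2015-06-01 1433116800 0 4 0 17 2 00 {SAMPLE_FPR}\n"
)

if __name__ == "__main__":
    print("weak keys:", weak_keys(SAMPLE_LISTING))
    print("pinned key:", check_status(SAMPLE_STATUS_GOOD, SAMPLE_FPR))
    print("other key: ", check_status(SAMPLE_STATUS_GOOD, "F" * 40))
```

The point of `check_status` is that `GOODSIG` alone is not enough: it only says the signature matches some key in your keyring. Comparing the fingerprint in `VALIDSIG` against a value obtained out of band (the project's own site, not the download mirror) is what defeats a re-signed installer. `weak_keys` is the check the post above did by hand when it noticed the 1024-bit DSA key.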
Ah! You mean do something to raise some revenue. That really is evil.
In my opinion, shipping adware with other people's software without asking them first is not a good way to raise revenue; it's shady. Well, we appear to have different opinions regarding that.
It's a shame that you aren't taking these concerns seriously.
Even Notepad++ has decided to leave SourceForge because of the hijacking of abandoned projects: https://notepad-plus-plus.org/news/notepad-plus-plus-leaves-sf.html
One of the projects using the 'SourceForge' installer is FileZilla where you have to click a 'Show additional download options' link to get to the crap-free installer.
This caused me to migrate to WinSCP.
Of course it's up to the KeePass project to decide to stay with SourceForge, it's my decision to leave KeePass...
For now I'll just disable the update check of KeePass until I find an alternative that doesn't rely on a platform with questionable moral values.
Last edit: Micha R 2015-06-17
If one downloads the Zip file of KeePass there will never be any third party programs or installers.
KeePass never needed any setup or installer at all.
So what is the problem here?
I really hope you will leave SF asap.
This mass exodus may secretly be exactly what TPTB at SF now want - a lot of abandoned projects that they can repackage with their "installers" of dubious quality - so people like Don Ho of Notepad++ may be playing right into their hands.
Personally, I hope Dominik never moves off SF; he seems well aware of the issues, and well equipped to handle them - and as soon as he were to move the project, any leverage he (or any project manager) had against these policies would be gone.
No, the best way to fight these forces is from within, IMO. When your castle is being overrun, you don't go outside and start hitting the walls with a battering ram - and to me, all these angry posts make about as little sense. Furthermore, the project managers using SF aren't the ones making SF policy, so why should they be the ones getting all the grief about it?
Last edit: T. Bug Reporter 2015-06-17
I am not the one to suggest moving off SF, but you people seem to be downplaying the real issues here:
95% of computer users don't even know that executables are signed, much less how to check whether a signature is valid or have any clue as to who should have signed the files, and for just $440 a year anyone can purchase a certificate and re-sign all the installers and executables.
95% of computer users will download an installer instead of ZIP if available.
95% of computer users will click through the installation and end up with PUPs and malware.
If at any point in the future you move from SF this will become another "abandoned" project as far as SF is concerned and they will take over and repackage your installer.
If you paid to use this site then I could understand staying and fighting. Since it is free to use you can either take it or leave it. Taking it could be misunderstood as you finding their questionable ethics acceptable and could lead to damage to your reputation.
95% of computer users will download an installer instead of ZIP if available.
That may be true for software in general, but I suspect it's lower for this project, because of the nature of the program; many people come here specifically seeking a program that won't leave traces on the computer it's used on. Dominik probably has access to stats that could confirm this.
If at any point in the future you move from SF this will become another "abandoned" project as far as SF is concerned and they will take over and repackage your installer.
My point exactly.
Taking it could be misunderstood as you finding their questionable ethics acceptable
Dominik has his own site (keepass.info) that's independent of SF; his use of SF is already limited to only those things that SF does better than he can do on his own, such as this forum and bug tracker. If this issue persists, Dominik could easily post notices on his site explaining his position - notices that SF wouldn't be able to remove or alter. I'm sure that Dominik can also provide stats showing that most people come here via his own pages rather than from links on SF itself.
Last edit: T. Bug Reporter 2015-06-21
If at any point in the future you move from SF this will become another "abandoned" project as far as SF is concerned and they will take over and repackage your installer.
A very good reason to stay at SF.
We are not fighting to stay, just pointing out that it is convenient to stay.
cheers, Paul
It would seem it's a catch-22 in regards to the abandoned project issue. However, I am not sure what prevents them from finding the most popular open source projects not on SF and then creating repos not managed by the author. I think you need to stay active on SF in order to protect the presence, the same way people will register their handle on a social networking site even if they don't use it, in order to prevent someone pretending to be them.
These forums are not very robust on SF, but forum software is a pain to manage and to secure, and I do not believe there is any easy way to migrate these forums without screen scraping; I need to re-read the TOS, but the forum content may not belong to the project owner. There are people who have SF accounts, so that is one less account to put in your KeePass DB.
Also, I would imagine any self-hosted forums on the KeePass site would be a juicy target for attackers, since there is a chance a brand new user not familiar with security might use their master password on the site. Third-party solutions like Get Satisfaction may be an option, or pushing people to Super User, but that may result in financial costs and fragmentation.
I generally like the look and workflow on GitHub more. Support issues may make more sense in a tracker than in a forum anyway. However, "regular" users are unlikely to create accounts on any project hosting site to ask questions and are more likely to turn to generic "help" forums they may like to use, or Super User. Things like news or announcements for addons can be put into a wiki on GitHub, but that would permit some users to delete others' contributions. For third-party addons, etc., in many cases these discussions should happen on the developers' own sites, but it also makes sense here since they may actually be KeePass-related issues, and not all third-party development is actively supported or has a community. Third-party project association would be a killer feature for any public project management site.
I think in weighing the pros and cons, squatting your ground on SF makes the most sense right now, but I would like to see the binaries hosted elsewhere. If the source was moved or cross managed on Github I think that may increase non-core team commits. The forums probably are best the way they are for the time being.
Some of the projects that they were taking over weren't abandoned though. They took over the projects for nmap, VLC, Mozilla, and GIMP. There was a Firefox release posted on SF two weeks before SF took control of the repo. They claimed that the GIMP repo was abandoned, but there had been a release on SF within the past 6 months (and not the year and a half that SF claimed). VLC had releases this year as well (2.2.0 at the end of February, and 2.2.1 in April).