Verify your sourceforge windows installer downloads
hi,

It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe

As NumPy is also distributing windows installers via sourceforge I recommend that when you download the files you verify the downloads via the checksums in the README.txt before using them. The README.txt is clearsigned with my gpg key so it should be safe from tampering. Unfortunately as I don't use windows I cannot give any advice on how to do the verification on these platforms. Maybe someone familiar with available tools can chime in.

I have checked the numpy downloads and they still match what I uploaded, but as sourceforge does redirect based on OS and geolocation this may not mean much.

Cheers,
Julian Taylor
IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.

Could we use some resources (e.g. rackspace?) to host those files? Do we know how much traffic they get so estimate the cost?

David

On Thu, May 28, 2015 at 9:46 PM, Julian Taylor <jtaylor.debian@googlemail.com> wrote:
Migrating from SourceForge seems worth considering. I also agree this is a breach of trust with the open source community.

It is my impression that the GIMP team stopped using SF for downloads some time ago in favour of using their own website, leaving the SF account live to maintain the old release downloads: https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html

According to the SourceForge blog, they assumed the "GIMP for Windows" account was abandoned, and it appears SF decided to make some money off it as a mirror site offering adware-bundled versions of the official releases: http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

We would not want the same thing to happen to NumPy, but on the other hand deleting all the old releases on SourceForge would break a vast number of installation scripts/recipes.

Peter

On Thu, May 28, 2015 at 2:35 PM, David Cournapeau <cournape@gmail.com> wrote:
David Cournapeau <cournape@gmail.com> wrote:
> IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.
Here is their lame excuse: https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

It probably means this: If NumPy installers are moved away from Sourceforge, they will set up a mirror and load the mirrored installers with all sorts of crapware. It is some sort of racket the mob couldn't do better.

Sturla
I noticed that like most BSD-licensed software, NumPy's license includes this clause:

"Neither the name of the NumPy Developers nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission."

There's an argument to be made that SF isn't legally permitted to distribute poisoned installers under the name "NumPy" without permission. I recall a similar dust-up a while ago about "Standard Markdown" using the name "Markdown"; the original author (John Gruber) took action and got them to change the name.

In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?

Andrew
On Fri, May 29, 2015 at 2:00 AM, Andrew Collette <andrew.collette@gmail.com> wrote:
> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.

David
28.05.2015, 20:05, David Cournapeau wrote: [clip]
>> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
> They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.
Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the "Releases" section --- there's one for each tag.

Pauli
Pauli Virtanen <pav@iki.fi> wrote:
> Is it possible to host them on github? I think there's an option to add release notes and (apparently) to upload binaries if you go to the "Releases" section --- there's one for each tag.
And then Sourceforge will put up tainted installers "for the benefit of NumPy users". :)
28.05.2015, 20:35, Sturla Molden wrote:
> And then Sourceforge will put up tainted installers "for the benefit of NumPy users". :)
Well, let them. They may already be tainted, who knows. It's phishing and malware distribution at that point, and there are some ways to deal with that (safe browsing, AV etc).
On 28.05.2015 19:46, Pauli Virtanen wrote:
> Well, let them. They may already be tainted, who knows. It's phishing and malware distribution at that point, and there are some ways to deal with that (safe browsing, AV etc).
There is no guarantee that github will not do this stuff in future too; also PyPI or self hosting do not necessarily help, as those resources can be compromised. The main thing that should be learned from this and the many similar incidents in the past is that binaries from the internet need to be verified to check whether they have been modified from their original state; otherwise they cannot be trusted. With my mail I wanted to bring to attention that both numpy (since 1.7.2) and scipy (since 0.14.1) allow users to do so via the signed README.txt containing checksums.
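The verification Julian describes in his two mails above (checksums listed in a clearsigned README.txt), as an added example that is not part of the thread or of NumPy's release tooling: it extracts the signed body from the clearsign armor, checks every downloaded file against all digests listed for it, and accepts the gpg signature only from a pinned fingerprint. The `<hexdigest>  <filename>` line layout, the file name `numpy-example.exe` and the `expected_fpr` value are assumptions; the sample README is constructed.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed README layout: `<hexdigest>  <filename>` lines; digest length selects the algorithm.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\s+\*?(\S+)\s*$", re.M)

# Constructed sample README; its digests belong to the file that demo() writes.
SAMPLE_README = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

9e107d9d372bb6826bd81d3542a419d6  numpy-example.exe
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592  numpy-example.exe
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def signature_ok(readme: Path, expected_fpr: str) -> bool:
    """Accept README.txt only on a gpg VALIDSIG from the pinned fingerprint: exit status 0
    alone means *some* key in the keyring signed it. `expected_fpr` is a placeholder for the
    maintainer's fingerprint, which must come from somewhere other than the download site."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(readme)],
                          capture_output=True, text=True)
    sigs = [line.split()[2] for line in proc.stdout.splitlines() if line.startswith("[GNUPG:] VALIDSIG ")]
    return proc.returncode == 0 and expected_fpr.upper() in (s.upper() for s in sigs)

def clearsigned_body(text: str) -> str:
    """Return the signed text from clearsign armor, undoing its dash-escaping."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n"
                  r"-----BEGIN PGP SIGNATURE-----", text, re.S)
    return re.sub(r"^- ", "", m.group(1) if m else text, flags=re.M)

def parse_checksums(body: str) -> dict:
    """Map filename -> {algorithm: hexdigest}; one file may be listed under both."""
    found = {}
    for digest, name in CHECKSUM_LINE.findall(body):
        found.setdefault(name, {})[ALGO_BY_HEXLEN[len(digest)]] = digest.lower()
    return found

def verify_downloads(readme_text: str, directory: Path) -> dict:
    """filename -> 'ok' | 'mismatch' | 'missing'; every listed digest must match."""
    results = {}
    for name, digests in parse_checksums(clearsigned_body(readme_text)).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        data = path.read_bytes()
        matches = all(hashlib.new(algo, data).hexdigest() == want for algo, want in digests.items())
        results[name] = "ok" if matches else "mismatch"
    return results

def demo() -> dict:
    """Verify the constructed sample file untouched, then with one byte appended."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "numpy-example.exe"
        target.write_bytes(b"The quick brown fox jumps over the lazy dog")
        untouched = verify_downloads(SAMPLE_README, Path(tmp))
        target.write_bytes(target.read_bytes() + b"\x00")
        tampered = verify_downloads(SAMPLE_README, Path(tmp))
    return {"untouched": untouched, "tampered": tampered}
```

Run `signature_ok(Path("README.txt"), "<fingerprint>")` before trusting the checksums; a README.txt fetched from the same mirror as the installer proves nothing unless its signature checks out against a key obtained elsewhere.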
28.05.2015, 21:52, Julian Taylor wrote:
> There is no guarantee that github will not do this stuff in future too; also PyPI or self hosting do not necessarily help, as those resources can be compromised. The main thing that should be learned from this and the many similar incidents in the past is that binaries from the internet need to be verified to check whether they have been modified from their original state; otherwise they cannot be trusted.
Indeed, but on the other hand, there's no reason for us to continue cooperating with shady partners, especially when there are easy alternatives. We can just quietly change the main binary distribution channel and be done with it.
On May 28, 2015 7:06 PM, "David Cournapeau" <cournape@gmail.com> wrote:
> On Fri, May 29, 2015 at 2:00 AM, Andrew Collette <andrew.collette@gmail.com> wrote:
>> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
> They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.
Is that something that could be fixed? Has anyone asked the pypi maintainers whether they could change those rules, either in general or by granting exceptions on a case-by-case basis to projects that have proven track records and importance?

It would seem to me that if the rules on pypi are forcing critical projects like numpy to host elsewhere, then the rules are flawed and are preventing pypi from serving its intended purpose.
Speaking from the matplotlib project, our binaries are substantial due to our suite of test images. Pypi worked with us on relaxing size constraints. Also, I think the new cheese shop/warehouse server they are using scales better, so size is not nearly the same concern as before.

Ben Root

On May 29, 2015 1:43 AM, "Todd" <toddrjen@gmail.com> wrote:
On Fri, May 29, 2015 at 7:28 PM, Benjamin Root <ben.root@ou.edu> wrote:
> On May 29, 2015 1:43 AM, "Todd" <toddrjen@gmail.com> wrote:
>> Is that something that could be fixed?
For the current .exe installers that cannot be fixed, because neither pip nor easy_install can handle those. We actually have to ensure that we don't link from pypi directly to the sourceforge folder with the latest release, because then easy_install will follow the link, download the .exe and fail.

Dmg's were another non-supported format, but we'll stop using those. So if/when it's SSE2 .exe installers only (made with bdist_wininst and no NSIS) then PyPi works. Size constraints are not an issue for Numpy I think.

Ralf
On Mon, Jun 1, 2015 at 3:43 AM, Ralf Gommers <ralf.gommers@gmail.com> wrote:
> For the current .exe installers that cannot be fixed, because neither pip nor easy_install can handle those. We actually have to ensure that we don't link from pypi directly to the sourceforge folder with the latest release, because then easy_install will follow the link, download the .exe and fail.
> Dmg's were another non-supported format, but we'll stop using those. So if/when it's SSE2 .exe installers only (made with bdist_wininst and no NSIS) then PyPi works. Size constraints are not an issue for Numpy I think.
What about adding some mechanism in pypi to flag that certain files should not be downloaded with pip?
On 28 May 2015 at 10:05, David Cournapeau <cournape@gmail.com> wrote:
> On Fri, May 29, 2015 at 2:00 AM, Andrew Collette <andrew.collette@gmail.com> wrote:
>> In any case I've always been surprised that NumPy is distributed through SourceForge, which has been sketchy for years now. Could it simply be hosted on PyPI?
> They don't accept arbitrary binaries like SF does, and some of our installer formats can't be uploaded there.
Bintray [1] has been providing a free service for hosting 'bottles' (compiled binaries) for the Homebrew project [2]. Probably an option to look at.

[1] https://bintray.com/
[2] http://brew.sh/
Julian Taylor <jtaylor.debian@googlemail.com> wrote:
> It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe
WTF?
participants (10)

- Andrew Collette
- Benjamin Root
- David Cournapeau
- Julian Taylor
- Pauli Virtanen
- Peter Cock
- Ralf Gommers
- Saket Choudhary
- Sturla Molden
- Todd