[Gimp-developer] What next after sourceforge.net?



Sourceforge deceived us, but this problem seems to be more
widespread. What are some steps we can take to avoid problems for users
and inform them?

(For purposes of defining malware below: A user wishes to install
GIMP. The user does not expect the installer to side-load other software
that is often undesirable, whether it does so without asking or not.)

From The Free On-line Dictionary of Computing (20 July 2014) [foldoc]:

  malware

     <security> Any {software} designed to do something that the
     user would not wish it to do, hasn't asked it to do, and often
     has no knowledge of until it's too late.


First, note that Sourceforge doesn't appear as that old project
host. Even if we don't have a project there, they "mirror" projects with
the side-loading malware installer so that they can profit from the work
of others. They are able to do this because Sourceforge was once trusted
by users as a reputed provider of free software. The installer that
eventually gets used is ender's, so they are not even building GIMP for
Windows. They have made no contributions to GIMP for Windows. We have
not asked them to continue to update a mirror for GIMP.

Sourceforge is not alone in making such side-loading malware installers.
A Google web search for "gimp" or "gimp download" returns numerous
crapware results and just 1 legitimate result. They all claim to make
GIMP available for download.  Note that you will not find
free-as-in-beer commercial software like Google Earth for download
through their malware installers on these websites (they link to the
respective software's website for these); only free software projects
which are not capable of defending themselves are chosen to exploit.

The GNU GPL gives a lot of freedom to use, modify and redistribute
software. Many developers/contributors of free software actually want
this. They put their hearts and minds into improving software so that
the general public can benefit from the software and doesn't face any
restrictions. There is little that contributors expect.

There are some who are taking advantage of that freedom by
misrepresenting the creators of that software and fooling the public in
order to profit. Profiting from free software is a good thing, but there
are right and wrong ways to do it.

When it comes to software projects, copyright and name (the mark) are
two rights that creators of the effects have. The GNU GPL gives a lot of
rights away so that the software is free. But it doesn't exactly allow
misrepresentation and masquerade.

Many distros ship GIMP, even slightly patched versions for bugfixes or
better integration into their environments. This improves the experience
for users. Formally registering a GIMP trademark may not be seen in a
good light by distributions, even if we readily wish to see them use the
name. See Firefox vs. Iceweasel for example.

Even though GIMP is an established project, we generally don't want to
spend time as contributors to fight a legal battle. There are even
questions of whether we *should*, i.e., whether an established free
software project has to register trademarks and involve lawyers to
protect it from being misused this way.


Looking forward, we would like to protect our users in some way. This
would actually make a difference to users, rather than fighting some
battles.

1. Discourage wrapping of real installer inside a side-loading installer
------------------------------------------------------------------------

Red Hat distributes ISO images of its Enterprise Linux project to its
customers. The ISO images contain RPM packages, which further contain
compiled binaries of various projects licensed, among others, under the
GNU GPL license. Though Red Hat distributes the sources for all
software, the ISO images are not put up for redistribution.

The GIMP installer EXE file is a binary archive that contains, within
it, the compiled object files from GIMP's source code, and various
resources and other files. The installer EXE, though it is a program, is
not technically a derived work as per the GNU GPL as it is not ever
linked to GIMP. The installer EXE is also signed by ender (Jernej
Simončič).

It is non-trivial to make this GIMP installer EXE for those who have not
spent a significant amount of time learning how to do this. The way that
most side-loading malware installers like Sourceforge.net's operate is
that after installing crapware, when the time comes to actually install
GIMP, they take ender's installer as-is and run it.

Without losing sight of the principles of free software, we might add a
notice alongside this binary installer about what kinds of activity are
not allowed with this specific installer EXE so that our users don't end
up being fooled.


2. Cleanup search results
-------------------------

If a user searches for "gimp", they ought not to see downloads for GIMP
that fool the user into installing other things on the machine. There is
only one legitimate result for the actual stable release of GIMP, and
several results for side-loading installers even within the first page
on Google. All of these masquerade as GIMP. There are even results that
show up with notices like "Trusted download of GIMP".

Google has various categories on how to take down such malware results
that misrepresent projects. It seems that such side-loading installers
fall into more than one category. Contacting someone at Google to ask
about it would be best, as we'd have to maintain this as more such
side-loading installers show up.

I'm sure Google cares about whether it wants the general public to have
a good experience by using its search engine and not get masquerading
misrepresenting results that take advantage of naive users and do other
things with the system, esp. for software executables.


3. Inform the user
------------------

Because the side-loading installer runs the actual GIMP installer as
provided by the project, we could add a page in the installer wizard
that informs the user of how some websites wrap the GIMP installer this
way, and ask if they have downloaded GIMP by following a link from
www.gimp.org. We can even ask users to report such websites as malware
websites from their browsers, or in search engines.

                Mukund

Attachment: pgpBTGwG_OwJV.pgp
Description: PGP signature
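
Added example, not part of Mukund's message or of the GIMP project's own code: a PowerShell check a Windows user can run on a downloaded installer before executing it, built on the point made in section 1 that ender's installer EXE is signed while the side-loading wrappers are separate executables produced by someone else. It verifies the Authenticode signature and, optionally, compares the file's SHA-256 against a value taken from an installer obtained by following a link from www.gimp.org. The signer-name pattern and the hash are placeholders you must fill in; it is an assumption here that the packager's signing-certificate subject contains his name, so confirm the real subject once on a known-good copy. The script name used in the usage note below is also invented for illustration.

```powershell
# Added example: verify a downloaded GIMP installer before running it.
# Not part of the original message or of the GIMP project. The default
# signer pattern and the expected hash are ASSUMPTIONS / placeholders:
# take the real values from an installer reached via www.gimp.org.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,

    # Substring expected in the Authenticode signer certificate's Subject.
    # ASSUMPTION: the packager's certificate subject contains his name;
    # confirm the real value on a known-good copy and paste it here.
    [string]$ExpectedSignerPattern = 'Jernej',

    # Optional: the release's published SHA-256 (hex). Empty = skip.
    [string]$ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    Write-Host "FAIL: file not found: $InstallerPath"
    exit 1
}

# 1. Authenticode. A wrapper EXE built by a third party cannot carry the
#    packager's signature without his private key: it will either be
#    unsigned or signed by some other party, and both cases fail here.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

if ($sig.Status -ne 'Valid') {
    Write-Host ("FAIL: signature status is '{0}' (expected 'Valid'): {1}" -f `
        $sig.Status, $sig.StatusMessage)
    exit 1
}

$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSignerPattern*") {
    Write-Host "FAIL: validly signed, but by an unexpected party: $subject"
    exit 1
}
Write-Host "OK: valid signature from $subject"
Write-Host ("    thumbprint: {0}" -f $sig.SignerCertificate.Thumbprint)

# 2. Optional hash check against the published value. This also catches a
#    repackaged file whose author bought a code-signing certificate of
#    their own and whose subject happens to match the pattern above.
if ($ExpectedSha256 -ne '') {
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $InstallerPath).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        Write-Host "FAIL: SHA-256 mismatch"
        Write-Host "    expected: $($ExpectedSha256.Trim())"
        Write-Host "    actual:   $actual"
        exit 1
    }
    Write-Host "OK: SHA-256 matches the published value"
}

exit 0
```

Usage (script name invented for this example): `.\Verify-GimpInstaller.ps1 -InstallerPath .\gimp-setup.exe -ExpectedSha256 <hex from a trusted source>`. The check has to be run on the file that was actually downloaded: as the message notes, the wrapper later drops and runs the genuine installer, which will itself verify fine, so inspecting that inner file after the fact tells you nothing about how it got onto the machine.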