Sourceforge deceived us, but this problem seems to be more widespread. What are some steps we can take to avoid problems for users and inform them?

(For purposes of defining malware below: A user wishes to install GIMP. The user does not expect the installer to side-load other software that is often undesirable, whether it does so without asking or not.)

From The Free On-line Dictionary of Computing (20 July 2014) [foldoc]:

  malware

  <security> Any {software} designed to do something that the user would not wish it to do, hasn't asked it to do, and often has no knowledge of until it's too late.

First, note that Sourceforge doesn't appear as that old project host. Even if we don't have a project there, they "mirror" projects with the side-loading malware installer so that they can profit from the work of others. They are able to do this because Sourceforge was once trusted by users as a reputed provider of free software. The installer that eventually gets used is ender's, so they are not even building GIMP for Windows. They have made no contributions to GIMP for Windows. We have not asked them to continue to update a mirror for GIMP.

Sourceforge is not alone in making such side-loading malware installers. A Google web search for "gimp" or "gimp download" returns numerous crapware results and just 1 legitimate result. They all claim to make GIMP available for download. Note that you will not find free-as-in-beer commercial software like Google Earth for download through their malware installers on these websites (they link to the respective software's website for these); only free software projects which are not capable of defending themselves are chosen for exploitation.

The GNU GPL gives a lot of freedom to use, modify and redistribute software. Many developers/contributors of free software actually want this. They put their hearts and minds into improving software so that the general public can benefit from the software and doesn't face any restrictions. There is little that contributors expect.

There are some who are taking advantage of that freedom by misrepresenting the creators of that software and fooling the public in order to profit. Profiting from free software is a good thing, but there are right and wrong ways to do it. When it comes to software projects, copyright and name (the mark) are two rights that creators of the effects have. The GNU GPL gives a lot of rights away so that the software is free. But it doesn't exactly allow misrepresentation and masquerade.

Many distros ship GIMP, even slightly patched versions for bugfixes or better integration into their environments. This improves the experience for users. Formally registering a GIMP trademark may not be seen in a good light by distributions, even if we readily wish to see them use the name. See Firefox vs. Iceweasel for example. Even though GIMP is an established project, we generally don't want to spend time as contributors fighting a legal battle. There are even questions of whether we *should*, i.e., whether an established free software project has to register trademarks and involve lawyers to protect it from being misused this way.

Looking forward, we would like to protect our users in some way. This would actually make a difference to users, rather than fighting some battles.

1. Discourage wrapping of real installer inside a side-loading installer
------------------------------------------------------------------------

Red Hat distributes ISO images of its Enterprise Linux project to its customers. The ISO images contain RPM packages, which further contain compiled binaries of various projects licensed, among others, under the GNU GPL license. Though Red Hat distributes the sources for all software, the ISO images are not put up for redistribution.

The GIMP installer EXE file is a binary archive that contains, within it, the compiled object files from GIMP's source code, and various resources and other files. The installer EXE, though it is a program, is not technically a derived work as per the GNU GPL, as it is never linked to GIMP. The installer EXE is also signed by ender (Jernej Simončič). It is non-trivial to make this GIMP installer EXE for those who have not spent a significant amount of time learning how to do this.

The way that most side-loading malware installers like Sourceforge.net's operate is that after installing crapware, when the time comes to actually install GIMP, they take ender's installer as-is and run it.

Without losing sight of the principles of free software, we might add a notice alongside this binary installer about what kinds of activity are not allowed with this specific installer EXE, so that our users don't end up being fooled.

2. Cleanup search results
-------------------------

If a user searches for "gimp", they ought not to see downloads for GIMP that fool the user into installing other things on the machine. There is only one legitimate result for the actual stable release of GIMP, and several results for side-loading installers even within the first page on Google. All of these masquerade as GIMP. There are even results that show up with notices like "Trusted download of GIMP".

Google has various categories on how to take down such malware results that misrepresent projects. It seems that such side-loading installers fall into more than one category. Contacting someone at Google to ask about it would be best, as we'd have to maintain this as more such side-loading installers show up. I'm sure Google cares about whether it wants the general public to have a good experience by using its search engine and not get masquerading, misrepresenting results that take advantage of naive users and do other things with the system, esp. for software executables.

3. Inform the user
------------------

Because the side-loading installer runs the actual GIMP installer as provided by the project, we could add a page in the installer wizard that informs the user of how some websites wrap the GIMP installer this way, and ask if they have downloaded GIMP by following a link from www.gimp.org. We can even ask users to report such websites as malware websites from their browsers, or in search engines.

Mukund
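As an added illustration of the wizard page proposed in point 3 (this is example code, not ender's actual installer script), the sketch below assumes the GIMP installer is built with Inno Setup, which the mail does not state; it adds a "where did you download this?" page after the welcome page and, if the user picked another website, shows the www.gimp.org pointer and the suggestion to report the site.

```pascal
; Added example, not the GIMP project's own installer script. It assumes an
; Inno Setup based installer (an assumption, not stated in the mail).
[Setup]
AppName=GIMP
; placeholder version, not a real GIMP release
AppVersion=0.0
DefaultDirName={pf}\GIMP
OutputBaseFilename=gimp-setup-example

[Code]
var
  SourcePage: TInputOptionWizardPage;

procedure InitializeWizard;
begin
  { Exclusive choice (radio buttons), shown right after the welcome page. }
  SourcePage := CreateInputOptionPage(wpWelcome,
    'Where did you download this installer?',
    'GIMP is free software and is distributed from www.gimp.org.',
    'Some websites wrap this installer inside their own installer that ' +
    'adds unrelated software to your computer. Please tell us where ' +
    'this file came from:',
    True, False);
  SourcePage.Add('I followed a download link on www.gimp.org');
  SourcePage.Add('I got it from another website or download manager');
  SourcePage.SelectedValueIndex := 0;
end;

function NextButtonClick(CurPageID: Integer): Boolean;
var
  ErrorCode: Integer;
begin
  { Never block the install; only inform the user and offer the real site. }
  Result := True;
  if (CurPageID = SourcePage.ID) and (SourcePage.SelectedValueIndex = 1) then
  begin
    if MsgBox('Only www.gimp.org distributes the official GIMP installer. ' +
              'If another website asked you to install extra software ' +
              'first, consider reporting it as a malware website from ' +
              'your browser or search engine.' + #13#10#13#10 +
              'Open www.gimp.org now?',
              mbInformation, MB_YESNO) = IDYES then
      ShellExec('open', 'https://www.gimp.org/', '', '',
                SW_SHOWNORMAL, ewNoWait, ErrorCode);
  end;
end;
```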