This project has moved. For the latest updates, please go here.

Sourceforge isn't trustworthy any more

Topics: Users Discussion
Aug 1, 2015 at 11:35 PM
Hi there! Did you read the recent incidents on sourceforge? The site operators modified some installers of projects without the agreement and knowledge of the developer of the project.
Here some detailed info:
http://arstechnica.com/information-technology/2015/06/sourceforge-locked-in-projects-of-fleeing-users-cashed-in-on-malvertising/

http://helb.github.io/goodbye-sourceforge/

Are you guys aware of this events? A lot of developers already moved away from sourceforge (e.g. https://mpc-hc.org/ etc.) because they won't support operators with such an untrustworthy behavior.
Coordinator
Aug 2, 2015 at 11:16 PM
Hi,

I'm aware of the Sourceforge story. They did a stupid move by changing the installers of some unmaintained projects.
As for VeraCrypt they never touched the binaries and they will never do for a simple reasons: All VeraCrypt binaries are PGP signed and more importantly, the Windows binary has an embedded digital signature that is automatically checked by Windows.

Moreover, Sourceforge only modified unsigned installers for unmaintained projects and afterwards they backtracked, so I don't see any issue for the future.

If you want to avoid Sourceforge, you can use Codeplex as it contains exactly the same binaries.

Sourceforge provides a wonderful hosting infrastructure that is not equaled anywhere else in the free open source hosting offering. If you want to want to have the same download quality (they have multiple mirrors across the glob) and statistic services they provide, you'll have to pay extra cash or your need to be sponsored by some business. I suspect that there are some entities that want to profit from this Sourceforge mistake in order to take them down and thus force many projects to pay extra money for services that are free with Sourceforge.

In all cases, no matter what download source you are using, always check the signature of the files as described here: https://veracrypt.codeplex.com/wikipage?title=Digital%20Signatures