Quote:
Originally Posted by planetdoc
1. It can allow a 3rd party to take over a project and push out malicious code.
All projects on SourceForge are open source and the source code can be reviewed by anyone at any time. Malicious code would have to be exposed right out in the open.
Quote:
Originally Posted by planetdoc
2. Although software that they host is open source, most people do not check MD5 checksums of the software that they download, few check that the available executable matches one compiled independently, and few have the capability to audit the millions of lines of code of each version.
Not checking MD5 checksums is a user problem and a question of sheer laziness. I have very little sympathy for people that don't follow standard procedure.
Quote:
Originally Posted by planetdoc
Thus, when the chain of trust is potentially broken (such as when SourceForge has been compromised), then any software hosted from the site becomes potentially suspect and should be viewed with suspicion.
All software, from all sources, should be viewed with suspicion. Even legitimate software sources like Oracle and Google occasionally try to slip stuff into their installers that the average user doesn't want or need.
As a source of open source software, SourceForge gives the user the ability to inspect the actual code and make informed decisions all on their own. If the users aren't doing that, shame on them.