Filezilla and Malware


#1 Post by ZXRBMB » 2015-06-21 01:33

Hello,

I am a systems administrator and organization lead with experience in software licensing and have read many EULAs and understand their provisions. I also have information security experience.

We (I can't officially name my organization at this time) find Sourceforge and its current path to be very much like that of download.com where the site has become very top-heavy where commercial interests have outstripped the interests of the Internet community and puts users at unnecessary risk. Especially those users who do not have legal experience and may not completely understand provisions of EULAs and may not even speak English as a first language. This has created a toxic environment where users are left walking a minefield of contract terms and "offers" that are never in their favour.

These commercial interests are the same interests that would willingly violate the GPL should it further their goals. These interests do not have Filezilla, its creators or its users in mind. These are the same interests that want the Internet to be nothing but billboards and other forms of advertisement. These interests in fact want a closed Internet where only commercial organizations may participate in that publishing process because it means that they can more easily gather marketing data on users, including of their most intimate of secrets. They don't like the prospect that their advertisements may not be seen because users can go to a website without them; they think that's stealing from them. They don't like the prospect of non-companies publishing content because it means their own content and brands become less known.

We often speak about government being intrusive, but we seldom actually talk about who is the greater threat: private institutions that are not bound by the US Constitution and related documents in other jurisdictions, that can indeed quash free speech should we apply to "too-big-to-fail" websites like Facebook that control the information flow of hundreds of millions of people; that can indeed search and seize our computers should we accidentally hit the wrong button agreeing to contract terms that are never in the computer owner's favour.

The issue is that commercial malware is seldom actually called into question because it has company names attached to it, they have tonnes of assurances that "they're optional", they ride on the coat tails of reputation. Reputation on sites like download.com and Sourceforge where big names and media proclaim that they're legitimate. Thing is, because they're a business and not some virus programmer in some basement or some terrorist organization that the government warns us about, things don't change. Lawyers will proclaim that there's a EULA and ask if the user read it, police will never arrest the executives of these organizations because they skirt the law. It's the new normal when it comes to malicious software: be as legitimate as possible so it's harder to question activities.

The implications are scary.

Before I continue, let us for a moment define malware:
(from http://www.merriam-webster.com/dictionary/malware )
software designed to interfere with a computer's normal functioning
And let's define trojan horse:
(from http://www.merriam-webster.com/dictiona ... an%20horse )
: someone or something that is used to hide what is true or real in order to trick or harm an enemy

computers : a seemingly useful computer program that is actually designed to harm your computer (such as by destroying data files) if you use it

To take a break from the wall of text, please note this image here, which shows Google's classification of the software:

[Image: Google's classification of the software]

I would contend that users downloading Filezilla have a defined normal expectation of how their computer will operate after installation of Filezilla's software, and that the offers are indeed malware as they interfere with what the user is expecting of the functionality of their computers after installation. Ergo, these offers are offers of malware. Specifically, of the Trojan Horse class, where they are offered under the guise of being software to enhance user experience but once installed immediately begin attempting to sell products and services to users or transmitting personal information to remote servers with questionable permission. The only acceptable download is a clean download, one free of trojan horses that degrade performance or cause barriers to user experience.

This venue of providing "offers" with a large panel with "ACCEPT" and "DECLINE" buttons ignores and violates the conventional standards of installers, where such a panel is reserved for the software package's own licensing and other offers are usually offered after that point. This is potentially legally important, as if a user installed the malware/offers but upon installation of the third party software chose to abort before the Filezilla EULA is presented, it may still leave the Filezilla Project open to liability for distributing that software and potentially render void the Filezilla warranty disclaimer, as it was never presented to the user to virtually sign via the Filezilla EULA "Accept" button.

This violation of standards also has a side-effect of presenting Sourceforge and the Filezilla Project as participating in bait-and-switch schemes, where the initial offer panel does not make it sufficiently obvious that the offer panel is for third-party software, especially considering the title bar is "Sourceforge" and the subtitle is "Filezilla", with only the contents of the window indicating anything to the contrary. The third party "offers" make minimal effort to notify that they are optional, with it being in the smallest print possible. This false advertising that relies on fine print manoeuvres may fall afoul of consumer protection law as not being sufficiently up-front, regardless of whether it is free software or paid.

I understand that the Filezilla Project has no control over how SourceForge designs its wrapper; however, these elements, including installer design standards, should be in consideration when deciding whether to continue to support Sourceforge or its decisions, and whether Sourceforge is adequately protecting Filezilla's administration from liability issues.

With this all said and foregoing additional lamentation, we need a solution.

Setting aside the above issues, Filezilla's software is stable and easy to use; excellent for its purpose, with a large feature set in an easy-to-use UI. Not something that can be said for everything. I wager that many organizations with network infrastructure would be willing to step forward and offer mirroring services pro bono to the Filezilla Project so that it does not have to distribute through a toxic platform and can encourage an open and free Internet. Especially considering that FileZilla is used with web hosting services in ISPs and datacenters, or even universities and colleges, even if a few were to commit resources it could stabilize and rectify this issue.

All it would take is a location to rsync from and the mirrors could pull from there and distribute to users, frills free.

We need to keep an open Internet where its stakeholders — not commercial interests alone decide what goes on.


But for now,

I, along with my organization, have been monitoring this situation for some time now and have advised our users and clients to cease using any Sourceforge-provided download source. Since Filezilla is only officially available through Sourceforge (even those "?nowrap" links), we will have to discontinue suggesting it at this time.
