If you use a computer and you use the Internet, chances are you’ll eventually find some software that, for whatever reason, is still hosted on Sourceforge. In case you’re not familiar with it, Sourceforge is a publicly-available malware vector that also sometimes contains useful open source binary downloads, especially for Windows.
In addition to injecting malware into their downloads (a practice they claim, hopefully truthfully, to have stopped), Sourceforge also presents an initial download page over HTTPS, then redirects the user to HTTP for the download itself, snatching defeat from the jaws of victory. This is fantastically irresponsible, especially for a site offering un-sandboxed binaries for download, especially in the era of Let’s Encrypt where getting a TLS certificate takes approximately thirty seconds and exactly zero dollars.
So: if you can possibly find your downloads anywhere else, go there.
But, rarely, you will find yourself at the mercy of whatever responsible stewards[1] are still operating Sourceforge if you want to get access to some useful software. As it happens, there is a loophole that will let you authenticate the binaries that you download from them so you won’t be left vulnerable to an evil barista: their “file release system”, the thing you use to upload your projects, will allow you to download other projects as well.
To use it, first, make yourself a sourceforge account. You may need to create a dummy project as well. Sourceforge maintains an HTTPS-accessible list of key fingerprints for all the SSH servers that they operate, so you can verify the public key below.
Then you’ll need to connect to their upload server over SFTP, and go to the path /home/frs/project/<the project’s name>/.../ to get the file.
I have written a little Python script[2] that automates the translation of a Sourceforge file-browser download URL, one that you can get if you right-click on a download in the “files” section of a project’s website, and runs the relevant scp command to retrieve the file for you. This isn’t on PyPI or anything, and I’m not putting any effort into polishing it further; the best possible outcome of this blog post is that it immediately stops being necessary.
[1] Are you one of those people? I would prefer to be lauding your legacy of decades of valuable contributions to the open source community instead of ridiculing your dangerous incompetence, but repeated bug reports and support emails have gone unanswered. Please get in touch so we can discuss this.
Code:
```python
#!/usr/bin/env python2
# Translate a SourceForge file-browser download URL into the matching path on
# SourceForge's SFTP "file release system" host, pin that host's SSH key in
# known_hosts, and fetch the file with scp so the transfer is authenticated.
# (Written for Python 2, but also runs unchanged under Python 3.)
import os
import re
import subprocess
import sys

if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <sourceforge download URL>\n" % sys.argv[0])
    sys.exit(2)
sfuri = sys.argv[1]
# for example,
# https://sourceforge.net/projects/refind/files/0.9.2/refind-bin-0.9.2.zip/download
matched = re.match(
    r"https?://sourceforge\.net/projects/([^/]+)/files/(.+)/download$", sfuri)
if not matched:
    sys.stderr.write("Not a SourceForge download link.\n")
    sys.exit(1)
project, path = matched.groups()
sftppath = "/home/frs/project/{project}/{path}".format(project=project, path=path)

SF_HOST = "web.sourceforge.net"
KNOWN_HOSTS = os.path.expanduser("~/.ssh/known_hosts")


def knows_about_web_sf_net():
    """True if known_hosts already has an entry whose host field names SF_HOST."""
    if not os.path.exists(KNOWN_HOSTS):
        return False
    with open(KNOWN_HOSTS, "r") as read_known_hosts:
        for line in read_known_hosts:
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue  # blank lines and comments have no host field
            # the host field may list several names separated by commas
            if SF_HOST in fields[0].split(","):
                return True
    return False


# Pinned host key for web.sourceforge.net. Compare its fingerprint with the
# list SourceForge publishes over HTTPS before relying on it.
sfkey = """web.sourceforge.net ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2uifHZbNexw6cXbyg1JnzDitL5VhYs0E65Hk/tLAPmcmm5GuiGeUoI/B0eUSNFsbqzwgwrttjnzKMKiGLN5CWVmlN1IXGGAfLYsQwK6wAu7kYFzkqP4jcwc5Jr9UPRpJdYIK733tSEmzab4qc5Oq8izKQKIaxXNe7FgmL15HjSpatFt9w/ot/CHS78FUAr3j3RwekHCm/jhPeqhlMAgC+jUgNJbFt3DlhDaRMa0NYamVzmX8D47rtmBbEDU3ld6AezWBPUR5Lh7ODOwlfVI58NAf/aYNlmvl2TZiauBCTa7OPYSyXJnIPbQXg6YQlDknNCr0K769EjeIlAfY87Z4tw=="""

if not knows_about_web_sf_net():
    ssh_dir = os.path.dirname(KNOWN_HOSTS)
    if not os.path.isdir(ssh_dir):
        os.makedirs(ssh_dir, 0o700)
    with open(KNOWN_HOSTS, "a+") as append_known_hosts:
        # start on a fresh line so an existing entry is never corrupted
        append_known_hosts.seek(0)
        existing = append_known_hosts.read()
        if existing and not existing.endswith("\n"):
            append_known_hosts.write("\n")
        append_known_hosts.write(sfkey + "\n")

# Pass scp an argument list rather than a shell string, so nothing copied out
# of the URL is interpreted by the local shell.
cmd = ["scp", "{host}:{sftppath}".format(host=SF_HOST, sftppath=sftppath), "."]
print(" ".join(cmd))
sys.exit(subprocess.call(cmd))
```
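Before letting the script pin that key, it is worth checking it against the fingerprint list Sourceforge publishes over HTTPS. The helper below is an added example, not part of the script above: it decodes the key line's SSH wire format (RFC 4251 strings), confirms the blob really is the declared ssh-rsa key, and prints the SHA256 and MD5 fingerprints in the same formats `ssh-keygen -lf` and `ssh-keygen -lf -E md5` use. Python 3; the key line is copied from the script above.

```python
import base64
import hashlib
import struct

# Pinned host key line, copied from the sfkey in the script above.
SF_KEY_LINE = "web.sourceforge.net ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2uifHZbNexw6cXbyg1JnzDitL5VhYs0E65Hk/tLAPmcmm5GuiGeUoI/B0eUSNFsbqzwgwrttjnzKMKiGLN5CWVmlN1IXGGAfLYsQwK6wAu7kYFzkqP4jcwc5Jr9UPRpJdYIK733tSEmzab4qc5Oq8izKQKIaxXNe7FgmL15HjSpatFt9w/ot/CHS78FUAr3j3RwekHCm/jhPeqhlMAgC+jUgNJbFt3DlhDaRMa0NYamVzmX8D47rtmBbEDU3ld6AezWBPUR5Lh7ODOwlfVI58NAf/aYNlmvl2TZiauBCTa7OPYSyXJnIPbQXg6YQlDknNCr0K769EjeIlAfY87Z4tw=="


def read_ssh_string(blob, offset):
    """Read one length-prefixed string from an SSH wire-format blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def inspect_host_key(key_line):
    """Decode an OpenSSH known_hosts line and return the facts worth checking."""
    host, declared_type, b64 = key_line.split()[:3]
    blob = base64.b64decode(b64)
    wire_type, offset = read_ssh_string(blob, 0)
    # The type string inside the blob must agree with the declared type.
    if wire_type.decode("ascii") != declared_type:
        raise ValueError("key type mismatch")
    if declared_type != "ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled here")
    e_bytes, offset = read_ssh_string(blob, offset)   # public exponent
    n_bytes, offset = read_ssh_string(blob, offset)   # modulus (mpint)
    if offset != len(blob):
        raise ValueError("trailing bytes in key blob")
    return {
        "host": host,
        "type": declared_type,
        "exponent": int.from_bytes(e_bytes, "big"),
        "bits": int.from_bytes(n_bytes, "big").bit_length(),
        # ssh-keygen formats: base64 without padding for SHA256, colon-hex for MD5
        "sha256": "SHA256:" + base64.b64encode(
            hashlib.sha256(blob).digest()).decode().rstrip("="),
        "md5": "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest()),
    }


if __name__ == "__main__":
    for name, value in inspect_host_key(SF_KEY_LINE).items():
        print("%-9s %s" % (name, value))
```

Compare the printed fingerprints with the HTTPS-published list; a mismatch means the pinned key should not be trusted.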