I wonder if they're actually more worried about having the EU go after them legally if some EU member loses data or money directly because of that malware?
A lot of AV engines use crowdsourced classifiers like virustotal to flag “potentially unwanted applications (PUA)” as a threat and quarantine, but the term “malware” is a category reserved for destructive or criminal application behavior. I’m not convinced that is what was or is bundled with “sponsored” Filezilla installers.
At some point the bundled adware was apparently something called OpenCandy related to ask.com, and the developer of FileZilla is alleged to have concealed rather than disclosed it.[2]
The adware-free installer was/is reported to be available for download freely on the same site, but for the extra browsing effort.
[1] https://web.archive.org/web/20190526065704/https://forum.fil...
[2] https://malwaretips.com/threads/sourceforge-net-adds-adware-...
Fundamentally, malware is about deception. If the user understands what is being done and why (we're tracking everything we can, then selling that to everyone) then it's not malware. The typical adware hosted on FileZilla shows a screen in the middle of the install process with multiple paragraphs of text in a font smaller than everything else, which vaguely refers to ad supported software and a link to a privacy policy that nobody reads or understands.
I don't know if there's a legal definition of malware, that's definitely malware in my understanding of the word.
Naturally the whole time they've tried to paint themselves as innocent victims, and wouldn't people PLEASE just try running the malware themselves to find out it's all an innocent misunderstanding.
Meanwhile, the several in-depth analyses of the various "extra" payloads delivered by their installer always come to: "It's 100% malware, delivered using evasion techniques that try to avoid system/virus detection, and have no place in legitimate software. DO NOT use this".
Please don't fall for their bullshit.
As an active user of FileZilla, can you elaborate on this? Any links or sources where I can read about it? Thank you.
I have had trouble understanding the push for EVERYONE doing HTTPS even on localhost because "security". Boo.
I live in a place where by law ISPs need to have DPI. They can access any communication regardless of SSL or HTTPS or anything in between, so why should I bother with the added nonsense of "much security" when it is not supposed to even work?
I understand there are attempts to make HTTPS transparent when it works, but why should that not be restricted to banking transactions or login pages and payment links? Again, DPI.
Now this Cyber Resilience Act, which I am assuming wants to "security".
What kind of security?
> And what makes matters worse is that the type of open source organizations most affected are also exactly those that, today, tend to have very mature security processes, with vulnerabilities getting triaged, fixed, and disclosed responsibly with CVEs to match. While it generally is further downstream, with the companies that place the product on the market, that the CRA needs to drive significant improvement. It now risks doing the reverse.
But all organizations (ECLIPSE, LINUX, ...) raised alarms
https://news.apache.org/foundation/entry/save-open-source-th...
Edit: https://nitter.kavin.rocks/search?f=tweets&q=cyber+Resilienc...
> There is of course an elephant in the room: the well-oiled mechanism that “The internet treats censorship as a malfunction and routes around it” (John Perry Barlow).
The parliament position reads:
> Only free and open-source software made available on the market in the course of a commercial activity should be covered by this Regulation
> Whether a free and open-source product has been made available as part of a commercial activity should be assessed on a product-by-product basis, looking at both the development model and the supply phase of the free and open-source product with digital elements.
> (10a) For example, a fully decentralised development model, where no single commercial entity exercises control over what is accepted into the project’s code base, should be taken as an indication that the product has been developed in a non-commercial setting.
Which law? I know ISPs in India are mandated to record session information but I haven't heard of DPI being mandatory.
> they can access any communication regardless of SSL or https or anything in between
No, DPI can't magically break encryption. Your ISP can't access encrypted content.
They can if they require you to install a certificate and they man-in-the-middle everything.
Of course this would be difficult because existing contributions can't be relicensed. But they could maybe start accepting new patches with a non-Europe license. Or does the GPL prevent this, as they are building on GPL code and need the same license? I doubt the EU would be OK with running on outdated Linux or trying to maintain their own.
There is a provision in section 8 of the GPLv2 that allows excluding certain countries, but it can only be activated in the face of copyright or patent restrictions on the distribution of the software. IANAL, but one approach to activate this provision might be to implement a patented technique within the kernel, for which the patent licence only allows implementations outside the EU.
Also, I don't see the problem myself:
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
I'm not sure where people get the idea that donations are considered commercial activity. Support subscriptions and such make you liable (but I don't see why that would be a problem). Ubuntu's Snap store is a platform through which the manufacturer monetises other services. Half open source (i.e. FileZilla Pro) also counts as closed source software, of course.
Most of the protests seem to come from people who operate a business that sells their open source software and wants to remain off the hook to get an advantage over their closed source competition.
You mean the European Union. The rest of the world will be fine.
If the EU wants this, they should use part of their budget to fund it.
This is the same argument for businesses using FOSS, if you want support, pay for it, otherwise you get what you pay for.