In my younger days, I made great use of CNET’s download.com website. It was an excellent tool for finding legal software. Apparently, it has also become an excellent tool for finding malware. An article posted to insecure.org describes how CNET has begun wrapping packages with an installer that bundles unwanted, potentially malicious software with the desired package.
This is terrible, and not just for the obvious reasons. It’s bad for the free software community because it makes us look untrustworthy. There’s a perception among some people (especially in the business world) that software can only be free if it’s no good. I suppose that’s one reason some in the community use “libre” to emphasize the free-as-in-freedom aspect. (Of course, not all free-as-in-beer software is free-as-in-freedom. That’s another reason the distinction can be important.)
When this conveniently-bundled malware causes problems for users, it’s not CNET who gets the blame. Users will unfairly blame the package developer, even though the developer had nothing to do with it. For well-established and well-respected packages like nmap, this reputation damage may not be that important. For a new project just getting started — or for the idea of free software in general — this can be devastating.
How does this compare to FileHippo and Ninite?
Ernie, that’s a great question. I’ve not used either of those sites, but the Insecure.org page explicitly lists both of them as “superior alternatives” to download.com, so they’re either not doing it or they haven’t been caught doing it.
I’ve used both Ninite and FileHippo – definitely worthwhile. I’ve never had any problems with anything download from them. Ninite is a fully automated installer and does not install any extras that the developer offers either (toolbars and other junk).