It sounds more like a SourceForge issue than FileZilla. SourceForge used to provide clean binaries, but I guess they changed that process in the past year or two to bundle apps in the installer wrapper. You need to be extremely careful during the installation process to make sure that you do not accidentally install some extra software. The same happen to uTorrent - they also added tricky question during the install process to include advertisement, change default browser and such. That's a sad way to earn money - the end-users will definitely move on because of that.
FileZilla could choose to move away from SourceForge, to be honest - any party staying with SF after stunts like this (and this isn't the first one) are as corrupt as SF themselves are IMO
is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases
Unfortunately it must work because people keep doing it. If it didn't increase revenue companies would stop doing it.
It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.
If SourceForge want to stay afloat, they should reinvent themselves as a decent GitHub alternative or pivot. Bundling malware for kickbacks and keeping the old site design won't take them anywhere good.
