[Sparkle] Appfresh abuse

Charles D. H. Williams developer at macspice.com
Thu May 22 17:07:40 PDT 2008


I am experiencing problems caused by an application called AppFresh 
which appears to be becoming quite popular and is already costing me a 
significant amount of bandwidth. This is because a lot of people 
download my application (MacSpice), never get to grips with it and have 
it lying around for a rainy day. I publish frequent updates.

I only want users to check my AppCast and download my application if 
they have actually run it recently. AppFresh seems to want to download 
every update even for dormant users. This is wasting an 
ever-increasing amount of BW and is interfering with my ability to 
collect usage statistics.

I contacted the developer of AppFresh and asked him to modify the 
behaviour of AppFresh slightly and his reply was less than cooperative:

"I'm sorry if AppFresh leads to more downloads of up-to-date software, 
but that's exactly what our goal is."  "May I suggest using Amazon's S3 
hosting service ... hosting costs have never been an issue for me ... 
You might want to ask for donations on your website to cover the 
bandwidth costs incurred by the users of your software ..." "Should you 
choose to block the download, we'll be happy to inform complaining 
users about your decision, or we might need to stop using an 
AppFresh-specific User-Agent string to ensure user happiness."

Now, I am entirely happy to provide free downloads for active users 
(i.e. ca 2% of installed copies) of MacSpice but I object to having to 
cover the bill for AppFresh pointlessly inciting potentially ca 50,000 
dormant users to download every minor release versions which often 
appear at weekly, sometimes daily, intervals.

As its author has threatened to use fraudulent User-Agent strings to 
defeat simple attempts to block AppFresh, I think it would be prudent 
to install some anti-parasite protection into Sparkle. I have in mind 
some form of authentication/authorization mechanism perhaps like a 
simplified form of Kerberos.

What do others think?

Charles


