It's very heavy handed. It has not been 100% verified that the site was compromised, and a lot of very technically smart PHP community members are looking hard at this. It may prove to be a false positive or otherwise, but in the meantime:

1. Google is blocking access to the site in Chrome.

2. Firefox is warning users that php.net is not to be trusted (it uses the same list of infected sites provided by Google).

3. Google is warning users on Google Search that "This site may harm your computer.".

4. Google's appeals process is slow and cumbersome.

So yeah, that is a lot of power for one company.

If this happened to your website due to, for example a false positive, you would be pretty unhappy. Only a high profile project like PHP gets this kind of attention, but I'd happily wager that many smaller websites suffer the same faith every day.

This is exactly what happens when your website serves malware. Unhappy about it? Don't serve malware from your website.

When your website serves what Google considers malware, you mean.

And what about the false positive scenario?

A site we once had under development was incorrectly flagged. I reported the error via the webmaster tools and after less than 20 minutes, the warning went away.

I don't know. Any examples? Perhaps, you should ask the victims of such false positives.

If you can find any.

Google doesn't notify anybody, you have to find out for yourself the hard way.

And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged. And that is after the owner even figured out how and where to contact Google.

Yes, they do. If you've signed up for Webmaster Tools, you'll get notified by email.

They don't force anyone to sign up. If you do nothing other than fixing your website, eventually Google will check it again and remove from blacklist.

Seriously, what's your complaint? If you don't want to get blacklisted, don't let your site be hacked. If your site is hacked, and you're complaining that Google blacklisted it and notified you about it, you're dumb.

And guess what -- they provide this service (and also pay the real person to review your re-listing request) for FREE.

Google sends out emails to a bunch of different addresses like webmaster@domain.com, abuse@domain.com, etc and notifies anyone signed up through Google Webmaster tools. The only improvement I can think of would be if they notified whoever was listed after doing a WHOIS of the domain but that's a little hard to automate.

>And after that, it forces the owners of the site to register with Google and use Google services just to even figure out why, and to get their sites unflagged.

Google forces you to prove that you own the domain before they give you any information that they don't release publicly. How else do you suggest they go about not releasing everything publicly? Also, all you have to do as a site owner is click on the safe browsing diagnostic link and go from there.

In our case the email alerts went out 12 hours after they identified our site and started giving the warning to users. We got several calls from customers before being notified by Google.