Something came up last time Sourceforge was discussed here, namely "why are projects still using it?"...
I'm the project lead for LXQt (http://lxqt.org). We inherited some infrastructure legacy from LXDE, which was hosted on sourceforge. Today, we have moved most of the legacy to Github but we're still using Sourceforge's mailing list system.
We're moving to a self-hosted mailman3 instance but it's been excruciatingly painful. Email is not fun to deal with.
So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists.
This model can work. It's not unheard of either (cf. Discourse), but it just hasn't been executed properly yet, or is forum-only and does not support email properly. Right now, the UX of mailing list software is like IRC's. Very raw. If it were made more seamless, more approachable, overall easier, it would have a similar effect as Slack has had on unthreaded-async-topical-conversation.
PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge as a malware risk.
High-profile projects actually can't stop. If you attempt to stop using Sourceforge, they will consider your account "abandoned" and continue mirroring the new site and serving downloads with their malware dropper included. So if you want to keep the malware out of your releases, you need to maintain control of your project by keeping SourceForge up to date.
Since they used to be the official source, their repositories tend to have very high PageRank and they're essentially cashing in on it. Since the content they host is open-source, this is technically legal, but it's scummy as all hell.
When I had a project that I started on sf and later moved off, I kept the sf project technically alive, but removed all downloads. I updated with links to the project site.
This was a BlackBerry project, though, and it wasn't something you could install on a desktop - that may have been a contributing factor, but I never had any problems with them continuing to host the content after I deleted it.
"Since the content they host is open-source, this is technically legal, but it's scummy as all hell."
If the project is licensed under GPLv3 (or any other strong copyleft license), wouldn't they be illegally hosting it because they are bundling their malware dropper with software that isn't compatible with the license?
If there was, it wouldn't be open source. The Open Source Definition explicitly prohibits any license that restricts simple bundling [0]:
> The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Same with the Debian Free Software Guidelines [1]:
> The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Yeah I still can't believe how scummy sourceforge is. I wonder how new oss projects can protect themselves against this type of behavior. Anyone know if any oss licenses include a restriction against this kind of repackaging or any kind of malicious use clause?
In reality though there's a reason there are many different OSS licenses - many devs want options around attribution and yes, around use in limited ways. A please don't use this for abject evil clause may not meet the no true open source dictionary definition, but pragmatically speaking it's not necessarily a terrible idea.
Then we should all probably point our collective fingers at google. Let's not pretend they couldn't blacklist sourceforge links for pulling this kind of BS.
The cool thing about D's forums/feed is how amazingly fast they are. I wish more web apps were designed like this, with a fast backend framework.
Instead, it's all either slow, slow backend frameworks like Ruby, or even worse, these SPA applications that require extensive client-side JS processing before they show you the goods.
Node is a step in the right direction for both problems: for the first, Node-based backend applications are faster than Ruby and Python, and for the client-side rendering problem, because Node can pre-render these SPA apps (which everyone should do for a serious production app that uses a framework/library like AngularJS or React for major client-side rendering).
But a server application based on D or Rust, or even Go, is an even better solution to the slow backend framework issue. Unfortunately, no one has yet created a full-service framework like Rails or Django for any of those languages.
The language used for a server backend is far from a guarantee of efficiency and performance. It's very easy to write a D or Rust backend that doesn't optimize queries and handles caching badly; you'll get just as terrible response times from those as you would on the "typical" slow websites that you refer to.
According to a quick check the forum.dlang.org initial page view takes 200ms. ruby-forum takes 738ms. If you want to talk RUM/page load metrics forum.dlang.org takes 800ms for the load event to fire, the ruby forum takes 1.6s.
The individual posts load really quickly, but the main page doesn't (well not as fast as the other one mentioned). Either way, both are fast and I wish more websites were like this, not just forums!
> Instead, it's all either slow, slow backend frameworks like Ruby, or even
Usually this is a matter of bad coding or overprovisioning of whatever is being used to host the site and the DB. Most maintained languages running on modern hardware can sustain reasonable loads without any significant performance issues. While client-side bad-performing frameworks abound, the last I looked into it, Ruby+Rails isn't that much worse or better than any other.
It depends heavily on what you are doing.
Most CPU-intensive tasks are fast on everything. However, on memory-intensive applications Ruby and Python are really, really awfully slow.
Excessive pagination is annoying, but speed... the speed is amazing. 240 ms from initial mouse click to fully rendered page. Due to fast response, I really liked to use that site.
Regardless of the above, we're gonna be doing a significant push for better mailing list features during the months to come, so any feedback you or any other open source projects may have, please nudge me on meta.discourse.org or send me an e-mail (my first name, erlend, at the company domain).
"So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists."
Uggh ... really ?
So the simple, clean, extremely fast loading HTML indexes of mailman/majordomo[1] aren't going to do it for you anymore ?
Yes, I was getting so tired of one click getting me to a nice, clean index, ordered by year and month, and loading near-instantly. What a pain that's always been.
I'm not touching your lawn. I'm not even in the same city. If what already exists does the job for you, good on you. It doesn't for us, and many other projects.
I'm not suggesting the existing software to change, I'm suggesting something new. Pitching something that doesn't exist today (the D-Lang forums linked here come quite close though). Our goal is to merge our current forums with our mailing list and not have to maintain both separately.
So I'll thank you to get off my damn lawn, you and the seven crates of entitlement you carry around.
I agree. Mailman is fantastic as it is. There's a technical brevity and image it gives off, and that's an important aspect of design. This isn't really a statement about usability or what's beautiful in design.
I design user interfaces and creating a new UI for basically what mailman does would really just be an attempt at grabbing a different target audience.
mailman has an image behind it. People associate with different images, and certain looks and feels make certain people gravitate towards them.
The type of people I would want in my mailing list are the type of people that appreciate how mailman looks as-is.
I try to practice great design where it matters most. A reskin of such software would be more aligned with the goals of junior designers and people who rehash weather apps with nice gradients on dribbble.
You're not telling me no, most specifically because I'm not pitching this to you. You're telling yourself no. You say you don't need it, and extrapolate your view of the world to everybody else's.
"It is a place for FOSS communities to discuss all the things they want without ads, censorship, signup requirements, bundled apps, or requirements that you use any particular email client or service."
Self-hosting seems like an overreaction for most open source projects. I would just make regular backups/exports. Dealing with spam filters etc. is a nightmare.
My project is using Google Groups just fine. Do not list your group in the public directory, to prevent spam.
Redis is moving from mailing list to Reddit. That seems to work for them.
Isn't this what Google Groups is used for? (what's different / lacking there? I'm of the age where I remember SourceForge as somewhere I would sometimes download things from as a young teenager but nothing more than that)
Yes, Google Groups is very close to what's needed - unfortunately, it's proprietary and Google doesn't really maintain it; it's only a matter of time before it goes the way of Reader.
FWIW, Google Groups powers email distribution lists for Gmail for Work. Or at least, the two are strongly linked.
At this point, unlike Reader, there's real cash behind the functionality. It's possible they could just fold it into Gmail, I guess, but with other mail interfaces like Inbox popping up in the Google ecosystem it seems if anything they're trying not to shoehorn too much more into a flagship product.
My guess is Groups will stick around for a while yet.
As someone using Gmail for Work: This is one of the things I absolutely detest about Gmail for Work. The Groups interface is absolutely horrendous, and we don't want groups, we want simple email distribution lists.
Also, Groups doesn't have the ability to import archives from my previous list. (I'm in exactly the same position of wanting to migrate away from SourceForge, and the mailing list is the last thing remaining.)
How would you replace them? (Please don't say Slack. That is just _not_ a good replacement, especially for projects that need publicly searchable archives.)
IMHO a publicly/semi-publicly logged irc channel would do just as well, but that's even more oldschool.
The alternative is pretty much only online forums. Which IMO doesn't offer a lot of advantages, and most forum software is exceptionally bad (though yes, a few new and nicer ones are coming along)
None of them appropriately support mailing lists, though. Email-based communication is a big deal for devs which contribute on maybe 5+ projects at once and have to manage comms in one central place.
As for Discourse's mockery of a mailing list mode, let's not even talk about it.
Are you familiar with DFeed [1] used by the D-Lang forum [2]? It is, in my opinion, one of the most usable web frontends for mailing lists (as well as a few other sources).
If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.
GitHub has email notifications for issues, but you can opt out of any particular discussion if it gets too pedantic or doesn't relate to you. This helps massively reduce inbox clutter.
The thing that bugs me about mailing lists the most is you get all the email, all the time, forever.
> If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.
This is a total non-issue. Mailing lists support daily digests if you want that, and email clients support folders and filters if you want that instead. Nobody managing 5+ mailing list-based projects at once is dumping all of that into an unsorted inbox.
Mattermost is a free and open-source alternative to Slack, giving users publicly searchable archives, great for sending images, files and code in chat. http://www.mattermost.org/
Mailing lists are not just about issue tracking (and really shouldn't be about it). There's general discussion on them, release announcements, etc. pp.
"Why mailing lists are still quite massively popular in 2015?.."
Because (your email client) is always going to be much, much faster and easier to navigate than "some dudes cute forum setup".
Replying to and managing conversations is much easier when you can do it with one or two keystrokes rather than mousey-mousing ten clicks all over the place (and oh their ad tracking js is stalling out again...)
I maintain that all web forums should have a mailing list interface so that you can use the forum without using the web at all ... but I suppose that breaks their revenue model ...
You can look at it this way: They're doing something that people want and which cannot be achieved through other means. What alternatives do you suggest?
(Personally, I use GMANE+NNTP for mailing lists, and NNTP is probably better than plain (public!) mailing lists for most purposes, but unfortunately that ship has sailed.)
> Why mailing lists are still quite massively popular in 2015?..
IRC is still an underused tool in my opinion. The ability to just talk about one issue in a Mail List and keep track of the communication is great. I can't think of another tool that manages communication as well as a mail list (Forums are just not as good in communication notifications like a mail list.)
P.S. I still hate Mail List and don't use them anymore but nothing does it as well right now.
IRC, like other chat and IM tools, is synchronous. That is useful to get an issue solved quickly. But mailing lists are asynchronous. People can think before answering and don't have to be around at the same time. Also, the threaded nature of mail makes it better for archiving discussions and referencing them later. An IRC log is full of other noise and has little structure.
If I want long-form messages delivered asynchronously, what other choices do I have (forums?) and why are they better than mailing lists? (everyone already has an email client.)
I have to ask, is the question because you don't understand the value of the communication? There is definitely a type of greenhorn coder that doesn't and has never worked on anything with the scale to understand it.
Or is it because you value the communication differently than the code? We've evolved distributed revision control to handle issues of geography, connectivity, and work styles effectively, allowing you to be self-contained and then collaborate (push, pull, merge someone else's stuff) when you are ready to. Email is the only generally available method of communication that works the same way.
I've always found the Sourceforge mailing list archive interface to be one of the worst out there. Sure, it's a lot prettier than the raw, unstyled HTML of the Mailman default but it's just not nearly as usable.
Savannah provides mailing lists. I don't want to advocate savannah too much, because the site isn't pretty, their interface is sometimes strange, they don't default to https, there are lots of reasons not to like it technically.
But it's probably a place where you don't have to expect evils like supporting bundled Crapware. The FSF is behind it.
On Windows, you don't always need a 3rd party FTP program. Windows Explorer (not IE) already does FTP. Just open any folder and type ftp://example.com into the path bar.
It doesn't come standard, not on all Windows flavours. It's a part of "Core networking utilities" package that used to have some really odd dependencies.
You're mis-remembering or something... There's no such thing as a "Core Networking Utilities" package on Windows (never has been) and ftp has been a command line tool since at least Windows 95.
I don't particularly like the built in FTP command line utility (even with scripts). But it has existed a very long time indeed.
Eh, yes, it is. On the Windows 7 Home Basic and Home Premium edition, it’s not pre-installed, and you have to go to System Settings -> Programs and Features -> Install or Remove Features to install it.
I have Windows 7 Home Premium on my Mac via Parallels, and I just typed "ftp" into cmd and it came straight up.
The only packages I have installed are "Media Features" ".Net Framework 3.5.1" "Print and Document Services" "Windows Gadget Platform" "Windows Search" and XPS Services/Viewer. All of which are default features.
Which package are you even suggesting contains the ftp.exe client? Because I don't even see one. Also why would anyone go to the trouble of putting a 47 Kb binary inside of a feature package? It makes absolutely no sense at all.
Are you sure you aren't mis-remembering and were installing the Unix Services for Windows, to utilise Linux-like command line utilities?
As the person said above, ftp.exe has been in Windows since the MS-DOS days, and is a core utility. I've never seen it not be available on any version in any situation.
Now an FTP server definitely needs to be installed. Always has. But we're talking about the ftp.exe client.
ftp.exe should be there, but telnet.exe is no longer installed by default. One must go to "Add/Remove Features" (or similar) and enable it first. Maybe that's what he's confusing it with.
The fact that there are ways to obtain passwords even when they are not stored unencrypted is not really a reason to make it as easy as possible for malware to get every password on your system.
No, you're wrong. If you've run malware on your machine then it's not your machine anymore.
This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counterproductive.
> botg: All third-party offers can easily be declined. Nothing unwanted is being installed without your consent.
Talk like that can only mean that they know about the malware bundling.
Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."
FTP is inherently insecure, everything is transmitted in plaintext. Because the server cannot check a password against a hash (due to the limitations of FTP), the client needs to store the password, and can't keep only a hash.
That being said, Base64 is woefully inadequate, just google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.
If the server checked against a client-provided hash, the hash would become the password, and the attacker could just use the hash as-is to login to the server. Hashing on the client solves nothing.
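Added illustration, not part of the original thread: a Python sketch of the point made in the two comments above, that a Base64 blob or a client-side hash saved on disk is as usable as the password itself to anyone who can read the file. The toy server classes, function names and the sample password are assumptions constructed for the example; the hash-accepting server is the hypothetical scheme the comment describes, not how FTP works.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; not taken from the thread.
PASSWORD = "s3cret-ftp-pass"


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


class PlainPasswordServer:
    """Toy stand-in for a server that expects the password itself (as FTP does)."""

    def __init__(self, password):
        self._password = password

    def login(self, presented):
        return hmac.compare_digest(presented.encode(), self._password.encode())


class HashAcceptingServer:
    """Hypothetical scheme from the comment: the client sends SHA-256(password)
    and the server compares it with the hash it stores."""

    def __init__(self, password):
        self._expected = sha256_hex(password)

    def login(self, presented):
        return hmac.compare_digest(presented.encode(), self._expected.encode())


def save_credential(password, scheme):
    """What the client writes to its settings file under each storage scheme."""
    if scheme == "plaintext":
        return password
    if scheme == "base64":
        return base64.b64encode(password.encode()).decode()
    if scheme == "client_hash":
        return sha256_hex(password)
    raise ValueError(scheme)


def login_value_from_file(saved, scheme):
    """What anyone who can read the settings file can present to the server.
    No key or secret outside the file is needed in any of the three schemes."""
    if scheme == "base64":
        return base64.b64decode(saved).decode()  # encoding, not encryption
    return saved  # plaintext is the password; the saved hash *is* the credential


def file_reader_can_login(scheme):
    """True if reading the saved file alone is enough to authenticate."""
    saved = save_credential(PASSWORD, scheme)
    if scheme == "client_hash":
        server = HashAcceptingServer(PASSWORD)
    else:
        server = PlainPasswordServer(PASSWORD)
    return server.login(login_value_from_file(saved, scheme))


def audit():
    """Run the check for every storage scheme discussed in the thread."""
    return {s: file_reader_can_login(s)
            for s in ("plaintext", "base64", "client_hash")}


if __name__ == "__main__":
    for scheme, ok in audit().items():
        print(f"{scheme:12} file contents sufficient to log in: {ok}")
```

What changes the outcome is a secret that is not in the same file, such as an OS keyring entry or a master password, which is the remedy another comment in this thread points to.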
How would that work? If you would use a private key to authenticate to the server you would still need to protect this key with a password. Otherwise stealing the private key will get an attacker access to the server just as simply.
The client needs them in plain text to be able to connect. "Remember password" is a feature, there. Like I said, correct solution is to use the keyring, but the dev team is incompetent, so ...
I stopped using Filezilla on Windows a while back, due to this and other issues (passwords stored in plaintext, etc.) and switched to PSFTP and PSCP, which are MIT licensed and offered directly from the developer's page[1]. However, reading this article reminded me that Filezilla was actually still installed on that box, just not in use, so I decided to uninstall it while it was on my mind. Immediately after uninstalling it, it tried to force a shutdown on my computer. The only reason I was able to stop it was because I had a process running in the background that wouldn't terminate and I was given the choice by Windows to force shutdown or cancel.
Now, I've only ever installed it from ninite.com[2], so I know it didn't initially have the Sourceforge trojan/adware junk. However, I've since allowed it to download its own updates instead of doing it manually through the Ninite downloader. I've never, ever seen a program I've uninstalled via the Windows Control Panel with the ability to force a shutdown or restart without first notifying me or giving me the option to postpone. I'm starting to think there's something nefarious in Filezilla itself, perhaps in one of those "direct from the developer" updates, not just the Sourceforge wrapper.
Another interesting thing is that the built in Filezilla updater will first uninstall the app before reinstalling the updated version, and it never tried to restart or shutdown the computer during those updates, only during uninstallation from the Control Panel.
[2] Ninite strips out any malware or other crap from the installer and only installs the pure program with default settings, in the background, and sources the app directly from the developer's site when possible. It's my go-to tool for essential Windows utilities.
You are linking to uBlock Origin ("uBO") -- that filter list is specific to uBO. The other "uBlock"[1] (abandonware) does not support strict blocking, which is what blocks SourceForge.
Sorry if I didn't make myself clear; what I was trying to point out is that for uBlock Origin to block Sourceforge, the badware risk filter list has to be enabled. Also, I suppose this list can be used with other blocking software.
Oh and gorhill, much much thanks for your time and work on this.
Unfortunately Filezilla has had this trojan for some years now!
The trojan sends all your identities to a server. This is tested 100%. We had many passwords stolen this way and we are 100% sure that it's Filezilla.
Just take this test: Try to download the Filezilla and when the download page shows click on the Direct Link. Then compare the two executables, one that downloaded automatically and the one that it downloaded via the direct link.
You will see that the direct download is clean but the other has the SF icon and it has a virus!
That's a pretty serious claim. Do you actually have evidence to prove it was FZ? Just because the SF executable includes spyware doesn't mean it's disclosing passwords.
You are kidding right? And what do you think that spyware does? They steal passwords!
Our DC warns us of stolen passwords every time a client is using this exactly "touched" version of FZ. The DC is informed by a security firm and 100% of the situations is the Filezilla that steals them!
You're 100% sure? I would expect to see registry diffs before/after FileZilla was installed, disassembled code of the subroutine accessing your passwords in the malicious program, and a network packet capture of your data being sent over the wire.
It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.
So SourceForge has gone from terrible to (somehow) even worse than that.
It makes me wonder; why don't we have a good site for Windows programs yet?
Ideally, it'd be run by volunteers (not a company with a profit motive), would manually moderate the programs posted to it (and remove any adware/spyware/bundled programs by force if necessary) and tell every malware-ridden sleazy ad network to sod off.
It exists in more niche subject areas. If I look for game making resources, a lot of those sites actually do proper moderation and try and make sure viruses aren't present in uploads. Places like MFGG are pretty good about this. So why don't we have that for software in general?
I mean, there's GitHub and package managers, but it's disappointing how this market has no honest people in it.
It's not just Filezilla or sourceforge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company Perion. I followed that rabbit hole last year, Lenovo point blank refuse to acknowledge it is spyware.
And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.
They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.
Oh, and here is an article that confirms the autoupdate:
You should generally not trust preinstalled OSs, regardless of vendor. Most (all?) of them shovel crap in there, often because they get paid to do it. It's sad, but it's just the world we live in.
The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).
It's done intentionally to make the owners a bit of money. They have direct download links on their website (click show all on download page), avoid the green Sourceforge link.
Yes, all the downloads are hosted on Sourceforge, but Jonnerz is pointing out that the additional links come without the Sourceforge wrapper (the links will have "?nowrap" at the end).
We all wish FileZilla would just drop Sourceforge completely, but at least the non-wrapped versions are still available.
I use WinSCP. I cannot say much about technical differences, but it has worked well for me.
Also, PuTTY comes with a SFTP/SCP client, and unless there are strong reasons you cannot use SFTP, it is a lot better than FTP, security-wise (does not transmit passwords in plain text and allows using cryptographic keys rather than passwords; in fact, on OpenSSH you can configure the server to deny password authentication completely; and the entire connection is encrypted, of course).
It's funny, I already use WinSCP but for SSH and SFTP connections to Linux servers; it didn't even occur to me that I could use it for regular FTP too. Thanks.
Not only that, but the FileZilla Admin is posting in that thread denying any claim that there is anything wrong with the installer, despite repeated reports from multiple users.
FileZilla is maintained by people who want to push spyware to you because it's how they get paid. This isn't an accident.
SourceForge are adding the malware but the FileZilla people are acting as if it's not a problem and refusing to help people / accept that there is an actual virus in the executable they link on their site.
"It's not our problem, it's SourceForge" - stop f'ing using SourceForge then!
Their ambivalence and complicity in distributing this malware is probably the behaviour GP was talking about.
His statement about alternate download links was also incorrect, because I was asking about Filezilla server, which I could not find anywhere but sourceforge.
Well - you are trusting that Ninite doesn't include any crapware / malware, but until now I haven't had any problems with it. Makes updating Java Runtime much nicer too.
I think you can avoid the virus by downloading the zip but as I said I don't want to support this kind of behavior, so I have uninstalled Filezilla from my computer and will uninstall it on all computers at work too.
The Filezilla forum admin in that thread obstinately blames users for "accidentally" accepting a bundled "offer", when users are clearly warning project admins that the installer is infected with malware.
Does sourceforge share revenue from bundled installs with projects?
so yeah, it seems like there's kind of a conflict of interest here. if there's no way for a user to know whether the project opted in to revenue sharing, then how can they trust the project?
in other words, in my view, a project that opts in to revenue sharing with crapware bundlers who are known to sometimes distribute malware is behaving unethically.
so now i don't trust filezilla devs in general, even if i get a package signed by my distro or whatever. very disappointing. worse still, it makes projects that didn't opt in suspect in my view, simply because they are on sourceforge; if i can't find out whether they opted in, how can i know any project isn't taking kickbacks?
For your information, currently sourceforge "usually" only bundles the crapware with projects where either the person opted in, or where sourceforge has "seized" the repo.
If it bundles crapware, and the maintainer listed on sourceforge.net is sourceforge itself, they didn’t opt in.
There's the argument that if someone has access to the passwords then they've already got enough control over the computer to do whatever other damage they like - like reading them out of memory after they're decrypted.
Base64 at least provides some protection against somebody looking at it with their eyes and memorizing them, which is perhaps a more likely scenario - family members, kids, etc.
Base64 provides no protection from malware that infects your machine and actively looks for this kind of stuff. Stored passwords from websites, ftp programs, key safes, etc.
About two hours ago I pondered installing the Diffuse merge tool[0] on a Windows box. Then I noticed that it was hosted on Sourceforge and thought "nah, not really worth the risk". Now that I see this post I feel even more content that I avoided Sourceforge.
What really gets me is the glib attitude of the FileZilla maintainers to this news. Whether trojan or adware, the "just uncheck the boxes" mindset is rather insulting.
Move your stuff off Sourceforge! What the hell is wrong with your people?
It's funny, I literally just messaged the maintainer of the Minibian project, politely asking that he move the Minibian project away from Sourceforge, when I saw this post on HN. It's too bad to see Sourceforge ending up like this, after it was so useful years back.
Slightly O/T, but has anyone experienced similar problems with downloads from PortableApps.com? They use SourceForge as well, and I am now hesitant to recommend PortableApps to friends and co-workers.
It would seem that more projects would benefit from running their own free software on their own virtual server infrastructure. A decade ago, there was GNU Mailman and it's still around - http://www.list.org.
Yes, this means that a self-contained project needs the funds for basic hosting and also someone with system admin experience. But that should not be unreachable for major projects.
a) Certainly if a site is distributing malware/virus/trojans it needs to be flagged as such -- whether it is intentional or not.
b) Sourceforge's policies indicate it is no longer a trusted source for official files, and it is probably being ranked far too highly on Google and other search engines.
c) If Dice fails to promptly and adequately address the distribution of malicious files for profit the appropriate government agencies should become involved.
Please don't recommend chocolatey for this reason. While it's excellent, you should probably check the install file first: https://chocolatey.org/packages/filezilla (and click "show" on "tools\chocolateyInstall.ps1")
You don't see the installer UI, but it still downloads from sourceforge because that's where the executables are stored.
After the last Sourceforge malware-bundling debacle (Can't even remember who it was at this point--someone who said Sourceforge seized their repo from them and then repackaged it with malware), gorhill added Sourceforge to the uBlock blacklists.