This is the sort of behavior you get from a company that's lost, and is now trying to extract every penny they can from whatever shenanigans they can get away with.
If they have no future brand value to be concerned about, then, from a game-theoretic approach, it's actually a pretty rational profit seeking move. (As long as they don't incur any downstream liabilities from outright illegal activity for which they might be fined, or successfully sued - if there is any entity left to sue)
Of course, the game-theoretic response from the entire internet community is to make sure they never, ever, for any reason whatsoever, ever click on a link that starts with "sourceforge.net"
Has Archiveteam, Internet Archive or anyone else taken a shot at mirroring Sourceforge, including binaries? Since its founding there have been a hell of a lot of small projects hosted there whose sites have gone down since. 430,000 projects have been hosted on SourceForge at some point. At least a few tens of thousands of them represent the only remaining copy of a program needed to read a certain sort of data. Maintaining that capability in the face of a company circling the drain represents an extreme historical utility.
Even if you now need a VM to handle the crapware, that's better than losing the apps entirely. If somebody maintained a time-diffed mirror of SourceForge, they could pinpoint the last version before the bundling event occurred in an automated fashion, as well.
We need an open source community website that manages and links to the download mirrors (HEAnet, etc.). There is no need to back up the downloads; just back up the source code and take over control of the mirrors in a friendly way.
This is a bit controversial because people like to remember Sourceforge fondly for some reason, but it was never good. It was merely unchallenged.
Google Code was never good either, but people gladly moved from SF to Google Code. And when something actually good came along (Github), Sourceforge simply vanished.
Sourceforge was never a hero. It was a horrible website, with horrible UX. It always had pretty terrible ads and for the past couple of years it has been repeatedly abusing its users' trust, serving malware, been involved in countless drama.
People remember Sourceforge fondly because the service they offered, for the time, was good.
Everything internet sucked around 2000. Search engines were either semi-curated listings or covered a fraction of what was a much smaller internet. Free hosting was a joke, affordable paid hosting was not much better. Your bandwidth at home was not good and anyway your computer was not the powerhouse it is today - you needed to upgrade just to run the next version of Excel, not to play the next AAA game. A lot of websites had terrible UX.
So Sourceforge was not great, but it offered a great package of functionality that basically solved in one shot all the problems of managing an OSS project and gave one roof under which to search for new tools and libraries.
What happened is that they stagnated and their utility eroded over time, starting with Google removing any reason to have everything in a central place.
>Everything internet sucked around 2000. Search engines were either semi-curated listings or covered a fraction of what was a much smaller internet.
I disagree, and in fact preferred the internet of 2000 to the internet of 2015.
Google search worked fine in 2000: although SEO existed in 2000, it was much less refined and extensive than in 2015. The main problem in search results today is that profit-motivated content crowds out and makes it difficult to find not-profit-motivated superior content.
Not all the changes are bad, of course. Video in particular (not just bandwidth, but the convenience for consumers and amateur producers provided by Youtube) is much better (but text is more important to me than video). A computer with adequate performance is a lot cheaper in real dollars.
>A lot of websites had terrible UX.
I preferred the UX of the web of 2000 to the UX of the web of today. Searching a web page for a string, copying from a web page, then pasting, scrolling, use of keyboard shortcuts, bookmarking (some sites today have all content sharing the same URL, making bookmarking virtually impossible) all were simpler and more consistent across web pages, therefore requiring less deliberative thought to use, and IMHO thereby better.
In other words, on the web of today, I have to direct my attention to the mechanics of the web page, e.g., how to dismiss the interstitial asking me to follow them on Facebook or whatever so that I can start to see the actual content, which keyboard shortcuts have been overridden by the site, how to scroll and whether scrolling even works. In the web of 2000, I spent more of my time and attention on the actual content (particularly, textual content).
For those who remember the web of 2000: what about the UX of the web of today do you prefer? I have a theory that some people are more easily bored than others and that those people appreciate the web of today because the increase in variety, color and motion (of elements on the page) helps keep them from getting bored. Is that it?
(I remember the Sourceforge of 2000, but have nothing to say about it.)
ADDED. I neglected to consider that Wikipedia did not exist in 2000, which significantly changes the balance. I still disagree with "Everything internet sucked around 2000". In particular, I miss web sites created by individuals not expecting to make money from their writings. Although many (most?) of those web sites still exist, they've become vastly harder to find with a search engine because of content farms and other professionally-produced professionally-SEOed content.
You probably mean that you like the good design from 2000 (and well, I share your opinion on that). But there were also the bad ones, and there were a lot of them.
The majority of banking sites required you to use ActiveX, very frequently the shopping websites would use weirdo content plugins or have their content in PDF.
Those were the times of multi-frame abuse, webpages with sound and no control, sites trying to be clever and disabling right-click. Pop-ups everywhere, sites hijacking your browser window and resizing it, moving it around. Stupid cursors that made your computer grind to a halt. Sites designed for 640x480 and nothing else.
Remember the "blog"-like personal websites on GeoCities and the like?
Remember the portals?
What I remember most from the time is how much superior I thought the newsgroups were to find anything.
> Those were the times of multi-frame abuse, webpages with sound and no control, sites trying to be clever and disabling right-click. Pop-ups everywhere, sites hijacking your browser window and resizing it, moving it around. Stupid cursors that made your computer grind to a halt. Sites designed for 640x480 and nothing else.
A lot of these still happen, except they are using different technologies and look slightly different. We have parallax scrolling, Bootstrap-like modal windows, unlinkable single-page apps, websites that screw up "back" button and above all we have pages that require you to download several megabytes of junk and execute tons of JavaScript just to read several kilobytes of text.
Wholly agree on the state of searching. These days pretty much any important words in my technical queries are ignored, and the results end up with the same landing pages for the project I'm searching about mixed in with pop culture trash and autogenerated spam pages rather than anything relevant to the narrower query. It's not a library of knowledge, but a wall of noise.
I've tried eg Yandex and it's not much better, mostly just different (although they do return a good amount of results for things that Google's thought police have vanished). The unfortunate truth is that with the "internet" entering pop culture, pop culture has watered down the Internet.
I was thinking it would be an interesting experiment to take adblock one step further and hack something up that retrieved all the Google results and filtered out everything with any advertising. It seems like I'd come across those hard-wrought dense-knowledge textual pages far quicker, since the author's motivation is to share knowledge.
Any time you have a "theory" about other people that implies that you have a natural superiority to them based on your belief that you have superior taste, you're almost certainly full of yourself.
I can usually stay engaged and interested in static documents consisting of black text on a white background for many hours in a row. Some of the people in my life need more mental stimulation than that can provide, and spontaneously tell me as much. (Their main source of mental stimulation is social interaction.)
What part of that or my other comment implies that I think I have superior taste?
Well "...need more..." implies you are superior because you don't. As well as "... and spontaneously tell me as much." which implies they give you facts you didn't ask for and coupled with the rest of the comment implies you had no interest in knowing i.e. are time wasters.
Wikipedia and Stack Exchange provide only one kind of information. There are several other types of websites that either went extinct or turned to garbage. Dr. Dobbs is a good example. StackOverflow might be the thing that helps you find a workaround for some API stupidity, but you are not going to "read" StackExchange on daily basis.
What's worse is that they never had to spend a penny on hosting open source files; the likes of HEAnet in Ireland paid out of their own pocket (well, me and other Irish taxpayers did in the end) to host terabytes of files and use gigabits on downloads at a time when bandwidth was expensive (10 years back bandwidth cost a lot more, and HEAnet's downloads were always fast; I know the guys used a lot of hardware back then for the mirror to support open source).
This doesn't seem quite fair. I don't remember anything else like sourceforge when it came out in 1999. If you ran a project, you found a host somehow or paid for one, and you effectively managed and set up all of the services. From just the web site for the project itself, to the source code control, to mailing lists and bug tracking if you needed them, forums. Further, colocation was common but VPS wasn't; if you rolled your own host you were on the hook for a computer for it. Now there may have been something else out there but I don't remember it, and sourceforge was embraced because of it. They dramatically lowered the cost and effort of putting an open source project out there. I assume that they basically created the model google code and github and the others have followed.
They've been in trouble, effectively since VA Linux's stock crashed...
Sounds like a wise saying that I've read on every submission about Sourceforge, problem is that I think it is in general bullshit.
If we look back in history, I think there are very few villains that have acted as heroes when starting out. The signs that such companies are assholes are in general there, from the start. As an example, I don't remember a time in which Sourceforge was the hero, as much as I try. Since as long as I remember Sourceforge, it was always the "necessary evil", the nuisance you have to deal with because bandwidth was (and still is) very expensive.
> I don't remember a time in which Sourceforge was the hero, as much as I try
No offense to you personally, but this is a case where it's about grey hair more than ability.
There was certainly a time when Sourceforge was the wham-bam-snickety-snack boom-blam bomb. It was when Slashdot was the Hacker News, when "LAMP" was a new term, when 10Gbps across the U.S. (vs. your living room) was a Big Deal.
> If we look back in history, I think there are very few villains that have acted as heroes when starting out.
This is called playing "I told you so." In reality every organization begins with high ideals then adjusts to reality. The elegance of this transition defines how villainous they've become. Consider McDonalds and Whole Foods. Both seemed delightful at the beginning. We see how McDs is now cancerous (or at least diabetesacious) and Whole Foods is anti-union, but surviving anyway, a "mundane evil."
You can't predict which company will become evil or not.
Well, it was a joke based on a cliche from a Batman film. In terms of wise sayings, it's on the level of fortune cookies.
But the underlying point is similar to "you are the product". People chose Sourceforge because it offered free hosting. It was for a long time the "default" choice, back in the early 2000s. They had banner ads, usually from other Linux companies, and that seemed to pay for it. It was easier to use than FTP sites.
The question always remains: who is going to pay for it? If a company is sinking, then they have only two options, to close it down or to engage in ever-shadier chasing of monetisation options. Can you imagine the outrage if they'd put up a paywall? It's basically the same politics as has made "free to play (with gouging IAPs)" the default mode of paying for mobile apps.
Not sure how profitable GitHub is, but there are users paying for private repositories or for the Enterprise version and the revenues thus far seem to be enough to support the free users as well and to an outsider like me being a win-win situation, since GitHub is now the place to be on, with open-source projects giving them free exposure, with the Enterprise version starting to win against other established solutions because "everybody knows GitHub". I used to be a paying customer of GitHub, now I'm enjoying the free benefits and pushing for the Enterprise edition in my organization. Am I the product in this case?
I do hate the "free to play (with gouging IAPs)" model and I actually prefer ads with an option to go ad-free. However even with this business model there are heroes. See for example Path of Exile, a free game in which the in-app purchases do not have an impact on your ability to win: https://www.pathofexile.com/
I do agree with you, the chosen business model makes the difference. I do believe that ads aren't inherently evil, it's just the status quo that is. Yes, today ad-supported means that we are the product, but this product has a free will, a fact that some companies are forgetting. At the very least there are some signs of change. Google for example is at least trying to play it both ways - you can be a paying customer of Google Apps and they'll introduce subscriptions to YouTube for going ads free (with the ability to cache content for offline viewing on mobile devices being the incentive needed for regular folks).
Github are indeed the heroes of the day and have an enterprise revenue model. So far, so good. But Sourceforge is sixteen years old. Will Github still be the good guys in 2030? It's impossible to know.
SourceForge used to have an enterprise revenue model, too. They bet the company (or at least the name) on it - VA Research -> VA Linux -> VA Software -> SourceForge -> GeekNet -> {Dice and HotTopic^WGameStop}.
SF/VA gave Linus and ESR stock. I believe ESR and several others were on some sort of community advisory committee to them. Part of SF's problem was that they didn't want to pick winners so much as create and facilitate "community"; they had multiple choices for different tools they hosted. They had build servers and such, as that seemed at the time like the problem space (how do you know if your code runs on Itanium?). They made what was at the time an unprecedented effort to engage community and not be evil.
Ultimately someone needs to pay some bills though, a few transactions later and this seems remarkably far from their start. It's embarrassing and shocking.
> I think there are very few villains that have acted as heroes when starting out.
The logical implication in that line flows in the other direction. It's not that every villain started out a hero, but that every hero (that survives long enough) ends up a villain. Of course, it's untestable as there's no limit on "long enough", but then again, it's just a line from a movie...
I remember a time when it was a fantastic resource, that it was one of the primary places to get FOSS - my earliest bookmarked link is for AFPL Ghostscript from 2004. IIRC I started using it around 1999 when I first installed Linux. There was Freshmeat too but that IME had far fewer of the major projects. Searching SourceForge was the best way to find projects for a particular need at the time.
The last FOSS project I downloaded there that isn't available elsewhere was last month.
And ask them to stop mirroring SF because they distribute malware. I don't know how many of them provide the mirror for free though. I remember quite a few universities provided SF mirrors back in the day.
I doubt this would ever happen. A large portion of Google's own ad revenue comes from companies distributing adware. I worked for a company that was in the adware distribution business and we funnelled millions to Google--to the point that we had dedicated account reps at Google who helped us to make sure we stayed compliant with Google's adwords policies so we could keep peddling our adware installers.
No it isn't. The site was relevant before as it served what people needed, and was ranked high. It no longer is serving folks' interests, so it can be ranked lower, or de-listed. Completely fine.
I agree with you. To clarify my slippery slope comment, it applies in general to all users of censorship powers. Who is a fit judge to decide what you and I get to see?
De-listing from Google is basically being taken off the internet, so wielding that power too often might get Big G into a lot of trouble with agencies like the European Commission.
On balance I think SourceForge deserves a browser level "here be malware" warning, trusting that most users will make the right choice if informed.
>Of course, the game-theoretic response from the entire internet community is to make sure they never, ever, for any reasons whatsoever, ever click on a link that starts with "sourceforge.net"
That's a nice idealistic response, but what about when you can't find a file anywhere else?
So that's when we start downloading Sourceforge's files en masse (with ad-blockers enabled so that they're not rewarded for their misbehavior), stripping out the malware, and rehosting them somewhere.
This is a solution for me. It's not a solution for the hundreds of people I've told about GIMP over the years. Some of whom I no longer have contact with. Those people don't know how to edit their hosts file.
Sharing the same owner as Sourceforge, let's see if it gets "buried" [2] (or "late released due to an editor vacation" [3], as was their explanation) or if they publish it in a timely manner and within the spirit of the submission.
The submission was accepted on Slashdot [1] but with several modifications that change "Fyodor accuses Sourceforge of hijacking nmap account" to "Fyodor warns that he doesn't control Sourceforge nmap mirror", among other things.
I detailed the changes made and why they were biased in a comment on the same submission. [2]
Granted it's been, uh, a little while since I've last tried, but my recollection is that Slashdot's submission process has always been arbitrary and frustrating. I wouldn't necessarily attribute lost submissions to malice.
I didn't know they did this at this scale. I'm surprised by all the big names in the projects they've hijacked: I see apache, drupal, firefox, libreoffice, mysql, postgresql, redmine, sqlite, thunderbird, vlc, virtualbox and many, many others.
From what I remember, even though Firefox is open-source, you can't use the Firefox name on distributing it without getting approval from Mozilla. This is why Debian went at some point with the Iceweasel name. So Mozilla controls what gets distributed with the Firefox name and they could sue for trademark violations if they want to.
IMHO, all open-source projects should protect their name. For example last time I tried, VLC for iOS was banned from the iTunes Store, yet there were dozens of obscure apps using VLC's name or logo on the iTunes Store (this was happening in January). Especially given that there is such a thing as an unregistered trademark, that is valid through usage. Even if you fork it, the authors should have the courtesy to use a different name.
If you have ever uploaded something to sourceforge you have given them the right to use your trademark in perpetuity, something to think about when posting on public sites like this.
To be clear - there is a difference between mirroring (which is good netizen behavior, and to be complimented), and trojaning (which is modifying the upstream sources before delivering them to users - which is decidedly not good netizen behavior).
It's important to understand which is which for those accounts.
As long as one of those accounts is trojaning (or even just suspected of possibly having been trojaning once) it instantly poisons all the mirrors. Even if they are perfect netizens 99% of the time, that 1% makes all their other efforts useless.
Whoa what. Are you suggesting that suspicion of possibly maybe having put a trojan in someone else's files somewhere is grounds to make all one's efforts useless and poisons everything else you do?
Geeze, I guess we should stop using Google. They've been accused and suspected of much worse by a lot of people. I hope that's not what you meant.
Are you suggesting that suspicion of possibly maybe having put a trojan in someone else's files somewhere is grounds to make all one's efforts useless and poisons everything else you do?
Short answer: Yes.
Downloading and running arbitrary binaries from the web is inherently a quite dangerous thing to do, and I only feel comfortable taking such a risk with sites I trust. I no longer trust Sourceforge and there is very little they can promise me to make me start wanting to download from them again.
Well, I don't agree¹ with your method of evaluating trustworthiness (which seems to me rather too quantized and "chastity"-minded), but at least you know exactly what you're doing and who you're trusting.
[1] Read as "I believe it's sub-optimal for a given cost-benefit formula, after some assumptions about certain variables and certain opportunity costs, and other methods would likely be more useful in context."
Sourceforge's mirrors are a complete misuse of the term mirror. A mirror should be an exact copy of the source and should be approved by the original project, which I doubt any of these 'mirrors' are.
An interesting bit of weaseling by SourceForge is to add a "downloader" which fetches the actual unmodified installer/sources. The "downloader" installs adware while fetching the real installer for the software. In the case of GIMP the filename of the downloader was made to be the same as the filename expected of the installer for a given version. This dirty approach might be thwarting ways of protecting with cryptographic signatures, or even trademarks/copyleft.
I remember thinking "I guess they want to get more of the tech community's mindshare to promote their job board" when Dice bought Slashdot. With the way they've alienated the tech community by trashing Slashdot and SourceForge, I wonder how many tech people will use their job board now.
We saw it, but why does it matter? They also claimed to never add adware without consent before. Even considering to bundle up malware with FOSS projects is offensive to me. They lost my trust and a simple blog post won't win it back.
The policy of taking over "abandoned" projects is super shady as well. That's what this mailing list post is about, isn't it?
> PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.
He does know about the announcement, but he does not trust them anymore. That's fully understandable. Fool me twice, etc.
Additionally, you addressed people posting in this thread. The Sourceforge announcement was all over HN and reddit and a lot of people following the whole issue knew about it. It's simply not enough to win back users' trust. But I already addressed that - yet you chose to criticize my way of wording, not the very content.
But they've said that before. This amount to "we promise to stop breaking the promise we made earlier". I for one won't be trusting this new promise to last either.
This is definitely a possibility, and when sourceforge bundles nmap with malware I would deem it necessary. nmap is protected in the US by trademark #78342532.
It feels a bit different here, at least to me. Nmap had a Sourceforge account, but now it's been taken away from them -- "hijacked", as the post describes it. And Sourceforge at least used to be a reputable site and has (had?) some lingering aura of trust around it.
Sure, but this is Sourceforge itself doing the taking over, and they're offering the same downloads (plus their wrappers and what-not) rather than reusing the name for a different project.
Sourceforge was, for a long time, the definitive home for many, many popular open source projects. That they've cashed in on this historical trust, and in some cases the fact that the thing they are "mirroring" actually was hosted there at some point, makes this worse.
For example, for years, I've used winscp.sf.net to get to WinSCP when I need it. As of now it redirects to what I believe is WinSCP's actual site, winscp.net. In the past, Sourceforge was the actual location to get the binary. If at some point they set up a "mirror" for WinSCP, there's a good chance that people visiting that haven't in a long time might just accept that if they get a download link at a sourceforge page, it's likely legit.
I can't say the same about any of the sites you listed.
In spite of account hijacking, GIMP was still downloaded by almost 15k people this week.
Six days ago they took over Audacity project as well, which was downloaded by more than 150k this week[0].
If you have ignored the crapware dialogs of the installer, you should be. But even then there is no telling what they could install without prompting first.
If this is a windows install, do as you would normally do for a spyware infestation.
1. Go through installed programs and uninstall any that you don't want/ didn't know about. Google any you have questions about. (Clicking on date in upper right will sort from newest to oldest.)
2. Get rid of Audacity. We can only assume that this binary is infected as well as the installer.
3. Run something like Malwarebytes. Do be careful to get the right installer, as the website has many misleading links. Run this.
4. Install in browser: Adblock Edge for Firefox, or Adblock Plus for Chrome or Safari. Quit using IE if you use that.
That should take care of 99% of all problems on your windows machine. I have no clue if you should or should not be worried regarding bad binaries from scamforge. I haven't analysed the binaries.
You got the same download as you'd get from Audacity itself. SourceForge is acting as a mirror. Unfortunately, the Audacity installers are not digitally signed, but they are bit-for-bit identical on the SourceForge download to the Audacity website download.
SourceForge never modified installers of projects. Even of ones like FileZilla participating in the program. They push "download offer installers". So, if you try to download FileZilla, you get a 750K download that shows you offers when run and downloads the actual FileZilla installer in the background and runs that after you accept or decline the offers.
Well, assume you now have some malware/spyware/adware on your PC, and assume you need to clean it off.
Or check the hash of the installer with some reference bin from a trusted source.
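One way to do that check mechanically, as an added example that is not part of this thread and not SourceForge's or any project's code: fetch the same file from the project's own site and from each mirror, hash every copy, and reject any mirror whose copy is not byte-for-byte identical to the reference. The Go below uses constructed byte strings in place of real downloads, a made-up file name, and an assumed size ratio for telling a small "downloader" stub served under the real installer's name apart from a tampered full-size copy; a mirror passes only when its SHA-256 matches the reference.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is one copy of a release file as served by a particular source.
// Every byte slice in this example is constructed locally; nothing is downloaded.
type Artifact struct {
	Source string // where the copy came from, e.g. "upstream" or "mirror-a"
	Name   string // file name as served; a wrapper may reuse the real installer's name
	Data   []byte
}

// Finding records why one source was rejected.
type Finding struct {
	Source string
	Reason string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// stubRatio is an assumption for this example: a mirror copy smaller than
// one tenth of the reference installer (under the same file name) is reported
// as a likely "downloader" stub rather than as a merely corrupted copy.
const stubRatio = 10

// CompareMirrors checks each mirror copy against the copy from the trusted
// reference source (the project's own site). A copy passes only if it is
// byte-for-byte identical, which is what "mirror" is supposed to mean.
func CompareMirrors(reference Artifact, mirrors []Artifact) (ok []string, bad []Finding) {
	refHash := sha256Hex(reference.Data)
	refSize := len(reference.Data)
	for _, m := range mirrors {
		if m.Name != reference.Name {
			bad = append(bad, Finding{m.Source, "file name differs from reference"})
			continue
		}
		if sha256Hex(m.Data) == refHash {
			ok = append(ok, m.Source)
			continue
		}
		// Hash mismatch: say which kind, so the operator knows what to look for.
		if len(m.Data)*stubRatio < refSize {
			bad = append(bad, Finding{m.Source, fmt.Sprintf(
				"hash mismatch, %d bytes vs %d in reference: likely downloader stub",
				len(m.Data), refSize)})
		} else {
			bad = append(bad, Finding{m.Source, "hash mismatch: modified or corrupted copy"})
		}
	}
	return ok, bad
}

// DemoArtifacts builds a constructed scenario: an upstream installer, a faithful
// mirror, a small stub served under the installer's name, and a same-size copy
// with one byte changed. Sizes, contents and the file name are all made up.
func DemoArtifacts() (Artifact, []Artifact) {
	installer := make([]byte, 20000)
	for i := range installer {
		installer[i] = byte(i * 7)
	}
	faithful := append([]byte(nil), installer...)
	stub := make([]byte, 700)
	for i := range stub {
		stub[i] = byte(i)
	}
	tampered := append([]byte(nil), installer...)
	tampered[1234] ^= 0xff

	const name = "example-setup-1.0.exe" // hypothetical file name
	ref := Artifact{"upstream", name, installer}
	mirrors := []Artifact{
		{"mirror-a", name, faithful},
		{"sf-mirror", name, stub},
		{"mirror-c", name, tampered},
	}
	return ref, mirrors
}

func main() {
	ref, mirrors := DemoArtifacts()
	ok, bad := CompareMirrors(ref, mirrors)
	fmt.Println("reference sha256:", sha256Hex(ref.Data))
	fmt.Println("identical copies:", ok)
	for _, f := range bad {
		fmt.Printf("reject %s: %s\n", f.Source, f.Reason)
	}
}
```

The reference copy has to come from somewhere you already trust (the project's own site, or a hash published in a signed announcement); comparing mirrors only against each other tells you they agree, not that any of them is right.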
It's worth noting that most of the open source software that self hosts becomes an ad page or malware site within a few years once it's abandoned. One advantage to hosting on a shared site is that the project can live on. Or, at least, the binaries and source are still available for interested parties years after the developers moved on, lost interest, or passed away.
A site like Github that hosts open source projects brings a lot of value to the community. Great search, and the same UI when going from project to project. This would be much more cumbersome and time consuming if every project was on a different site with a different interface.
Also, many open source projects don't have the money to afford bandwidth costs of providing large software downloads.
I'm not saying GitHub doesn't help. SourceForge did help at the time. But if you value your freedom, you need to understand that, if you don't have the keys of your infrastructure, you are locked to the good will of the provider (and its stakeholders).
I don't buy the money argument. If you have the chance to be a successful enough open source project, you will find hosting companies ready to help you with free VMs.
If you are not that successful, you can use github & co without fear, nobody will try to insert crapware in your packages. And if you want to self-host, even a raspberry pi will have enough power to serve your site.
I think the point here is "reasonably popular", which project would you place here?
The costs are directly proportional to the traffic but nowadays most "reasonably popular" open source projects can get hardware (VMs) from hosting companies for free.
We need end to end security without this https insanity as a bandage more than ever. Ubiquitous signing and audit logs more than ever. Tools that, for normal end users, refuse to work if integrity is broken. What sourceforge is doing should be universally seen as damage and systematized intolerance should make the attempt pancake so hard and so fast that nobody ever even tries it.
It's excellent that the nmap people distribute gpg sigs. Now we need to socialize the fact that "https does not mean I'm getting what I wanted from the original authors", and start building (yes, we need to get past the http://www.thoughtcrime.org/blog/gpg-and-me/ problems) and using tools that do better.
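To make the "refuse to work if integrity is broken" rule concrete, the following is an added example (not from this thread, and not nmap's or SourceForge's code): verify a detached signature against a key pinned out of band before doing anything with the artifact. It uses Go's crypto/ed25519 as a stand-in for the OpenPGP signatures nmap publishes, since the verification policy is the same; the keys, the release bytes and the wrapper bytes are all generated or constructed inside the block, and the three cases (genuine release, wrapper served with the genuine signature copied alongside, wrapper re-signed by a mirror's own key) are the assumed scenario, not observed behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifyRelease checks a detached signature over a downloaded artifact against
// the project's pinned public key. ed25519 stands in here for the OpenPGP
// signatures nmap actually publishes; the policy is the same: obtain the key
// out of band (not from the mirror) and verify before anything is executed.
func VerifyRelease(projectKey ed25519.PublicKey, artifact, sig []byte) error {
	if len(projectKey) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong length")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(projectKey, artifact, sig) {
		return errors.New("signature does not verify against the pinned project key")
	}
	return nil
}

// InstallIfVerified models "refuse to work if integrity is broken": the caller
// only receives the artifact's digest (standing in for "proceed with install")
// when the signature checks out. TLS on the download is irrelevant to this
// check; it only proves who served the bytes, not who built them.
func InstallIfVerified(projectKey ed25519.PublicKey, artifact, sig []byte) (string, error) {
	if err := VerifyRelease(projectKey, artifact, sig); err != nil {
		return "", fmt.Errorf("refusing to install: %w", err)
	}
	sum := sha256.Sum256(artifact)
	return fmt.Sprintf("%x", sum), nil
}

// Scenario runs three constructed cases and returns the outcome of each:
//   genuine:  the upstream release with the upstream signature (must pass)
//   wrapped:  a different file served under the same name with the original
//             signature copied alongside, the "downloader" case (must fail)
//   resigned: the wrapped file freshly signed by a key that is not the
//             project's, a mirror signing things itself (must fail)
// All key material and file contents are generated here for the example.
func Scenario() (genuine, wrapped, resigned error) {
	projectPub, projectPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	release := []byte("constructed release bytes standing in for a real tarball")
	sig := ed25519.Sign(projectPriv, release)

	wrapper := []byte("constructed stub that fetches the real installer and shows offers")

	_, mirrorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	mirrorSig := ed25519.Sign(mirrorPriv, wrapper)

	_, genuine = InstallIfVerified(projectPub, release, sig)
	_, wrapped = InstallIfVerified(projectPub, wrapper, sig)
	_, resigned = InstallIfVerified(projectPub, wrapper, mirrorSig)
	return genuine, wrapped, resigned
}

func main() {
	genuine, wrapped, resigned := Scenario()
	fmt.Println("genuine release:", genuine)
	fmt.Println("wrapper with copied signature:", wrapped)
	fmt.Println("wrapper re-signed by mirror:", resigned)
}
```

The third case is the one a hash-only check cannot catch if the mirror also publishes its own hashes: a signature is only worth something when the verifying key was pinned from the project, never taken from the same place as the download.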
I think this is the time to remind people some projects (ie filezilla) are willingly distributing the malware with their projects. The developers reaction is basically "there is nothing wrong with it"[1].
I feel like there is a niche service to provide installers that have been decrapified. I'm not talking about ninite (which is private/commercial) but an open source repository of installers that you can "apt-get" for Windows. I know people have tried that in the past - but the problem is that the builds that are posted manually go out of date pretty quickly so I think this process would have to be automated.
Yeah, sad that at one point I thought they were trustworthy. Hell, at one point I thought CNET was safe...until I downloaded and installed a "BestMp4ToMp3 converter" from there that infected the corporate network. Scumbag city, those sites. That's a major reason I support FOSS like VLC financially.
They were trustworthy at one point. I was a SF.net developer a long time ago and I can assure you that the number one consideration was the Open Source community. Sure there were ads but never once were we asked to compromise any project to increase ad sales.
Honestly, in hindsight I wish we had gone to a model more like Github.
What I don't understand about any of this is why anyone wouldn't just either move their project to Github or self host. Why would you even still have your project hosted on SourceForge?
I understand the author's grief and anger. I feel bad for them really as this will hurt the Nmap brand, but come on, avoid the whole situation and just remove the project from SourceForge completely.
> What I don't understand about any of this is why anyone wouldn't just either move their project to Github or self host. Why would you even still have your project hosted on SourceForge?
> At SourceForge.net, we feel a commitment to ensuring the long-term availability of the Open Source code released by the projects we host. We will weigh requests for project removal against the community value of leaving the project intact...Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value.
I think the problem is that abandoning your project on Sourceforge doesn't have the intended effect.
"SourceForge, the code repository site owned by Slashdot Media, has apparently seized control of the account hosting GIMP for Windows on the service, according to e-mails and discussions amongst members of the GIMP community—locking out GIMP's lead Windows developer. And now anyone downloading the Windows version of the open source image editing tool from SourceForge gets the software wrapped in an installer replete with advertisements."
They won't because I'm not abandoning my projects.
People who complain have one thing in common - they abandoned their projects on SF. It's kinda like letting the domain name expire and then complaining that somebody took over. Always keep an eye on your hosting and your domain names, folks.
DigitalOcean feels wrong for this purpose since they provide VPSs, not storage per se. I would suggest hosting the website on Digital Ocean, github or something similar and hosting files on S3 or some similar service that specializes in storing files rather than providing VPSs.
The problem isn't really in the overall bandwidth usage though, it's the concurrency.
Would the $5/month droplet stand up to a surge of people coming in for a latest release, or a bit of press coverage? Would there be enough bandwidth that everyone gets the file fast, or would they all slow to a crawl?
What about providing a BitTorrent link? The main server could provide a backstop seed, and presumably enough other people would seed too for any decent-sized project.
P2P downloads would help cover some of the costs, but popular projects probably need a direct download link with load balancing as well.
If the project doesn't want to manage their own infrastructure, they're probably going to want a CDN or object storage provider. The most cost-friendly I've seen is OVH's RunAbove object storage, but I'd be interested to know if there is anything else comparable.
50000 downloads is ridiculously low for any popular software package. Besides, VPSs are not as fast at serving static files as you think. My VPS-hosted site became like 10x as fast when I made it pull 100kb-ish javascript files from a CDN instead of off the VPS hard drive.
Realistically, we need to move to decentralization for this. Same way that the distributed github project was like a, "Oh yeah, this is our insurance policy in case GitHub ever becomes garbage."
However, are SF really making money from these mirrors? As I understand it from other comments here, you can still download the tarballs, and they seem more 'official' than the non mirror-suffixed accounts? When does mirroring become bad practice, what is the line you need to cross?
I'm pretty sure they are earning some money off this, and taking into account the website was going to die anyway, I don't think this is a negative thing for them to do.
Sourceforge needs to call it a day. Its day of relevancy is over, once upon a time it filled a need but we have Github, Bitbucket and much better choices now. What we are seeing is a site that is lost and will never be able to earn back the respect that it once had.
The world is calling it a day on Sourceforge - they are just hanging around to milk what they can out of past glories.
Of course they can't just turn off anyway: there would be outcry from people because their currently idle project that hasn't moved to being hosted elsewhere suddenly became unavailable.
This is not hijacking at all. They created a new account, the old one remains blank as the author says. Sure it's morally questionable and leads to having a very bad reputation. But it's not hijacking. GPL code can be forked, mirrored, bundled and distributed. As long as the terms of GPL are obeyed there's nothing technically wrong with what SF is doing.
Of course they've completely blown all trust and squandered their reputation.
They may well be GPL2/3 section 2a/5a (prominent notice that they have modified the program... in this case the installer), and likely 2b/5b,c also (are they also providing the source code for the crapware?). If these are found not to apply (because the court finds it to be mere aggregation) we may need a minor GPL update :-)
Alternately one could look into trademark law, perhaps?
Sourceforge is now on my personal blocklist for Google search results. Along with expertsexchange which I added years ago, and Quora which may surprise some.
Unless it changed recently, but I used to click there through Google search results and still get some blurred out page, or only one answer, or a timeout that tried to make me register.
And quite frankly, I prefer the rather diverse universe of stackexchange sites.
I wouldn't mind hitting Quora through Google on occasion, but sometimes they actually have just a stub page, where the question isn't answered at all, so it shouldn't rank so high.
You can see the answer if you go to the page via a google search result. If a friend sends you a link, they block the answer with that annoying login modal.
I might be asking too late, but what's stopping someone from:
1. Identifying hijacked accounts
2. Forking to GitHub
3. Waiting for the inevitable ranking change
4. Handing over the project to the owner when/if they are identified.
I realize there's a good deal of handwaving here--particularly at 3 and especially 4. But, is this a bad idea? Seems like 4 can be replaced simply by the owner reforking, too.
The original nmap page in the article is back live now.
As much as I hate malware, can we confirm it was sourceforge that got rid of the old page? Maybe someone set up the mirror after a data problem or error rendered the old page blank and just wanted to get it up, or that person was nefarious? (Occasionally people can be "too helpful" on community sites by registering other people's projects).
I guess the question is really who owns sf-editor1/2/3/4.
The reason being I can't see a lot of bonus for someone doing it this way. I'd just put adware in the margins. The site looks sketchy anyway these days so it's not doing them a lot of good...
Maybe we should all learn something from this and also the thing about RadioShack selling off all their customer data. What will Google do when it gets shaky?
A reminder that this is just one of the consequences of open-source, free (as in libre) license software: It wouldn't be truly free otherwise.
I'm not saying I condone Sourceforge's actions, and this does deserve to be known widely, but what one person would consider privacy-invading malware could be another person's "helpful offers assistant" (or whatever)...
Not really. It's just a quick guide to using gpg to verify a software distribution. Many people already know how to do this, or you could look at the manpage if you prefer.
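The two points made above, that a project's gpg signature (not the HTTPS padlock) is what tells you the bytes came from the authors, and that verifying a distribution with gpg is a short procedure, as an added worked example. This is not code from the thread, from the Nmap project or from any project it mentions: it generates a throwaway signing key in a temporary keyring, signs a constructed stand-in tarball, then shows the check succeeding on the genuine file and failing on a repackaged copy. The key name, file names and contents are all made up for the example; for a real download you would import the project's published key, checked against a fingerprint obtained out of band, instead of generating one.

```shell
#!/bin/sh
# Added example (not from the thread or any project it mentions): check a
# downloaded release against its detached GPG signature, then show that the
# same check fails once the file has been repackaged (e.g. wrapped in an
# adware installer). Runs offline against a throwaway key. Assumes gpg 2.1+.
set -u

# Isolated keyring and work dir so nothing here touches ~/.gnupg.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Non-interactive gpg: batch mode, no pinentry, empty passphrase.
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Constructed stand-in for the project's release-signing key (hypothetical name).
gpgq --quick-generate-key 'Example Release Key <release@example.invalid>' \
    default default never >/dev/null 2>&1

# Constructed stand-in for the release tarball and its detached signature.
RELEASE="$WORK/tool-1.0.tar.gz"
SIG="$RELEASE.asc"
printf 'pretend this is the real tarball\n' > "$RELEASE"
gpgq --detach-sign --armor --output "$SIG" "$RELEASE"

# Constructed stand-in for a mirror's repackaged copy: same name, extra bytes.
mkdir -p "$WORK/mirror-copy"
TAMPERED="$WORK/mirror-copy/tool-1.0.tar.gz"
cat "$RELEASE" > "$TAMPERED"
printf 'plus an adware wrapper\n' >> "$TAMPERED"

# verify_release FILE SIGNATURE
# Exit 0 only when SIGNATURE is a good signature over FILE made by a key that
# is in the keyring. Note gpg's argument order: signature first, then data.
# HTTPS proves which server you talked to; this proves who produced the bytes.
verify_release() {
    gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

if verify_release "$RELEASE" "$SIG"; then
    echo "genuine release: good signature"
fi
if ! verify_release "$TAMPERED" "$SIG"; then
    echo "mirror copy: BAD signature, do not install"
fi
```

The check only means something if the key in your keyring is the authors' key: fetch it from the project's own site or a keyserver, compare its fingerprint against the one the authors publish, and never take the key (or the .asc) on trust from the same mirror that served the download.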
I went to GIMP to get the latest version for Windows (Mine was 2+ years old)
Strange, it seems newer but the Windows version was the same as mine.
Google what up, randomly saw the Sourceforge controversy for GIMP in the news.
Went straight to SourceForge and got my update. Because they could be bothered.
If you want Sourceforge to be evil, get your shit together GIMP. (Windows users are people too, plus appreciate all the work, but it'd be nice if you remembered us)
PS And remember that if you're GPL or whatever then don't complain when someone follows the rules but doesn't do what you want. Is it GPL or not?
You can't say you're anti censorship, as long as it's what you want. You can't say you're GPL as long as it's what you want.
People are free to add malware to the product. Account hijacking not so much.
SourceForge has an older version. Where the hell did you go to?
(In fairness, SourceForge also has 2.8.14, but you have to go look at the file list rather than clicking the big green button. OTOH, GIMP.org's big button goes straight to the latest version.)
For many there are many projects that were hosted here before dying, and because of that, SF is both the official place to download and also SF sees it as fair game to take over and wrap with malware.
Hoovering up the inactive accounts is probably an automated process. There would be little point putting in extra code to exclude less trafficked areas.
The problem is that it is basically impossible to completely close and remove a software project from Sourceforge. The best you can do is tag it as "inactive" or "relocated" and provide a link to the new site, but the project site will still exist.
Let's say it becomes possible. Then what? If your project is popular, it would be on softpedia, filehippo, majorgeeks and many other "free software" aggregators. If your project license allows others to distribute your software, you can't stop them.