You are linking to uBlock Origin ("uBO") -- that filter list is specific to uBO. The other "uBlock"[1] (abandonware) does not support strict blocking, which is what blocks SourceForge.
Sorry if I didn't make myself clear, what I was trying to point out is that for ublock origin to block sourceforge the badware risk filter list has to be enabled. Also I suppose this list can used with other blocking software.
Oh and gorhill, much much thanks for your time and work on this.
It's not just Filezilla or sourceforge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company Perion. I followed that rabbit hole last year, Lenovo point blank refuse to acknowledge it is spyware.
And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.
They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.
Oh, and here is an article that confirms the autoupdate:
You should generally not trust preinstalled OSs, regardless of vendor. Most (all?) of them shovel crap in there, often because they get paid to do it. It's sad, but it's just the world we live in.
The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).
The fact that there are ways to obtain passwords even when they are not stored unencrypted is not really a reason to make it as easy as possible for malware to get every password on your system.
No, you're wrong. If you've run malware on your machine then it's not your machine anymore.
This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counter productive.
> botg: All third-party offers can easily be declined. Nothing unwanted is being installed without your consent.
Talk like that can only mean that they know about the malware bundling.
Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."
The client needs them in plain text to be able to connect. "Remember password" is a feature, there. Like I said, correct solution is to use the keyring, but the dev team is incompetent, so ...
FTP is inherently insecure, everything is transmitted in plaintext. Because the server cannot check a password against a hash (due to the limitations of FTP), the client needs to store the password, and can't keep only a hash.
That being said, Base64 is woefully inadequate, just google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.
If the server checked against a client-provided hash, the hash would become the password, and the attacker could just use the hash as-is to login to the server. Hashing on the client solves nothing.
How would that work? If you would use a private key to authenticate to the server you would still need to protect this key with a password. Otherwise stealing the private key will get an attacker access to the server just as simple.
It's done intentionally to make the owners a bit of money. They have direct download links on their website (click show all on download page), avoid the green Sourceforge link.
Yes, all the downloads are hosted on Sourceforge, but Jonnerz is pointing out that the additional links come without the Sourceforge wrapper (the links will have "?nowrap" at the end).
We all wish FileZilla would just drop Sourceforge completely, but at least the non-wrapped versions are still available.
Something came up last time Sourceforge was discussed here, namely "why are projects still using it?"...
I'm the project lead for LXQt (http://lxqt.org). We inherited some infrastructure legacy from LXDE, which was hosted on sourceforge. Today, we have moved most of the legacy to Github but we're still using Sourceforge's mailing list system.
We're moving to a self-hosted mailman3 instance but it's been excruciatingly painful. Email is not fun to deal with.
So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists.
This model can work. It's not unheard of either (cf. Discourse), but it just hasn't been executed properly yet, or is forum-only and does not support email properly. Right now, the UX of mailing list software is like IRC's. Very raw. If it were made more seamless, more approachable, overall easier, it would have a similar effect as Slack has had on unthreaded-async-topical-conversation.
PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge as a malware risk.
"It is a place for FOSS communities to discuss all the things they want without ads, censorship, signup requirements, bundled apps, or requirements that you use any particular email client or service."
Isn't this what Google Groups is used for? (what's different / lacking there? I'm of the age where I remember SourceForge as somewhere I would sometimes download things from as a young teenager but nothing more than that)
Yes, Google Groups is very close to what's needed - unfortunately, it's proprietary and Google doesn't really maintain it, it's only a matter of time it goes the way of Reader.
FWIW, Google Groups powers email distribution lists for Gmail for Work. Or at least, the two are strongly linked.
At this point, unlike Reader, there's real cash behind the functionality. It's possible they could just fold it into Gmail, I guess, but with other mail interfaces like Inbox popping up in the Google ecosystem it seems if anything they're trying not to shoehorn too much more into a flagship product.
My guess is Groups will stick around for a while yet.
As someone using Gmail for Work: This is one of the things I absolutely detest about Gmail for Work. The Groups interface is absolutely horrendous, and we don't want groups, we want simple email distribution lists.
Also, Groups doesn't have the ability to import archives from my previous list. (I'm in exactly the same position of wanting to migrate away from SourceForge, and the mailing list is the last thing remaining.)
How would you replace them? ( Please don't say Slack. That is just _not_ a good replacement, especially for projects that needs publicly searchable archives. )
IMHO a publicly/semi-publicly logged irc channel would do just as well, but that's even more oldschool.
The alternative is pretty much only online forums. Which imo. doesn't offer a lot of advantages, and most forum software is exceptionally bad (though yes, a few new and nicer ones
are coming along)
None of them appropriately support mailing lists, though. Email-based communication is a big deal for devs which contribute on maybe 5+ projects at once and have to manage comms in one central place.
As for Discourse's mockery of a mailing list mode, let's not even talk about it.
Are you familiar with DFeed [1] used by the D-Lang forum [2]? It is, in my opinion, one of the most usable web frontends for mailing lists (as well as a few other sources).
If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.
GitHub has email notifications for issues, but you can opt out of any particular discussion if it gets too pedantic or doesn't relate to you. This helps massively reduce inbox clutter.
The thing that bugs me about mailing lists the most is you get all the email, all the time, forever.
>If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.
This is a total non-issue. Mailing lists support daily digests if you want that, and email clients support folders and filters if you want that instead. Nobody managing 5+ mailing list-based projects at once is dumping all of that into an unsorted inbox.
Mailing lists are not just about issue tracking (and really shouldn't be about it). There's general discussion on them, release announcements, etc. pp.
Mattermost is a free and open-source alternative to Slack, giving users publicly searchable archives, great for sending images, files and code in chat. http://www.mattermost.org/
You can look at it this way: They're doing something that people want and which cannot be achieved through other means. What alternatives do you suggest?
(Personally, I use GMANE+NNTP for mailing lists, and NNTP is probably better than plain (public!) mailing lists for most purposes, but unfortunately that ship has sailed.)
If I want long-form messages delivered asynchronously, what other choices do I have (forums?) and why are they better than mailing lists? (everyone already has an email client.)
I have to ask, is the question because you don't understand the value of the communication? There are definitely a type of greenhorn codes that don't and have never worked on anything with the scale to understand it.
Or is it because you value the communication differently than the code? We've evolved distributed revision control to handle issues or geography, connectivity, and work styles effectively allowing you to be self-contained and then collaborate (push, pull, merge someone else's stuff) when you are ready to. Email is the only generally available method of communication that works the same way.
> Why mailing lists are still quite massively popular in 2015?..
IRC is still an underused tool in my opinion. The ability to just talk about one issue in a Mail List and keep track of the communication is great. I can't think of another tool that manages communication as well as a mail list (Forums are just not as good in communication notifications like a mail list.)
P.S. I still hate Mail List and don't use them anymore but nothing does it as well right now.
IRC, like other chat and IM tools is synchronous. That is useful to get an issue solved quickly. But mailing list are asynchronous. People can think before answering and don't have to be around at the same time. Also threaded nature of mail makes it better to archive discussions and referencing them later. An IRC log is full of other noise and little structure.
"Why mailing lists are still quite massively popular in 2015?.."
Because (your email client) is always going to be much, much faster and easier to navigate than "some dudes cute forum setup".
Replying to and managing conversations is much easier when you can do it with one or two keystrokes rather than mousey-mousing ten clicks all over the place (and oh their ad tracking js is stalling out again...)
I maintain that all web forums should have a mailing list interface so that you can use the forum without using the web at all ... but I suppose that breaks their revenue model ...
I've always found the Sourceforge mailing list archive interface to be one of the worst out there. Sure, it's a lot prettier than the raw, unstyled HTML of the Mailman default but it's just not nearly as usable.
Savannah provides mailing lists. I don't want to advocate savannah too much, because the site isn't pretty, their interface is sometimes strange, they don't default to https, there are lots of reasons not to like it technically.
But it's probably a place where you don't have to expect evils like supporting bundled Crapware. The FSF is behind it.
The cool thing about D's forums/feed is how amazingly fast they are. I wish more web apps were designed like this, with a fast backend framework.
Instead, it's all either slow, slow backend frameworks like Ruby, or even worse, these SPA applications that require extensive client-side JS processing before they show you the goods.
Node is a step in the right direction for both problems: for the first, Node-based backend applications are faster than Ruby and Python, and for the client-side rendering problem, because Node can pre-render these SPA apps (which everyone should do for a serious production app that uses a framework/library like AngularJS or React for major client-side rendering).
But a server application based on D or Rust, or even Go, is an even better solution to the slow backend framework issue. Unfortunately, no one has yet created a full-service framework like Rails or Django for any of those languages.
According to a quick check the forum.dlang.org initial page view takes 200ms. ruby-forum takes 738ms. If you want to talk RUM/page load metrics forum.dlang.org takes 800ms for the load event to fire, the ruby forum takes 1.6s.
The individual posts load really quickly, but the main page doesn't (well not as fast as the other one mentioned). Either way, both are fast and I wish more websites were like this, not just forums!
> Instead, it's all either slow, slow backend frameworks like Ruby, or even
Usually this is a matter of bad coding or overprovisioning of whatever is being used to host the site and the DB. Most maintained languages running on modern hardware can sustain reasonable loads without any significant performance issues. While client-side bad-performing frameworks abound, the last I looked into it, Ruby+Rails isn't that much worse or better than any other.
It depends heavily on what you are doing.
Most CPU intensive Tasks are fast on everything. However on Memory intensive Applications Ruby and Python are really really aweful slow.
The language used for a server backend is far from a guarantee of efficiency and performance. It's very easy to write a D or Rust backend that doesn't optimize queries and handles caching badly; you'll get just as terrible response times from those as you would on the "typical" slow websites that you refer to.
Excessive pagination is annoying, but speed... the speed is amazing. 240 ms from initial mouse click to fully rendered page. Due to fast response, I really liked to use that site.
Self-hosting seems like overreaction for most open source project. I would just make regular backups/exports. Dealing with spam filters etc is a nightmare.
My project is using Google Groups just fine. Do not list your group in public directory to prevent spam.
Redis is moving from mailing list to Reddit. That seems to work for them.
High-profile projects actually can't stop. If you attempt to stop using Sourceforge, they will consider your account "abandoned" and continue mirroring the new site and serving downloads with their malware dropper included. So if you want to keep the malware out of your releases, you need to maintain control of your project by keeping SourceForge up to date.
Since they used to be the official source, their repository tend to have very high PageRank and they're essentially cashing in on it. Since the content they host is open-source, this is technically legal, but it's scummy as all hell.
When I had a project that I started on sf and later moved off, I kept the sf project technically alive, but removed all downloads. I updated with links to the project site.
This was a BlackBerry project, though, and it wasn't something you could install on a desktop - that may have been a contributing factor, but I never had any problems with them continuing to host the content after I deleted it.
"Since the content they host is open-source, this is technically legal, but it's scummy as all hell."
If the project is licensed under GPLv3 (or any other strong copyleft license), wouldn't they be illegally hosting it because they are bundling their malware dropper with software that isn't compatible with the license?
If there was, it wouldn't be open source. The Open Source Definition explicitly prohibits any license that restricts simple bundling [0]:
> The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Same with the Debian Free Software Guidelines [1]:
> The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Yeah I still can't believe how scummy sourceforge is. I wonder how new oss projects can protect themselves against this type of behavior. Anyone know if any oss licenses include a restriction against this kind of repackaging or any kind of malicious use clause?
In reality though there's a reason there are many different OSS licenses - many devs want options around attribution and yes, around use in limited ways. A please don't use this for abject evil clause may not meet the no true open source dictionary definition, but pragmatically speaking it's not necessarily a terrible idea.
Then we should all probably point our collective fingers at google. Let's not pretend they couldn't blacklist sourceforge links for pulling this kind of BS.
Regardless of the above, we're gonna be doing a significant push for better mailing list features during the months to come, so any feedback you or any other open source projects may have, please nudge me on meta.discourse.org or send me an e-mail (my first name, erlend, at the company domain).
"So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists."
Uggh ... really ?
So the simple, clean, extremely fast loading HTML indexes of mailman/majordomo[1] aren't going to do it for you anymore ?
Yes, I was getting so tired of one click getting me to a nice, clean index, ordered by year and month, and loading near-instantly. What a pain that's always been.
I agree. Mailman is fantastic as it is. There's a technical brevity and image it gives off, and that's an important aspect of design. This isn't really a statement about usability or what's beautiful in design.
I design user interfaces and creating a new UI for basically what mailman does would really just be an attempt at grabbing a different target audience.
mailman has an image behind it. People associate with different images, and certain looks and feels make certain people gravitate towards them.
The type of people I would want in my mailing list are the type of people that appreciate how mailman looks as-is.
I try to practice great design where it matters most. A reskin of such software would be more aligned with the goals of junior designers and people who rehash weather apps with nice gradients on dribbble.
Have you considered contacting Guiness World Records regarding the size of that horse you stand atop of?
If you genuinely do want to practice great design, start by considering user needs and the reason why "reskinning" as you call it might be wanted, instead of dismissing anything you don't immediately understand as "pah, must be junior designers, those with fancy gradients and far less experience than me".
You're not telling me no, most specifically because I'm not pitching this to you. You're telling yourself no. You say you don't need it, and extrapolate your view of the world to everybody else's.
I'm not touching your lawn. I'm not even in the same city. If what already exists does the job for you, good on you. It doesn't for us, and many other projects.
I'm not suggesting the existing software to change, I'm suggesting something new. Pitching something that doesn't exist today (the D-Lang forums linked here come quite close though). Our goal is to merge our current forums with our mailing list and not have to maintain both separately.
So I'll thank you to get off my damn lawn, you and the seven crates of entitlement you carry around.
Not only that, but the FileZilla Admin is posting in that thread denying any claim that there is anything wrong with the installer, despite repeated reports from multiple users.
FileZilla is maintained by people who want to push spyware to you because it's how they get paid. This isn't an accident.
SourceForge are adding the malware but the FileZilla people are acting as if it's not a problem and refusing to help people / accept that there is an actual virus in the executable they link on their site.
"It's not our problem, it's SourceForge" - stop f'ing using SourceForge then!
Their ambivalence and complicity in distributing this malware is probably the behaviour GP was talking about.
His statement about alternate download links was also incorrect, because I was asking about Filezilla server, which I could not find anywhere but sourceforge.
Well - you are trusting that Ninite doesn't include any crapware / malware, but until now I didn't had any problems with it. Makes updating Java Runtime much nicer too.
I think you can avoid the virus by downloading the zip but as I said I don't want to support this kind of behavior, so I have uninstalled Filezilla from my computer and will uninstall it on all computers at work too.
I use WinSCP. I cannot say much about technical differences, but it has worked well for me.
Also, PuTTY comes with a SFTP/SCP client, and unless there are strong reasons you cannot use SFTP, it is a lot better than FTP, security-wise (does not transmit passwords in plain text and allows using cryptographic keys rather than passwords; in fact, on OpenSSH you can configure the server to deny password authentication completely; and the entire connection is encrypted, of course).
It's funny I already use WinSCP but for SSH and SFTP connexions to Linux servers, it didn't even occurs to me that I could use it for regular FTP too. Thanks.
There's the argument that if someone has access to the passwords then they've already got enough control over the computer to do whatever other damage they like - like reading them out of memory after they're decrypted.
Base64 at least provides some protection against somebody looking at it with their eyes and memorizing them, which is perhaps a more likely scenario - family members, kids, etc.
Base64 provides no protection from malware that infects your machine and actively looks for this kind of stuff. Stored passwords from websites, ftp programs, key safes, etc.
On Windows, you don't always need a 3rd party FTP program. Windows Explorer (not IE) already does FTP. Just open any folder and type ftp://example.com into the path bar.
It doesn't come standard, not on all Windows flavours. It's a part of "Core networking utilities" package that used to have some really odd dependencies.
You're mis-remembering or something... There's no such thing as a "Core Networking Utilities" package on Windows (never has been) and ftp has been a command line tool since at least Windows 95.
I don't particularly like the built in FTP command line utility (even with scripts). But it has existed a very long time indeed.
Eh, yes, it is. On the Windows 7 Home Basic and Home Premium edition, it’s not pre-installed, and you have to go to System Settings -> Programs and Features -> Install or Remove Features to install it.
I have Windows 7 Home Premium on my Mac via Parallels, and just I just typed in "ftp" into cmd and it came straight up.
The only packages I have installed are "Media Features" ".Net Framework 3.5.1" "Print and Document Services" "Windows Gadget Platform" "Windows Search" and XPS Services/Viewer. All of which are default features.
Which package are you even suggesting contains the ftp.exe client? Because I don't even see one. Also why would anyone go to the trouble of putting a 47 Kb binary inside of a feature package? It makes absolutely no sense at all.
Are you sure you aren't mis-remembering and were installing the Unix Services for Windows, to utilise Linux-like command line utilities?
As the person said above, ftp.exe has been in Windows since the MS Dos days, and is a core utility. I've never seen it not been available on any version in any situation.
Now an FTP server definitely needs to be installed. Always has. But we're talking about the ftp.exe client.
ftp.exe should be there, but telnet.exe is no longer installed by default. One must go to "Add/Remove Features" (or similar) and enable it first. Maybe that's what he's confusing it with.
Please don't recommend chocolatey for this reason. While it's excellent, you should probably check the install file first: https://chocolatey.org/packages/filezilla (and click "show" on "tools\chocolateyInstall.ps1")
You don't see the installer UI, but it still downloads from sourceforge because that's where the executables are stored.
After the last Sourceforge malware-bundling debacle (Can't even remember who it was at this point--someone who said Sourceforge seized their repo from them and then repackaged it with malware), gorhill added Sourceforge to the uBlock blacklists.
About two hours ago I pondered installing the Diffuse merge tool[0] on a Windows box. Then I noticed that it was hosted on Sourceforge and thought "nah, not really worth the risk". Now that I see this post I feel even more content that I avoided Sourceforge.
I stopped using Filezilla on Windows a while back, due to this and other issues (passwords stored in plaintext, etc.) and switched to PSFTP and PSCP, which are MIT licensed and offered directly from the developer's page[1]. However, reading this article reminded me that Filezilla was actually still installed on that box, just not in use, so I decided to uninstall it while it was on my mind. Immediately after uninstalling it, it tried to force a shutdown on my computer. The only reason I was able to stop it was because I had a process running in the background that wouldn't terminate and I was given the choice by Windows to force shutdown or cancel.
Now, I've only ever installed it from ninite.com[2], so I know it didn't initially have the Sourceforge trojan/adware junk. However, I've since allowed it to download its own updates instead of doing it manually through the Ninite downloader. I've never, ever seen a program I've uninstalled via the Windows Control Panel with the ability to force a shutdown or restart without first notifying me or giving me the option to postpone. I'm starting to think there's something nefarious in Filezilla itself, perhaps in one of those "direct from the developer" updates, not just the Sourceforge wrapper.
Another interesting thing is that the built in Filezilla updater will first uninstall the app before reinstalling the updated version, and it never tried to restart or shutdown the computer during those updates, only during uninstallation from the Control Panel.
[2] Ninite strips out any malware or other crap from the installer and only installs the pure program with default settings, in the background, and sources the app directly from the developer's site when possible. It's my go-to tool for essential Windows utilities.
Unfortunately Filezilla has this trojan for some years now!
The trojan send all your identities to a server. This is tested 100%. We had many passwords stolen this way and we are 100% sure that it's filezilla.
Just take this test: Try to download the Filezilla and when the download page shows click on the Direct Link. Then compare the two executables, one that downloaded automatically and the one that it downloaded via the direct link.
You will see that the direct download is clean but the other has the SF icon and it has a virus!
It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.
That's a pretty serious claim. Do you actually have evidence to prove it was FZ? Just because the SF executable includes spyware doesn't mean it's disclosing passwords.
You are kidding right? And what do you think that spyware does? They steal passwords!
Our DC warns us of stolen passwords every time a client is using this exactly "touched" version of FZ. The DC is informed by a security firm and 100% of the situations is the Filezilla that steals them!
You're 100% sure? I would expect to see registry diffs before/after FileZilla was installed, disassembled code of the subroutine accessing your passwords in the malicious program, and a network packet capture of your data being sent over the wire.
216 comments
[ 1.7 ms ] story [ 163 ms ] thread[1] https://github.com/chrisaljoudi/uBlock
Oh and gorhill, much much thanks for your time and work on this.
http://sourceforge.net/blog/devshare-relaunch-power-to-end-u...
It's not just Filezilla or sourceforge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company Perion. I followed that rabbit hole last year, Lenovo point blank refuse to acknowledge it is spyware.
And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.
They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.
Oh, and here is an article that confirms the autoupdate:
https://support.lenovo.com/au/en/documents/ht101178
The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).
At least Lenovo’s business lineup wasn’t affected.
http://www.computerworld.com/article/2909321/8th-grader-char...
Yes, much better.
Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.
OMFG...
This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counter productive.
Talk like that can only mean that they know about the malware bundling.
Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."
Looks like Filezilla will not die a hero's death.
That being said, Base64 is woefully inadequate, just google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.
I’ve thought about it for the last few hours, and decided that the best solution is to just use RSA in client.
And you could use a hardware key auth.
Like the German eID, where the key is signed by the government and on a special chipcard.
The software requests the card to sign, you need to type in your PIN on the reader itself, and the request will be signed with RSA.
The public key is world-readable on the card, so you can just send that to the server.
It seems like any credentials that can be automatically used after a program loads without the user authenticating are at risk for malware harvesting.
We all wish FileZilla would just drop Sourceforge completely, but at least the non-wrapped versions are still available.
I'm the project lead for LXQt (http://lxqt.org). We inherited some infrastructure legacy from LXDE, which was hosted on sourceforge. Today, we have moved most of the legacy to Github but we're still using Sourceforge's mailing list system.
We're moving to a self-hosted mailman3 instance but it's been excruciatingly painful. Email is not fun to deal with.
So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists.
This model can work. It's not unheard of either (cf. Discourse), but it just hasn't been executed properly yet, or is forum-only and does not support email properly. Right now, the UX of mailing list software is like IRC's. Very raw. If it were made more seamless, more approachable, overall easier, it would have a similar effect as Slack has had on unthreaded-async-topical-conversation.
PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge as a malware risk.
"It is a place for FOSS communities to discuss all the things they want without ads, censorship, signup requirements, bundled apps, or requirements that you use any particular email client or service."
At this point, unlike Reader, there's real cash behind the functionality. It's possible they could just fold it into Gmail, I guess, but with other mail interfaces like Inbox popping up in the Google ecosystem it seems if anything they're trying not to shoehorn too much more into a flagship product.
My guess is Groups will stick around for a while yet.
So it’s possible.
IMHO a publicly/semi-publicly logged irc channel would do just as well, but that's even more oldschool.
As for Discourse's mockery of a mailing list mode, let's not even talk about it.
[1] https://github.com/CyberShadow/DFeed
[2] http://forum.dlang.org/
GitHub has email notifications for issues, but you can opt out of any particular discussion if it gets too pedantic or doesn't relate to you. This helps massively reduce inbox clutter.
The thing that bugs me about mailing lists the most is you get all the email, all the time, forever.
This is a total non-issue. Mailing lists support daily digests if you want that, and email clients support folders and filters if you want that instead. Nobody managing 5+ mailing list-based projects at once is dumping all of that into an unsorted inbox.
Because who doesn't like mucking around with their client's filtering?
Isn't there a decent mailing list package that hybridizes a GitHub "issue" type system with a traditional "email firehose" approach?
(Personally, I use GMANE+NNTP for mailing lists, and NNTP is probably better than plain (public!) mailing lists for most purposes, but unfortunately that ship has sailed.)
If I want long-form messages delivered asynchronously, what other choices do I have (forums?) and why are they better than mailing lists? (everyone already has an email client.)
Or is it because you value the communication differently than the code? We've evolved distributed revision control to handle issues or geography, connectivity, and work styles effectively allowing you to be self-contained and then collaborate (push, pull, merge someone else's stuff) when you are ready to. Email is the only generally available method of communication that works the same way.
IRC is still an underused tool in my opinion. The ability to just talk about one issue in a Mail List and keep track of the communication is great. I can't think of another tool that manages communication as well as a mail list (Forums are just not as good in communication notifications like a mail list.)
P.S. I still hate Mail List and don't use them anymore but nothing does it as well right now.
IRC, like other chat and IM tools is synchronous. That is useful to get an issue solved quickly. But mailing list are asynchronous. People can think before answering and don't have to be around at the same time. Also threaded nature of mail makes it better to archive discussions and referencing them later. An IRC log is full of other noise and little structure.
Because (your email client) is always going to be much, much faster and easier to navigate than "some dudes cute forum setup".
Replying to and managing conversations is much easier when you can do it with one or two keystrokes rather than mousey-mousing ten clicks all over the place (and oh their ad tracking js is stalling out again...)
I maintain that all web forums should have a mailing list interface so that you can use the forum without using the web at all ... but I suppose that breaks their revenue model ...
http://forum.dlang.org/
(The forum is a front-end to the mailing lists / newsgroups.)
The source code running it - https://github.com/CyberShadow/DFeed
Instead, it's all either slow, slow backend frameworks like Ruby, or even worse, these SPA applications that require extensive client-side JS processing before they show you the goods.
Node is a step in the right direction for both problems: for the first, Node-based backend applications are faster than Ruby and Python, and for the client-side rendering problem, because Node can pre-render these SPA apps (which everyone should do for a serious production app that uses a framework/library like AngularJS or React for major client-side rendering).
But a server application based on D or Rust, or even Go, is an even better solution to the slow backend framework issue. Unfortunately, no one has yet created a full-service framework like Rails or Django for any of those languages.
Usually this is a matter of bad coding or overprovisioning of whatever is being used to host the site and the DB. Most maintained languages running on modern hardware can sustain reasonable loads without any significant performance issues. While client-side bad-performing frameworks abound, the last I looked into it, Ruby+Rails isn't that much worse or better than any other.
Very nice.
My project is using Google Groups just fine. Do not list your group in public directory to prevent spam.
Redis is moving from mailing list to Reddit. That seems to work for them.
The GIMP project learned this the hard way: http://www.gimp.org/news/2015/05/27/gimp-projects-official-s...
Since they used to be the official source, their repository tend to have very high PageRank and they're essentially cashing in on it. Since the content they host is open-source, this is technically legal, but it's scummy as all hell.
This was a BlackBerry project, though, and it wasn't something you could install on a desktop - that may have been a contributing factor, but I never had any problems with them continuing to host the content after I deleted it.
If the project is licensed under GPLv3 (or any other strong copyleft license), wouldn't they be illegally hosting it because they are bundling their malware dropper with software that isn't compatible with the license?
> The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Same with the Debian Free Software Guidelines [1]:
> The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
[0] https://opensource.org/osd-annotated
[1] http://www.debian.org/social_contract#guidelines
In reality though there's a reason there are many different OSS licenses - many devs want options around attribution and yes, around use in limited ways. A please don't use this for abject evil clause may not meet the no true open source dictionary definition, but pragmatically speaking it's not necessarily a terrible idea.
Hi. I'm from the Discourse team, and I recently "soft-pitched" an idea that seems very much in line with what you're looking for.
https://meta.discourse.org/t/becoming-the-new-standard-discu...
Regardless of the above, we're gonna be doing a significant push for better mailing list features during the months to come, so any feedback you or any other open source projects may have, please nudge me on meta.discourse.org or send me an e-mail (my first name, erlend, at the company domain).
Uggh ... really ?
So the simple, clean, extremely fast loading HTML indexes of mailman/majordomo[1] aren't going to do it for you anymore ?
Yes, I was getting so tired of one click getting me to a nice, clean index, ordered by year and month, and loading near-instantly. What a pain that's always been.
Get. Off. My. Lawn.
[1] https://lists.freebsd.org/pipermail/freebsd-fs/
I design user interfaces and creating a new UI for basically what mailman does would really just be an attempt at grabbing a different target audience.
mailman has an image behind it. People associate with different images, and certain looks and feels make certain people gravitate towards them.
The type of people I would want in my mailing list are the type of people that appreciate how mailman looks as-is.
I try to practice great design where it matters most. A reskin of such software would be more aligned with the goals of junior designers and people who rehash weather apps with nice gradients on dribbble.
If you genuinely do want to practice great design, start by considering user needs and the reason why "reskinning" as you call it might be wanted, instead of dismissing anything you don't immediately understand as "pah, must be junior designers, those with fancy gradients and far less experience than me".
No, seriously, what the hell.
> "User needs"
Do you actually design anything?
Really dangerous.
I'm not suggesting the existing software to change, I'm suggesting something new. Pitching something that doesn't exist today (the D-Lang forums linked here come quite close though). Our goal is to merge our current forums with our mailing list and not have to maintain both separately.
So I'll thank you to get off my damn lawn, you and the seven crates of entitlement you carry around.
[1] https://news.ycombinator.com/item?id=8849950
FileZilla is maintained by people who want to push spyware to you because it's how they get paid. This isn't an accident.
"It's not our problem, it's SourceForge" - stop f'ing using SourceForge then!
Their ambivalence and complicity in distributing this malware is probably the behaviour GP was talking about.
If Google ranked them down, then they harm would be limited.
He let me know that bundling crapware was "intentional"
http://i.imgur.com/AvfDuOA.png
His statement about alternate download links was also incorrect, because I was asking about Filezilla server, which I could not find anywhere but sourceforge.
[1] https://www.virustotal.com/en/file/16e0ecda06ed98f835e449e1e...
Well - you are trusting that Ninite doesn't include any crapware / malware, but until now I didn't had any problems with it. Makes updating Java Runtime much nicer too.
Also, PuTTY comes with a SFTP/SCP client, and unless there are strong reasons you cannot use SFTP, it is a lot better than FTP, security-wise (does not transmit passwords in plain text and allows using cryptographic keys rather than passwords; in fact, on OpenSSH you can configure the server to deny password authentication completely; and the entire connection is encrypted, of course).
They have some issues with SSL certificate, though.
https://trac.cyberduck.io/ticket/2778
Juggling multiple windows is really annoying. The entire UI is awful besides that also.
Just don't use them.
Base64 at least provides some protection against somebody looking at it with their eyes and memorizing them, which is perhaps a more likely scenario - family members, kids, etc.
WinSCP is a decent alternative. As is Swish:
http://www.swish-sftp.org/ https://github.com/alamaison/swish
I don't particularly like the built in FTP command line utility (even with scripts). But it has existed a very long time indeed.
The only packages I have installed are "Media Features" ".Net Framework 3.5.1" "Print and Document Services" "Windows Gadget Platform" "Windows Search" and XPS Services/Viewer. All of which are default features.
Which package are you even suggesting contains the ftp.exe client? Because I don't even see one. Also why would anyone go to the trouble of putting a 47 Kb binary inside of a feature package? It makes absolutely no sense at all.
Granted, I haven’t used Windows in 4 years, but I remember fighting with getting ftp on Windows without admin.
As the person said above, ftp.exe has been in Windows since the MS Dos days, and is a core utility. I've never seen it not been available on any version in any situation.
Now an FTP server definitely needs to be installed. Always has. But we're talking about the ftp.exe client.
It does not support passive mode No queue No SFTP No FXP
An alternative to sourceforge implies not using sourceforge but swish does.
https://cyberduck.io
It hangs on start, randomly doesn't connect, does odd things with bookmarks (they don't work sometimes, but manually entering info does)
I don't recommend cyberduck on windows to anyone, I've been looking for an alternative for a while.
if a dev is reading my machine is:
* OS: Microsoft Windows 7 Enterprise * CPU: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz (3.00 GHz) * RAM: 32691 MB Total (16885 MB Free) * VGA: NVIDIA GeForce GTX 760 * Uptime: 123.24 Hours * Version: 4.7.3
> Then after installation is complete install Malware bytes and Avira. Scan with both and restart the computer.
> Then run with ADWcleaner and and remove the infections and restart. should be good from there and enjoy FileZilla.
Do people really think this works? I mean, there's no-one on HN who thinks this works, right?
https://ninite.com/filezilla
Chocolatey nuget is similar to Linux package managers but for Windows programs
https://chocolatey.org choco install filezilla
You don't see the installer UI, but it still downloads from sourceforge because that's where the executables are stored.
http://www.fosshub.com/FileZilla.html
Good riddance, I say.
[0] hxxp://diffuse.sourceforge.net/
Now, I've only ever installed it from ninite.com[2], so I know it didn't initially have the Sourceforge trojan/adware junk. However, I've since allowed it to download its own updates instead of doing it manually through the Ninite downloader. I've never, ever seen a program I've uninstalled via the Windows Control Panel with the ability to force a shutdown or restart without first notifying me or giving me the option to postpone. I'm starting to think there's something nefarious in Filezilla itself, perhaps in one of those "direct from the developer" updates, not just the Sourceforge wrapper.
Another interesting thing is that the built in Filezilla updater will first uninstall the app before reinstalling the updated version, and it never tried to restart or shutdown the computer during those updates, only during uninstallation from the Control Panel.
[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...
[2] Ninite strips out any malware or other crap from the installer and only installs the pure program with default settings, in the background, and sources the app directly from the developer's site when possible. It's my go-to tool for essential Windows utilities.
Don't worry, it's just an "offer". They're totally not distributing malware via their installer.
Just take this test: Try to download the Filezilla and when the download page shows click on the Direct Link. Then compare the two executables, one that downloaded automatically and the one that it downloaded via the direct link. You will see that the direct download is clean but the other has the SF icon and it has a virus!
It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.
If you want clean software you must not install directly from Sourceforge.