Tragic, but I see no reason to shed any tears. Sites come and go, and when they change hands the new operators are often sleazy. Today we have Github. If they end up doing the same thing, there will be a new VCS site. Nerds won't tolerate crapware.
I remember when they were bought by VA (I think?), the same time as Slashdot changed hands I think.
I remember signing up for an account years ago and having to use Putty and SSH keys to upload data which was revolutionary to FTP-aware me.
There was an awful lot of software on there (who remembers visiting freshmeat.net to look for daily updates or search for software too????) but I think it would be sad to not realise how great it was that they offered free hosting and tools. They used to have a compile-farm that you could use to build software on different platforms and architectures but this got retired a long time ago.
For the free tools you got, it wasn't bad! I think "nerds" are quick to forget that. It was FREE
SourceForge wasn't bought by VA, it was started as a skunkworks projects by 4 developers inside of VA. Once the site started to get traction is when the corporate overlords started taking notice and forcing the horrible Ads, and now crapware onto the site.
TBF, the way I see it they only did the hosting and making the money; I don't remember them actively supporting open source or the ideals behind it, or being open source developers themselves and contributing, or making their own software open source. Having a revenue model that involves making your users guess which DOWNLOAD button will actually download the application is not the open source spirit.
The code running the site was original open source but they closed it a long time ago. Probably as part of one of the many buy outs over its history. GForge came from it.
AFAIK their website was originally open source, with GForge, FusionForge, and GNU's Savannah based on it. Then they had a longer stint staying closed, but they opened back up a couple of years ago, and their current software, Allura, is open source again, though (slightly ironically) now as part of Apache.
The guess the download crap appeared in the past 8-10 years. Before that the site was fairly trustworthy even though there was always ads and the like.
I was shocked the other day when I went to grab FileZilla from SF, and my virus scanner tagged it for malware. I hadn't realized it had fallen so far as to bundle crapware. SF used to be my goto site for looking for weird open source stuff. Now I guess I will have to finally take SF off my list goto sites.
You either die a hero or live long enough to become the villain.
I guess this is what happens when people aren't willing to pay for software, there are plenty of really good ftp clients out there for not very much money.
Well, Steam seems to be growing pretty nicely... Also, for most users a good Browser is all they need. Which is why I love Chromebooks as an option for most people.
This doesn't detract from your point, but... there are plenty of games for Linux nowadays. It cannot compete with Windows, of course, but thanks to Steam, the Humble Bundle, etc., we can now enjoy a multitude of videogames, including AAA titles. And plenty of indies, of course.
There are! It's exciting to see so many games coming to Linux. I don't generally play games in my spare time, but I am glad the state of the art is beginning to make its way to this side.
The thing is open source programs often build their success on the fact they are free, get a lot users quickly, feedback and discussions on their forums on how to improve it, free translations from users, sometime patches, etc. Then when they suddenly exploit all this by adding ads, people are understandably upset.
It's just a fact of life that open source software won't make you rich. Either they are ok with it, or they create a commercial product from the start. But adding crapware afterwards is not a proper solution.
I disagree, paying customers wouldn't put up with a malware infested version of FileZilla, this stuff only really exists at the "free" end of the market.
This is empirically false. Video games have shipped with highly-intrusive rootkits and malware disguised as DRM for years, and it tends to be worse on the higher-end products, vs the shovelware/free-to-play/open-source.
You can find a few counter examples but they never last because the commercial pressure is too high, the obvious example is Sony, are they still deploying rootkits? Lenovo is another example that has started cleaning up its act.
Would these companies change if their only source of funds was the malware? I don't think so.
Not really, It's just that it's obvious at the free end of the market.
Proprietary software can do whatever it feels like on your computer and you would be hard pressed to know until it was too late.
A few large companies have been implicated in root-kits / backdoors / random horrible deliberate security practices. These are probably just as destructive as replacing your browser search bar or installing some fake AV software.
Free isn't the problem. Bundling crap-ware with otherwise audit-able open source software is the problem.
FileZilla has other issues as well: for example, for the longest time they refused to encrypt stored passwords, although the bug's been reopened now so they may change their mind: http://trac.filezilla-project.org/ticket/5530
This isn't "wow", it's true. The plaintext password is required to login to servers, so if you store it locally in an encrypted form then the decryption key must also be stored locally. If an attacker was able to get your encrypted password then the attacker is just as easily able to get your encryption key.
For the same reason, Pidgin and many other IM programs also do not encrypt the password.
The windows crypto APIs can encrypt secrets secured by the windows account. This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it, as well as protect against offline reading of the files.
It doesn't stop every attack, but it's not useless.
>This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it
Outside of enterprise environments, most windows installations are single user. Even if it's a multi-user system, the data would already be protected by NTFS permissions if it was stored in the user's profile folder.
>as well as protect against offline reading of the files
They may be operating under Pidgin's logic whereby if they can decrypt the password without user intervention, then all the information needed by a malicious user to decrypt the password is already on the system to be grabbed.
Still should go with the browser/password manager approach of using a master password to decrypt the password database.
SourceForge offers developers to add crapware to their installer in exchange for a revenue. This is completely optional and I suppose most dev don't do it (I distribute some semi-popular installer on SF and they've never forced me to include adwares).
The FileZilla developers have never been very vocal about this so most of their comments is a generic "Nothing unwanted is being installed without your consent", but they are the ones who have accepted to add the adware. And even though they also have clean installers, they put the ad-enabled link first.
If I were a project manager who run a sourceforge account the last thing I would do now is abandon it.
Why? Because SF have proven if I were to do so they'd take my work under my name and bundle their crap into it. The only way to stop that is to keep it active.
That feeling of being trapped into a terrible system because it'll screw over people even worse if you leave.
GIMP-win owner actually did upload new binaries to SF account. There hasn't been a GIMP release for a while, but the SF repo was never abandoned. SF is blatantly lying about this. So no, not abandoning the account won't save you.
> they'd take my work under my name and bundle their crap into it.
Oh, is that a thing? I was surprised when the Lobo project's admin rights were handed over to some relatively unknown developer. I had a long and confusing discussion with the new project admin here: https://github.com/UprootLabs/gngr/issues/87#issuecomment-86...
I've found that Sourceforge is still the only place you can get a lot of good-but-unmaintained software. I was there just the other week for the Saxon project[1], and it was painful to see how low SF have sunk.
I wonder if it would be possible (and legal) for somebody who isn't the project owner to copy some of these unmaintained projects into another system?
Saxon has a free version and an "enterprise" version, and the developer also operates a consulting business around it, so it's not a likely candidate for an Apache project.
The project is licensed under the MPL 2.0 (and 1.0) which states:
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license ... to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work;
So the answer (at least for Saxon) is yes! Just make sure you conform to the licence requirements and you're good to go.
I recently needed SourceForge to get ahold of a usbtb binary, an alternative USB printer driver for OS X part of GutenPrint. Despite being unchanged for 7 years, it still works on Yosemite.
To be honest I can't say I have any good memory of Sourceforge. It used to a heavy website with a confusing UI, and never really got better over the years. When Google Code started, I was glad I could move to it, and then GitHub.
Yeah. I started getting involved with OSS in the mid-00s. I suspect SourceForge's heyday was before that. So SF has always been a slightly shady repository of software in my view, though the adware bundling is a new low.
Yeah, they always had a horribly confusing UI that made it non-obvious how to get to a project's homepage, even -- the thing that should be front and centre! However, I did enjoy playing around with their compile farm when they had that. Think it only lasted a couple of years, though.
Yeah I don't get this "SourceForge, once a trustworthy source code hosting site" -- that is simply untrue. Maybe for the 1st year or two after its launch, but it has been subject to all sorts of crappy management since at least 1999/2000. I used to have projects there, and contribute to projects there (argh memories of terrible CVS) and it was always slow, always had a terrible UI, and very early in its history became submerged in bad ads and out-links to bad content.
That you misremember it or are too young to know better doesn't mean that it "is simply untrue". It's not, it was valuable for many years. It's your revisionist history that is simply untrue.
It's not revisionist, I'm 40 years old and have been consuming and participating in OSS since before SF existed. It was painful to use, even in the context of the times. Granted, there wasn't really any alternatives in the first few years of its existence.
Agreed. I remember Sourceforge when it was just getting started and it always had a terrible interface and bad usability. I remember always being annoyed when I was forced to download something through them.
On a side note, looking now at their Wikipedia page, I'm shocked to see that they only started in 1999. I would have place them a year or two earlier in '97 or '98. Anyone else feel this way?
Can Archive.org/etc backup all the open source projects from Sourceforge.org and Google Code? It would be a big loss if the unmaintained but often still very useful source code get lost forever.
I still land on SF now and then, to download sources that are hosted there. But that only happens because another site's “Download” button sent me there. In the beginning I was very impressed with SF. But as others have said, the UI is rather confusing and those ads they've been showing would devalue any site they run on to “lower-tier crap you need rubber gloves for”. A sad development.
If you're downloading open source software on Windows, friendly reminder to get it via Chocolatey rather than ever clicking on a download button. Chocolatey has reviewed, silent, direct, crapware free downloads of just about anything you'd want.
Not too sure you can rely on Chocolatey to be direct..? Last time I installed WinDirStat using Chocolatey it got the install file from Sourceforge (over an unencrypted HTTP connection)
It links to official installers which are sometimes on SourceForge, but uses installer switches to set options to deselect crapware, do silent install, etc.
What a complete wasted effort it has become. It could have been so much more. Plus it scared Steam so much that we now have Steam OS and have over 1200 Linux games now available.
Correct. It can (will be able to) talk to npm, pip, RubyGems, cpan, the full gamut of package providers. Connecting to things like Windows Update, Microsoft Dev Center, etc. are also possible to implement.
I used Ninite for years and recommend it to non-techy friends. As a dev, I prefer Chocolatey since it offers a lot more dev-focused packages, meta-packages, can be scripted, works with BoxStarter, etc.
Reviewed by whom? This and ninite are MITM software providers just like SourceForge. Even if they're safe now, you can't be sure they won't installing crapware in the future.
I've always installed putty through the mainstream installer. Chocolatey put some binaries somewhere deep in the FS and hardlinked these in the start menu, no full integration.
I tried to make a package for a simple binary last year (I believe it was premake4 or something). It was annoying to use, and other software I installed with it didn't have an uninstall option.
Package managers make me happy (love Homebrew on OSX), but I don't see a point if I can't also uninstall. I rarely install things from sources that need vetting.
They haven't injected their own installer on downloads so for the time being I leave it there because I'm too lazy to move it off.
A while back I did move the main project page to its own domain, so I'm only really using Sourceforge for downloads and source control (although the project is stable and hasn't had commits for a long time so not even that really).
For a second there, I thought this was an official GitHub page and thought "Wow, those GitHub guys really have balls to attack SF that directly". But then I realized it is "helb" and not "help" in the URL.
I think that was part of the reason to switch from github.com to github.io a while back. Their .io is user content and can be downgraded by Google independently from github.com.
Perhaps, but using a separate hostname github.io vs github.com is also a security mechanism. Project owners can supply rich content (read: HTML + JavaScript) on these .io pages. If these pages were on GitHub.com or subdomains of GitHub.com, this user supplied content can interact with and hijack the github.com cookies like session ids.
Yes, GitHub can use the domain attribute on a cookie to prevent this, but then you have designed a system that will fail open if you mess up. (i.e. potentially malicious user content would always be able to access a cookie, unless GitHub does something).
Better to just stick it on a separate domain entirely, and this is a commonly used practice. For example, Google does this with their googleusercontent.com domain
Author here. Sorry about that confusion, i probably should host it elsewhere… Help/helb is not intentional, it's just my nickname since 2nd grade or so.
Well, to be honest, this is exactly where Sourceforge has been headed for years and years. You could look at its behavior years ago and say "Yeah, follow this out on a line" and see this exact situation in the crystal ball. Sourceforge has been scummy (and getting scummier) for years and years.
I remember actually keeping a couple of service accounts on services that served as mirrors for SF for years just because they backed the service (early on, before a lot of the sleazy stuff started).
Unfortunately, short of registering a trademark with the PTO, it'd be difficult to get a lot of this crapware removed from SF.
I agree that this would be the best recourse if we could manage to muster some sort of coordinated exodus of mirrors. Mirror providers have at least some sort of power over SF due the service they are providing, something that project authors do not have. Many of the mirrors I think are academic and I don't think they too happy about SF being such leech that they are.
As Github.com lacks afaik a binary hosting / download feature and Google Code closed its service (no new projects) - it would be great if all the Sourceforge mirrors (heanet, etc.) would be coordinated from an open source community instead of coordinated by Sourceforge.org. There is definitely a need for a binary hosting and mailing list website for open source projects, to fill the hole that Sourceforge may leave behind.
I remember the "BerliOS" from a Germany's Fraunhofer institute that was a kind of clone of Sourceforge, a open source project hosting service. It was closed in 2013 and some valuable code and binaries are lost forever.
Github does have a pretty good binary hosting / download feature, it's called Releases. There's even an API to automate it. It's not very widely used, perhaps because it only rolled out it 2013.
As for mailing lists, I guess their excuse is that they already provide possibilities for discussion in the issue tracker (which can be also interacted with entirely by mail). This is appropriate as a forum for developers - but not a forum for users, which would be out of Github's scope, IMO.
Collab ended up with the business version, SourceForge Enterprise Edition (SFEE), which was a Java rewrite of sourceforge.net shipped as installed software.
Guilt by association? Perhaps SF is not the true source of badness/malware but instead they tend to host the projects most likely to include such malware.
If they also added a Mercurial bridge, that would be the final nail in SF's coffin.
It's sad that with Google Code going away, a lot of projects that chose Google Code for Mercurial are being pushed to switch to git (e.g. vim) because Google is pushing so hard for projects to be migrated to GitHub,
Sourceforge is essentially a gigantic set of Google doorway pages which MITM downloads initiated by unsuspecting (largely non-technical) Internet users of popular free-as-in-beer projects. They're open about doing this. https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked...
These "mirror" (MITM) pages outrank the authoritative sites for many projects because Sourceforge has been around for 10+ years and has superior trust/backlink profiles compared to the newer author-blessed sites which presently host the software. Gimp is actually fortunate in this regard -- gimp.org is stickied to the top spot when searching [gimp] and Sourceforge floats around #8 or so.
Sourceforge should get hit with Google's standard penalty, which is "we smite your rankings with the hammer of an avenging god." Minimally, Google should at least tighten up their enforcement of AdWords policies. Their "installers" are per-se violations of the Unwanted Software Policy (http://www.google.com/about/company/unwanted-software-policy...).
Wikipedia says SourceForge launched November of 1999. I remember as early as 2003 thinking it was sleazy how it tried to trick you into downloading adware with their big "Download Now!" ads. So maybe not literally "always", but certainly the majority of time.
Author here. Thanks for your pull requests, I added some of the suggested services. Maybe some comparison table (like the one at Wikipedia) would be better than a simple list.
About that help/helb confusion mentioned here – sorry about that, it's not intentional, it's just my nickname since 2nd grade or so.
I like how you don't have an option to shut down your project to help clear those links from Google. Either you keep it up to date or SF will "step in" and do it for you.
That's the whole point of open source. If a developer abandons a project, someone else can pick it up and keep it going. And if you disagree with some of the developer's choices, you can fork the project and make your own version. Sourceforge is a great example of how someone evil can take advantage of the features of open source to do bad things.
I'd amend that to "someone evil who's built up a 'good' reputation for long enough that they dominate search rankings...." I don't know that what sourceforge is doing is a unique situation, but it's AFAIK not a common one. It's not going to have the same effect if I start bundling open source installers with malware and hosting them on my own, for example.
Ah the old days when Sourceforge and Freshmeat were some of the go to places for OSS when I was learning Linux in the 90s. Occasionally I'll end up back at SF somehow and man how terrible it has become. Makes you really appreciate places like Github now a days.
This is the biggest issue for me --- project hosting is easy, mailing lists are not. Particularly, migrating people to the new list is going to be hard. I've been looking at Google Groups but it doesn't seem to support import, although it does support a nice web interface (good for people who expect forums).
gitalternatives.com is still available. By the way, thanks for including GitLab so prominently on your site. Any chance of including a column for free private repo's with unlimited collaborators? :)
158 comments
[ 3.9 ms ] story [ 267 ms ] threadI remember signing up for an account years ago and having to use Putty and SSH keys to upload data which was revolutionary to FTP-aware me. There was an awful lot of software on there (who remembers visiting freshmeat.net to look for daily updates or search for software too????) but I think it would be sad to not realise how great it was that they offered free hosting and tools. They used to have a compile-farm that you could use to build software on different platforms and architectures but this got retired a long time ago.
For the free tools you got, it wasn't bad! I think "nerds" are quick to forget that. It was FREE
You either die a hero or live long enough to become the villain.
See there: https://forum.filezilla-project.org/viewtopic.php?t=31127
"This is by design. In any case, nothing is forced upon you, all offers are entirely optional and are only being displayed during setup."
It's just a fact of life that open source software won't make you rich. Either they are ok with it, or they create a commercial product from the start. But adding crapware afterwards is not a proper solution.
Bad people do bad things. Paying or not paying has nothing to do with it.
Would these companies change if their only source of funds was the malware? I don't think so.
Proprietary software can do whatever it feels like on your computer and you would be hard pressed to know until it was too late.
A few large companies have been implicated in root-kits / backdoors / random horrible deliberate security practices. These are probably just as destructive as replacing your browser search bar or installing some fake AV software.
Free isn't the problem. Bundling crap-ware with otherwise audit-able open source software is the problem.
For the same reason, Pidgin and many other IM programs also do not encrypt the password.
It doesn't stop every attack, but it's not useless.
Outside of enterprise environments, most windows installations are single user. Even if it's a multi-user system, the data would already be protected by NTFS permissions if it was stored in the user's profile folder.
>as well as protect against offline reading of the files
no, it doesn't[1][2]
[1] http://passcape.com/windows_password_recovery_dpapi_decoder
[2] http://www.dpapick.com/
Still should go with the browser/password manager approach of using a master password to decrypt the password database.
Software that encrypts passwords without a master password are just selling you sneak-oil.
Strange, almost every comment on this page say the crapware was added by SourceForge, e.g.
> The offers are added by SourceForge, they are borderline crapware to put it nicely.
The FileZilla developers have never been very vocal about this so most of their comments is a generic "Nothing unwanted is being installed without your consent", but they are the ones who have accepted to add the adware. And even though they also have clean installers, they put the ad-enabled link first.
Why? Because SF have proven if I were to do so they'd take my work under my name and bundle their crap into it. The only way to stop that is to keep it active.
That feeling of being trapped into a terrible system because it'll screw over people even worse if you leave.
Oh, is that a thing? I was surprised when the Lobo project's admin rights were handed over to some relatively unknown developer. I had a long and confusing discussion with the new project admin here: https://github.com/UprootLabs/gngr/issues/87#issuecomment-86...
I wonder if it would be possible (and legal) for somebody who isn't the project owner to copy some of these unmaintained projects into another system?
[1] http://sourceforge.net/projects/saxon/
http://www.apache.org/#projects-list
(I remember they had a dozen Java MVC frameworks 10 years ago tho)
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license ... to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work;
So the answer (at least for Saxon) is yes! Just make sure you conform to the licence requirements and you're good to go.
The Usenet group alt.comp.freeware converted several people to the idea of open source by having links to sourceforge posted there.
It should just die.
https://web.archive.org/web/20010418143406/http://sourceforg...
On a side note, looking now at their Wikipedia page, I'm shocked to see that they only started in 1999. I would have place them a year or two earlier in '97 or '98. Anyone else feel this way?
Help if you can, it's fun! #archiveteam on EFNet.
[1]http://www.archiveteam.org/index.php?title=SourceForge
https://chocolatey.org/packages
http://imgur.com/fajFMUA
https://ninite.com/
I can't wait for the new package manager in Windows 10, though.
From what I understand, it's more of a "package manager-manager" so it manages other systems (like Chocolatey) rather than running the repos itself.
In the meantime, I'd drop $5 on Hitman Go: http://apps.microsoft.com/windows/en-us/app/hitman-go/5fa3bb...
and a donate button at the bottom of the front page. I wonder how much money that can generate though.
Pretty similar to npm.
I tried to make a package for a simple binary last year (I believe it was premake4 or something). It was annoying to use, and other software I installed with it didn't have an uninstall option.
Package managers make me happy (love Homebrew on OSX), but I don't see a point if I can't also uninstall. I rarely install things from sources that need vetting.
They haven't injected their own installer on downloads so for the time being I leave it there because I'm too lazy to move it off.
A while back I did move the main project page to its own domain, so I'm only really using Sourceforge for downloads and source control (although the project is stable and hasn't had commits for a long time so not even that really).
Yes, GitHub can use the domain attribute on a cookie to prevent this, but then you have designed a system that will fail open if you mess up. (i.e. potentially malicious user content would always be able to access a cookie, unless GitHub does something).
Better to just stick it on a separate domain entirely, and this is a commonly used practice. For example, Google does this with their googleusercontent.com domain
Unfortunately, short of registering a trademark with the PTO, it'd be difficult to get a lot of this crapware removed from SF.
These are two popular mirrors in the UK & Ireland (both academic institutions):
http://www.mirrorservice.org/ (University of Kent)
http://ftp.heanet.ie/ (Ireland’s National Education and Research Network)
I remember the "BerliOS" from a Germany's Fraunhofer institute that was a kind of clone of Sourceforge, a open source project hosting service. It was closed in 2013 and some valuable code and binaries are lost forever.
About Releases: https://github.com/blog/1547-release-your-software
An example: https://github.com/adobe/brackets/releases/
As for mailing lists, I guess their excuse is that they already provide possibilities for discussion in the issue tracker (which can be also interacted with entirely by mail). This is appropriate as a forum for developers - but not a forum for users, which would be out of Github's scope, IMO.
I'd thought Collab.net ended up with them. Need to review the history.
May be important to some legacy projects trying to get off of SF.
It's sad that with Google Code going away, a lot of projects that chose Google Code for Mercurial are being pushed to switch to git (e.g. vim) because Google is pushing so hard for projects to be migrated to GitHub,
These "mirror" (MITM) pages outrank the authoritative sites for many projects because Sourceforge has been around for 10+ years and has superior trust/backlink profiles compared to the newer author-blessed sites which presently host the software. Gimp is actually fortunate in this regard -- gimp.org is stickied to the top spot when searching [gimp] and Sourceforge floats around #8 or so.
Sourceforge should get hit with Google's standard penalty, which is "we smite your rankings with the hammer of an avenging god." Minimally, Google should at least tighten up their enforcement of AdWords policies. Their "installers" are per-se violations of the Unwanted Software Policy (http://www.google.com/about/company/unwanted-software-policy...).
How about it, resident Googlers?
https://www.google.com/safebrowsing/report_badware/
No, SourceForge was always sleazy.
About that help/helb confusion mentioned here – sorry about that, it's not intentional, it's just my nickname since 2nd grade or so.
Does anyone have any recommendations?