138 comments

[ 2.9 ms ] story [ 111 ms ] thread
You'd think with all the bad press lately that they would lay a little low.
Looks like it's there since 2011-11-28.
The phrase "circling the drain" comes to mind. Last ditch attempt at pretending to be relevant by gaming the search industry.
So, this is Sourceforge mirroring a popular open source project that's hosted elsewhere in order to garner more traffic? Is that what's going on here?
Yeah. I'm okay with it because it says right there,

    Hey, this isn't a SourceForge project! Check out the 
    SourceForge Open Source Mirror Directory for more 
    information.
plus the url also clearly says ".mirror", so they're not pretending to be the authoritative page on the product. It's no more creepy than Tucows or C-Net at this point. Just a regular spam laden download site.
Except for the part where they add malware to the download. Mozilla has gone after various shady sites distributing "Firefox" with malware, and I hope they do so in this case too.
They don't add malware to the download, geez...
They have in the past. And, currently, they bundle additional, unrequested software with at least some of their downloads.
No, it wasn't malware, that's software intended to damage or disable a computer. SourceForge isn't trying to hurt anyone, please stop pretending like they are.
malware as in male, evil/bad.

You can try to draw a line between 'optional highly integrated offers that are hard to remove', 'crapware', 'bloatware' and 'malware' if you like, but .. it's really just one bucket. Bad → Malware.

It isn't though, because malware implies ill intent. There is no ill intent on the part of SourceForge. They're not trying to steal anything from you, they're not trying to lock you out of your own device, and they're not trying to exfiltrate company/personal secrets.

You dilute the meaning of the word by using it here.

Why does anybody care about intent? Intent is difficult to discern and has no effect on what actually happens as a consequence of someone's actions.

They say the road to Hell is paved with good intentions. Does that mean we should just ignore the fact that it goes to Hell?

There are plenty of reports of Sourceforge downloads, in the past, containing malware. I'm not saying they haven't removed those, or claiming - for a second - that they intentionally distributed them. Nor am I claiming first-hand evidence of such.

However, what's clear right now is that if you download an installer from Sourceforge, it could install software that is totally unrelated, that you didn't request. Yes, they might disclose that it's going to happen and give you the option not to install the unwanted software, but it's still clearly their intent that some people end up with unrequested software on their machines. That's pretty questionable behaviour in my book.

> I'm not saying they haven't removed those, or claiming - for a second - that they intentionally distributed them.

They've put out press releases explicitly admitting to such intent: that they hijacked "inactive" projects (which includes projects who intentionally left), and that they bundled "offers" (malware) with them.

And if you think there's a useful distinction between malware and what they're distributing, note that one of the bits of software they "offer" to install captures all network traffic and routes it via a third-party service without making that clear to the user.

(comment deleted)
Everything you say here is totally true.

That's not what malware is, though. The term isn't a scientific one, but the intent to harm is a pretty key component, and I am quite certain Sourceforge isn't trying to hurt its users.

Does it really bother no one else that the phrase "malware" is being thrown around antagonistically?

I get what you're saying and do agree to an extent. But you have to bare in mind that the bundles are presented in such a way to deliberately trick users into installing software they don't want installed. SF very much intentionally loads adware and other software that they know the vast majority of users wouldn't want; and very much do so in a covert way (eg having the "Install" button labelled "I agree" so users think they're signing a EULA).

So one could argue that their installer is a trojan since it's actual behaviour isn't the same as it's presented behavior. Thus even if the software they install isn't malware, their method of deployment is.

Bullshit.

You don't get to play that card.

By that logic I can run a botnet and distribute whatever I want over it and it can't be called malware as long as I say I have no ill intent and I keep myself blissfully unaware of what's being installed. NO. SF can and SHOULD be held responsible for bundling crap and malware to unsuspecting users. They don't get a pass just because you THINK there is no "ill intent". Ignorance of the law is not an excuse and neither is ignorance of the shit you are deploy. They don't get to stand back and shirk responsibility, it's on their site it's their problem, plain and simple. It doesn't matter AT ALL what there intent was it matters what they are doing and they are distributing malware. END OF STORY.

I think maybe I've touched a nerve here, and I'm sorry for that (I'm trying to do that less often on HN in particular) -- all I'm trying to say is that I don't think Sourceforce wants to hurt its users, and that, to me, a guy who works in the computer security industry, is a standard for "malware".

It just seems to me that the term "malware" is being used here intentionally to antagonize, rather than to accurately classify the software being installed by Sourceforge.

Please understand that I am casting no judgement or assessment whatsoever of what Sourceforge is doing -- personally I think they're a dying website that's trying to do whatever they can to make money and stay relevant.

It just intuitively feels wrong to classify China in the same category as Sourceforge.

There are certainly different understandings of the term 'malware', even within the technical community, let alone the wider world. The fact that a large number of people use it to describe "software that ended up on my computer that I wasn't expecting", no matter what it's doing, means that companies need to be very careful how they go about using this practice. Even if you have the very best possible intentions in the world, you're probably going to damage your reputation by bundling unrelated software, so why not just offer it as a separate download in the first place?
I get where you're coming from, and ultimately I agree that Sourceforge screwed up by doing this whole "bundling" thing, and probably because they're scrambling desperately to make money in a GitHub world.

There is, however, a meaningful difference between the kinds of things my antivirus picks up and the software Sourceforge was bundling.

Calling the Sourceforge bundles "malware" masks that difference, and I think that's harmful, and maybe a little childish.

I've seen multiple reports of people's antivirus software blocking downloads of the "installers" provided by SourceForge, or warning about the resulting downloaded executable. And rightfully so.

Scrambling to stay in business, or being under new management, is not an excuse to suddenly become user-hostile or otherwise turn to shady activities.

Similarly, many companies start throwing around litigation when they begin to fail, since that's the only way the purchasers of the various patents/etc owned by the company into money.

Finally, the only "harm" it could do to classify all such software as "malware" is to make it more difficult for vendors of software who would prefer not to be classified in the same bucket as people who maliciously break into computer systems. And I have zero sympathy for any such companies; the sooner they go out of business, and the more they're viewed as universally unacceptable, the better off both users and the computing industry will be.

You've been caught acting as a shill for SourceForge. The least you could do is admit it and slither away.
Accusations of shilling without evidence are not allowed on Hacker News. An opposite opinion is not evidence. The vast majority of the time, people just sincerely disagree with each other. I've written about this frequently [1] if anyone wants more information.

> admit it and slither away

Totally not ok. Please comment civilly and substantively or not at all. [2]

1. https://hn.algolia.com/?sort=byDate&prefix=true&page=0&dateR...

2. https://news.ycombinator.com/newsguidelines.html

He's accused people who disagree with him of being liars. That, along with his general behavior, is good enough for me.

Oh, and don't bother trying to spam my email account. I set up a filter to automatically delete any email from hn@ycombinator.com long, long ago.

Your response "Why are you lying?" elsewhere in this thread, now deleted, certainly doesn't help make your actions seem genuine.

And attempting to trick users into installing software that you know they don't want is definitely ill intent and attempting to hurt users.

Sure, some security professionals make distinctions between a variety of different subtypes of bad software, with varying definitions, including adware, malware, badware, ransomware, backdoors, viruses, trojans, and any number of other terms. But outside of the security industry, people trying to make fine-grained distinctions or introduce different terms are often malware vendors themselves, hence why you've "touched a nerve".

For instance, when Lenovo started pre-installing the Superfish malware on their systems, they persistently called it "Potentially Unwanted Programs", to obfuscate what they were actually doing.

On top of that, as the Superfish case indicates, even software that "just" serves ads tends to escalate, such as by MITMing and utterly breaking HTTPS. And any such software has the potential to introduce bugs.

We have quite enough bugs in software that does what its users want it to do, without introducing more software that nobody wants and that can only further reduce user security and privacy.

I'm trying to be a better actor on this site, I'm sorry for the "Why are you lying?" comment. I deleted it because it completely undermines my argument, you're right to call me out on it. I'm sorry. :(

I think you and I are on the same page here. My only additional point I'd like to make is that there is value in differentiating between what Sourceforge did and what will happen if you download a bad torrent from TPB, or click the wrong ad on a porn website. Lumping them all together means my grandfather goes and buys identity protection services because the Ask toolbar on IE is "malware".

If you'd started out your comments in the way you're presenting them now, I think you'd have gotten a better response. It's still a hot-button topic, not least of which because as mentioned the main people that benefit from such distinctions are the companies writing software that users don't want (e.g. Lenovo's attempt to use the term "Potentially Unwanted Programs"). However, what is HN coming to if you can't argue about nitpicky distinctions? ;)

Also, the Ask toolbar is not the only thing SF is installing; they're also installing much worse software. And sure, it's less harmful to change a user's search engine or waste a few dozen vertical pixels on a distracting toolbar than it is to turn a user's system into a botnet node, but "less harmful" is still harmful.

For the record, I also think there are some bad actors in the "identity protection" and similar security spaces; not only is it ridiculous to need software or services to protect you from other software and services, but many such services are scamming novice computer users who know enough to be afraid. And the entire consumer antivirus industry is a bit ridiculous as well, not least of which in the sheer amount of resources such software tends to take up. I much prefer the portion of the security industry that's pushing for a sandboxed-by-default, principle-of-least-privilege world.

But at the same time, adware, malware, or whatever you want to call it (including the vast majority of IE toolbars and such) are good examples of software that needs to go away and never come back. I'm not interested in shady ways to scam and "monetize" users; as has been said many times elsewhere, "your failing business model is not our problem". And the existence of even worse software doesn't excuse slightly-less-awful-but-still-awful software. The only question is how much damage such companies will do in their death throes before they finally die.

I agree with everything you've written! All I wanted to make clear was that what Sourceforge is installing on people's systems is not on the same level as Duqu, for example.

I get what you're saying regarding "if we just call it all malware, people will get upset when companies install it", but I see that as a dishonesty to the public. In the computer security industry, it's very tempting to sell fear -- it's immensely effective as a sales pitch, but it's not honest. We can do better, I think.

They bundled user hostile software:

https://sourceforge.net/blog/advertising-bundling-community-...

Therefore, we evaluated a few Installer Partners to help us address end-users’ complaints related to one or more of the following reasons:

a) opaque installation flows providing little or no choice about secondary offering installations;

b) undocumented and difficult to uninstall procedures for those secondary offerings;

c) secondary offerings that are not always safe, trusted and secure applications.

We addressed points a) to c), and our approach was highly appreciated by eminent members of different open source communities.

Then they figured out that they had made a mistake and started bundling less user hostile software.

If they had not bundled stuff people didn't want, they would say that there instead of back peddling.

Argh, we really need to get Octave-Forge off SF. Octave itself is hosted on GNU servers, but all of the Octave-Forge add-on packages are in SF.

The thing is, there isn't really anything that easy to move to. No, no github, because we don't like git. We have a bunch of Mercurial repos. We could try moving them to bitbucket, but this also leaves the question of what to to do with our webpage hosting, which is currently on SF.

And no matter what we decide doing, it's all a bunch of work that nobody really wants to do.

At least when SF first approached us with their "revenue sharing" bullshit we refused. I think this means our downloads are clean so far.

> At least when SF first approached us with their "revenue sharing" bullshit we refused. I think this means our downloads are clean so far.

I think it means they just get to keep more money...?

I really don't see any malicious downloads here. Do you?

http://sourceforge.net/projects/octave/files/Octave%20Forge%...

I clicked one of the legitimate downloads. The link takes you to a new page and waits a few seconds before starting the download.

The most prominent element of this page, centered just below the header, is a large bright green "Start Download" button. That button is part of an advertisement, but is blatantly designed to get the majority of its clicks from users who intended to download software from the project hosted on SF. I see it as a malicious download.

I realize you may have been referring specifically to the recent SF malware bundling, but I want to stress that this ad came up for me on my first try clicking one of those links. Ad's like that have been regular on SF for years; it's impossible to believe that they have made it a priority to prevent them. The opposite seems more likely: the page design minimizes the legitimate controls and emphasizes the scam link.

Even if I know the installer is free of opt out malware I would hesitate to send a SF link to a friend or family member. The clearest call to action they are likely to see is a malicious download impersonating the software they want.

> it's all a bunch of work that nobody really wants to do

A lot of people don't want to do things they have to do. It's a question of if you're going to wait for SF to hyjack your downloads or move preemptivly.

Also, apperently bitbucket will host static pages, I don't know if that works for you.

> No, no github, because we don't like git. We have a bunch of Mercurial repos.

Any particular reason?

> We could try moving them to bitbucket, but this also leaves the question of what to to do with our webpage hosting, which is currently on SF.

You could move your repositories to bitbucket but mirror the single repository for your webpage content to GitHub to use their hosting. (And if that repository is currently Mercurial, see git-cinnabar by Mike Hommey: https://github.com/glandium/git-cinnabar/ )

Or, it looks like bitbucket may have a similar feature: http://pages.bitbucket.org/

> Any particular reason?

Lots of reasons. I'd rather not go into an argument about it. It's not something that can be fixed: git is a no-go for us.

> but mirror the single repository for your webpage content to GitHub to use their hosting.

I'd rather break free, not change masters.

> I'd rather break free, not change masters.

Unless you have the volunteer army necessary to run the hosting yourself, you're going to be changing to a new master anyway. You just need to make sure it's a master you can leave at any moment.

So get a domain name and point it at GitHub Pages, and deal with git for the timebeing. At any point (either if GitHub goes bad, or someone's enthusiastic about setting up something else), you can repoint that domain name to another host, far more easily than you can change octave.sf.net to point somewhere else.

I agree that switching to octave.github.io would not actually help anything other than the immediate problem.

Well, we do have those volunteers/employees on the GNU servers. We also can pay for our own hosting. We'll probably go one of those routes.
> Unless you have the volunteer army necessary to run the hosting yourself

You don't need an army (depending on the solution). But setting up gitlab/rhodecode/indefero/srchub/Gitolite/custom scripts for a single project is kind of overkill. I've used rhodecode and whenever they released an update it would take me hours to update it. I've never been happier to fork indefero and get off of google code.

GitLab CEO here, thanks for mentioning us. We care deeply about making updating fast. Our Omnibus packages should install in 2 minutes and we recently introduced a package server to make updates just as snappy.
RhodeCode CTO, thanks for mentioning us. With our new cross-platform installer, it takes just few minutes to update running instances, and it's actually a one-liner to run the upgrade. Thanks for providing feedback !
I'm actually curious -- I understand that you have tech debt that prevents you from moving to Git, and I'm not here to tell you your concerns are irrelevant. At what point do the compromises that tech debt forces you into hamper the visibility of the project?

This seems to be a continuous problem in the open source community. As tools, maintainers, and support platforms age, how do you deal with the tech debt of keeping them supported? It's an easier calculation for a business; I'm just curious how various open source projects make these kinds of choices absent a corporate benefactor that sets direction.

> Lots of reasons. I'd rather not go into an argument about it. It's not something that can be fixed: git is a no-go for us.

I'm not interested in getting into an argument, but I'm genuinely curious what reasons remain for people preferring mercurial. At the moment, apart from "got used to the UI", the main one I know of is more "native" Windows support (without needing a Cygwin-like environment to work in). I don't know if that's an issue for your project.

> I'd rather break free, not change masters.

Fair enough. In terms of repository hosting, moving to Savannah seems like the obvious choice there then. And assuming you have people available to do the work, you could always move to gnu.org or nongnu.org, depending on your tastes and the nature of the software your directory links to.

Can't speak for anyone else but I use Mercurial because it's fast, user friendly and easy to extend with your own plugins.
> I'm genuinely curious what reasons remain for people preferring mercurial

Top-level answers here:

https://news.ycombinator.com/item?id=9467096

> moving to Savannah seems like the obvious choice there then.

The only issue is that Savannah is static hosting. We have a bit of PHP that generates one page. We might be able to replace that with Jekyll, though.

> The only issue is that Savannah is static hosting. We have a bit of PHP that generates one page. We might be able to replace that with Jekyll, though.

Does it do so from dynamic server-side data, or could you run it on each new commit and serve the result as a static page?

Yeah, we can probably do some sort of commit hook. It's not an impossible problem, just annoying.
So host your own Mercurial and HTTP servers?

Because that's about the only way to genuinely "break free".

Can you use Alioth? If you have a few Debian developers involved, it should be straightforward to set up a project and get accounts for everyone else, and it's very much like SourceForge.

https://lists.debian.org/debian-devel-announce/2003/03/msg00...

"We'll approve ... free software/documentation where a Debian developer is heavily involved (part of the core team for example). The project request should ideally be done by a Debian developer."

Alternatively, can you get your webpage hosting onto gnu.org?

We actually have quite of a good rapport with our Debian packagers... so perhaps moving to Alioth could be a possibility, even though Octave itself is not a Debian package per se.

As for GNU, the problem is that we only have static sites there. It's not a huge problem, but it might be a good solution.

Look, just suck it up. git has won. The sooner you get to grip with this the easier your life will be. There are honourable and good fights and then there are stupid. Don't cling to hg like a retard to a lolly. Let it go.
Well, that's a good way to entrench the non-git position.
Mercurial works well with github, as it can communicate with git servers. I've used github in the past with several Mercurial projects without issue.

So you can move to github and keep hg.

Have you looked into hosting from universities? I recently read about plans to move Pure Data (flow-based audio programming environment) to Oregon State University's Open Source Labs. Maybe they would be open to hosting Octave-Forge.

http://osuosl.org/services/hosting

(comment deleted)
Why am I not surprised that the owner of Sourceforge, DHI Group Inc., is a recruitment firm...
uBlock Origin appears to protect browser navigation to all sourceforge.net links now.
"Millions of people use SourceForge every day to search for Open Source software"
On the linked page:

>Hey, this isn't a SourceForge project! Check out the SourceForge Open Source Mirror Directory for more information.

which links to: http://sourceforge.net/mirror/

>The Open Source Mirror Directory is an extension to our existing software directory, where we'll be mirroring projects that are not hosted on SourceForge, and SourceForge projects that have been abandoned.

Exactly this, and it is why I think they really are trying to be download.com. By 'mirroring' anything and everything and some SEO magic (they have a lot of residual link authority with the big G) they get themselves to the top of the list of links where to get package <x>.

Perhaps its time for Google to "adjust" their host rank?

Especially when chrome considers sf downloads as hazardous.
Interesting how they don't mention anything about the bloatware in that "SourceForge Open Source Mirror Directory" page.
It's bad in this case because the original was some random user's collection of modified Firefox for personal use. Mozilla have never used sourceforge to distribute Firefox. But they (or their auto tools) saw the name and activity and they mirrored the account and then linked it to the wrong content - not to the original modified firefox for personal use, but to official firefox.
Are they including any "offers" with the installer?
(comment deleted)
"229 downloads this week." "Last updated 2/6/2015"

Now, if you click the 'read more' link, you'll find that the Firefox download available on sourceforge was actually last updated 10th June 2014. 53 weeks ago. 10 major version numbers ago.

:(

Are you sure? It says version 38.0.5, which is the same as what I'm running right now.
I think there's a difference between "latest version" and "latest release". If an admin forgets to update the release pointer, I guess it's possible for that to get stale. Regardless, SF should absolutely not hijack any projects, let alone ones that have pushed new binaries in the last few months (even if they're not releases).
I see 8.0.1 and get to download that.
Firefox 8.0.1?
Yes, it's offering Firefox 8.0.1 to me also. Maybe that's the latest version they've "mirrored" for Linux?
I have a project on SourceForge that I haven't touched in 2-3 years. Its SourceForge listing says it was updated within the past month. Weird. The files have not been changed.
I have this weird feeling that there has been some bad force working up against Firefox ever since they declared their all out war against user tracking (was anti ad-bearers).

I could be wrong but there are signs and absurd behavior like umpteen number of resignations at the top, Firefox Apps been published with strange love from private players like telefonica/others etc.

Isn't there a smell somewhere here?

Nothing as interesting as that. Mozilla has had a "let's try and be friends" approach with the ad industry for a few years (see 3rd party cookies) but the recent introductions like pocket and Hello are simply features some group in management decided were needed. The open governance approach means our source of income (various search referrals) is all we'd need to stay afloat for quite a while. Having said that it's a smart play to get into the mobile OS game and continue on the browser-as-a-platform path.

The moment anyone decides to add bundleware to the official release would be a golden age for tech recruiters since most of the engineering staff would be already packed.

Source: Mozillian

sudo cat "127.0.0.1 sourceforge.net" >> /etc/hosts
I don't think this will do what you think it will do. First, you'd want to echo, not cat, and second, the sudo won't affect the redirection, which is done by the shell.
I use "tee" for these scenarios.

echo "127.0.0.1 sourceforge.net" |sudo tee -a /etc/hosts

Slightly unrelated, I clicked the link and saw this: http://i.imgur.com/OpbdFfs.png

Apparently this is done by the uBlock Origin's own "uBlock Filters"[1][2] with this reason:

    # http://libregraphicsworld.org/blog/entry/anatomy-of-sourceforge-gimp-controversy
    # https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/
    # Using `other` will cause the whole site to be blocked through strict blocking,
    # yet the site will render properly if a user still decide to go ahead.
    ||sourceforge.net^$other
I'm a little bit unsure whether this is a good thing or not. But personally, given SourceForge's recent behavior, I'm kinda happy that uBlock Origin did this (as SourceForge have clearly stepped into the ranks of malware-spreading sites).

[1]: https://github.com/gorhill/uBlock/blob/ed130afc6f3a70e2c2a68...

[2]: https://github.com/gorhill/uBlock/commit/c4e82357efaf18bac3f...

I was a little annoyed at ubo when I read the earlier article about it doing exactly this.

But this action made me install ubo. Two minutes ago.

Yup, I was looking at an open source recommendation engine and went to read their wiki when I discovered it was all hosted on sourceforge. Nope. I'll write my own, thank you very much!
Did you happen to turn on strict blocking behavior? I'm using ubo in Firefox with strict blocking off, and I'm not having any issues.

EDIT: Just tested strict blocking on my install and nothing prevents the link from displaying. I wonder what is different in my version.

I don't think so. I'm using the default settings. The filter come from the default uBlock filters‎ (the very recently-updated one, as it was added yesterday.)
I went into the extension's settings and forced a filter update. That did it. It's such a recent addition, that it probably hasn't had time to auto update itself yet. I actually just installed it too, which means that it is _not_ using the latest filters on a first install.
Deciding to completely censor (edit: in practice, since few users are likely to dare/bother to skip warnings) legitimate (although unethical) websites seems sketchy. What happens when the uBlock maintainers decide that Facebook/Google/etc goes too far with their ethics - will they block that?
What? You have complete control over which lists of filters to use.
My understanding is that this is the default though? How many people stray from the default.
uBlock has a lot of external lists as default. I don't think uBlock team maintains the lists, and it just makes sense to include lists created by others. If you made such extension how would you be sure the lists included by default works as intended if you are not going to maintain the lists?

I have today installed uBlock and it didn't block the whole page by default.

(comment deleted)
> completely censor

Hyperbole.

This merely acts as a warning. Notice the buttons at the bottom to disable the blocking temporarily or permanently.

Sure, and a number of anti-viruses allow you to ignore their warnings, but I'd bet the majority of users will trust their software to not steer them wrong
I don't use an ad blocker to be warned about unethical websites, I use it to block ads.
Then perhaps you should try a different ad blocker.
uBlock doesn't call itself an ad blocker, but a blocker. Also, checking the default block lists and/or removing some is the first thing I do after installing a new one. If that sounds like to much work, stick with the defaults and click the humongous "disable blocking permanently" button. Not sure what all the fuss is about.
Interesting, I normally use hosts files to block ads and tracking scripts but this ability to bypass on an as-needed basis makes this (if the CPU/memory usage is not an issue) look much better. When I get some time I'm going to have to try out uBlock. Thanks for letting me know this exists.
I love it. If I installed an uBlock on, say, my grandparent's computer to try to prevent them from getting malware, I would be happy with it blocking SourceForge.
I ran into that a few days ago and I was mildly annoyed. I didn't install uBlock to protect me from malware, I installed it to remove ads on pages that abuse my eyeballs with them. This just makes me wonder what else they'll do that goes outside the original scope of the software.

Disabling it was easy enough so I'm not too mad about it, but I still don't like it.

also unrelated, but I just installed ublock origin and tried http://dictionary.reference.com/ and it doesn't display correctly ... maybe I'll switch back to adblock-plus
Using the same filter lists in uBlock and ABP will results in the same blocking behavior: It's all in the filter lists.
uBlock Origin blocked this link for me. So thanks, uBlock.
Was it just hijacked, or are we only now noticing? Also, is it a strict binary mirror, or have they started to bundle it with crapware?

Considering the incidents involving Sourceforge in the last few weeks, I would be rather surprised if they just did this, considering how hilariously tone-deaf it would look.

They also seem to have ownership over the openvz, MySQL, and PostgreSQL projects, too.[1] (You have to click "Show More +" to see the full list.)

[1] - http://sourceforge.net/u/sf-editor/profile/

see also http://sourceforge.net/u/sf-editor1/profile/ this SF profile took over like a hundred high profile open source projects on SF (incl. Apache HTTP Server, Apache Hadoop, OpenOffice, Audacity, Google Closure Compiler, Epiphany, Evolution, Fedora, Fritzing, Gimp, HeidiSQL, Joomla, Lua for Windows, MySQL, PostgreSQL, VLC media player, VirtualBox, ... and many more)

Just yesterday VLC was on HN about moving away from SF "The story between VLC and Sourceforge": https://news.ycombinator.com/item?id=9714250

The mirrors (HEAnet & co) should refuse to add any new binaries from Sourceforge and we need a community driven website that coordinates open source download binary mirrors (based on what SF uses at the moment), and Archive.org/ArchiveTeam/etc should backup all SVN/CVS/etc repositories on Sorceforge, and Google then should remove them from their index or flag them as adware/scam.

Wow, this is a lot worse than I initially thought.
> Description > The first thing you’ll notice in Firefox is

all the malware we try and install without you noticing

It is quite sad to see this happen to Sourceforge. IIRC Sourceforge was bought for $20M or so. I wonder how GitHub plans to repay the $100M (+ interest) VC 'loan' and generate profit without 'whoring out' to google/other advertisers.
Its a test bed for their SaaS & Enterprise product lines.
I never paid SF a dime but I pay Github every month. I imagine that factors in heavily...
GitHub can always monetise the same way Stack Overflow does with ADs for their free users. An unintrusive AD you get if you're a free user wouldn't be too terrible or disturbing.

Another channel would be donations for hosting FOSS projects or something like that.

Very hard question indeed.

Well, but Stack Overflow itself is not profitable (AFAIK they have not repaid the $70M). Also, look at the scummy things that Q&A sites like Quora end up doing after they find it difficult to stay afloat. Certainly, I trust Jeff & Joel to be much more ethical, but the new owners might not be.
> Also, look at the scummy things that Q&A sites like Quora end up doing after they find it difficult to stay afloat.

Kind of what? I'm genuinely not aware of this. People seem to be hating Quora but I've never received a concrete answer; their having to select 'preference' at the beginning annoys the hell out of me, though.

Sure, not everyone dislikes quora. I know many people that like it quite a bit.

Forced sign-in for one. They used to show different versions of the the Q&A to crawlers vs people who click the search result. And then blur the answer. Also they didn't have an option to delete an account. You need to email them about that.

Some previous discussion

https://news.ycombinator.com/item?id=4377181

https://news.ycombinator.com/item?id=4332978

https://news.ycombinator.com/item?id=8379973

https://news.ycombinator.com/item?id=3812092

I know it's a late reply, but I wanted to thank you for the links. They are... eye-opening, to say the least.
GitHub has paid plans for private repositories and it can add up to a fair bit of MRR for enterprise organizations. https://github.com/pricing

They also make money off of their job board ($450 a listing) and could probably monetize a lot more here without angering too many users. https://jobs.github.com/

Yes, Hopefully it will add up to $100M+. Atleast one company must survive!
GitHub has paid plans in order for orgs to have private repos. Is that not enough?
Well, they have "a way" of charging users. Sourceforge had similar plans 11 years ago. Charge a premium for some extra project features. I guess a plan is something more detailed in my head. But sure, I'll cheer for their success.
(comment deleted)
FYI, to any/all people saying "They aren't bundling malware with this" you are forgetting a VERY important word: YET.

Their past indicates they will and what they have done so far fits the pattern nearly perfectly. I'd put money down that malware will be in this by the end of the year if not sooner.

And, really, how do we know they are not? Unless we're checking the hash of the download with that provided on Firefox's on website, who even knows what we are installing?

From a company with a history of stuffing adware down our throats.

Edit:

  % md5 firefox-*
  MD5 (firefox-genuine.dmg) = 71c3d44cd5a612489a70e0f2ef825ba9
  MD5 (firefox-sourceforge.dmg) = 71c3d44cd5a612489a70e0f2ef825ba9
So they are the same binary. All we need to do is create a Chrome extension that downloads the binary from both places and checks the hash then tells you if it's safe to download the SF one. Simple!

Note that it took 8 times as long to download the binary from Sourceforge compared to Firefox's own site.

A notable difference here (as opposed to other open source projects that have received the same treatment on SourceForge) is that Mozilla owns the "Firefox" trademark, and has specific policies governing its use and the distribution of software that uses its name or branding:

https://www.mozilla.org/en-US/foundation/trademarks/policy/

It specifically precludes distributing modified versions of the software or installer and still calling it "Firefox" (with which they seem to be complying for the moment), and also specifies the manner in which the name and branding are to be used in website copy, like putting a "TM" symbol after the first mention (with which SF seems not to be complying at the moment). In other words: Mozilla has power here and could force them to take it down if they wanted. And they should, in my view, if for no other reason than because SF have been jerks about this whole thing and this is finally a situation where someone can actually do something about it.

http://slashdotmedia.com/terms-of-use/

"By sending or transmitting to us Content, or by posting such Content to any area of the Sites, you grant us and our designees a worldwide, non-exclusive, sub-licensable (through multiple tiers), assignable, royalty-free, perpetual, irrevocable right to link to, reproduce, distribute (through multiple tiers), adapt, create derivative works of, publicly perform, publicly display, digitally perform or otherwise use such Content in any media now known or hereafter developed. You hereby grant the Company permission to display your logo, trademarks and company name on the Sites and in press and other public releases or filings. Further, by submitting Content to the Company, you acknowledge that you have the authority to grant such rights to the Company. PLEASE NOTE THAT YOU RETAIN OWNERSHIP OF ANY COPYRIGHTS, TRADEMARKS AND SERVICE MARKS IN ANY CONTENT YOU SUBMIT."

Mozilla didn't submit it. SF took it upon themselves to republish Mozilla's content and marks. Mozilla isn't bound by these terms, and SF is bound by whatever terms Mozilla attaches to the use of its marks, since it owns them.
>Mozilla didn't submit it.

I admit I missed that.