Sourceforge is essentially a gigantic set of Google doorway pages which MITM downloads initiated by unsuspecting (largely non-technical) Internet users of popular free-as-in-beer projects. They're open about doing this. https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked...
These "mirror" (MITM) pages outrank the authoritative sites for many projects because Sourceforge has been around for 10+ years and has superior trust/backlink profiles compared to the newer author-blessed sites which presently host the software. Gimp is actually fortunate in this regard -- gimp.org is stickied to the top spot when searching [gimp] and Sourceforge floats around #8 or so.
Sourceforge should get hit with Google's standard penalty, which is "we smite your rankings with the hammer of an avenging god." Minimally, Google should at least tighten up their enforcement of AdWords policies. Their "installers" are per-se violations of the Unwanted Software Policy (http://www.google.com/about/company/unwanted-software-policy...).
To be honest I can't say I have any good memory of Sourceforge. It used to be a heavy website with a confusing UI, and never really got better over the years. When Google Code started, I was glad I could move to it, and then GitHub.
Yeah I don't get this "SourceForge, once a trustworthy source code hosting site" -- that is simply untrue. Maybe for the 1st year or two after its launch, but it has been subject to all sorts of crappy management since at least 1999/2000. I used to have projects there, and contribute to projects there (argh memories of terrible CVS) and it was always slow, always had a terrible UI, and very early in its history became submerged in bad ads and out-links to bad content.
That you misremember it or are too young to know better doesn't mean that it "is simply untrue". It's not, it was valuable for many years. It's your revisionist history that is simply untrue.
It's not revisionist, I'm 40 years old and have been consuming and participating in OSS since before SF existed. It was painful to use, even in the context of the times. Granted, there weren't really any alternatives in the first few years of its existence.
Yeah. I started getting involved with OSS in the mid-00s. I suspect SourceForge's heyday was before that. So SF has always been a slightly shady repository of software in my view, though the adware bundling is a new low.
Yeah, they always had a horribly confusing UI that made it non-obvious how to get to a project's homepage, even -- the thing that should be front and centre! However, I did enjoy playing around with their compile farm when they had that. Think it only lasted a couple of years, though.
Agreed. I remember Sourceforge when it was just getting started and it always had a terrible interface and bad usability. I remember always being annoyed when I was forced to download something through them.
On a side note, looking now at their Wikipedia page, I'm shocked to see that they only started in 1999. I would have placed them a year or two earlier in '97 or '98. Anyone else feel this way?
If you're downloading open source software on Windows, friendly reminder to get it via Chocolatey rather than ever clicking on a download button. Chocolatey has reviewed, silent, direct, crapware free downloads of just about anything you'd want.
Not too sure you can rely on Chocolatey to be direct..? Last time I installed WinDirStat using Chocolatey it got the install file from Sourceforge (over an unencrypted HTTP connection)
It links to official installers which are sometimes on SourceForge, but uses installer switches to set options to deselect crapware, do silent install, etc.
Correct. It can (will be able to) talk to npm, pip, RubyGems, cpan, the full gamut of package providers. Connecting to things like Windows Update, Microsoft Dev Center, etc. are also possible to implement.
What a complete wasted effort it has become. It could have been so much more. Plus it scared Steam so much that we now have Steam OS and have over 1200 Linux games now available.
I used Ninite for years and recommend it to non-techy friends. As a dev, I prefer Chocolatey since it offers a lot more dev-focused packages, meta-packages, can be scripted, works with BoxStarter, etc.
Reviewed by whom? This and Ninite are MITM software providers just like SourceForge. Even if they're safe now, you can't be sure they won't be installing crapware in the future.
I tried to make a package for a simple binary last year (I believe it was premake4 or something). It was annoying to use, and other software I installed with it didn't have an uninstall option.
Package managers make me happy (love Homebrew on OSX), but I don't see a point if I can't also uninstall. I rarely install things from sources that need vetting.
I've always installed putty through the mainstream installer. Chocolatey put some binaries somewhere deep in the FS and hardlinked these in the start menu, no full integration.
For a second there, I thought this was an official GitHub page and thought "Wow, those GitHub guys really have balls to attack SF that directly". But then I realized it is "helb" and not "help" in the URL.
Author here. Sorry about that confusion, I probably should host it elsewhere… Help/helb is not intentional, it's just my nickname since 2nd grade or so.
I think that was part of the reason to switch from github.com to github.io a while back. Their .io is user content and can be downgraded by Google independently from github.com.
Perhaps, but using a separate hostname github.io vs github.com is also a security mechanism. Project owners can supply rich content (read: HTML + JavaScript) on these .io pages. If these pages were on GitHub.com or subdomains of GitHub.com, this user supplied content can interact with and hijack the github.com cookies like session ids.
Yes, GitHub can use the domain attribute on a cookie to prevent this, but then you have designed a system that will fail open if you mess up. (i.e. potentially malicious user content would always be able to access a cookie, unless GitHub does something).
Better to just stick it on a separate domain entirely, and this is a commonly used practice. For example, Google does this with their googleusercontent.com domain
In addition to that, putting user-supplied content on separate domains allows GitHub to list those domains in https://publicsuffix.org/, which they did:
// GitHub, Inc.
// Submitted by Ben Toews <…@github.com> 2014-02-06
github.io
githubusercontent.com
Apple/Google/Microsoft/Mozilla use this list to restrict cookies -- foo.github.io can't set a cookie for github.io, even though it normally would be permitted. This list is also used to highlight the address bar, so "foo" would be emphasized, rather than "foo.github".
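An added example (not from any commenter above) of the rule just described: a browser-style check that refuses a cookie whose Domain attribute is a public suffix, so a page on foo.github.io cannot set a cookie for github.io, while the same request against a subdomain of github.com would be accepted. The PSL excerpt is a constructed fragment in the list's file format containing the two GitHub entries quoted above plus a few ICANN rules to exercise wildcard and exception handling.

```python
"""Cookie Domain-attribute check with Public Suffix List (PSL) awareness."""
from typing import List, Optional, Tuple

# Constructed PSL excerpt ("//" comments, "*." wildcard rules, "!" exceptions).
PSL_TEXT = """
// ICANN section
com
io
uk
co.uk
ck
*.ck
!www.ck
// Private section
// GitHub, Inc.
github.io
githubusercontent.com
"""


def parse_psl(text: str) -> List[str]:
    """Return the rule lines of a PSL file, dropping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.lower())
    return rules


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's trailing labels ('*' = any one label)."""
    rule_labels = rule.split(".")
    if len(rule_labels) > len(labels):
        return False
    tail = labels[-len(rule_labels):]
    return all(r == "*" or r == h for r, h in zip(rule_labels, tail))


def public_suffix(host: str, rules: List[str]) -> str:
    """Public suffix of host per the publicsuffix.org algorithm."""
    labels = host.lower().rstrip(".").split(".")
    exception, best = None, None
    for rule in rules:
        if rule.startswith("!"):
            if _rule_matches(rule[1:], labels):
                exception = rule[1:]
        elif _rule_matches(rule, labels):
            if best is None or rule.count(".") > best.count("."):
                best = rule            # the rule with the most labels wins
    if exception is not None:
        return ".".join(exception.split(".")[1:])   # exception minus its leftmost label
    if best is None:
        return labels[-1]                           # implicit default rule "*"
    return ".".join(labels[-(best.count(".") + 1):])


def is_public_suffix(domain: str, rules: List[str]) -> bool:
    return public_suffix(domain, rules) == domain.lower()


def evaluate_cookie_domain(request_host: str, domain_attr: Optional[str],
                           rules: List[str]) -> Tuple[bool, str]:
    """RFC 6265 section 5.3 steps 4-6 with public-suffix rejection.
    Returns (accepted, effective_domain); a host-only cookie reports the host itself."""
    host = request_host.lower()
    if not domain_attr:
        return True, host                           # no Domain attribute: host-only
    domain = domain_attr.lower().lstrip(".")
    if is_public_suffix(domain, rules):
        # A public suffix may only be named by that exact host, and then the
        # cookie is downgraded to host-only; any subdomain's attempt is dropped.
        return (True, host) if domain == host else (False, "")
    if host != domain and not host.endswith("." + domain):
        return False, ""                            # host does not domain-match
    return True, domain


RULES = parse_psl(PSL_TEXT)
```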
I was shocked the other day when I went to grab FileZilla from SF, and my virus scanner tagged it for malware. I hadn't realized it had fallen so far as to bundle crapware. SF used to be my goto site for looking for weird open source stuff. Now I guess I will have to finally take SF off my list goto sites.
You either die a hero or live long enough to become the villain.
FileZilla has other issues as well: for example, for the longest time they refused to encrypt stored passwords, although the bug's been reopened now so they may change their mind: http://trac.filezilla-project.org/ticket/5530
This isn't "wow", it's true. The plaintext password is required to login to servers, so if you store it locally in an encrypted form then the decryption key must also be stored locally. If an attacker was able to get your encrypted password then the attacker is just as easily able to get your encryption key.
For the same reason, Pidgin and many other IM programs also do not encrypt the password.
The Windows crypto APIs can encrypt secrets secured by the Windows account. This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it, as well as protect against offline reading of the files.
It doesn't stop every attack, but it's not useless.
>This would protect against attacks by other users on the system who don't have permissions to impersonate the user who encrypted it
Outside of enterprise environments, most Windows installations are single user. Even if it's a multi-user system, the data would already be protected by NTFS permissions if it was stored in the user's profile folder.
>as well as protect against offline reading of the files
They may be operating under Pidgin's logic whereby if they can decrypt the password without user intervention, then all the information needed by a malicious user to decrypt the password is already on the system to be grabbed.
Still should go with the browser/password manager approach of using a master password to decrypt the password database.
SourceForge offers developers the option to add crapware to their installer in exchange for revenue. This is completely optional and I suppose most devs don't do it (I distribute a semi-popular installer on SF and they've never forced me to include adware).
The FileZilla developers have never been very vocal about this, so most of their comments are a generic "Nothing unwanted is being installed without your consent", but they are the ones who have accepted to add the adware. And even though they also have clean installers, they put the ad-enabled link first.
I guess this is what happens when people aren't willing to pay for software, there are plenty of really good ftp clients out there for not very much money.
The thing is, open source programs often build their success on the fact they are free: they get a lot of users quickly, feedback and discussions on their forums on how to improve it, free translations from users, sometimes patches, etc. Then when they suddenly exploit all this by adding ads, people are understandably upset.
It's just a fact of life that open source software won't make you rich. Either they are ok with it, or they create a commercial product from the start. But adding crapware afterwards is not a proper solution.
I disagree, paying customers wouldn't put up with a malware infested version of FileZilla, this stuff only really exists at the "free" end of the market.
This is empirically false. Video games have shipped with highly-intrusive rootkits and malware disguised as DRM for years, and it tends to be worse on the higher-end products, vs the shovelware/free-to-play/open-source.
You can find a few counter-examples but they never last because the commercial pressure is too high. The obvious example is Sony: are they still deploying rootkits? Lenovo is another example that has started cleaning up its act.
Would these companies change if their only source of funds was the malware? I don't think so.
Not really, it's just that it's obvious at the free end of the market.
Proprietary software can do whatever it feels like on your computer and you would be hard pressed to know until it was too late.
A few large companies have been implicated in root-kits / backdoors / random horrible deliberate security practices. These are probably just as destructive as replacing your browser search bar or installing some fake AV software.
Free isn't the problem. Bundling crap-ware with otherwise audit-able open source software is the problem.
Well, Steam seems to be growing pretty nicely... Also, for most users a good Browser is all they need. Which is why I love Chromebooks as an option for most people.
This doesn't detract from your point, but... there are plenty of games for Linux nowadays. It cannot compete with Windows, of course, but thanks to Steam, the Humble Bundle, etc., we can now enjoy a multitude of videogames, including AAA titles. And plenty of indies, of course.
There are! It's exciting to see so many games coming to Linux. I don't generally play games in my spare time, but I am glad the state of the art is beginning to make its way to this side.
TBF, the way I see it they only did the hosting and making the money; I don't remember them actively supporting open source or the ideals behind it, or being open source developers themselves and contributing, or making their own software open source. Having a revenue model that involves making your users guess which DOWNLOAD button will actually download the application is not the open source spirit.
AFAIK their website was originally open source, with GForge, FusionForge, and GNU's Savannah based on it. Then they had a longer stint staying closed, but they opened back up a couple of years ago, and their current software, Allura, is open source again, though (slightly ironically) now as part of Apache.
The code running the site was originally open source but they closed it a long time ago. Probably as part of one of the many buyouts over its history. GForge came from it.
The guess-the-download crap appeared in the past 8-10 years. Before that the site was fairly trustworthy even though there were always ads and the like.
Tragic, but I see no reason to shed any tears. Sites come and go, and when they change hands the new operators are often sleazy. Today we have Github. If they end up doing the same thing, there will be a new VCS site. Nerds won't tolerate crapware.
I remember when they were bought by VA (I think?), the same time as Slashdot changed hands I think.
I remember signing up for an account years ago and having to use Putty and SSH keys to upload data which was revolutionary to FTP-aware me.
There was an awful lot of software on there (who remembers visiting freshmeat.net to look for daily updates or search for software too????) but I think it would be sad to not realise how great it was that they offered free hosting and tools. They used to have a compile-farm that you could use to build software on different platforms and architectures but this got retired a long time ago.
For the free tools you got, it wasn't bad! I think "nerds" are quick to forget that. It was FREE
SourceForge wasn't bought by VA, it was started as a skunkworks project by 4 developers inside of VA. Once the site started to get traction, the corporate overlords started taking notice and forcing the horrible ads, and now crapware, onto the site.
I've found that Sourceforge is still the only place you can get a lot of good-but-unmaintained software. I was there just the other week for the Saxon project[1], and it was painful to see how low SF have sunk.
I wonder if it would be possible (and legal) for somebody who isn't the project owner to copy some of these unmaintained projects into another system?
The project is licensed under the MPL 2.0 (and 1.0) which states:
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license ... to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work;
So the answer (at least for Saxon) is yes! Just make sure you conform to the licence requirements and you're good to go.
Saxon has a free version and an "enterprise" version, and the developer also operates a consulting business around it, so it's not a likely candidate for an Apache project.
I recently needed SourceForge to get ahold of a usbtb binary, an alternative USB printer driver for OS X that is part of GutenPrint. Despite being unchanged for 7 years, it still works on Yosemite.
If I were a project manager who runs a SourceForge account, the last thing I would do now is abandon it.
Why? Because SF have proven if I were to do so they'd take my work under my name and bundle their crap into it. The only way to stop that is to keep it active.
That feeling of being trapped into a terrible system because it'll screw over people even worse if you leave.
GIMP-win owner actually did upload new binaries to SF account. There hasn't been a GIMP release for a while, but the SF repo was never abandoned. SF is blatantly lying about this. So no, not abandoning the account won't save you.
> they'd take my work under my name and bundle their crap into it.
Oh, is that a thing? I was surprised when the Lobo project's admin rights were handed over to some relatively unknown developer. I had a long and confusing discussion with the new project admin here: https://github.com/UprootLabs/gngr/issues/87#issuecomment-86...
As Github.com lacks, AFAIK, a binary hosting / download feature and Google Code closed its service (no new projects), it would be great if all the Sourceforge mirrors (heanet, etc.) were coordinated by an open source community instead of by Sourceforge.org. There is definitely a need for a binary hosting and mailing list website for open source projects, to fill the hole that Sourceforge may leave behind.
I remember "BerliOS" from Germany's Fraunhofer Institute, which was a kind of clone of Sourceforge, an open source project hosting service. It was closed in 2013 and some valuable code and binaries are lost forever.
Github does have a pretty good binary hosting / download feature, it's called Releases. There's even an API to automate it. It's not very widely used, perhaps because it only rolled out in 2013.
As for mailing lists, I guess their excuse is that they already provide possibilities for discussion in the issue tracker (which can be also interacted with entirely by mail). This is appropriate as a forum for developers - but not a forum for users, which would be out of Github's scope, IMO.
I agree that this would be the best recourse if we could manage to muster some sort of coordinated exodus of mirrors. Mirror providers have at least some sort of power over SF due to the service they are providing, something that project authors do not have. Many of the mirrors I think are academic and I don't think they're too happy about SF being such a leech.
Can Archive.org/etc. back up all the open source projects from Sourceforge.org and Google Code? It would be a big loss if the unmaintained but often still very useful source code gets lost forever.
Well, to be honest, this is exactly where Sourceforge has been headed for years and years. You could look at its behavior years ago and say "Yeah, follow this out on a line" and see this exact situation in the crystal ball. Sourceforge has been scummy (and getting scummier) for years and years.
I remember actually keeping a couple of service accounts on services that served as mirrors for SF for years just because they backed the service (early on, before a lot of the sleazy stuff started).
Unfortunately, short of registering a trademark with the PTO, it'd be difficult to get a lot of this crapware removed from SF.
Author here. Thanks for your pull requests, I added some of the suggested services. Maybe some comparison table (like the one at Wikipedia) would be better than a simple list.
About that help/helb confusion mentioned here – sorry about that, it's not intentional, it's just my nickname since 2nd grade or so.
Collab ended up with the business version, SourceForge Enterprise Edition (SFEE), which was a Java rewrite of sourceforge.net shipped as installed software.
I like how you don't have an option to shut down your project to help clear those links from Google. Either you keep it up to date or SF will "step in" and do it for you.
That's the whole point of open source. If a developer abandons a project, someone else can pick it up and keep it going. And if you disagree with some of the developer's choices, you can fork the project and make your own version. Sourceforge is a great example of how someone evil can take advantage of the features of open source to do bad things.
I'd amend that to "someone evil who's built up a 'good' reputation for long enough that they dominate search rankings...." I don't know that what sourceforge is doing is a unique situation, but it's AFAIK not a common one. It's not going to have the same effect if I start bundling open source installers with malware and hosting them on my own, for example.
If they also added a Mercurial bridge, that would be the final nail in SF's coffin.
It's sad that with Google Code going away, a lot of projects that chose Google Code for Mercurial are being pushed to switch to git (e.g. vim) because Google is pushing so hard for projects to be migrated to GitHub.
They haven't injected their own installer on downloads so for the time being I leave it there because I'm too lazy to move it off.
A while back I did move the main project page to its own domain, so I'm only really using Sourceforge for downloads and source control (although the project is stable and hasn't had commits for a long time so not even that really).
gitalternatives.com is still available. By the way, thanks for including GitLab so prominently on your site. Any chance of including a column for free private repos with unlimited collaborators? :)
Ah, the old days when Sourceforge and Freshmeat were some of the go-to places for OSS when I was learning Linux in the 90s. Occasionally I'll end up back at SF somehow and man, how terrible it has become. Makes you really appreciate places like Github nowadays.
Whenever I've had to go to a sourceforge page to download software I always think, ugh I have to deal with this crap again? (UI, annoying redirects, can't find correct versions, etc) I honestly never understood why developers used the website for distributing binaries, I understand code hosting, but not the distribution (this was before they hijacked stuff).
Hopefully, this will hit a chord with enough projects that they will altogether stop using sourceforge.
Guilt by association? Perhaps SF is not the true source of badness/malware but instead they tend to host the projects most likely to include such malware.
I still land on SF now and then, to download sources that are hosted there. But that only happens because another site's “Download” button sent me there. In the beginning I was very impressed with SF. But as others have said, the UI is rather confusing and those ads they've been showing would devalue any site they run on to “lower-tier crap you need rubber gloves for”. A sad development.
I'm really surprised at how many people in this thread are Windows users frankly. I just presumed that most YC commenters were OS X/Linux people with a few FreeBSD, etc.. OSes floating around.
Two nights ago I went to a "bleeding edge web" meetup. I was really struck by how universal, unspoken, and simply taken as a given it was that modern web development is done on a Unix box. Thus there was no room for any discussion about Windows alternatives, or even explanation for us third-worlders about what role certain tools - that at least I had never heard of - play in the ecosystem. I was completely alienated.
In my experience, some things that Just Work on *nix systems or OS X either plain don't work on Windows or kinda-sorta-work after you do a weird workaround. Not all things, certainly, but enough to be a massive pain in the ass.
Unless you're coding for Windows only (eg C#, .Net, etc), Windows is the red-headed stepchild of development environments. I'm somewhat hopeful that this will start to change with the release of Windows 10.
This is the biggest issue for me --- project hosting is easy, mailing lists are not. Particularly, migrating people to the new list is going to be hard. I've been looking at Google Groups but it doesn't seem to support import, although it does support a nice web interface (good for people who expect forums).
Wikipedia says SourceForge launched November of 1999. I remember as early as 2003 thinking it was sleazy how it tried to trick you into downloading adware with their big "Download Now!" ads. So maybe not literally "always", but certainly the majority of time.
How about it, resident Googlers?