
SourceForge: Third party offers will be presented with Opt-In projects only - Xylemon
https://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/
======
captaindiego
"As a company, we at SourceForge pride ourselves on being highly responsive to
our community members and, with that in mind, do our best to respond to all
communications and address all concerns in a timely manner."

"Comments are closed."

~~~
gojomo
...and the post is unsigned.

------
gcb0
i use one program with frequent updates which distributes from sourceforge.

the installer is a piece of work.

first, it is a fake-installer (that installs nothing) with the actual
installer inside. that program first offers you "standard" and "advanced"
fake-install options (remember, it installs nothing)... when you click
"advanced" it now shows 3 checkboxes, checked, that will 1. install a browser
toolbar, 2. set your default homepage, 3. set your default search engine. You
uncheck them all and click accept (it is also showing a terms and conditions).
now it will show something like "also install this tracking or browser or i
don't even know what it was?" and there are only the same buttons as before on
the fake-installer: "decline" and "accept". Now you have to remember to go
against all your knowledge of install wizards and click the left button
"decline" to proceed with your desired program only. now you click accept or
finish, don't remember, one last time, and the fake-installer forks to the
actual installer that you wanted from the beginning.

~~~
userbinator
Opening in 7-zip and extracting the contents manually has worked in the past
for me when encountering such things.

(Incidentally, many people don't know that 7-zip can extract installer
executables and various other formats too...)

~~~
psykovsky
So does WinRar and Ubuntu's Archive Manager.

~~~
gcb0
i tried with winrar. i don't think it worked.

------
SwellJoe
This is nice and all, but...the mere fact that SourceForge, an _Open Source
community site_, ever thought it was even close to OK to intentionally
distribute malware to anyone under any circumstances (whether with the
permission of the developer, or not). AFAIK, by calling themselves an Open
Source community site, SourceForge has opted into an ethical obligation not
just to their developers who build the software but the entirety of the Open
Source software community to protect their users from malicious code.

This episode was indicative of a severe loss of direction and guiding
principles.

~~~
hrnnnnnn
This is where the distinction between "Open Source" and "Free Software"
actually matters.

~~~
jrochkind1
Say more, what do you think the distinction is? I think I know what 'open
source' means (any software released under a license that complies with OSI's
definition of open source[1]), but I'm not sure what you mean by 'free
software' and the distinction.

[1] [http://opensource.org/osd](http://opensource.org/osd)

~~~
hrnnnnnn
I'll leave it to Stallman:
[http://www.gnu.org/philosophy/free-sw.en.html](http://www.gnu.org/philosophy/free-sw.en.html)

But simply - "“Free software” means software that respects users' freedom and
community." This carries with it ethical obligations that Open Source software
does not.

In the extreme case, you could have Open Source pacemaker software which kills
you if you don't keep up your payments, but the same thing would not be Free
Software.

------
greenyoda
Some context, for those who haven't been following this story:

[https://news.ycombinator.com/item?id=9612152](https://news.ycombinator.com/item?id=9612152)

------
jacquesm
Sourceforge has killed itself by completely breaking the trust with their
developers and their end-users.

~~~
bigiain
100 times this.

Way too little, way too late.

And this is a typical corporate-speak fauxpology "Sorry you were
offended"-style. _Maybe_ if they'd confessed to unethically pushing shit-ware
via dark patterns, they might regain some trust, but "3rd party offers" and
"easy-to-decline" are not the phrases they need to be saying to turn around my
opinion/advice of "Download from Sourceforge? No chance, I wonder if there's
an alternative way to get that software, or if I have to find an alternative?"

------
mindcrash
Oh right, like a project such as the GIMP ( _GNU_ Image Manipulation Program)
would "opt in" with having "third party offers" (e.g. spyware) in their
distribution packages. Just pull the plug, SourceForge. You are done.

------
bobwaycott
>>> "At this time, we present third party offers only with a few projects
where it is explicitly approved by the project developer, _or if the project
is already bundling third party offers_."

Uhhhh ... I'm undoubtedly being way too cynical, but that sure sounds like a
back-handed way of saying they're going to "present" these third-party
"offers" _on top of_ any projects that are already bundling such "offers".

Also, "present" ... really? What a horrible word choice, given the UX patterns
involved here. Total bullshit.

And furthermore, how exactly will SourceForge gain this explicit approval by
the project developer? I'd like to hear more on that note. Do they modify
their terms & conditions to make this an auto-opt-in for all new accounts? Are
existing accounts grandfathered into this by a default opt-in, on account of
having been notified by email of newly updated Terms, the way various
companies like to engage in wrong patterns for implied approvals by-means-of-
using-our-service that benefit the bottom-line first, and preference typical
user sentiment second?

[EDIT: wording correction]

------
hliyan
In my mind, the damage is already done. And as damage control goes, this
leaves something to be desired:

    While we had recently tested presenting easy-to-decline
    third party offers...

That sounds almost like "you should have read the fine print". They could have
at least started the announcement with "We're very sorry for the problems
caused by our recent..."

------
simplexion
On top of this /. is burying articles critical of this:
[http://danluu.com/slashdot-sourceforge/](http://danluu.com/slashdot-sourceforge/)

~~~
FlaceBook
Slashdot still exists?

------
sudeepj
With the likes of github around and offering much better experience,
sourceforge seems outdated anyway. The damage is already done.

------
t_fatus
Oh thank you SF, that's really nice.

------
zeruch
SF.net died years ago. This remnant that continues is a farce.

------
ratfacemcgee
damage is already done, it's a real shame too.

------
neuromute
The death throes of a company.

------
bobwaycott
Why is it so hard for many online companies/services that desire to monetize
their product(s) to accept that, given the choice, _nobody_ opts-in to ads,
marketing, privacy invasion, and other shit that turns them into a product?
I've been reading HN for years, and this news cycle of OMG-Custom-Whizbang-
Inc-has-opted-you-in-to-Shady-Feature-Fizzbuzz seems to break on the regular.

Want to monetize your product? Start on Day Fucking One, with User Number One.
Make them pay.

Want to start off free, and worry about monetizing your product later? Don't
fucking automatically opt your users into being the product you sell to
advertisers. Don't snoop on them, or otherwise invade their privacy. Don't be
an asshole to them and force something on them they haven't already agreed to.
Default to every new & existing user being opted _out_ of any of these things.
Make it an organizational principle that explicit opt-in behavior is The Right
Way™ -- such as signing up for a paid tier of service, like Github and many
other good actors do in this regard.

I seriously cannot think of many things that happen in the lifecycle of an
online service in which automatically opting users into some process is the
best and most honest experience, and the thing most people want. That people
accept this crap is beyond me.

Nobody would allow this to happen in their non-digital lives:

"Hey, John, Jerk Pest Control here. You've been using our quarterly service
for a while now. We're rolling out a new service that visits every month, and
we're going to keep the price the same as before by selling your information
to some other local businesses that want you as their customer. We've opted
you into the service automatically. Why? Well, we're looking to break out of
our cyclic dependency on quarterly fees to help hit business growth targets.
There was a small note informing you of this opt-in that went out with your
last bill."

 _grumbling and swearing commences. phone beeps with another call..._

"Hey, Mary. Dick's Accounting Service. You left a message about phone calls
received from other companies who say we shared your number. We've been taking
care of your taxes for the past few years, and are testing out a new service
of presenting easy-to-decline third-party financial services to you, based on
how well we think they fit what we know about your annual financial picture.
We've carefully chosen our partners, and we only share just enough information
to help them verify your viability as a candidate for service. We opted you
into this service for your convenience. Why? Well, we're trying to maximize
the returns of providing excellent service for your needs beyond just the
once-yearly tax visits. We sent you an email about new Terms of Service around
tax time, and you agreed to them when you used us to file your taxes this
year."

 _grumbling and swearing. inquire about opting out of the service._

"Oh, that's _easy_. To decline the offers, just tell them you're not
interested in the service. When they ask if you would like to confirm you are
sure you're not interested in being removed from their call list, or would
like to decline being removed from their call list, tell them you're not
interested and would like to decline. Piece of cake."

Yes, SourceForge are being total assholes with this whole debacle. But let's
maybe take a minute to ponder where they even got the ideas from, and why we
are only offended when a once-free service that markets itself as having
something to do with "open source" or "free software" is the bad actor.

 _Too many online companies and services think this behavior is perfectly
acceptable, and build up their services in a tech culture that accepts it_.
It's a bit ridiculous to draw lines in the sand and have so much outrage only
for the likes of SourceForge. None of this ought to be _that_ surprising.

</tangentially_related_rant>

