
Goodbye, Sourceforge - chris-at
http://helb.github.io/goodbye-sourceforge/
======
patio11
Sourceforge is essentially a gigantic set of Google doorway pages which MITM
downloads initiated by unsuspecting (largely non-technical) Internet users of
popular free-as-in-beer projects. They're open about doing this.
[https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked...](https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/)

These "mirror" (MITM) pages outrank the authoritative sites for many projects
because Sourceforge has been around for 10+ years and has superior
trust/backlink profiles compared to the newer author-blessed sites which
presently host the software. Gimp is actually fortunate in this regard --
gimp.org is stickied to the top spot when searching [gimp] and Sourceforge
floats around #8 or so.

Sourceforge should get hit with Google's standard penalty, which is "we smite
your rankings with the hammer of an avenging god." _Minimally_, Google should
at least tighten up their enforcement of AdWords policies. Their "installers"
are per-se violations of the Unwanted Software Policy
([http://www.google.com/about/company/unwanted-software-policy...](http://www.google.com/about/company/unwanted-software-policy.html?hl=en)).

How about it, resident Googlers?

~~~
stfnppv
There you go.

[https://www.google.com/safebrowsing/report_badware/](https://www.google.com/safebrowsing/report_badware/)

~~~
gauravphoenix
Reported. If you report, please provide some reason. I provided- "embeds
malware/adware with downloads"

------
laurent123456
To be honest I can't say I have any good memory of Sourceforge. It used to be a
heavy website with a confusing UI, and never really got better over the years.
When Google Code started, I was glad I could move to it, and then GitHub.

~~~
cmrdporcupine
Yeah I don't get this "SourceForge, once a trustworthy source code hosting
site" -- that is simply untrue. Maybe for the 1st year or two after its
launch, but it has been subject to all sorts of crappy management since at
least 1999/2000. I used to have projects there, and contribute to projects
there (argh memories of terrible CVS) and it was always slow, always had a
terrible UI, and very early in its history became submerged in bad ads and
out-links to bad content.

It should just die.

~~~
vsl
That you misremember it or are too young to know better doesn't mean that it
"is simply untrue". It's not, it was valuable for many years. It's your
revisionist history that is simply untrue.

~~~
cmrdporcupine
It's not revisionist, I'm 40 years old and have been consuming and
participating in OSS since before SF existed. It was painful to use, even in
the context of the times. Granted, there weren't really any alternatives in the
first few years of its existence.

------
jongalloway2
If you're downloading open source software on Windows, friendly reminder to
get it via Chocolatey rather than ever clicking on a download button.
Chocolatey has reviewed, silent, direct, crapware free downloads of just about
anything you'd want.

[https://chocolatey.org/packages](https://chocolatey.org/packages)

~~~
adam12
Ninite is pretty slick and crapware free.

[https://ninite.com/](https://ninite.com/)

I can't wait for the new package manager in Windows 10, though.

~~~
raesene9
It would be cool to have a Windows "official" package manager, however I don't
think their initial launch is going to be that.

From what I understand, it's more of a "package manager-manager" so it manages
other systems (like Chocolatey) rather than running the repos itself.

~~~
chebum
There is Windows Marketplace for that.

~~~
zymhan
I have a $25 credit in the Windows Store, and I cannot for the life of me find
a single thing worth buying.

~~~
jongalloway2
Windows 10 will include desktop apps in the Windows Store:
[http://www.engadget.com/2015/04/29/desktop-apps-are-coming-t...](http://www.engadget.com/2015/04/29/desktop-apps-are-coming-to-the-windows-store/)

In the meantime, I'd drop $5 on Hitman Go:
[http://apps.microsoft.com/windows/en-us/app/hitman-go/5fa3bb...](http://apps.microsoft.com/windows/en-us/app/hitman-go/5fa3bb42-c32b-4b1f-9fde-bd2c3d5f3241)

------
xrstf
For a second there, I thought this was an official GitHub page and thought
"Wow, those GitHub guys really have balls to attack SF that directly". But
then I realized it is "helb" and not "help" in the URL.

~~~
yaph
Wonder how many others thought exactly the same, I did too.

~~~
helb
Sorry about that…
[https://news.ycombinator.com/item?id=9624068](https://news.ycombinator.com/item?id=9624068)

------
nekopa
I was shocked the other day when I went to grab FileZilla from SF, and my
virus scanner tagged it for malware. I hadn't realized it had fallen so far as
to bundle crapware. SF used to be my goto site for looking for weird open
source stuff. Now I guess I will have to finally take SF off my list of goto
sites.

You either die a hero or live long enough to become the villain.

~~~
laurent123456
It was FileZilla's developers who decided to bundle crapware with their
installer on SF so can't really blame SF on this.

See there: [https://forum.filezilla-project.org/viewtopic.php?t=31127](https://forum.filezilla-project.org/viewtopic.php?t=31127)

"This is by design. In any case, nothing is forced upon you, all offers are
entirely optional and are only being displayed during setup."

~~~
smegel
> See there: [https://forum.filezilla-project.org/viewtopic.php?t=31127](https://forum.filezilla-project.org/viewtopic.php?t=31127)

Strange, almost every comment on this page says the crapware was added by
SourceForge, e.g.

> The offers are added by SourceForge, they are borderline crapware to put it
> nicely.

~~~
laurent123456
SourceForge offers developers to add crapware to their installer in exchange
for a revenue. This is completely optional and I suppose most devs don't do it
(I distribute some semi-popular installer on SF and they've never forced me to
include adwares).

The FileZilla developers have never been very vocal about this so most of
their comments are a generic "Nothing unwanted is being installed without your
consent", but they are the ones who have accepted to add the adware. And even
though they also have clean installers, they put the ad-enabled link first.

------
na85
I find this state of affairs rather tragic. To see what was one of the
pioneers of the global open-source movement reduced to such infamy.

~~~
Cthulhu_
TBF, the way I see it they only did the hosting and making the money; I don't
remember them actively supporting open source or the ideals behind it, or
being open source developers themselves and contributing, or making their own
software open source. Having a revenue model that involves making your users
guess which DOWNLOAD button will actually download the application is not the
open source spirit.

~~~
Nullabillity
AFAIK their website was originally open source, with GForge, FusionForge, and
GNU's Savannah based on it. Then they had a longer stint staying closed, but
they opened back up a couple of years ago, and their current software, Allura,
is open source again, though (slightly ironically) now as part of Apache.

~~~
precision
The core developers behind it were always Open Source advocates.. but we were
always at a war with the corporate overlords.

------
wldlyinaccurate
I've found that Sourceforge is still the only place you can get a lot of good-
but-unmaintained software. I was there just the other week for the Saxon
project[1], and it was painful to see how low SF have sunk.

I wonder if it would be possible (and legal) for somebody who isn't the
project owner to copy some of these unmaintained projects into another system?

[1]
[http://sourceforge.net/projects/saxon/](http://sourceforge.net/projects/saxon/)

~~~
pan69
I remembered Saxon being an Apache project, but it's not. I must have
remembered wrong. Anyhow, it should be an Apache project.

[http://www.apache.org/#projects-list](http://www.apache.org/#projects-list)

~~~
guard-of-terra
Xalan is Apache project so there will be redundancy.

(I remember they had a dozen Java MVC frameworks 10 years ago tho)

~~~
pan69
I think I might have things mixed up with Xalan. It's been a long time since I
used it...

------
eterm
If I were a project manager who ran a sourceforge account the last thing I
would do now is abandon it.

Why? Because SF have proven if I were to do so they'd take my work under my
name and bundle their crap into it. The only way to stop that is to keep it
active.

That feeling of being trapped into a terrible system because it'll screw over
people even worse if you leave.

~~~
nudpiedo
That's illegal (with the European laws).

~~~
maaaats
Which laws?

------
jsingleton
Perhaps it is worth asking the mirror services to put some pressure on as well
as the content creators?

These are two popular mirrors in the UK & Ireland (both academic
institutions):

[http://www.mirrorservice.org/](http://www.mirrorservice.org/) (University of
Kent)

[http://ftp.heanet.ie/](http://ftp.heanet.ie/) (Ireland’s National Education
and Research Network)

~~~
frik
As Github.com lacks afaik a binary hosting / download feature and Google Code
closed its service (no new projects) - it would be great if all the
Sourceforge mirrors (heanet, etc.) would be coordinated from an open source
community instead of coordinated by Sourceforge.org. There is definitely a
need for a binary hosting and mailing list website for open source projects,
to fill the hole that Sourceforge may leave behind.

I remember the "BerliOS" from a Germany's Fraunhofer institute that was a kind
of clone of Sourceforge, an open source project hosting service. It was closed
in 2013 and some valuable code and binaries are lost forever.

~~~
pierrec
Github does have a pretty good binary hosting / download feature, it's called
Releases. There's even an API to automate it. It's not very widely used,
perhaps because it only rolled out in 2013.

About Releases: [https://github.com/blog/1547-release-your-software](https://github.com/blog/1547-release-your-software)

An example:
[https://github.com/adobe/brackets/releases/](https://github.com/adobe/brackets/releases/)

As for mailing lists, I guess their excuse is that they already provide
possibilities for discussion in the issue tracker (which can be also
interacted with entirely by mail). This is appropriate as a forum for
developers - but not a forum for users, which would be out of Github's scope,
IMO.

------
frik
Can Archive.org/etc backup all the open source projects from Sourceforge.org
and Google Code? It would be a big loss if the unmaintained but often still
very useful source code gets lost forever.

~~~
anc84
There is some work being done by the (unaffiliated) Archiveteam to do that,
see
[http://archiveteam.org/index.php?title=SourceForge](http://archiveteam.org/index.php?title=SourceForge)
and
[http://archiveteam.org/index.php?title=Talk:SourceForge](http://archiveteam.org/index.php?title=Talk:SourceForge)

Help if you can, it's fun! #archiveteam on EFNet.

------
fapjacks
Well, to be honest, this is exactly where Sourceforge has been headed for
years and years. You could look at its behavior years ago and say "Yeah,
follow this out on a line" and see this exact situation in the crystal ball.
Sourceforge has been scummy (and getting scummier) for years and years.

~~~
tracker1
I remember actually keeping a couple of service accounts on services that
served as mirrors for SF for years just because they backed the service (early
on, before a lot of the sleazy stuff started).

Unfortunately, short of registering a trademark with the PTO, it'd be
difficult to get a lot of this crapware removed from SF.

------
helb
Author here. Thanks for your pull requests, I added some of the suggested
services. Maybe some comparison table (like the one at Wikipedia) would be
better than a simple list.

About that help/helb confusion mentioned here – sorry about that, it's not
intentional, it's just my nickname since 2nd grade or so.

------
eps
What's unsettling about this is that Slashdot also belongs to the same company
that turned SF into the crapware distributor that it is now.

~~~
dredmorbius
Slashdot split from Thinkgeek a few years back.

~~~
simoncion
Both Slashdot and SourceForge are currently owned by the company that owns
Dice.com.

~~~
dredmorbius
Good point. Thanks.

I'd thought Collab.net ended up with them. Need to review the history.

~~~
dbellizzi
Collab ended up with the business version, SourceForge Enterprise Edition
(SFEE), which was a Java rewrite of sourceforge.net shipped as installed
software.

------
cube00
I like how you don't have an option to shut down your project to help clear
those links from Google. Either you keep it up to date or SF will "step in"
and do it for you.

~~~
LLWM
That's the whole point of open source. If a developer abandons a project,
someone else can pick it up and keep it going. And if you disagree with some
of the developer's choices, you can fork the project and make your own
version. Sourceforge is a great example of how someone evil can take advantage
of the features of open source to do bad things.

~~~
grayclhn
I'd amend that to "someone evil who's built up a 'good' reputation for long
enough that they dominate search rankings...." I don't know that what
sourceforge is doing is a _unique_ situation, but it's AFAIK not a common one.
It's not going to have the same effect if I start bundling open source
installers with malware and hosting them on my own, for example.

------
yAnonymous
It's high time that SF lands on malware blocklists.

------
bnferguson
May be worth noting that GitHub supports SVN as well
([https://help.github.com/articles/support-for-subversion-clie...](https://help.github.com/articles/support-for-subversion-clients/)), I
believe some of the others do as well IIRC.

May be important to some legacy projects trying to get off of SF.

~~~
amyjess
If they also added a Mercurial bridge, that would be the final nail in SF's
coffin.

It's sad that with Google Code going away, a lot of projects that chose Google
Code for Mercurial are being pushed to switch to git (e.g. vim) because Google
is pushing so hard for projects to be migrated to GitHub.

------
imron
I still have a project hosted on Sourceforge
([http://sourceforge.net/projects/pinyinput/](http://sourceforge.net/projects/pinyinput/)).

They haven't injected their own installer on downloads so for the time being I
leave it there because I'm too lazy to move it off.

A while back I did move the main project page to its own domain, so I'm only
really using Sourceforge for downloads and source control (although the
project is stable and hasn't had commits for a long time so not even that
really).

------
helb
So I changed the service list into a simple table. Also, Gitlab providers are
listed separately. Any ideas for a domain name? :)

~~~
sytse
gitalternatives.com is still available. By the way, thanks for including
GitLab so prominently on your site. Any chance of including a column for free
private repos with unlimited collaborators? :)

------
jimwalsh
Ah the old days when Sourceforge and Freshmeat were some of the go to places
for OSS when I was learning Linux in the 90s. Occasionally I'll end up back at
SF somehow and man how terrible it has become. Makes you really appreciate
places like Github nowadays.

------
bougiefever
GitHub has been the go-to online source control for so long, I'm sure no one
will miss SF.

------
Sleaker
Whenever I've had to go to a sourceforge page to download software I always
think, ugh I have to deal with this crap again? (UI, annoying redirects, can't
find correct versions, etc) I honestly never understood why developers used
the website for distributing binaries, I understand code hosting, but not the
distribution (this was before they hijacked stuff).

Hopefully, this will hit a chord with enough projects that they will
altogether stop using sourceforge.

~~~
vsl
10-15 years ago, there weren't that many other options.

------
wyldfire
Guilt by association? Perhaps SF is not the true source of badness/malware but
instead they tend to host the projects most likely to include such malware.

~~~
connor4312
No, they definitely are... [http://arstechnica.com/information-technology/2015/05/source...](http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/)

~~~
wyldfire
Tsk, that's pretty damning.

------
billsix
I like that they open-sourced their engine.
[https://allura.apache.org/](https://allura.apache.org/)

------
tempodox
I still land on SF now and then, to download sources that are hosted there.
But that only happens because another site's “Download” button sent me there.
In the beginning I was very impressed with SF. But as others have said, the UI
is rather confusing and those ads they've been showing would devalue any site
they run on to “lower-tier crap you need rubber gloves for”. A sad
development.

------
helb
Someone posted it to Reddit, discussion here:
[http://www.reddit.com/r/programming/comments/37pz5x/](http://www.reddit.com/r/programming/comments/37pz5x/)

------
AdamN
I'm really surprised at how many people in this thread are Windows users
frankly. I just presumed that most YC commenters were OS X/Linux people with a
few FreeBSD, etc.. OSes floating around.

~~~
bunderbunder
I'm really surprised you'd think it's standard for YCers to only use one
operating system.

~~~
cgh
He mentioned three in his comment, not one.

------
coherentpony
What about mailing lists?

~~~
david-given
This is the biggest issue for me --- project hosting is easy, mailing lists
are not. Particularly, migrating people to the new list is going to be hard.
I've been looking at Google Groups but it doesn't seem to support import,
although it does support a nice web interface (good for people who expect
forums).

Does anyone have any recommendations?

~~~
helb
There were some suggestions in yesterday's thread –
[https://news.ycombinator.com/item?id=9617824](https://news.ycombinator.com/item?id=9617824)

------
jasonhansel
Maybe GitHub should start mirroring Sourceforge projects :)

------
moron4hire
>> SourceForge, once a trustworthy source code hosting site...

No, SourceForge was always sleazy.

~~~
helb
It wasn't in 90s and early 00s… Along with Freshmeat (and The Linux Game Tome
:)), they were pretty useful websites.

~~~
moron4hire
Wikipedia says SourceForge launched November of 1999. I remember as early as
2003 thinking it was sleazy how it tried to trick you into downloading adware
with their big "Download Now!" ads. So maybe not literally "always", but
certainly the majority of time.

~~~
helb
Seems about right, maybe my memory tricked me. Thanks.

