
Firefox download on SourceForge - eridal
http://sourceforge.net/projects/firefox.mirror/
======
apendleton
A notable difference here (as opposed to other open source projects that have
received the same treatment on SourceForge) is that Mozilla owns the "Firefox"
trademark, and has specific policies governing its use and the distribution of
software that uses its name or branding:

[https://www.mozilla.org/en-US/foundation/trademarks/policy/](https://www.mozilla.org/en-US/foundation/trademarks/policy/)

It specifically precludes distributing modified versions of the software or
installer and still calling it "Firefox" (with which they seem to be complying
for the moment), and also specifies the manner in which the name and branding
are to be used in website copy, like putting a "TM" symbol after the first
mention (with which SF seems not to be complying at the moment). In other
words: Mozilla has power here and could force them to take it down if they
wanted. And they should, in my view, if for no other reason than because SF
have been jerks about this whole thing and this is finally a situation where
someone can actually do something about it.

~~~
qbrass
[http://slashdotmedia.com/terms-of-use/](http://slashdotmedia.com/terms-of-use/)

"By sending or transmitting to us Content, or by posting such Content to any
area of the Sites, you grant us and our designees a worldwide, non-exclusive,
sub-licensable (through multiple tiers), assignable, royalty-free, perpetual,
irrevocable right to link to, reproduce, distribute (through multiple tiers),
adapt, create derivative works of, publicly perform, publicly display,
digitally perform or otherwise use such Content in any media now known or
hereafter developed. You hereby grant the Company permission to display your
logo, trademarks and company name on the Sites and in press and other public
releases or filings. Further, by submitting Content to the Company, you
acknowledge that you have the authority to grant such rights to the Company.
PLEASE NOTE THAT YOU RETAIN OWNERSHIP OF ANY COPYRIGHTS, TRADEMARKS AND
SERVICE MARKS IN ANY CONTENT YOU SUBMIT."

~~~
apendleton
Mozilla didn't submit it. SF took it upon themselves to republish Mozilla's
content and marks. Mozilla isn't bound by these terms, and SF _is_ bound by
whatever terms Mozilla attaches to the use of its marks, since it owns them.

~~~
qbrass
>Mozilla didn't submit it.

I admit I missed that.

------
sirn
Slightly unrelated, I clicked the link and saw this:
[http://i.imgur.com/OpbdFfs.png](http://i.imgur.com/OpbdFfs.png)

Apparently this is done by the uBlock Origin's own "uBlock Filters"[1][2] with
this reason:

    
    
        # http://libregraphicsworld.org/blog/entry/anatomy-of-sourceforge-gimp-controversy
        # https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/
        # Using `other` will cause the whole site to be blocked through strict blocking,
        # yet the site will render properly if a user still decide to go ahead.
        ||sourceforge.net^$other
    

I'm a little bit unsure whether this is a good thing or not. But personally,
given SourceForge's recent behavior, I'm kinda happy that uBlock Origin did
this (as SourceForge have clearly stepped into the ranks of malware-spreading
sites).

[1]:
[https://github.com/gorhill/uBlock/blob/ed130afc6f3a70e2c2a68...](https://github.com/gorhill/uBlock/blob/ed130afc6f3a70e2c2a68fb1e716cc1300adeabd/assets/ublock/filters.txt#L101-105)

[2]:
[https://github.com/gorhill/uBlock/commit/c4e82357efaf18bac3f...](https://github.com/gorhill/uBlock/commit/c4e82357efaf18bac3f04900efb304f5a092ffe0)

~~~
samch
Did you happen to turn on strict blocking behavior? I'm using ubo in Firefox
with strict blocking off, and I'm not having any issues.

EDIT: Just tested strict blocking on my install and nothing prevents the link
from displaying. I wonder what is different in my version.

~~~
jug
I went into the extension's settings and forced a filter update. That did it.
It's such a recent addition, that it probably hasn't had time to auto update
itself yet. I actually just installed it too, which means that it is _not_
using the latest filters on a first install.

------
jordigh
Argh, we really need to get Octave-Forge off SF. Octave itself is hosted on
GNU servers, but all of the Octave-Forge add-on packages are in SF.

The thing is, there isn't really anything that easy to move to. No, no github,
because we don't like git. We have a bunch of Mercurial repos. We could try
moving them to bitbucket, but this also leaves the question of what to do
with our webpage hosting, which is currently on SF.

And no matter what we decide doing, it's all a bunch of work that nobody
really wants to do.

At least when SF first approached us with their "revenue sharing" bullshit we
refused. I think this means our downloads are clean so far.

~~~
JoshTriplett
> No, no github, because we don't like git. We have a bunch of Mercurial
> repos.

Any particular reason?

> We could try moving them to bitbucket, but this also leaves the question of
> what to do with our webpage hosting, which is currently on SF.

You could move your repositories to bitbucket but mirror the single repository
for your webpage content to GitHub to use their hosting. (And if that
repository is currently Mercurial, see git-cinnabar by Mike Hommey:
[https://github.com/glandium/git-cinnabar/](https://github.com/glandium/git-cinnabar/) )

Or, it looks like bitbucket may have a similar feature:
[http://pages.bitbucket.org/](http://pages.bitbucket.org/)

~~~
jordigh
> Any particular reason?

Lots of reasons. I'd rather not go into an argument about it. It's not
something that can be fixed: git is a no-go for us.

> but mirror the single repository for your webpage content to GitHub to use
> their hosting.

I'd rather break free, not change masters.

~~~
JoshTriplett
> Lots of reasons. I'd rather not go into an argument about it. It's not
> something that can be fixed: git is a no-go for us.

I'm not interested in getting into an argument, but I'm genuinely curious what
reasons remain for people preferring mercurial. At the moment, apart from "got
used to the UI", the main one I know of is more "native" Windows support
(without needing a Cygwin-like environment to work in). I don't know if that's
an issue for your project.

> I'd rather break free, not change masters.

Fair enough. In terms of repository hosting, moving to Savannah seems like the
obvious choice there then. And assuming you have people available to do the
work, you could always move to gnu.org or nongnu.org, depending on your tastes
and the nature of the software your directory links to.

~~~
jordigh
> I'm genuinely curious what reasons remain for people preferring mercurial

Top-level answers here:

[https://news.ycombinator.com/item?id=9467096](https://news.ycombinator.com/item?id=9467096)

> moving to Savannah seems like the obvious choice there then.

The only issue is that Savannah is static hosting. We have a bit of PHP that
generates one page. We might be able to replace that with Jekyll, though.

~~~
JoshTriplett
> The only issue is that Savannah is static hosting. We have a bit of PHP that
> generates one page. We might be able to replace that with Jekyll, though.

Does it do so from dynamic server-side data, or could you run it on each new
commit and serve the result as a static page?

~~~
jordigh
Yeah, we can probably do some sort of commit hook. It's not an impossible
problem, just annoying.

------
metasean
On the linked page:

> Hey, this isn't a SourceForge project! Check out the SourceForge Open Source
> Mirror Directory for more information.

which links to:
[http://sourceforge.net/mirror/](http://sourceforge.net/mirror/)

> The Open Source Mirror Directory is an extension to our existing software
> directory, where we'll be mirroring projects that are not hosted on
> SourceForge, and SourceForge projects that have been abandoned.

~~~
ChuckMcM
Exactly this, and it is why I think they really are trying to be download.com.
By 'mirroring' anything and everything and some SEO magic (they have a lot of
residual link authority with the big G) they get themselves to the top of the
list of links where to get package <x>.

Perhaps it's time for Google to "adjust" their host rank?

~~~
kubiiii
Especially when chrome considers sf downloads as hazardous.

------
ksk
It is quite sad to see this happen to Sourceforge. IIRC Sourceforge was bought
for $20M or so. I wonder how GitHub plans to repay the $100M (+ interest) VC
'loan' and generate profit without 'whoring out' to google/other advertisers.

~~~
schneidmaster
GitHub has paid plans for private repositories and it can add up to a fair bit
of MRR for enterprise organizations.
[https://github.com/pricing](https://github.com/pricing)

They also make money off of their job board ($450 a listing) and could
probably monetize a lot more here without angering too many users.
[https://jobs.github.com/](https://jobs.github.com/)

~~~
ksk
Yes, hopefully it will add up to $100M+. At least one company must survive!

------
thomasfoster96
"229 downloads this week." "Last updated 2/6/2015"

Now, if you click the 'read more' link, you'll find that the Firefox download
available on sourceforge was actually last updated 10th June 2014. 53 weeks
ago. 10 major version numbers ago.

:(

~~~
rcthompson
Are you sure? It says version 38.0.5, which is the same as what I'm running
right now.

~~~
krisdol
I think there's a difference between "latest version" and "latest release". If
an admin forgets to update the release pointer, I guess it's possible for that
to get stale. Regardless, SF should absolutely not hijack any projects, let
alone ones that have pushed new binaries in the last few months (even if
they're not releases).

------
joshstrange
FYI, to any/all people saying "They aren't bundling malware with this" you are
forgetting a VERY important word: YET.

Their past indicates they will and what they have done so far fits the pattern
nearly perfectly. I'd put money down that malware will be in this by the end
of the year if not sooner.

~~~
colinbartlett
And, really, how do we know they are not? Unless we're checking the hash of
the download with that provided on Firefox's own website, who even knows what
we are installing?

From a company with a history of stuffing adware down our throats.

Edit:

    
    
      % md5 firefox-*
      MD5 (firefox-genuine.dmg) = 71c3d44cd5a612489a70e0f2ef825ba9
      MD5 (firefox-sourceforge.dmg) = 71c3d44cd5a612489a70e0f2ef825ba9
    

So they are the same binary. All we need to do is create a Chrome extension
that downloads the binary from both places and checks the hash then tells you
if it's safe to download the SF one. Simple!

Note that it took 8 times as long to download the binary from Sourceforge
compared to Firefox's own site.
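
The check described in the comment above, as an added example that is not part of the original thread: it compares a downloaded file against a checksum list obtained from the publisher's own site, using SHA-256 in place of the MD5 shown. The `<digest>  <filename>` list format, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The checksum list must come from the publisher's own site
# (not from the mirror), otherwise a match proves nothing.

# Print the SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE SUMS_FILE [NAME]
# NAME is the entry to look up in SUMS_FILE (default: basename of FILE).
# Returns 0 on match, 1 on mismatch, 2 if a file or the entry is missing.
verify_download() {
    file=$1; sums=$2; name=${3:-$(basename "$1")}
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    # Exact match on the filename field; drop the "*" binary-mode marker.
    expected=$(awk -v n="$name" \
        '{f=$2; sub(/^\*/,"",f)} f==n {print tolower($1); exit}' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# Constructed sample data: an "official" file, a faithful mirror copy,
# and a repacked copy with extra bytes appended.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed installer bytes\n' > "$dir/official.dmg"
    cp "$dir/official.dmg" "$dir/mirror.dmg"
    printf 'constructed installer bytes + bundled extra\n' > "$dir/repacked.dmg"
    # Stand-in for the publisher's checksum list.
    printf '%s  firefox.dmg\n' "$(sha256_of "$dir/official.dmg")" \
        > "$dir/SHA256SUMS"
    for f in mirror.dmg repacked.dmg; do
        verify_download "$dir/$f" "$dir/SHA256SUMS" firefox.dmg
        echo "$f: exit $?"
    done
    rm -rf "$dir"
}
demo
```

A match only shows that the mirror's copy was identical at the time of the download; each later download needs its own check.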

------
zatkin
They also seem to have ownership over the openvz, MySQL, and PostgreSQL
projects, too.[1] (You have to click "Show More +" to see the full list.)

[1] - [http://sourceforge.net/u/sf-editor/profile/](http://sourceforge.net/u/sf-editor/profile/)

~~~
frik
see also
[http://sourceforge.net/u/sf-editor1/profile/](http://sourceforge.net/u/sf-editor1/profile/) this SF
profile took over like a hundred high profile open source projects on SF
(incl. Apache HTTP Server, Apache Hadoop, OpenOffice, Audacity, Google Closure
Compiler, Epiphany, Evolution, Fedora, Fritzing, Gimp, HeidiSQL, Joomla, Lua
for Windows, MySQL, PostgreSQL, VLC media player, VirtualBox, ... and many
more)

Just yesterday VLC was on HN about moving away from SF "The story between VLC
and Sourceforge":
[https://news.ycombinator.com/item?id=9714250](https://news.ycombinator.com/item?id=9714250)

The mirrors (HEAnet & co) should refuse to add any new binaries from
Sourceforge and we need a community driven website that coordinates open
source download binary mirrors (based on what SF uses at the moment), and
Archive.org/ArchiveTeam/etc should backup all SVN/CVS/etc repositories on
Sourceforge, and Google then should remove them from their index or flag them
as adware/scam.

~~~
zatkin
Wow, this is a lot worse than I initially thought.

------
sj4nz
uBlock Origin appears to protect browser navigation to all sourceforge.net
links now.

------
rcthompson
So, this is Sourceforge mirroring a popular open source project that's hosted
elsewhere in order to garner more traffic? Is that what's going on here?

~~~
imglorp
Yeah. I'm okay with it because it says right there,

    
    
        Hey, this isn't a SourceForge project! Check out the 
        SourceForge Open Source Mirror Directory for more 
        information.
    

plus the url also clearly says ".mirror", so they're not pretending to be the
authoritative page on the product. It's no more creepy than Tucows or C-Net at
this point. Just a regular spam laden download site.

~~~
JoshTriplett
Except for the part where they add malware to the download. Mozilla has gone
after various shady sites distributing "Firefox" with malware, and I hope they
do so in this case too.

~~~
dimino
They don't add malware to the download, geez...

~~~
oneeyedpigeon
They have in the past. And, currently, they bundle additional, unrequested
software with at least some of their downloads.

~~~
dimino
No, it wasn't _malware_ , that's software intended to damage or disable a
computer. SourceForge isn't trying to hurt anyone, please stop pretending like
they are.

~~~
oneeyedpigeon
There are plenty of reports of Sourceforge downloads, in the past, containing
malware. I'm not saying they haven't removed those, or claiming - for a second
- that they intentionally distributed them. Nor am I claiming first-hand
evidence of such.

However, what's clear right now is that if you download an installer from
Sourceforge, it could install software that is totally unrelated, that you
didn't request. Yes, they might disclose that it's going to happen and give
you the option not to install the unwanted software, but it's still clearly
their intent that some people end up with unrequested software on their
machines. That's pretty questionable behaviour in my book.

~~~
JoshTriplett
> I'm not saying they haven't removed those, or claiming - for a second - that
> they intentionally distributed them.

They've put out press releases explicitly admitting to such intent: that they
hijacked "inactive" projects (which includes projects who intentionally left),
and that they bundled "offers" (malware) with them.

And if you think there's a useful distinction between malware and what they're
distributing, note that one of the bits of software they "offer" to install
captures all network traffic and routes it via a third-party service without
making that clear to the user.

------
th0br0
Also see [http://sourceforge.net/mirror/](http://sourceforge.net/mirror/) I
guess. Weird behaviour.

------
neomech
Are they including any "offers" with the installer?

------
AdmiralAsshat
Was it _just_ hijacked, or are we only now noticing? Also, is it a strict
binary mirror, or have they started to bundle it with crapware?

Considering the incidents involving Sourceforge in the last few weeks, I would
be rather surprised if they just did this, considering how hilariously tone-
deaf it would look.

------
wumbernang
The phrase "circling the drain" comes to mind. Last ditch attempt at
pretending to be relevant by gaming the search industry.

------
drtse4
Looks like it's there since 2011-11-28.

------
hobarrera
> uBlock₀ has prevented the following page from loading:
>
> [http://sourceforge.net/projects/firefox.mirror/](http://sourceforge.net/projects/firefox.mirror/)

I can't honestly say I don't agree with its behaviour

------
Drakim
You'd think with all the bad press lately that they would lay a little low.

------
dbcooper
A bug has been filed at Mozilla for countering this:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1174745](https://bugzilla.mozilla.org/show_bug.cgi?id=1174745)

------
afro88
> Description
> The first thing you’ll notice in Firefox is

all the malware we try and install without you noticing

------
mdekkers
Why am I not surprised that the owner of Sourceforge, DHI Group Inc., is a
recruitment firm...

------
drift
"Millions of people use SourceForge every day to search for Open Source
software"

------
feld
uBlock Origin blocked this link for me. So thanks, uBlock.

------
monsterix
I have this weird feeling that there has been some bad force working up
against Firefox ever since they declared their all out war against user
tracking (was anti ad-bearers).

I could be wrong but there are signs and absurd behavior like umpteen number
of resignations at the top, Firefox Apps been published with strange love from
private players like telefonica/others etc.

Isn't there a smell somewhere here?

~~~
zabraxias
Nothing as interesting as that. Mozilla has had a "let's try and be friends"
approach with the ad industry for a few years (see 3rd party cookies) but the
recent introductions like pocket and Hello are simply features some group in
management decided were needed. The open governance approach means our source
of income (various search referrals) is all we'd need to stay afloat for quite
a while. Having said that it's a smart play to get into the mobile OS game and
continue on the browser-as-a-platform path.

The moment anyone decides to add bundleware to the official release would be a
golden age for tech recruiters since most of the engineering staff would be
already packed.

Source: Mozillian

------
zygy
sudo cat "127.0.0.1 sourceforge.net" >> /etc/hosts

~~~
cosarara97
I don't think this will do what you think it will do. First, you'd want to
echo, not cat, and second, the sudo won't affect the redirection, which is
done by the shell.

~~~
ytjohn
I use "tee" for these scenarios.

echo "127.0.0.1 sourceforge.net" |sudo tee -a /etc/hosts

