I'm the project lead for LXQt (http://lxqt.org). We inherited some infrastructure legacy from LXDE, which was hosted on sourceforge. Today, we have moved most of the legacy to Github but we're still using Sourceforge's mailing list system.
We're moving to a self-hosted mailman3 instance but it's been excruciatingly painful. Email is not fun to deal with.
So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists.
This model can work. It's not unheard of either (cf. Discourse), but it just hasn't been executed properly yet, or is forum-only and does not support email properly. Right now, the UX of mailing list software is like IRC's. Very raw. If it were made more seamless, more approachable, overall easier, it would have a similar effect as Slack has had on unthreaded-async-topical-conversation.
PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge as a malware risk.
The GIMP project learned this the hard way: http://www.gimp.org/news/2015/05/27/gimp-projects-official-s...
Since they used to be the official source, their repository tends to have very high PageRank and they're essentially cashing in on it. Since the content they host is open-source, this is technically legal, but it's scummy as all hell.
This was a BlackBerry project, though, and it wasn't something you could install on a desktop - that may have been a contributing factor, but I never had any problems with them continuing to host the content after I deleted it.
If the project is licensed under GPLv3 (or any other strong copyleft license), wouldn't they be illegally hosting it because they are bundling their malware dropper with software that isn't compatible with the license?
> The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
Same with the Debian Free Software Guidelines:
> The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.
In reality though there's a reason there are many different OSS licenses - many devs want options around attribution and yes, around use in limited ways. A "please don't use this for abject evil" clause may not meet the no true open source dictionary definition, but pragmatically speaking it's not necessarily a terrible idea.
(The forum is a front-end to the mailing lists / newsgroups.)
Instead, it's all either slow, slow backend frameworks like Ruby, or even worse, these SPA applications that require extensive client-side JS processing before they show you the goods.
Node is a step in the right direction for both problems: for the first, Node-based backend applications are faster than Ruby and Python, and for the client-side rendering problem, because Node can pre-render these SPA apps (which everyone should do for a serious production app that uses a framework/library like AngularJS or React for major client-side rendering).
But a server application based on D or Rust, or even Go, is an even better solution to the slow backend framework issue. Unfortunately, no one has yet created a full-service framework like Rails or Django for any of those languages.
Usually this is a matter of bad coding or overprovisioning of whatever is being used to host the site and the DB. Most maintained languages running on modern hardware can sustain reasonable loads without any significant performance issues. While client-side bad-performing frameworks abound, the last I looked into it, Ruby+Rails isn't that much worse or better than any other.
The source code running it - https://github.com/CyberShadow/DFeed
Hi. I'm from the Discourse team, and I recently "soft-pitched" an idea that seems very much in line with what you're looking for.
Regardless of the above, we're gonna be doing a significant push for better mailing list features during the months to come, so any feedback you or any other open source projects may have, please nudge me on meta.discourse.org or send me an e-mail (my first name, erlend, at the company domain).
Uggh... really?
So the simple, clean, extremely fast loading HTML indexes of mailman/majordomo aren't going to do it for you anymore?
Yes, I was getting so tired of one click getting me to a nice, clean index, ordered by year and month, and loading near-instantly. What a pain that's always been.
Get. Off. My. Lawn.
I'm not suggesting that the existing software change, I'm suggesting something new. Pitching something that doesn't exist today (the D-Lang forums linked here come quite close though). Our goal is to merge our current forums with our mailing list and not have to maintain both separately.
So I'll thank you to get off my damn lawn, you and the seven crates of entitlement you carry around.
I design user interfaces and creating a new UI for basically what mailman does would really just be an attempt at grabbing a different target audience.
mailman has an image behind it. People associate with different images, and certain looks and feels make certain people gravitate towards them.
The type of people I would want in my mailing list are the type of people that appreciate how mailman looks as-is.
I try to practice great design where it matters most. A reskin of such software would be more aligned with the goals of junior designers and people who rehash weather apps with nice gradients on dribbble.
> "User needs"
Do you actually design anything?
"It is a place for FOSS communities to discuss all the things they want without ads, censorship, signup requirements, bundled apps, or requirements that you use any particular email client or service."
My project is using Google Groups just fine. Do not list your group in public directory to prevent spam.
Redis is moving from mailing list to Reddit. That seems to work for them.
At this point, unlike Reader, there's real cash behind the functionality. It's possible they could just fold it into Gmail, I guess, but with other mail interfaces like Inbox popping up in the Google ecosystem it seems if anything they're trying not to shoehorn too much more into a flagship product.
My guess is Groups will stick around for a while yet.
So it’s possible.
IMHO a publicly/semi-publicly logged irc channel would do just as well, but that's even more oldschool.
As for Discourse's mockery of a mailing list mode, let's not even talk about it.
GitHub has email notifications for issues, but you can opt out of any particular discussion if it gets too pedantic or doesn't relate to you. This helps massively reduce inbox clutter.
The thing that bugs me about mailing lists the most is you get all the email, all the time, forever.
This is a total non-issue. Mailing lists support daily digests if you want that, and email clients support folders and filters if you want that instead. Nobody managing 5+ mailing list-based projects at once is dumping all of that into an unsorted inbox.
Because who doesn't like mucking around with their client's filtering?
Isn't there a decent mailing list package that hybridizes a GitHub "issue" type system with a traditional "email firehose" approach?
Because (your email client) is always going to be much, much faster and easier to navigate than "some dudes cute forum setup".
Replying to and managing conversations is much easier when you can do it with one or two keystrokes rather than mousey-mousing ten clicks all over the place (and oh their ad tracking js is stalling out again...)
I maintain that all web forums should have a mailing list interface so that you can use the forum without using the web at all ... but I suppose that breaks their revenue model ...
(Personally, I use GMANE+NNTP for mailing lists, and NNTP is probably better than plain (public!) mailing lists for most purposes, but unfortunately that ship has sailed.)
IRC is still an underused tool in my opinion. The ability to just talk about one issue in a Mail List and keep track of the communication is great. I can't think of another tool that manages communication as well as a mail list (Forums are just not as good in communication notifications like a mail list.)
P.S. I still hate Mail List and don't use them anymore but nothing does it as well right now.
IRC, like other chat and IM tools, is synchronous. That is useful to get an issue solved quickly. But mailing lists are asynchronous. People can think before answering and don't have to be around at the same time. Also, the threaded nature of mail makes it better to archive discussions and reference them later. An IRC log is full of other noise and little structure.
If I want long-form messages delivered asynchronously, what other choices do I have (forums?) and why are they better than mailing lists? (everyone already has an email client.)
Or is it because you value the communication differently than the code? We've evolved distributed revision control to handle issues of geography, connectivity, and work styles effectively, allowing you to be self-contained and then collaborate (push, pull, merge someone else's stuff) when you are ready to. Email is the only generally available method of communication that works the same way.
> Then after installation is complete install Malware bytes and Avira. Scan with both and restart the computer.
> Then run with ADWcleaner and remove the infections and restart. Should be good from there and enjoy FileZilla.
Do people really think this works? I mean, there's no-one on HN who thinks this works, right?
WinSCP is a decent alternative. As is Swish:
An alternative to sourceforge implies not using sourceforge but swish does.
It hangs on start, randomly doesn't connect, does odd things with bookmarks (they don't work sometimes, but manually entering info does)
I don't recommend cyberduck on windows to anyone, I've been looking for an alternative for a while.
If a dev is reading, my machine is:
* OS: Microsoft Windows 7 Enterprise
* CPU: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz (3.00 GHz)
* RAM: 32691 MB Total (16885 MB Free)
* VGA: NVIDIA GeForce GTX 760
* Uptime: 123.24 Hours
* Version: 4.7.3
It does not support passive mode
I don't particularly like the built in FTP command line utility (even with scripts). But it has existed a very long time indeed.
The only packages I have installed are "Media Features" ".Net Framework 3.5.1" "Print and Document Services" "Windows Gadget Platform" "Windows Search" and XPS Services/Viewer. All of which are default features.
Which package are you even suggesting contains the ftp.exe client? Because I don't even see one. Also why would anyone go to the trouble of putting a 47 Kb binary inside of a feature package? It makes absolutely no sense at all.
Granted, I haven’t used Windows in 4 years, but I remember fighting with getting ftp on Windows without admin.
As the person said above, ftp.exe has been in Windows since the MS-DOS days, and is a core utility. I've never seen it not be available on any version in any situation.
Now an FTP server definitely needs to be installed. Always has. But we're talking about the ftp.exe client.
Yes, much better.
Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.
This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counter productive.
Talk like that can only mean that they know about the malware bundling.
Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."
Looks like Filezilla will not die a hero's death.
That being said, Base64 is woefully inadequate, just google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.
I've thought about it for the last few hours, and decided that the best solution is to just use RSA in the client.
And you could use a hardware key auth.
Like the German eID, where the key is signed by the government and on a special chipcard.
The software requests the card to sign, you need to type in your PIN on the reader itself, and the request will be signed with RSA.
The public key is world-readable on the card, so you can just send that to the server.
It seems like any credentials that can be automatically used after a program loads without the user authenticating are at risk for malware harvesting.
Now, I've only ever installed it from ninite.com, so I know it didn't initially have the Sourceforge trojan/adware junk. However, I've since allowed it to download its own updates instead of doing it manually through the Ninite downloader. I've never, ever seen a program I've uninstalled via the Windows Control Panel with the ability to force a shutdown or restart without first notifying me or giving me the option to postpone. I'm starting to think there's something nefarious in Filezilla itself, perhaps in one of those "direct from the developer" updates, not just the Sourceforge wrapper.
Another interesting thing is that the built in Filezilla updater will first uninstall the app before reinstalling the updated version, and it never tried to restart or shutdown the computer during those updates, only during uninstallation from the Control Panel.
Ninite strips out any malware or other crap from the installer and only installs the pure program with default settings, in the background, and sources the app directly from the developer's site when possible. It's my go-to tool for essential Windows utilities.
If you want clean software you must not install directly from Sourceforge.
Oh and gorhill, much much thanks for your time and work on this.
Just take this test: Try to download the Filezilla and when the download page shows click on the Direct Link. Then compare the two executables, one that downloaded automatically and the one that it downloaded via the direct link.
You will see that the direct download is clean but the other has the SF icon and it has a virus!
It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.
It makes me wonder; why don't we have a good site for Windows programs yet?
Ideally, it'd be run by volunteers (not a company with a profit motive), would manually moderate the programs posted them (and remove any adware/spyware/bundled programs by force if necessary) and tell every malware ridden sleazy ad network to sod off.
It exists in more niche subject areas. If I look for game making resources, a lot of those sites actually do proper moderation and try and make sure viruses aren't present in uploads. Places like MFGG are pretty good about this. So why don't we have that for software in general?
I mean, there's GitHub and package managers, but it's disappointing how this market has no honest people in it.
It's not just Filezilla or sourceforge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company Perion. I followed that rabbit hole last year, Lenovo point blank refuse to acknowledge it is spyware.
And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.
They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.
Oh, and here is an article that confirms the autoupdate:
The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).
At least Lenovo’s business lineup wasn’t affected.
We all wish FileZilla would just drop Sourceforge completely, but at least the non-wrapped versions are still available.
Also, PuTTY comes with a SFTP/SCP client, and unless there are strong reasons you cannot use SFTP, it is a lot better than FTP, security-wise (does not transmit passwords in plain text and allows using cryptographic keys rather than passwords; in fact, on OpenSSH you can configure the server to deny password authentication completely; and the entire connection is encrypted, of course).
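An added example for the OpenSSH point in the comment above (not from the thread, from OpenSSH or from FileZilla): a POSIX shell audit that reads an sshd_config and reports whether the server can still accept passwords, plus a helper that writes a keys-only copy. The sample config is constructed for this example and the function names are my own; the one real rule it relies on is that sshd honours the first occurrence of a keyword and ignores commented lines.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config
# for the "deny password authentication" setting. The sample config at the
# bottom is constructed for this example.

# Print the effective value of a directive ($2 may be an alternation of
# keywords, e.g. the old and new names of the same option). sshd takes the
# FIRST occurrence of a keyword; commented lines ("#Keyword") do not count;
# if the keyword is absent the built-in default passed as $3 applies.
# Caveat: only the global section is examined, "Match" blocks are ignored.
sshd_effective() {
    val=$(awk -v k="$2" '
        tolower($1) == "match" { exit }                       # end of global section
        tolower($1) ~ ("^(" tolower(k) ")$") { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Exit status 0 when only public-key authentication is possible, 1 otherwise.
# Passwords can arrive directly (PasswordAuthentication) or through
# keyboard-interactive/PAM (KbdInteractiveAuthentication, formerly
# ChallengeResponseAuthentication), so both paths have to be off.
sshd_keys_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    kbd=$(sshd_effective "$1" 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)
    pub=$(sshd_effective "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pub" = yes ]
}

# Write a keys-only copy of $1 to $2. The hardened directives are placed
# FIRST so they win over whatever the original file already says.
sshd_harden() {
    {
        printf '%s\n' 'PubkeyAuthentication yes' \
                      'PasswordAuthentication no' \
                      'KbdInteractiveAuthentication no'
        cat "$1"
    } > "$2"
}

# Constructed sample: a config that looks locked down at a glance (note the
# commented-out line) but still accepts passwords.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
if sshd_keys_only "$tmp/weak"; then echo "weak: keys only"; else echo "weak: passwords accepted"; fi
sshd_harden "$tmp/weak" "$tmp/hardened"
if sshd_keys_only "$tmp/hardened"; then echo "hardened: keys only"; else echo "hardened: passwords accepted"; fi
rm -rf "$tmp"
```

After editing a real sshd_config, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the authoritative check; the script above is only a quick pre-flight that also catches the commented-out-line mistake shown in the sample.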
They have some issues with SSL certificate, though.
Juggling multiple windows is really annoying. The entire UI is awful besides that also.
FileZilla is maintained by people who want to push spyware to you because it's how they get paid. This isn't an accident.
"It's not our problem, it's SourceForge" - stop f'ing using SourceForge then!
Their ambivalence and complicity in distributing this malware is probably the behaviour GP was talking about.
He let me know that bundling crapware was "intentional"
His statement about alternate download links was also incorrect, because I was asking about Filezilla server, which I could not find anywhere but sourceforge.
If Google ranked them down, then the harm would be limited.
Well - you are trusting that Ninite doesn't include any crapware / malware, but until now I haven't had any problems with it. Makes updating Java Runtime much nicer too.
Does sourceforge share revenue from bundled installs with projects?
If you say "no, I don’t want you to bundle your installer with my project", they will do so anyway (look at GIMP), and you get nothing.
In other words, in my view, a project that opts in to revenue sharing with crapware bundlers who are known to sometimes distribute malware is behaving unethically.
So now I don't trust the filezilla devs in general, even if I get a package signed by my distro or whatever. Very disappointing. Worse still, it makes projects that didn't opt in suspect in my view, simply because they are on sourceforge; if I can't find out whether they opted in, how can I know any project isn't taking kickbacks?
I really hope I'm missing something here....
If it bundles crapware, and the maintainer listed on sourceforge.net is sourceforge itself, they didn’t opt in.
Otherwise they did.
Just don't use them.
Base64 at least provides some protection against somebody looking at it with their eyes and memorizing them, which is perhaps a more likely scenario - family members, kids, etc.
Don't worry, it's just an "offer". They're totally not distributing malware via their installer.
Move your stuff off Sourceforge! What the hell is wrong with your people?
Yes, this means that a self-contained project needs the funds for basic hosting and also someone with system admin experience. But that should not be unreachable for major projects.
Chrome and Firefox should add SourceForge to their malicious site list.
a) Certainly if a site is distributing malware/virus/trojans it needs to be flagged as such -- whether it is intentional or not.
b) Sourceforge's policies indicate they are no longer a trusted source for official files and it is probably being ranked far too highly on Google and other search engines.
c) If Dice fails to promptly and adequately address the distribution of malicious files for profit the appropriate government agencies should become involved.
Chocolatey nuget is similar to Linux package managers but for Windows programs
choco install filezilla
You don't see the installer UI, but it still downloads from sourceforge because that's where the executables are stored.
Good riddance, I say.