A Brief History of SourceForge, and a Look Towards the Future (sourceforge.net)
89 points by jontro 7 months ago | 71 comments

Personally, I feel that the SourceForge brand has negative value right now. For me they burnt almost all of their goodwill during their long, long period of neglect and stagnation, then went sharply negative when they started distributing malware.

I'm willing to give the new team the benefit of the doubt; let's just assume they want to create a high quality product. That's great, but I think the first step is starting over with a non-tainted brand.

It may make sense to migrate existing projects and accounts across, or even to build on top of the existing code base, just don't call it SourceForge.

Completely agree. Sourceforge, the brand, is so tainted I can’t even read this on my phone, since a content blocker list I have installed has apparently blocked the entire domain. The brand has been shit in my own mind for a while. Not even going to bother reading this. Why does it still exist? Replaced by GitHub, Bitbucket, and Gitlab.

> Why does it still exist?

Well, we are using Sourceforge... For one particular reason - free mailing list [for our open source project]. The code is on GitHub, but we want to do things the "old way" - send a patch to the mailing list, let people review it.


There's still old source code on Sourceforge that hasn't been moved elsewhere.

Some of that is 100% stagnant, some of that is lightly maintained with a bug fix once every few years, and a little of it is somewhat actively maintained.

I always thought that Freshmeat, while not a hosting site and therefore not comparable, was an ok brand, and didn't necessarily have to go inactive, even though, yes, it couldn't keep up with everything. It could've continued to play some interesting role.

I was just thinking of Freshmeat, that was a big loss to me as I found it much easier to navigate compared to SF, at least back in the days: I rarely used SF in like 10 years and stopped completely after they added malware to archives.

Since the FileZilla fiasco I don't trust projects on Sourceforge any longer either as I cannot tell which projects are complicit in distributing malware and which use Sourceforge as an innocent software repository.

At this point would even a rebrand matter? Github has such an unspoken strong hold on the developer community that I find it hard to believe that SF will be able to make any dent at all. Github has at least been a respectable stakeholder in the whole process. No shady downloads, ads or stepping over the users in any way. The worst they did was not developing features that would have helped simplify open source development and even that was largely addressed when "Dear Github" rolled around. Even Gitlab and Bitbucket, which are far better products than SF ever was, have not been able to shake GH. Lastly, every package manager developed in the last decade has millions of its packages with repos pointing to GH. If GH shuts down open repos, npm would probably fold up overnight.

You raise some very valid arguments, but every powerful incumbent seems unstoppable right until they're stopped. The same case for why you shouldn't compete with Github now applied to, eg, MySpace. No product is eternal; someday Github will fade and be replaced, and we'll be having a discussion about how pointless to compete with their successor is instead. :)

...that being said, I don't think SourceForge is the product to supplant Github. But I think that says more about SourceForge than it does Github.

History of SourceForge according to me:

- forced users to look at ads and go through two steps in order to download projects

- when that was not enough, injected malware into the files users were downloading

- irrecoverably lost project information

I don’t think they can do anything to salvage their image at this point. The last incident didn’t even inflict too much damage because there wasn’t much left to SourceForge.

Many years ago me and a friend wrote an open source game and we hosted the project on Sourceforge. This was some time in the late 90's. The project got dropped as so many others do because both of us found more interesting things to do.

Now, if you were in this situation and you decided to come back to the old project a few years later (we're now in the early 2000's) wouldn't you expect to be able to continue where you left off?

Not so with Sourceforge. I found that the entire project was deleted. I contacted them and got the answer that it was indeed deleted because it hadn't been touched in however many years it had been.

To give credit where credit is due, they were actually able to recover my code from a backup and restore the project.

The point of this post was just to point out that they've done some user hostile things for a very long time.

>Now, if you were in this situation and you decided to come back to the old project a few years later (we're now in the early 2000's) wouldn't you expect to be able to continue where you left off?

That's unfair. Back then, storage was expensive, backups were expensive, bandwidth was expensive, server CPU time was expensive. You can't fault them for removing unsupported projects in an era when Microsoft and Yahoo were only giving you 10MB of email storage (you might get an extra 15MB for $10/mo) and similarly aggressive purge policies.

That's a fair argument, but couldn't they at least have sent an email about it?

I don't disagree with that. That would have been the right approach.

Nit: Given that Sourceforge launched in November, 1999, that would have been the very late 1990s.

More likely early 2000s.


You're right. We started our project in the late 90's but it was only later we moved it to Sourceforge.

Sometimes when things get broken, they're broken forever.

To me, this is just another website. There is no history, that was burned when it became an enormous cash grab. I understand they've been making a lot of changes, but if they want tabula rasa, then they have it -- and they have to offer something that entices people to use the product, not rely on the name they inherited.

As someone else already pointed out, I don’t think they’ll be able to rely on the name as it’s been severely tarnished beyond repair. They’ll have to rely on something that is significantly better than what the GitHubs, Bitbuckets, and Gitlabs are offering.

At least it does not belong to Microsoft yet. That seems to be important for some people. ;-) (I actually laughed when I saw that SourceForge has a GitHub importer now... SourceForge! Ha!)

On a more serious note: SourceForge has surely improved a lot, including not shipping malware anymore. The only things that I'd improve are:

1) More reliable SVN servers. Yes, I "still" have SVN projects on SourceForge because I lack motivation to change either the VCS or the hoster. But SourceForge's servers sometimes don't like my attempts to pull from or push to them. I blame the server admins, not the VCS.

2) A better code view. Just like Bitbucket's, SourceForge's code view (especially for diffs) is a mess. That's the one big thing I always liked with GitHub: Reading and comparing commits is perfectly clean.

3) A better project page. It always takes me a while to find the "Code" link on those - although it's always in a similar place.

Good luck, SourceForge.

In the late 90s, I was part of a project, which later became a non-profit called Tux.org, who was trying to be an umbrella organization to help Linux related FLOSS projects. We weren't quite at the model of a fiscal sponsor, but Tux had mirrors of projects and the goal of helping others.

Then Sourceforge came out and I remember as a 20 year old trying to talk with them about where they saw themselves in the community, and they were basically dismissive of the work that we were doing.

Nonetheless, they had (at the time) flashy software that made them attractive and many projects used them. They were genuinely the Github of their day.

The ultimate lesson of Sourceforge is threefold for me:

1. Never trust a commercial entity that you aren't paying to be your single repository

This applies to Sourceforge and Github, ultimately.

2. Never use proprietary software as your core

Sourceforge, like Github, was proprietary and used that to keep people in. Like Github, the interface to the internals was FLOSS (Subversion in SF's case, git in Github's case).

3. We need better verification/validation methods to handle malware

We need verified builds

who even owns sourceforge now? it's like coming across an antique toy, who knows how many garage sales and antique stores it must have been living in over the decades - a quick google reminds me it's been at least owned by VA Software, Geeknet, Dice.com (!) and now apparently some company called BIZX. from a usability standpoint, including the release process, the mailing list, and everything else, the site was always of course awful, which wasn't so unreasonable in 2002 but as the years and owners went by it just got worse and worse. Along with the ads/malware, I took issue with its silly practice that you could never delete a project from it, because that would somehow be denying the fact that you've promised your project is open source. Never mind this means if you wanted to move to some other platform that an ancient fossilized version of your code would stay on Sourceforge forever and confuse users who were unfortunate to find it there first.

One of the principals posts about sourceforge occasionally:


There was an article about their (last?) acquisition a couple of years ago where they commented at some length.


If SF wants to attract developers, they should support alternative version control systems like fossil and darcs. I can't think of any reason to use SF for a new project except possibly that you use mercurial and don't like bitbucket. The market for git hosting is extremely competitive and they don't bring much to the table.

They also have SVN. There are not many SVN hosters left. A good competitor for Darcshub would be appreciated though.

That means a UI that has to take into account the idiosyncrasies of different tools. It seems like a recipe for disaster, if focus is what SF needs now.

It works for Bitbucket (Mercurial and Git, although they don't advertise Mercurial nearly as much as Git).

I wish them good luck and hope they can be a good competitor to gitlab and github. Some competition is always good. I do hope, as unlikely as it is, though that they move away from the Ad based revenue model.

I personally am not interested in returning to SourceForge due to all reasons articulated in other comments.

Hi, president of SourceForge here. Glad this is trending, albeit a few months later. These articles seem to trend on HN every few months, with many people not realizing SourceForge changed ownership in 2016 and that the new team's been working hard on improving.

To be clear, we had nothing to do with the bundled adware decisions of 2015, and when we took over in 2016, the first thing we did was remove the bundled adware, as well as institute malware scans for every project on the site.

We're working hard to restore trust, so if we win some of you back that would be cool. However, we're just focused on doing right by our million daily users.

Recent history of SourceForge: they migrated data centres, and some things got broken and went missing for several months, and in one of the two cases I’ve checked ended up just disappearing completely, though that could be the project’s decision (specifically, when audacity.sourceforge.net started working again, it didn’t actually, because links that used to work just redirect to the project page).

Sourceforge is something I used extensively, they burned their reputation. I don't care about new management or new owners. I will never use their site again. When I find a package or library that is available only hosted there, I look for an alternative. That is how bad their reputation is.

What’s your FOSS alternative to FlightGear? MinGW? TortoiseSVN? PortableApps? Code::Blocks? 7Zip? QBittorrent? DeSmuME? WinSCP? XAMPP? Boost? The list goes on and on...

These are all applications I’ve used that distribute through SourceForge. This isn’t a snarky comment; It’s a legitimate question. I use most of these programs a lot, and if SourceForge’s brand is so tainted, what is one to do? (Never using these programs is not an answer)

I've used SourceForge for a while for my hobbyist game development. I've never had a problem with them product wise; their tools work well and they're really making solid progress on the redesign.

The malware incident was really bad, but I'm surprised more people won't give them a look given the fact it is new ownership and a much smaller team.

What's strange, to me, is that last week there was a thread with a majority of commenters defending Microsoft and their new attitude towards open source, when Microsoft has been making terrible products whilst being hostile to developers and consumers alike for decades (just my opinion).

Everyone has different grudges for different reasons, I guess. It's a tough and complex problem as a business.

I wish I could upvote you more. I have been a Sourceforge user for the last 15 or so years. There is some software like SQL Squirrel[1] that I use on a daily basis. The Lazarus[2] project that was on HN front page a few days ago and ART - A reporting tool[3] which are great tools. I presume the developers of these tools are too busy to migrate to other platforms. I understand because these are Open Source applications and I presume the developers have day jobs and family competing for time. I wish Sourceforge well and hopefully they will in time shrug off all the negative sentiments.

If any other Sourceforge team is reading comments, I am a happy user and thank you for providing an alternative platform for Open Source projects.

[1] https://sourceforge.net/projects/squirrel-sql/

[2] http://www.lazarus-ide.org/

[3] http://art.sourceforge.net/

> defending Microsoft and their new attitude towards open source

What’s odd about that? Isn’t their new attitude better than the old, and perhaps “good enough” (at least compared to other giants)? Are you saying nothing they do should be considered good enough by devs, based on the previous history?

Personally, I'm a big believer in second chances in any facet of life, but people seem to act the way you're describing to Sourceforge, despite giving a pass to other entities. It's all a matter of personal perspective.

I can see the point of both views but I do think the behavior of sf was worse than that of ms (in the case of sf it was a criminal breach of trust).

In any case it does seem like a double standard to not accept the “new people, new philosophy, new chance” in either both or neither case.

Well, the UI still sucks. They still have their weird download mirror page that reminds me of filesharing sites like RapidShare and Megaupload. So there's that. It doesn't exactly engender trust.

I love the guy challenging the big companies and so want them to succeed. But, when I look at their site I wonder about so many things:

- What do VoIP and Internet Speed Test have to do with what they do?

- I wish they had a business model that is not selling ads or my personal information to others. As long as they do that, it is hard to trust them, especially with their malware past.

- Who are their target users, is it me (a developer) or someone else?

- Why do they equate free to open source? Free means so much more for developers. I use open source despite it being free to use, but because I know I can use it in interesting ways if I need to.

While redesigning the site was undoubtedly a good step, it still feels a bit "off" to me, anyone else?

It feels like it was designed in 2001. I don't think anyone cares about "history" as much as they care about the fact that the brand is old and tired, and even looks it.

No compelling differentiation, literally just worse than all alternatives.

There's still a lot of tools that exist nowhere but sourceforge because they were abandoned by the developers years ago

> We’ve already seen a huge surge in projects being imported to SourceForge from GitHub in the last few days

I wonder why?

> Comments disabled

That pretty much says it all.

SourceForge is controversial. I doubt they'd want to moderate the inevitable discussion. Nor would you.

If you want to rebuild trust, you need full free and frank dialogue.

If you "browse projects" on their website, they offer you categories, like ERM, CRM, HR, Ecommerce, Accounting.

They just don't work for developers, they work for (unsuspecting) ERM software users, in capacity of an open-source app store. That's why it can succeed - if one makes a CRM software, he might mirror there in hope to be stumbled upon by category browsers.

edit: some grammar

I don't see any reason for this to still exist now that git is a thing... all github would have to do is make their release pages a bit more friendly to non devs and it would demolish sourceforge completely.

I don't think developers would ever pick SF because of how user friendly the release page looks.

Nah. Bridges burned.

New ownership — they didn’t burn the bridges but I agree that I think the name is too tainted now.

Did the new ownership fire every developer and middle manager? If not, that means there are folks at the “new” sourceforge that are perfectly happy bundling malware with OSS downloads. It was not addressed in the article at all so I’m not buying what they’re selling.

They do mention removing bundled installers and implementing virus scans, both of which seem targeted at removing malware from the site.

I think the issue was that people who thought that bundling malware was ok, are still employed there.

Not necessarily with any responsibilities though.

If you're employed somewhere, you have responsibilities. Otherwise what's the point?

If I'm a mere employee, my chance to decide about what happens around me (or on my employer's website) might be limited.

I’m a mere consumer, and my only option in reaction to the abdication of personal responsibility is to never use the product again.

Real networks


- Companies that torched their reputation by treating users like s#^t. Straight malware. Seriously, they would have been better off going quiet and then building back up later / selling a higher quality brand.

Developers are valuable to the big players - why drive them away with malware - seems like the malware was targeting wrong market.

And yes, I was part of friends and family IPO at SF.

Too late for a future - I suggest a rebrand.

Sourceforge was briefly free software, proprietary, unpopular and then now kinda-free but nobody trusts them.

Huh? Still completely free

It might be free now, but I believe there are some non-free parts. For a long time it was proprietary.

Nope it's still free and has always been free. And it's built on Apache Allura which is open source.

There were years when it wasn’t free and there was a proprietary enterprise edition sold for on-premises usage.

Sourceforge is one of the sketchiest/spammiest looking sites I've ever been to.

One of the guys who started SF taught me about Linux :)

Is that a good thing?

This sentence: "We have the most robust search and discovery system of any open source repository on the web, and offer an unparalleled experience for end-users looking for software binaries they can download and install with the click of a button."

What's wrong with it? GitHub's search isn't great, as I'm sure you're aware.
