Hacker News new | past | comments | ask | show | jobs | submit login
How far the once-mighty SourceForge has fallen (gluster.org)
364 points by danparsonson on Aug 23, 2013 | hide | past | favorite | 166 comments

For the youngins out there, 10-15 years ago SourceForge was like GitHub is now. It was extremely popular and reputable for open-source hosting. I remember thinking that one of the first considerations when naming a new project was: is MYPROJECTNAME.sourceforge.net available?

Never expected to see it decline into the spammy sketch-ville that it is now.

It's like a swanky hotel in a nice neighborhood deciding to start renting rooms by the hour.

What might be really dangerous is I think they also run rpmforge (aka repoforge) and many people use them on servers for yum updates as they have newer packages sometimes.

If they start messing with the releases for servers, we've got big problems.

Wait, no I might be wrong about this, I really thought they were related but rpmforge might be a completely different project.

Yeah I am probably wrong based on this old page:


They just re-used the "forge" name which fine but confused me and I guess I assumed it was run by sourceforge awhile back.

Sourgeforge however is owned by Slashdot's parent company, of that I am virtually positive.

That parent company would be GeekNet, Inc. http://finance.yahoo.com/q/pr?s=GKNT+Profile

"In September 2012, Dice Holdings acquired SourceForge from its previous owner Geeknet" says Wikipedia.


Correct - the various companies have been re-orged into a slightly separate entity called "Slashdot Media":


But Slashdot is also listed on the Dice Holdings page.


Short version; our author objects to how SourceForge has been monetizing their traffic.

I didn't particularly like the tone, it seemed pretty mocking to me. I did not feel like that was called for.

I will suggest that at some point, if you live long enough, you will cross paths with someone you knew as a young person, someone you liked and respected, who was either charged with robbery or who was earning money in a way that you don't condone. I would ask that you judge carefully at that point. It happened to me when I drove by a friend from high school who was in the median strip asking stopped traffic for money.

Living in the world requires things, supplies, water, food, housing. Unless you can make those things on your own, you're stuck trading money for them. And to trade money, you have to get money. The longer you don't have enough money the lower and lower your standards tend to go. Some folks sadly decide to simply stop trying and check out of the system permanently. Life is real.

So when you see a site like SourceForge, you might ask what happened, or perhaps what changed, but it doesn't get you any points for judging them harshly for trying to survive. GitHub is the new hawtness and I love what those folks are doing, but I've not seen the press release that says they are operationally profitable yet, or even cash flow positive. That will change, and when it changes you may see them having to push "partner" software your way, they may have some other plan by then, or they may just sort of evaporate in some giant acqui-hire [1].

[1] Personally I think that Github being bought by, or displaced by, an infrastructure service play like Amazon's AWS is the most likely outcome.

As far as I know Github has always been profitable.

That is entirely possible, I found this definitive statement from their press release when they raised $100MM from Horowitz:

"We've done all this without any outside investment. Our company has been profitable for years, is growing fast, and doesn't need money. So why bother?"

And they went on to raise $100M. Presumably their business model scales with their feature set. I hope this continues for them as I like their service and their approach.

SourceForge has been a POS and dead to me for many years.

I'm not sure it ever achieved "mightyness". Back when VA failed at what they were trying to do and started SourceForge, it was needed and they deserve praise for trail-blazing / attempting something big. But, I never really felt they carried through successfully.

The sad thing is that strategy works and it works quite well. Most people that are not very technical will just click "Next" and "Agreed" blindly to complete software installation. I've seen numerous PCs plagued with toolbars and crapware for that specific reason. I always try to educate them to always read what's on screen and never agree for the "toolbar thing", but it's mostly a lost fight.

After some resistance from my family (and 8 virus infections), I managed to steer my grandad onto Linux.

He wasn't a hugely skilled computer user to start with, just knowing a few patterns of clicks to open a web browser or a word document. I made him a little laminated card next to his screen explaining how to do the few things he needed to do.

It's been 2 years, and not a support call.

My only regret is checking his history to figure out where the viruses were coming from.

This my experience also. In Norway if you want to log in to your bank you need a friggin Java Applet. With all the security issues with the Java applet this year, maintaining the Java installation became really painful for my grandfather.

So I suggested Ubuntu with Unity, configured for automatic updating of software in background. I first gave him a new computer with a fresh installation, so he could try it for a few weeks first. Surprisingly it went very well (I usually have a few minor problems myself). He learned to use Unity within just a few minutes. He could use it with the Norwegian language(as he don't know english), and it worked great with increased DPI for less strain on his eyes.

Now it's been a few months, and he has not complained once! In fact, he tells me only good things about it! About how much faster it is, how much easier it is to read and how much easier it is to use the computer now.

While Unity is not a very useful desktop environment for myself, it is certainly great for people who mostly need easy access to a few applications.

> In Norway if you want to log in to your bank you need a friggin Java Applet. With all the security issues with the Java applet this year, maintaining the Java installation became really painful for my grandfather.

Oh this sounds painfully familiar. Every time I assist my father I notice Ask toolbar. I occasionally uninstall it, but of course it reappears with the updates. Well, at least I know that he is installing the updates so that's a good thing. But seriously Oracle, do you really need those couple of bucks from Ask?

One way to block it -- create a file in the place of the directory where Ask instlals (such as c:\Program Files\Ask). Give the file read only / system attributes. Most installers don't know how to deal with failing to create directory because a file exists by that name. I've used this trick to block a number of regular malware from reinstalling, along with Ask, and whatever else.

> He learned to use Unity within just a few minutes

I'm an expert and I still haven't figured out how to use Unity. If I have so much trouble that every time I've tried it, within a few hours I give up and install traditional Gnome, LXDE, or Mint with Cinnamon, I can scarcely imagine how bad it would be for a novice.

First of all, it crashes a lot.

Secondly, you have to use some magical key combination to start multiple instances of an application.

Thirdly, Unity has no easy discoverability of apps. If I want to see what I have installed on my system using a traditional desktop, I can just read through the Start menu [1] and its submenu. Unity has no way to do this that I can figure out.

Yes, you can type an app name, but a novice user might not know their Internet browser is called "Firefox" or their email client is called "Thunderbird." (Heck, when I started using Ubuntu, it took me a while to figure out that Totem was a media player, Nautilus was a file manager, and Vinagre was a remote desktop client.) The point is that typing "video" or "file" or "vnc" won't point you in the right direction.

In short, Unity sucks and I wouldn't recommend it to anyone.

[1] I heard Windows 8 is ditching it too, at least by default.

"I'm an expert..." Lacks taste.

You may say substance not style, but I prefer style & substance.

> In Norway if you want to log in to your bank you need a friggin Java Applet.

Not with Skandiabanken. Their only special requirement is a phone for doing two-factor authentication by SMS.

If you wanna use the horridly flawed BankID, which they do also offer, you probably need Java as you say.

Rant to foreigners about BankID: The conversation must have gone like this at a meeting of Noreay's major banks:

- Public key crypto is good.

- Yes!

- But users are too stupid/lazy to safeguard their private keys...

- Good point. How 'bout some trusted party taking care of those for the users?

- Yes! And you know who you can trust? Banks!

- Agreed then, we'll sit on the private keys, and when the customer wants so sign for say a mortgage, they just authorize us to do so for them.

- That last step sounds cumbersome...

- Nah, we'll just do it over the Internet.

- But won't that put us back where we started?

- Hush! I can't hear you over the sound of future income!

Yea, most Linux distros has a package manager which provides a centralized repository of software making updates easy and requires approval before they are let in.

It happened to a 9 yo nephew of mine last weekend - he ended up with a fake antivirus + search engine hijacker on his laptop - reduced him to tears. Pretty disgraceful stuff.

Your 9 yo installed fake antivirus + search engine hijacker. First of all, what the hell are you doing letting a 9 yo browse on a machine with root privileges? Secondly, that has nothing to do with this story. As the article is wrongly accuses DevShare of being drive-by and malware. It is neither.

An article written by someone with more than 2 brain cells can be found here: http://lwn.net/SubscriberLink/564250/0a106d6379c0d741/

I wasn't much older than 9 when I first used a computer, and certainly had root access (I guess that's what you'd call it, because the machine had no notion of multiple users).

I was trying to download FileZilla as well when I first encountered the 'installer'. I stopped the download a couple of times, then searched around and found a direct download link in a thread in FileZilla forum. Second time I was in a hurry, I just downloaded the installer anyway, then carefully opted out of installing those crapwares.

However I encountered the new installer when trying to download FileZilla only. I had to download a couple of different software since then, but those did download directly, no installer.

I just switched to CyberDuck.

No, it is not a lost fight. You did the right thing to rise their awareness at least once, what they will do after is their responsibility. It is one thing when they are not technical and unaware, and it is a totally different thing when they chose to be ignorant, do stupid things and support the consequences. In the second case they just are deserving it.

Yes I was struggling with my dads pc trying to get rid on the stuff installed on his pc in the end we gave up and he brought a new pc as it was getting on a bit.

The mighty gluster blog seems to have fallen as well.

"error establishing database connection"

> With their recent changes, users downloading from SourceForge now receive a special closed source installer which attempts to foist unrelated third party software onto them.

I think this deserves an obligatory "if you aren't paying for the product, you are the product." It seems to always turn out that way. After all, these projects are popular because they are good, and they are good because the developer or developers commit the time to develop, test, and support these projects. Naturally, there has to be a way to make money in order to keep these projects going, hence the Dice move. I'm not saying I agree with it, but I think it's reasonable. In other words, there is no such thing as a free lunch.

LWN had a similar feature posted yesterday which has significantly more background information. http://lwn.net/SubscriberLink/564250/0a106d6379c0d741/

Agree entirely. SourceForge is unfortunately one of those places that puts me off projects these days. It's a baron land of advertising and poorly maintained products that just add noise.

A baron land would be a land ruled by a baron, a barren land is what you see Sourceforge as.

I thought that SourceForge was a barren land years ago, at least ever since they started putting interstitial ads in the downloads.

As someone who sits in front of Windows but does a lot of development over ssh in Unix this is slap in the face. There are both manual and automatic ways to get the real url that you could type into axel, curl or wget, but it just shows a lack of respect for customers.

I made a point to keep open source projects away from sourceforge because it was a ghetto, the same reason I didn't want to be seen on myspace. Just knowing a project is on sourceforge would bias me to think the project is not worth thinking about.

Right click and copy the url at the top of the page? I don't understand what the problem is with showing an ad underneath it.

i'm confused. don't you need to take 10 seconds to choose a mirror while we show you these ads? /s

Just an eggcorn, everybody has them:)

Thank you for the correction! Much appreciated.

I cannot access the article as the server is down right now, but saw a summary on a forum. [0] Was this not one of the first major no-no's of computer law in the user, starting with cases like Specht vs. Netscape? [1]

[0] http://inagist.com/all/370801094563467264/

[1] https://en.wikipedia.org/wiki/Specht_v._Netscape_Communicati....

The article gets a few things very wrong. First off, there are no drive-by installers. It's an offer-based installer. Meaning that when you run it, you get a single offer of an additional product. Second, it's offering you either trialware (a trial version of a for-sale product that they hope you buy after trying) or adware (like an Ask.com toolbar to ad to your browser). The author of this blog post is either outright lying about it doing drive-by-installers and malware or is clueless about what the terminology actually means.

The last time this was posted on HN, I did a quick writeup on my understanding of it (reposted here):

"For the curious, this is an optional program at SourceForge being offered to developers as a way to monetize their work. The developer needs to specifically request it. SourceForge gets a cut, so does the developer. The installer is their first stab at this process and is using the bundling technology from Ask.com. As offer-based installers go, this one is about as good as it gets. It makes a single offer and has an Accept and Decline button with the user selecting whichever one they want (not a pre-checked box accepting the offer above a Next/Continue button). If accepted, the installer installs the offered software and it gets a standard entry in Windows' Add/Remove Programs that works as expected. If declined, the installer continues. The installer then downloads the originally-requested software.

The two issues with the current installer are that (1) it is served in place of the requested file with no indication that a substitution is made as the user downloads and (2) it requests admin rights before it starts downloading the software, which can be a security issue. Roberto (who posted the article) has stated that they are working on #1 in terms of the text shown on SourceForge as you select to download and download. As for #2, there may be some ways to rework the installer so this is not an issue. I'll mention it to him when I speak to him.

SourceForge has one other revenue-share program with developers where you place the SourceForge-branded download buttons on your own website that link to your downloads on SourceForge and you get a small cut of the ad revenue made from the download page.

If I recall correctly, SourceForge has been losing money for a few years now. Dice Holdings picked up SourceForge and Slashdot while Geek.com kept ThinkGeek.com, so they are now separate entities. These new experiments are attempts to get SourceForge to be self-sustaining/profitable. Ad revenue alone likely won't cut it.

Unfortunately, Google Code, Github and others don't offer the full breadth of services that SourceForge does for open source projects. Google Code, Github, and others have all ditched binary downloads, so SourceForge is one of the only providers to make binary downloads available to Windows and Mac user at no charge. This is why SourceForge is popular for real apps (FileZilla, Pidgin, PortableApps.com, etc) and Github is popular for components (node.js, jquery, rails, etc). The code zips available at other providers are of no use to end users.

As full disclosure, I run PortableApps.com, one of SourceForge's largest projects pushing quite a few TBs of downloads through their mirror network. We make use of the SF-branded download buttons revenue share program but do not make use of nor have any plans to use the "enhanced" installers. Everything I've discussed here is already publicly available, I just thought it would be handy to have in one place."

After that post, it was pointed out to me that Github has added in the ability to host binaries, but I would wager they wouldn't take kindly to the kind of bandwidth that the major SF projects like PortableApps.com push through. I've also been in touch with Roberto who made the mentioned post on SourceForge about some suggestions and options including doing an open source installer that the end-user/sysadmin can verify before installing instead of it being a downloader installer with the offer built in but not the app you want.

I agree with you that the situation isn't as dire as portrayed in the article, but frankly, I'm quite willing to call toolbars and the like malware. I have come across various pieces of such things (Babylon, Ask, Yahoo!, Google and half a dozen other ones) installed on various computers in both Australia and India, and have never seen anyone who appreciated them—they don't tend to know why it got there and didn't know how to, or couldn't manage to, get rid of them. These users are always glad to see them go and have their browser released from being a hostage.

Normal (viz., non-computer-literate) users are used to clicking the big green button in the position the "next" button is in installers. A frighteningly high proportion of the populace simply do not notice the contents of the screen. My experience with real users is quite sufficient to lead me to call it drive-by installation: that was never the intent of the user.

(Sure, in a case like FileZilla you're dealing with slightly more competent people, but you'll still get a surprising number of undesired installations, and—my guess—no desired installations.)

i appreciate your argument, but semantics are important. malware is software that is malicious. a toolbar that i did not intend to install, but is not malicious, is not malware.

The argument against the use of the word "malware" also assumes that the "mal" is "malicious". The prefix "mal" comes from the french word and indicates "illness" or "affliction" which most certainly matches with the regard for these pieces of software.


"software that is intended to damage or disable computers and computer systems. origin: blend of malicious and software ."

The regard that people hold for these pieces of software aside, most of them are not actively malicious. Yes, they're annoying, but most of them are not doing anything worse to you than what the major ad networks are doing.

I hate that, I block that behavior with noscript and adblock, etc. But it's a stretch to call that malicious.

It is not a stretch. These programs slow down the users browser experience. Though they may not be actively in collusion, more and more of these tool bars are installed and the browser almost grinds to a halt. I have opened the browser on my parents laptop to fin the top half of the screen cut off because it was full of tool bars. While they may not be intentionally malicious the result is malicious. Therefore they are malware.

Toolbars definitely damage software.

Mal. That's "bad", in the Latin.

Where do you draw the line of malicious? I guess somewhere between selling your usage patterns vs selling your passwords as you type them into websites.

selling our usage patterns is something that nearly every major site does. anybody who's displaying ads is complicit if not active, and Google is a friggin' ring leader. do you consider these major players to be malicious?

these toolbars don't have backdoor downloaders, they don't display pop-ups, they're not damaging our devices. they suck, i hate them, i uninstall them for my friends and family. but they're no more malicious than ads on the washington post, and they're there for the same reasons.

for the record, i think this is a bad move on SourceForge's part. it's misleading, it's abusive of user's goodwill and trust, and most users are going to accidentally install these toolbars that they don't want or need. but just because it's a bad idea and it's intrusive and rude, doesn't make it malicious.

"they suck, i hate them, i uninstall them for my friends and family."

Then they are malware.

malicious software is programs that runs against the wishes of the person who owns the hardware. They try to illegally gain access to private computer systems and do this either through social engineering which depend on tricking the users, or by exploiting a bug. Toolbars are of the first kind, in that they depend on tricking the user into installing them, and by obfuscate how to remove them.

Ads on the washington post that runs code in my browser is in the same boat. They depend on tricking the users computer into running code contrary to the wishes of those who own the computer. Software like ad-block, ghostery, no-script, disconnect and many other are designed to prevent said malware from running. They are the antivirus tools of 2010s, and is thankfully so far free.

Last, lets just put down Micrsoft own definition of malware: 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software

Not malware, granted. Let's call it scumware, then.

Or possibly spamware. In the same way spam ends up uselessly clogging up your inbox, spamware ends up uselessly clogging up your computer.

Crapware. Shovelware. You know what he means.

Even if it is not malware those toolbars are a scam.

An accept/decline button on installing additional software is just as bad as a pre-ticked box.

If you've ever done user studies with people installing software you'll notice 90% click the next button until it's done without reading the pages

The way that the accept button is positioned in these "optional" offers makes it look like you have to click it to proceed. This is exactly what a dark pattern is (http://darkpatterns.org/ or http://www.90percentofeverything.com/2013/07/23/the-slippery...).

I downloaded Filezilla from Sourceforge to see how this offer system is implemented - http://i.imgur.com/7tZuUoE.png. From quickly glancing at the window it looks like accept is the only valid way of continuing with the installer. Furthermore the program installs Hotspot Shield which will constantly show the user ads after it's installed, I doubt even 1% of the people installing Hotspot shield through this offer want it on their PC.

I doubt even 1% of the people installing Hotspot shield through this offer want it on their PC.

No, nobody wants it, that's why it's there. Your optimism presupposes that there has ever been a such thing as a person who wouldn't mind more commercials on TV. These people aren't out there, people only tolerate the advertising they do see, and software like this only exists to inflict itself on the user.

I have a technically literate friend who chose not to install Adblock in their web browser because they find it entertaining to see ads on the web while they browse. There's probably lots of people who enjoy these things.

Do they search out more ads, and install more sources of advertising, no matter what they are? There's a difference between liking interesting commercials as a distraction or hobby, and having an appetite for advertising in general.

In other words, Nike and Budweiser don't advertise on Sourceforge crapware toolbars, but have you suggested to him that he might want to install that kind of thing?

It's not just as bad, i would call it worse than a pre-ticked box. As you say accept or abort everything looks like the only two options. There is no decline and continue option.

Good write-up, thanks.

But this isn't a sustainable strategy. You're basically asserting SourceForge's unique selling point/competitive advantage is its ability to host files. You've got to be kidding.

GitHub has taken off like a rocket whose thrust show no signs of abating. SourceForge is going down the drain with a passiveness that shows no sign of abating--unless it is conceptually rethought, from the ground up. You know, does something new and innovative to address project needs from a contemporary point of view. Dice certainly doesn't seem to have an appetite for that kind of risk, just an appetite for the last drops of life sucked out of a dying carcass by throwing leeches on it.

Take a look at some of SourceForge's top projects at http://sourceforge.net/top and you'll see a collection of very well known projects which GitHub cannot serve in its current form. That is a rather important aspect of SourceForge.

VLC, 7-Zip, PortableApps.com, FileZilla, MinGW, Apache OpenOffice, GIMP, Notepad++, ...

SourceForge's old strategy of having ads on-site shown on project pages and as an interstitial when you download a file in a browser (but not via wget, NSIS, etc) was unsustainable. With ad revenue declining across the web, freeware/open source developers and hosters will need to find other avenues to support things. SourceForge was in a very precarious position financially a few years ago as ad revenue fell and there was whisperings of them shutting down entirely.

Offer-based installers are one way of monetizing and have become exceedingly popular, especially with closed-source freeware. Unfortunately, most of these installers are designed to trick users into installing (or go so far as to install without use consent). To SourceForge's credit, they make a single offer which is clearly defined and even have a link to a page explaining why the offer is made. Compare this to your typical download from Download.com which includes multiple offers including several tricks to get you to install (pages that seem to be license agreements for the main software but install adware when you click agree, pages that list a standard and a custom install type and you'll get adware unless you pick custom and uncheck the offer, etc).

The other option is freemium pricing, free for smaller users but bigger users pay. To go this route, you basically need to go after the enterprise to make money. Github has taken this route from the beginning and achieved profitability in 2009 if I recall. I'm not sure if Github is still profitable, but they got $100m in funding last year, so they have money to burn. That could be why the added binary hosting back in. They had it originally but removed it due to costs years ago. Still, I'm unsure if they would put up with a project as large as the ones on SourceForge (PortableApps.com, FileZilla, GIMP for Windows, etc) as that is quite a bit of bandwidth to give away for free as a loss leader (since Github wouldn't even make money on ads for those downloads). Unfortunately, SourceForge has no enterprise offerings at present, so this isn't a viable revenue source today. They could explore this route in the future as a competitor to Github, though. It would be a bit of a pivot for them and not without its own risks. But, even if they go down this route, they still need to have the revenue today to keep going. So, it's a bit of a catch 22.

Thanks for your reply. First off, you're right, cheers for resuscitating SF.

Not that it would by any means be easy, I was suggesting a conceptual re-think of SF to attract and enthrall new users/projects. However your response (and the refrain I hear from others) indicates a strategy of monetizing the big binary projects you already have. That's cool, and that's a market. But I would fear

- those projects being coaxed away by innovations from services in adjacent markets (GitHub using enterprise revenue to cover download costs), and

- those big binary projects eventually dying (as projects sometimes do), without replacement from new young projects (because they will prefer to start on GitHub and will then mature there).

Perhaps go after the conceptual strategy of "SF is where you go when you've grow out of GitHub".

Good luck.

First off, SourceForge isn't me :) I just run one of the largest projects hosted on SourceForge.

Second, Github doesn't really offer what the big binaries on SourceForge need which is tons of bandwidth to host downloads. Github ditched downloads back in December but appears to have added them back in with 'Releases' last month. It remains to be seen how much bandwidth a free and open source project can actually push through Github, though. And whether Github will keep Releases/downloads around at all since they've only been around for a month and were unceremoniously killed off just 8 months prior.

SourceForge is a known quantity with download mirrors all over the world that you can push 10s of TBs per month through for free as long as you're a fully open source project. Github, on the other hand, is an unknown quantity with respect to big downloads.

SourceForge used to have an enterprise edition, but it looks like they sold it off ( http://en.wikipedia.org/wiki/SourceForge_Enterprise_Edition )

> quite a bit of bandwidth to give away for free as a loss leader

Really naive question, I'm sure, probably a simple answer for anyone working in providing services at this scale, but...

Why is everyone's business so dependent on funding expensive bandwidth? We've had bandwidth sharing for over a decade, what didn't P2P solve?

Bandwidth sharing isn't quite the panacea that a lot of people think it is.

For starters, you have to get the end user to download and install a piece of software first (torrent client, etc) and then direct them to the larger downloads of the actual software you're distributing.

Next, you can't just build this feature into something like our PortableApps.com Platform (with it's built in software downloader/app store/updater) as many end users are prohibited from running P2P software by their ISPs and we can't depend on them being technically knowledgeable enough to know whether or not they're allowed to.

Then you have the issues with routers and firewalls and punching holes in them to allow people to upload to others as well as download (which is a bit easier with upnp but not always automatic).

Then you have the issue that much of the world is still on metered connections. Here in NYC I have the choice between slow DSL provided by one company (and some resellers that use the same line), fast but unreliable cable provided by one company (no resellers or competitors), no fiber (Verizon cancelled FiOS buildouts), or wireless (which carries a limit of 5GB per month and you pay $10 per GB after that). I opted for the fast but unreliable cable and a wireless hotspot as a backup for the several hours a month the cable goes down. Lots of the world has even fewer options than I do.

And finally, most legitimate webhosts prohibit any kind of P2P hosting on their networks, so you can forget about running a torrent tracker on your regular web server. You can go with a second tier provider that is more forgiving (or clueless) but then you have the issues associated with such a provider (likely illegal activities on the same network, likely security issues, etc).

There are other issues and some workarounds for the above, of course, this is just my personal experience with researching it for PortableApps.com over the years.

Solid overview, makes a lot of sense.

Some parts of the problem sound like they could be described as a tragedy of the commons. Things would be more efficient all around if we just allowed intelligent bandwidth sharing through P2P, but network administrators concerned about the impact on their particular networks prevent such moves, actually making everything less efficient.

Not to understate the other technical hurdles.

Good points, thanks.

> GitHub has taken off like a rocket

I think this is in part because they charge. I like this model. Its simple. You want to use GitHub for free then you have to make your code freely available. You want to keep it proprietary then you have to pay for your account.

Where this doesn't translate well with SourceForge is that it was designed from the start to be of, by, and for Open Source projects. So the vast majority of projects would be non-paying.

However, they may be able to add some features that appeal to proprietary projects who are willing to pay and use that revenue to offset any losses. It would be hard work but ultimately I think it would be be better than the appearance (if indeed it is just that) of distributing malware.

I think this is in part because they charge. I like this model. Its simple. You want to use GitHub for free then you have to make your code freely available. You want to keep it proprietary then you have to pay for your account.

Agreed. I was a happy user of GitHub for solely public (free) repos, since all our startup projects are OSS. But as soon as we ran into the need for repos for private internal projects, or OSS stuff that we aren't ready to announce yet and want to keep private, it was a very natural, and seamless, process for us to sign up for a paid GitHub account. GitHub have, IMO, found a nice sweet spot in terms of taking advantage of the "freemium" model. And it's one paid service I totally don't mind paying for in the slightest. It just feels like they really got it right with their model.

That said, we don't need a large number of private repositories in our model. I know some people prefer BitBucket's model, if they need a larger number of private repos.

> You want to use GitHub for free then you have to make your code freely available.

Clarification: they do not offer gratis service based on free code, they offer gratis service based on public code. If you are public, it's no charge, even if you are using a proprietary license.

I agree. Along with that I'd add that they've taken off because of their expert marriage of the concepts of social networking with open source development, to harness Metcalfe's Law. By providing such a good social experience, they've pulled all developers into the fold. Once there, they have their foot in the door (doors?) whenever it comes time for private SCM. It's a great strategy pulled off well.

That seems to be SF's existential problem. What's their strategy? Adware installers are certainly interesting, perhaps even "innovative", but seem to be a near-term monetization tactic that doesn't address the strategic problem of community stagnanation. What happens in the hypothetical situation when all the big projects die or leave (perhaps because they've become so successful they can now support their own infrastructure costs)?

The vast majority of projects on github also do not pay. The two major features you pay for on github are larger repositories, and private repositories. The free offering is good enough for almost all open source projects.

The big issue would be downloads when it comes to real apps, though. Github discontinued binary downloads in December of 2012. But, they then added the 'Releases' functionality last month. I don't think they'd put up with the large numbers of downloads (and the associated bandwidth) of big projects like FileZilla, though.

If those projects are looking for a new home, we'd be happy to welcome them at GitHub.

From a quick look, SourceForge pushed out about 19TB of FileZilla bandwidth in the last 30 days in terms of binary downloads. I'm not sure any projects on GitHub are pushing that kind of bandwidth for binary downloads yet. Or are they?

In terms of PortableApps.com, I don't think we'd be a good fit for GitHub since we're a project that's a conglomeration of apps made portable (for USB and cloud use). I think we're around 90TB of bandwidth for downloads in the last month for our open source apps via SourceForge (some of our open source apps the publishers self-host like Inkscape and LibreOffice so we don't push those through our SourceForge project).

You can get 100TB/month for under €100 on Leaseweb. Couldn't you raise this in donations each month? I'm sure with your traffic it'd be possible.

I generally don't trust anything that sells 'unmetered' bandwidth as it nearly always ends in disaster. Their metered accounts seem to be 10TB for $95 which is about what we're paying for freeware downloads now (we can't host those on SourceForge, of course).

PortableApps.com on sourceforge reports they had 943799 downloads last month. Popular files include Firefox portable (20mb) and chrome portable (2mb). Assuming the average download is half way between those (10mb) you're looking at about 480,000 GB of downloads a year. If you store that on S3 you'll be looking at about $46,800 of bandwidth charges a year.

Surprisingly expensive business.

Quite true. The total is quite a bit higher as some popular apps like GIMP (136,000 downloads in the last month) are 64MB and July and August are our slowest months. Additionally, apps like Inkscape are hosted on their own SourceForge project and LibreOffice is hosted by The Document Foundation (not included in the above numbers). Then there's all the freeware we host elsewhere that doesn't show in the SourceForge stats (which we pay the bandwidth on). All told, I think we're easily exceeding a petabyte a year. I used to actually keep those stats, maybe I should look into it again.

They are bundling in the Ask toolbar, a known piece of malware/spyware. See: http://www.benedelman.org/spyware/ask-toolbars/

Whenever you see the word "toolbar," just think "virus," because that's pretty much what they amount to. See: http://www.cracked.com/blog/6-reasons-guy-whos-fixing-your-c... (#2)

An organization claiming to be for "open source" should not be distributing KNOWN malware, by ANY means. PERIOD.

I have one major project on SourceForge that is pretty much inactive. If I ever do the rewrite of it I'm thinking of, that new code will not be hosted there. It'll probably be on GitHub.

Actually GitHub does have a binary release system. You can upload binaries tagged to a commit and provide a markdown description for the download.

Actually, they removed that feature in December. [1]

GitHub is a developer tool. Users not interested in viewing/changing/building the source code should get the software from the project's website.

[1] https://github.com/blog/1302

They added in "Releases" again last month after discontinuing file downloads in December: https://github.com/blog/1547-release-your-software

The examples all only show Zips but you can apparently add in EXEs, MSIs, DMGs, etc. I'd wager that they won't put up with high numbers of downloads on free projects ala FileZilla, GIMP, PortableApps.com on SourceForge, though.

"I'd wager that they won't put up with high numbers of downloads"

Pure speculation. More speculation: I'd wager they'd be OK with it. Bandwidth is practically free.

Except that bandwidth is not actually free. Setting up on a high quality network of mirror servers around the world is usually ~$50 per TB (on something like MaxCDN that we use) but more like $100+ per TB on something like Akamai. That's buying commercial bandwidth on server networks. I mention that as SourceForge has a worldwide network of servers they get from all sorts of companies in exchange for advertising and that we can use for free.

We could setup on something like an unmetered host. We'd lose the worldwide network and geographic closeness of the servers to the downloaders, of course. You can get a 1gbps dedicated unmetered connection for around $800+ a month (not including the actual server) at several providers. A 100mbps dedicated unmetered would not be sufficient for PortableApps.com as it would only total 20TB a month used fulltime (of the theoretical ~32GB max it could push if you discount overhead, etc).

They brought it back, under the name 'Releases', in July:


I was unaware of that with the original quoted post from a few weeks ago but it was pointed out when I posted so I included a mention in the last paragraph of my post here.

How far the gluster server has fallen. Here's the text of the article:


How far the once mighty SourceForge has fallen…

[Editor's note: This post is the opinion of the author and not necessarily that of the Gluster Community]


SourceForge, once a mighty force for the good of Open Source, has fallen far from its previous lofty heights.

Dice, the new owners, bribe strongly encourage the top projects to use a new (closed source only) installer that pushes spyware / adware / malware.

Developers using SourceForge should migrate away from it if they want to keep their integrity. End users using projects hosted on SourceForge should immediately find an alternative.

Full version:

When people download software from SourceForge, or any major repository of Open Source software, they expect the software to be trustworthy. (baring unintentional bugs)

They do not expect the software to be a source of “drive by installer” style malware, spyware, adware, or any other unrelated/unintended software.

SourceForge’s new owners, Dice, have consciously and deliberately moved to a model violating this trust.

With their recent changes, users downloading from SourceForge now receive a special closed source installer which attempts to foist unrelated third party software onto them.

For example, when a user clicks on this:

They instead receive this:

This is a “drive-by installer”, designed to catch less technical users and the unwary, to fill their computers with malware / junk ware / crime ware. As abused by the notorious ask.com toolbar and others:


It gets worse.

When SourceForge introduced this, it bribed encouraged the top projects to participate by giving them a cut of the take. So these co-operating projects are also knowingly selling their users down the river.

I’m not against monetisation at all, we all have lives and need to pay our bills. But not through abusing user trust. Not through preying on the unskilled or unwary.

To misquote Marge Simpson; “They not only crossed the line, they threw up on it.”

If you’re a developer or contributor to a SourceForge project, please ask them to move to a new project host (there are several). And cease all further involvement until it’s complete. I’ve already done so with mine.

If you’re a user of a SourceForge project, please find and use an alternative project instead.

We should all demonstrate our commitment to user safety and personal integrity around this issue.

> This is a “drive-by installer”, designed to catch less technical users and the unwary, to fill their computers with malware / junk ware / crime ware... To misquote Marge Simpson; “They not only crossed the line, they threw up on it.”

And after a little research, it's clear that this article throws up on the truth.

1) “drive-by installer” Drive-by installers don't require user to download and intall, and are definatelly not OPT-IN like this one

2) "malware / junk ware / crime ware" - He listed all of the wares, except the one that it is, offer-installer is adware.

I'm no fan of opt-in adware, but plenty of quality apps depend on it. I've been using daemon tools for almost 5 years now, and I've never had an issue with it. For such a trivial tool with opensource alternatives, most people won't pay, but developers needs to pay their bills and a little adware gets the job done.

For click bait garbage articles like this I wish HN had someway to unvote.

Your objection is a matter of degree, not definition. The author's point is that we are better than this in the OSS community... and it's a valid point. Peole shouldn't get things they didn't want when they use OSS. I join the author in calling shenanigans on this.

There is a clear distinction between malware (virus, trojans, and worms) and adware in the antivirus community. As this is neither drive-by nor malware, it's no stretch; it's an outright lie.

Who are you to say how open source authors make their money? While I'm not happy about this shady move by Dice, it's the sensationalist writing, full of misinformation that I was calling out.

> There is a clear distinction between malware (virus, trojans, and worms) and adware in the antivirus community.

Fortunately for everyone, the "antivirus community", which produces software I would also classify as malware, does not get to dictate how the rest of us use words.

>Fortunately for everyone, the "antivirus community", which produces software I would also classify as malware

Why? I know some are better or worse than others, but...

>There is a clear distinction between malware (virus, trojans, and worms) and adware in the antivirus community. As this is neither drive-by nor malware, it's no stretch; it's an outright lie.

To a user who has their machine slow to a creeping halt or behave in unexpected ways because of these "opt-in" daemon adware suites, that "distinction" breaks down very quickly.

If you use those kinds of tactics, you are taking CPU cycles from people who did not want them taken. Where I come from , we call that stealing - and it makes you something less than an honorable individual if you do it. I spent years working in tech support, so I have the understanding necessary to make that statement.

I am also a developer and I know there are more honest - and proven - ways to make a living with OSS that don't fall on that side of the "shady" line.

I repeat my charge of Shenanigans.

It's malware. No one wants adware and toolbars. Even if you ask politely and they say yes, no one wants that, and no one should have it. A spade is a spade.

More than that, when I see those kind of opt in/out adware or toolbar things in an installer, I immediately lose trust in the underlying software I'm trying to install. Guilt by association.

as i said in response to another post, i hate adware and toolbars as much as the next person, but semantics is important: malware is malicious software. a toolbar that i did not intend to install, but is not malicious, is not malware.

What do you think those toolbars do? Inspect and Inject javascript into webpages, send my web browsing history to their master servers. It cant imagine a toolbar that isn't malicious.

I consider this sort of software harmful, but there is definitely an important distinction between it and software that actively tries to steal your credit card numbers, run a botnet, or send spam email. We need a word specifically for software that makes an attempt to abide by the law and avoid any outright malice, yet exists in a sort of moral gray area.

I propose "grayware."

"Malware" as I understand it is basically a catch-all term for software that is harmful (hence "mal").

Don't these toolbars usually report your browsing habits anyway though? If so they are spyware which clearly makes them malware.

How about "junkware" or "crapware"?

And I thought these were already the terms we use for this type of software...


Adware becomes malware when it resists removal.

Malware distributed by IAC / Ask.com, which is Google's largest distribution partner. Some Googlers should pressure them with some do no evil.

Seems like the author just didn't really understand the most common definition of "drive-by installer".

Either way, I find those installer "offers" are pretty distasteful even when they are deployed by good people with good motives. Roughly what percent of the people who installed the Ask toolbar actually understood what it was and wanted it to be installed? Surely a minority...

Your objection to OP is semantics, the gist of his point is true. Asking for one thing and getting unnecessary other crap that eats your time removing is completely against the ethos of OSS. Who cares if it is "offer-installer adware", it is UNREQUESTED, UNWANTED, TIME CONSUMING and TRUST ERRODING.

If you're only using DT for mounting, give Virtual Clone Drive a shot. That with ImgBurn seems to take care of everything I need.

Last I checked, Virtual Clone Drive didn't have any sneaky opt-in/ out ad-ware in the installer.

ImgBurn recently changed to an adware / crapware installer which is set for opt-out. However, the dev was nice enough to post instructions in his forum on how to de-crapify the installer.

Good for Lightning UK! Growing up he was one of my heroes with DVD Decrypter. I hope he can make a few bucks on advertising with its spiritual successor.

This article is sensationalist BS. After a little research it's clear that DevShare is adware not malware.

Adware is a form of Malware.

Its not "opt-in" if you explicitly click "NO" and still get the malware installed all over your machine. Getting rid of it is not as simple as an uninstall..

That is what happened the very last time I tried to download something from SourceForce.. (SourceForge).

Yes, everyone please ban SourceForge.

The article may get some things twisted with some warez definitions, but the main problem is: a once trusted site lets users download a different software than anyone is searching for - this leads to confusion at first because users don't know what they are downloading and installing anyway...

HN has downvotes if you have over 500 karma. There's always the flag button to report content you consider unfit for HN (this article would match that criterion in your case).

There's no downvotes for stories only for comments. Or at least there isn't for me (3k karma).

Exactly and I wanted to "un-vote", remove my previous vote. I'm not happy about the adware, so I initially voted for the story, but after checking some sources I discovered the article was full of inaccuracies.

If correct, that's really, really bad. Trying to download some random project from there just gives me a .deb, though, which I am hardly going to install.

I imagine it's OS-sniffing, so any Windows users around to confirm?

This was discussed on Reddit after Sourceforge announced the new installer three weeks ago: http://www.reddit.com/r/technology/comments/1jk1gz/sourcefor... , several users confirmed the crapware in the installers.

I mentioned on Reddit that the Ask digital signature shows in the UAC dialog.

It appears to be some opt in program called DevShare.

Here's a link to the filezilla forums where the dev team appears to be justifying its use: https://forum.filezilla-project.org/viewtopic.php?f=2&t=3024...



No, I don't think it's OS sniffing since downloading the windows version of for example Filezilla doesn't allow you to change mirror and as the article explained, downloads from some other url than Sourceforge (or a mirror).

I'm on OSX and when downloading the windows version from the repository, I get the same file as the author. Try it yourself here and download the .exe: http://sourceforge.net/projects/filezilla/files/FileZilla_Cl...

Okay. So SourceForge is pooping in the fishbowl at it's own party. Instead of picking up and leaving, maybe we could just make a concerted effort to ask Sourceforge to stop doing this? You don't have to demand everyone boycott a useful service like this every time something you don't like happens.

Are you serious ? Because you can't possibly think that asking SourceForge to "please stop making money" in order to please a handful of users will actually work.

It's all gone download.com

- new cockney rhyming slang anyone?

What does download.com rhyme with?

Pete Tong

which, for non-cockneys, is slang for "quite wrong".

* just "wrong"

Can you recommend alternatives that offer all their features? We use currently for example sourcecontrol, forums, bugtrackers, a wiki, the image galleries and their website hosting. I'm often unhappy with SF, but it's not quite that easy finding that kind of service elsewhere.

A few old projects of mine (including code, binaries, screenshots and mostly static webpages) are hosted on SourceForge, as are a live demo and stable snapshots of one actively maintained project. None of those use an installer but users may now (quite reasonably) come to expect software, especially software for Windows, to be shady by sheer association with SourceForge.

Now, the stable snapshots could go on Bitbucket and the code's remove origin is already on GitHub. That leaves me with two questions:

1. Where to can I move the old projects that can be reasonably expected to stay up for another decade?

2. Where do I host the live demo? I'd prefer a free or near-free service since this is a not-for-profit FOSS project. I have the option of waiting for my Raspberry Pi to come online [1].

The closest thing to SourceForge in terms of features that I know of is http://developer.berlios.de/. Can anyone share their experiences with it?

[1] https://news.ycombinator.com/item?id=5946940

AFAIK, there is no drop in replacement. We use:

  * GitHub for SCM and wiki docs.
  * SourceForge for mailing lists
  * Self-hosted Redmine for bug tracking
  * Freenode IRC for realtime collaboration

Bitbucket has git & mercurial, bugtracker, wiki and a download feature for binaries. Not sure about forums.

Try a self-hosted Gitlab installation [1] [2] for a project management interface with Git integration.

For hosting file downloads, I recommend nginx. If the bandwidth is more than your server's connection can handle and you don't want to upgrade it, you could either use AWS or other cloud vendors, or provide your download as a torrent.

[1] https://news.ycombinator.com/item?id=6270446

[2] http://gitlab.org

Well, it is possible to host it yourself (this isn't an alternative if you just want something as a service, obviously):


We had bad experiences in the past with parts that were privately hosted. The problem is that people always are motivated for a while and then tend to move on after a few years because they have new interests. Having a server that's not depending on individuals in the team just works better in the long run.

I think Assembla does. I know it has sourcecontrol, forums (well messages), bugtrackers, and wiki. Not sure about Image Galleries and website hosting.

github has source control, a bug tracker, and website hosting. Don't know about forums and wikis.

wikis yes. forums.. not really unless you abuse the bug tracker. Github+Google Groups seems to be the complete package these days. BitBucket also provides website/wiki/issue tracker/source control features.

Yeah, it's probably a good solution for new projects. The problem with existing projects is when you already have a quarter million posts in your forum and don't want to lose them. Although maybe a mix of providers - keeping forums on SF and moving the rest of the project might be a solution.

Forum is one area Github is in a great position to enter right now. Wrangling bug tracker to act as a forum is a bit of a hack so a proper place for developers to interact and discuss projects would be most welcome.

I have a product I'll be launching soon in exactly this space: mailing lists/forums/chat with github integration.

Email me if you're interested in alpha/beta testing (see my profile).

GitHub certainly has wikis, I often use project wikis to document various bits and bobs.

I recommend LaunchPad.net. It's open-source so you can always host it yourself.

At least SourceForge still offers a download option for the hosted projects, unlike Google Code...

As someone who was once part of the original "Ignition Team" at VA Linux for SF.net, and who is still close friends with two of the original core SF team (the first iteration of SF.net was done by just four people in <120 days IIRC) we're all pretty much in sad agreement that it's just a husk of what it once was.

It's certainly dead to me.

I'm not sure if it's possible to get the released file out of SourceForge, but my complaint would be (as a user that generally verifies cryptographic checksums) that what I downloaded didn't match what the project advertised.

Looks like some remedy in the case of FileZilla is that they host their own installer as well:


(Which matches the SF.net hosted FileZilla_3.7.3.sha512 list.)


Looks like the original files can be gotten if you make your own direct link, e.g.:


I was just thinking the other day how much I like sourceforge. Their site has continued to improve. It's much more usable now than it used to be. I'm ok with sf monetizing their site the best they can. They've long been an advocate of open source and I appreciate an alternative to github. It's too bad the shakeup with Dice and split off of ThinkGeek, but it makes sense. Keep in mind, sf was the alternative to sites like Cnet and download.com which were/are far worse. I'm thankful for what they've done for driving FOSS adoption over the years, especially for authors on $0 budgets before the era of abundant cloud computing on the cheap, which we realize now had significant hidden costs, including human rights.

So SourceForge downloads are becoming as bad as Cnet? Even the once-reputable members of the download hosting industry seem to be heading towards a rather unfortunate Nash equilibrium... Hopefully Github can sustain their model without it.

Github has plenty of customers who pay for private repos. They're profitable and have had some serious investment dollars injected.

The decline started years ago with the "Wait five seconds and we will redirect you to the real download page" filled with fake download buttons describing "Tired of waiting? DOWNLOAD" et cetera. They never improved their core product (repositories are still hell to navigate through) and only added interface elements and tweaked the UI to get you to.click on ads. A shame, because before that Sourceforge was the go-to place to download homebrew, free alternatives to proprietary software.

Github is great, but as it looks right now they fail to pull in those big legacy software packages. Their main audience seems to be web dev.

This article is full of hyperbole and exaggerations. I downloaded the latest filezilla with the offer-installer "malware" and scanned it with Avira free antivirus, and MS Security Essentials. Both of them reported no problem.

I then was able to install filezilla without the offer-installer just by not clicking on the checkmark. After the installation, my VM ran normally, no pop-ups, no changed homepage in firefox or IE.

People that write this drivel make the open source community look like a bunch of nutjob, hippy zealots with no grasp of reality. Ads pay the bills and sadly some open source developers have mouths to feed.

The problem with these install "wrappers" is that they run with elevated privileges and you do not know what they're doing.

This wrapper presents the same problems as OpenCandy. Can you get the source to the installer? No. Can you guarantee the wrapper only does what they say it's doing. No. Do you have a fiduciary or contractual relationship with the publisher upon which you can rely if their software causes you harm? Probably not.

Avira Free and MS Essentials are certainly not the be-all, end-all to code verification, so don't feel too secure after using them, either.

And people who identify security hazards for the unknowing masses (a group into which your apparent ignorance places you) aren't nutjobs or hippies anymore than you are a shrill dilettante.

There are honest ways to monetize development without jeopardizing the safety of a tremendous number of users; unfortunately, this ain't it.

Next time, present your argument without the name calling. It works better.

Edit: Typo

There's a lot of good software on SourceForge still. How long before SF starts holding it ransom? Sounds like a good time to fork your favourite SF-hosted code to another service as a backup.

> I’m not against monetisation at all, we all have lives and need to pay our bills.

OK, I'm game. How should SourceForge monetize?

Just about everyone here is running ad blocking software, not that display ads pay much anymore. Not that anyone will tolerate seeing an ad for the free software they're downloading.

Should SourceForge charge a monthly fee to projects? To users? Perhaps SourceForge should arrange licensing deals to make white label SourceForge clones? Maybe they should just start doing consulting on the side?

Don't they already have paid commercial hosting (along with a paid self-hosted version of their site)? I thought it was free only for software meeting one of their approved free licenses. Otherwise you have to pay.

Most of their projects are free licenses.

The web installer was initially not detecting the proxy at my workplace. Hopefully popular projects like Filezilla will move their download binaries off Sourceforge.

SourceForge is to github

what myspace is to facebook

what gm is to tesla

and what slashdot is to digg, now to reddit

and so on

I also posted this some time ago.

wait. sourceforge is still around? i doubt those that use it read hacker news.

Hey guys, do you know an alternative service that provides mailing lists (no Ggle groups please)?

I don't know why you don't want to use Google Groups, but depending on your reasons you may like http://librelist.com/

There's also Yahoo! Groups.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact