If they have no future brand value to be concerned about, then, from a game-theoretic approach, it's actually a pretty rational profit seeking move. (As long as they don't incur any downstream liabilities from outright illegal activity for which they might be fined, or successfully sued - if there is any entity left to sue)
Of course, the game-theoretic response from the entire internet community is to make sure they never, ever, for any reasons whatsoever, ever click on a link that starts with "sourceforge.net"
Even if you now need a VM to handle the crapware, that's better than losing the apps entirely. If somebody maintained a time-diffed mirror of SourceForge, they could pinpoint the last version before the bundling event occurred in an automated fashion, as well.
EDIT: It seems there's a project to begin this - http://archiveteam.org/index.php?title=SourceForge and an IRC channel, EFNet #coldstorage
Google Code was never good either, but people gladly moved from SF to Google Code. And when something actually good came along (Github), Sourceforge simply vanished.
Sourceforge was never a hero. It was a horrible website, with horrible UX. It always had pretty terrible ads, and for the past couple of years it has been repeatedly abusing its users' trust, serving malware, and been involved in countless dramas.
Glad it's gone.
Everything internet sucked around 2000. Search engines were either semi-curated listings or covered a fraction of what was a much smaller internet. Free hosting was a joke, affordable paid hosting was not much better. Your bandwidth at home was not good and anyway your computer was not the powerhouse it is today - you needed to upgrade just to run the next version of Excel, not to play the next AAA game. A lot of websites had terrible UX.
So Sourceforge was not great, but it offered a great package of functionality that basically solved in one shot all the problems of managing an OSS project and gave one roof under which to search for new tools and libraries.
What happened is that they stagnated and their utility eroded over time, starting with Google removing any reason to have everything in a central place.
I disagree, and in fact preferred the internet of 2000 to the internet of 2015.
Google search worked fine in 2000: although SEO existed in 2000, it was much less refined and extensive than in 2015. The main problem in search results today is that profit-motivated content crowds out and makes it difficult to find not-profit-motivated superior content.
Not all the changes are bad, of course. Video in particular (not just bandwidth, but the convenience for consumers and amateur producers provided by Youtube) is much better (but text is more important to me than video). A computer with adequate performance is a lot cheaper in real dollars.
>A lot of websites had terrible UX.
I preferred the UX of the web of 2000 to the UX of the web of today. Searching a web page for a string, copying from a web page, then pasting, scrolling, use of keyboard shortcuts, bookmarking (some sites today have all content sharing the same URL, making bookmarking virtually impossible) all were simpler and more consistent across web pages, therefore requiring less deliberative thought to use, and IMHO thereby better.
In other words, on the web of today, I have to direct my attention to the mechanics of the web page, e.g., how to dismiss the interstitial asking me to follow them on Facebook or whatever so that I can start to see the actual content, which keyboard shortcuts have been overridden by the site, how to scroll and whether scrolling even works. In the web of 2000, I spent more of my time and attention on the actual content (particularly, textual content).
For those who remember the web of 2000: what about the UX of the web of today do you prefer? I have a theory that some people are more easily bored than others and that those people appreciate the web of today because the increase in variety, color and motion (of elements on the page) helps keep them from getting bored. Is that it?
(I remember the Sourceforge of 2000, but have nothing to say about it.)
ADDED. I neglected to consider that Wikipedia did not exist in 2000, which significantly changes the balance. I still disagree with "Everything internet sucked around 2000". In particular, I miss web sites created by individuals not expecting to make money from their writings. Although many (most?) of those web sites still exist, they've become vastly harder to find with a search engine because of content farms and other professionally-produced professionally-SEOed content.
The majority of banking sites required you to use ActiveX, very frequently the shopping websites would use weirdo content plugins or have their content in PDF.
Those were the times of multi-frame abuse, webpages with sound and no controls, sites trying to be clever and disabling right-click. Pop-ups everywhere, sites hijacking your browser window and resizing it, moving it around. Stupid cursors that made your computer grind to a halt. Sites designed for 640x480 and nothing else.
Remember the "blog"-like personal websites on Geocities and the like?
Remember the portals?
What I remember most from the time is how much superior I thought the newsgroups were to find anything.
I've tried eg Yandex and it's not much better, mostly just different (although they do return a good amount of results for things that Google's thought police have vanished). The unfortunate truth is that with the "internet" entering pop culture, pop culture has watered down the Internet.
I was thinking it would be an interesting experiment to take adblock one step further and hack something up that retrieved all the Google results and filtered out everything with any advertising. It seems like I'd come across those hard-wrought dense-knowledge textual pages far quicker, since the author's motivation is to share knowledge.
Any time you have a "theory" about other people that implies that you have a natural superiority to them based on your belief that you have superior taste, you're almost certainly full of yourself.
What part of that or my other comment implies that I think I have superior taste?
Also, in truth, I'm just tired of the "everything new is shitty, everything old is grand" comments on nerd sites, so I call them out habitually.
They've been in trouble, effectively since VA Linux's stock crashed...
If we'll look down in history, I think there are very few villains that have acted as heroes when starting out. The signs that such companies are assholes are in general there, from the start. As an example, I don't remember a time in which Sourceforge was the hero, as much as I try. Since as long as I remember Sourceforge, it was always the "necessary evil", the nuisance you have to deal with because bandwidth was (and still is) very expensive.
No offense to you personally, but this is a case where it's about grey hair more than ability.
There was certainly a time when Sourceforge was the wham-bam-snickety-snack boom-blam bomb. It was when Slashdot was the Hacker News, when "LAMP" was a new term, when 10Gbps across the U.S. (vs. your living room) was a Big Deal.
> If we'll look down in history, I think there are very few villains that have acted as heroes when starting out.
This is called playing "I told you so." In reality every organization begins with high ideals then adjusts to reality. The elegance of this transition defines how villainous they've become. Consider McDonalds and Whole Foods. Both seemed delightful at the beginning. We see how McDs is now cancerous (or at least diabetesacious) and Whole Foods is anti-union, but surviving anyway, a "mundane evil."
You can't predict which company will become evil or not.
But the underlying point is similar to "you are the product". People chose Sourceforge because it offered free hosting. It was for a long time the "default" choice, back in the early 2000s. They had banner ads, usually from other Linux companies, and that seemed to pay for it. It was easier to use than FTP sites.
The question always remains: who is going to pay for it? If a company is sinking, then they have only two options, to close it down or to engage in ever-shadier chasing of monetisation options. Can you imagine the outrage if they'd put up a paywall? It's basically the same politics as has made "free to play (with gouging IAPs)" the default mode of paying for mobile apps.
I do hate the "free to play (with gouging IAPs)" model and I actually prefer ads with an option to go ad-free. However even with this business model there are heroes. See for example Path of Exile, a free game in which the in-app purchases do not have an impact on your ability to win: https://www.pathofexile.com/
I do agree with you, the chosen business model makes the difference. I do believe that ads aren't inherently evil, it's just the status quo that is. Yes, today ad-supported means that we are the product, but this product has a free will, a fact that some companies are forgetting. At the very least there are some signs of change. Google for example is at least trying to play it both ways - you can be a paying customer of Google Apps and they'll introduce subscriptions to YouTube for going ads free (with the ability to cache content for offline viewing on mobile devices being the incentive needed for regular folks).
If Github ever pivots to selling t-shirts, run.
Ultimately someone needs to pay some bills though, a few transactions later and this seems remarkably far from their start. It's embarrassing and shocking.
The logical implication in that line flows in the other direction. It's not that every villain started out a hero, but that every hero (that survives long enough) ends up a villain. Of course, it's untestable as there's no limit on "long enough", but then again, it's just a line from a movie...
I remember a time when it was a fantastic resource, that it was one of the primary places to get FOSS - my earliest bookmarked link is for AFPL Ghostscript from 2004. IIRC I started using it around 1999 when I first installed Linux. There was Freshmeat too but that IME had far fewer of the major projects. Searching SourceForge was the best way to find projects for a particular need at the time.
The last FOSS project I downloaded there that isn't available elsewhere was last month.
Perhaps Google could step up and de-list them, but that is a pretty slippery slope.
Suggested reason is "embeds malware/adware with downloads".
And ask them to stop mirroring SF because they distribute malware. I don't know how many of them provide the mirror for free though. I remember quite a few universities provided SF mirrors back in the day.
De-listing from Google is basically being taken off the internet, so wielding that power too often might get Big G into a lot of trouble with agencies like the European Commission.
On balance I think SourceForge deserves a browser level "here be malware" warning, trusting that most users will make the right choice if informed.
That's a nice idealistic response, but what about when you can't find a file anywhere else?
Drag down SourceForge all you want (I applaud that) but don't drag down rationality with it.
I'm not worried for myself I'm worried for them.
Sharing the same owner as Sourceforge, let's see if it gets "buried" (or "late released due to an editor vacation", as was their explanation) or if they publish it in a timely manner and within the spirit of the submission.
I detailed the changes made and why they were biased in a comment on the same submission.
Edit: added http://sourceforge.net/u/sf-editor/profile/ which includes MySQL and a few other high profile projects.
They're really going all in with that.
IMHO, all open-source projects should protect their name. For example last time I tried, VLC for iOS was banned from the iTunes Store, yet there were dozens of obscure apps using VLC's name or logo on iTunes Store (this was happening in January). Especially given that there is such a thing as an unregistered trademark, that is valid through usage. Even if you fork it, then authors should have the courtesy to use a different name.
http://sourceforge.net/projects/firefox points to some personal build of firefox. http://sourceforge.net/projects/firefox.mirror seems a lot more official. I have no idea what binary you get from either of them.
OpenOffice, Apache server, Hadoop, Audacity, CDex, Colloquy: those are all projects I have on one of my computers, and I haven't gotten to "D" yet.
This is depressing
It's important to understand which is which for those accounts.
Geeze, I guess we should stop using Google. They've been accused and suspected of much worse by a lot of people. I hope that's not what you meant.
Short answer: Yes.
Downloading and running arbitrary binaries from the web is inherently a quite dangerous thing to do, and I only feel comfortable taking such a risk with sites I trust. I no longer trust Sourceforge and there is very little they can promise me to make me start wanting to download from them again.
Well, I don't agree¹ with your method of evaluating trustworthiness (which seems to me rather too quantized and "chastity"-minded), but at least you know exactly what you're doing and who you're trusting.
¹ Read as "I believe it's sub-optimal for a given cost-benefit formula, after some assumptions about certain variables and certain opportunity costs, and other methods would likely be more useful in context."
Isn't it a hard fact at this point?
In general, the way the comment was worded? No, suspicion does not equal hard fact.
We were talking about the latter.
It is important to expose this behavior for what it is.
And in the process, remind everyone that abuse of power is a question of WHEN, not IF, whether it's a government entity or a corporate one.
The IT Job Board
There should be more regulation on the jobs market. It's a data-mining goldmine and fake job postings aren't illegal as far as I'm aware of.
The author, and a lot of the commentators here, don't seem to have seen that announcement.
The policy of taking over "abandoned" projects is super shady as well. That's what this mailing list post is about, isn't it?
we haven't caught them trojaning Nmap the way they did with GIMP
So stop trying to speak for 100s of thousands of people at once.
PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.
He does know about the announcement, but he does not trust them anymore. That's fully understandable. Fool me twice, etc.
Additionally, you addressed people posting in this thread. The Sourceforge announcement was all over HN and reddit and a lot of people following the whole issue knew about it. It's simply not enough to win back users' trust. But I already addressed that - yet you chose to criticize my way of wording, not the very content.
Fool me twice...
I took over APNG project in 2011, nice short name, it was really abandoned, and I don't feel bad about it:
For example, for years, I've used winscp.sf.net to get to WinSCP when I need it. As of now it redirects to what I believe is WinSCP's actual site, winscp.net. In the past, Sourceforge was the actual location to get the binary. If at some point they set up a "mirror" for WinSCP, there's a good chance that people visiting that haven't in a long time might just accept that if they get a download link at a sourceforge page, it's likely legit.
I can't say the same about any of the sites you listed.
echo "127.0.0.1 sourceforge.net" >> /etc/hosts
site:sourceforge.net/projects/ inurl:mirror -inurl:files -inurl:reviews -inurl:compare -inurl:support
I have done that an hour ago. Should I be concerned?
1. Go through installed programs and uninstall any that you don't want/ didn't know about. Google any you have questions about. (Clicking on date in upper right will sort from newest to oldest.)
2. Get rid of Audacity. We can only assume that this binary is infected as well as the installer.
3. Run something like Malwarebytes. Do be careful to get the right installer, as the website has many misleading links. Run this.
4. Install in browser: Adblock Edge for Firefox, or Adblock Plus for Chrome or Safari. Quit using IE if you use that.
That should take care of 99% of all problems on your Windows machine. I have no clue if you should or should not be worried regarding bad binaries from scamforge. I haven't analysed the binaries.
SourceForge never modified installers of projects. Even of ones like FileZilla participating in the program. They push "download offer installers". So, if you try to download FileZilla, you get a 750K download that shows you offers when run and downloads the actual FileZilla installer in the background and runs that after you accept or decline the offers.
Also, many open source projects don't have the money to afford bandwidth costs of providing large software downloads.
I don't buy the money argument. If you have the chance to be a successful enough open source project, you will find hosting companies ready to help you with free VMs.
If you are not that successful, you can use github & co without fear, nobody will try to insert crapware in your packages. And if you want to selfhost, even a raspberry pi will have enough power to serve your site.
The costs are directly proportional to the traffic, but nowadays most "reasonably popular" open source projects can get hardware (VMs) from hosting companies for free.
We need end-to-end security without this https insanity as a bandage more than ever. Ubiquitous signing and audit logs more than ever. Tools that, for normal end users, refuse to work if integrity is broken. What sourceforge is doing should be universally seen as damage, and systematized intolerance should make the attempt pancake so hard and so fast that nobody ever even tries it.
It's excellent that the nmap people distribute gpg sigs. Now we need to socialize the fact that "https does not mean I'm getting what I wanted from the original authors", and start building (yes, we need to get past the http://www.thoughtcrime.org/blog/gpg-and-me/ problems) and using tools that do better.
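An added example, not from the thread or from the nmap project, of the integrity check the comment above is asking for beyond https: verifying a download against a sha256sum-style manifest that the project publishes (and should GPG-sign; checking that signature is left to gpg itself). The filenames, bytes and manifest below are constructed for the demo.

```python
import hashlib
import hmac
from pathlib import Path

_HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse 'digest  filename' lines (the format sha256sum / shasum -a 256 emit).

    Returns {filename: lowercase hex digest}. A leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped. Blank and '#' lines are
    skipped; anything else malformed raises rather than silently verifying
    nothing, since a manifest that "parses" to no entries is worthless.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= _HEX:
            raise ValueError(f"not a SHA-256 hex digest: {parts[0]!r}")
        entries[name] = digest
    return entries


def _verdict(name, actual_digest, manifest_text):
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        # The project never listed this file: e.g. a wrapper installer a
        # download site added on its own, or a renamed artefact.
        return "unlisted"
    return "ok" if hmac.compare_digest(actual_digest, expected) else "mismatch"


def verify_bytes(name, data, manifest_text):
    """Check in-memory download bytes; returns 'ok', 'mismatch' or 'unlisted'."""
    return _verdict(name, hashlib.sha256(data).hexdigest(), manifest_text)


def verify_file(path, manifest_text, chunk_size=1 << 20):
    """Same check for a file on disk, hashed in chunks so large tarballs fit."""
    path = Path(path)
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return _verdict(path.name, h.hexdigest(), manifest_text)


def demo():
    """Constructed walk-through: genuine file, tampered file, unlisted file."""
    genuine = b"stand-in for a release tarball's contents\n"  # constructed
    manifest = "%s  example-1.0.tar.gz\n" % hashlib.sha256(genuine).hexdigest()
    return (
        verify_bytes("example-1.0.tar.gz", genuine, manifest),
        verify_bytes("example-1.0.tar.gz", genuine + b"offer-wrapper", manifest),
        verify_bytes("example-1.0-setup.exe", genuine, manifest),
    )


if __name__ == "__main__":
    print(demo())  # ('ok', 'mismatch', 'unlisted')
```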
I feel like there is a niche service to provide installers that have been decrapified. I'm not talking about ninite (which is private/commercial) but an open source repository of installers that you can "apt-get" for Windows. I know people have tried that in the past - but the problem is that the builds that are posted manually go out of date pretty quickly so I think this process would have to be automated.
Honestly, in hindsight I wish we had gone to a model more like Github.
I understand the author's grief and anger. I feel bad for them really as this will hurt the NMap brand, but come on, avoid the whole situation and just remove the project from SourceForge completely.
They won't let you "move" a project.
> At SourceForge.net, we feel a commitment to ensuring the long-term availability of the Open Source code released by the projects we host. We will weigh requests for project removal against the community value of leaving the project intact...Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value.
"SourceForge, the code repository site owned by Slashdot Media, has apparently seized control of the account hosting GIMP for Windows on the service, according to e-mails and discussions amongst members of the GIMP community—locking out GIMP's lead Windows developer. And now anyone downloading the Windows version of the open source image editing tool from SourceForge gets the software wrapped in an installer replete with advertisements."
Personally, I like their download stats:
But generally, why would I move if I never had problems with the service?
Until they take that control from you.
> I'll make sure it won't happen
They won't because I'm not abandoning my projects.
People who complain have one thing in common - they abandoned their projects on SF. It's kinda like letting the domain name expire and then complaining that somebody took over. Always keep an eye on your hosting and your domain names, folks.
What makes you think that will make a difference? They'll hijack whatever they want that's hosted on their servers whenever they want to hijack it.
Clean up your mess when you're done and you won't have rats.
I see the nmap tarball is 20 Megabytes = 50,000 downloads.
The cost of hosting should be easily covered by your user base.
Would the $5/month droplet stand up to a surge of people coming in for a latest release, or a bit of press coverage? Would there be enough bandwidth that everyone gets the file fast, or would they all slow to a crawl?
If the project doesn't want to manage their own infrastructure, they're probably going to want a CDN or object storage provider. The most cost-friendly I've seen is OVH's RunAbove object storage, but I'd be interested to know if there is anything else comparable.
I'd be interested to see how sourceforge respond to DMCA requests.
FEDORA: http://sourceforge.net/projects/fedora/ points to some random software. http://sourceforge.net/projects/fedora.mirror describes Fedora the OS.
Not only scummy, but semi-competent too.
I think it's pretty clear that DHI has no shame, but what about the mirrors?
However, are SF really making money from these mirrors? As I understand it from other comments here, you can still download the tarballs, and they seem more 'official' than the non-mirror-suffixed accounts? When does mirroring become bad practice, what is the line you need to cross?
The world is calling it a day on Sourceforge - they are just hanging around to milk what they can out of past glories.
Of course they can't just turn off anyway: there would be outcry from people because their currently idle project that hasn't moved to being hosted elsewhere suddenly became unavailable.
"Of course this goes directly against Sourceforge CEO Michael Schumacher's promise less than two years ago:"
Michael Schumacher is not SourceForge's CEO, but a GIMP developer. The article quoted in the mail was written by Roberto Galoppini.
Of course they've completely blown all trust and squandered their reputation.
Alternately one could look into trademark law, perhaps?
And quite frankly, I prefer the rather diverse universe of stackexchange sites.
I think they removed the logged-in requirement. At least I have been able to see every answer even though I never registered.
For this device sourceforge now lives on 0.0.0.0. May it wither there forever.
I realize there's a good deal of handwaving here--particularly at 3 and especially 4. But, is this a bad idea? Seems like 4 can be replaced simply by the owner reforking, too.
As much as I hate malware, can we confirm it was sourceforge that got rid of the old page? Maybe someone set up the mirror after a data problem or error rendered the old page blank and just wanted to get it up, or that person was nefarious? (Occasionally people can be "too helpful" on community sites by registering other people's projects).
I guess the question is really who owns sf-editor1/2/3/4.
The reason being I can't see a lot of bonus for someone doing it this way. I'd just put adware in the margins. The site looks sketchy anyway these days so it's not doing them a lot of good...
I'm not saying I condone Sourceforge's actions, and this does deserve to be known widely, but what one person would consider privacy-invading malware could be another person's "helpful offers assistant" (or whatever)...
Ironically linking to a page served via SSL
Not really. It's just a quick guide to using gpg to verify a software distribution. Many people already know how to do this, or you could look at the manpage if you prefer.
Strange, it seems newer but the Windows version was the same as mine.
Google what up, randomly saw the Sourceforge controversy for GIMP in the news.
Went straight to SourceForge and got my update. Because they could be bothered.
If you want Sourceforge to be evil, get your shit together GIMP. (Windows users are people too, plus appreciate all the work, but it'd be nice if you remembered us)
PS And remember that if you're GPL or whatever then don't complain when someone follows the rules but doesn't do what you want. Is it GPL or not?
You can't say you're anti censorship, as long as it's what you want. You can't say you're GPL as long as it's what you want.
People are free to add malware to the product. Account hijacking not so much.
> GIMP for Windows
> Via HTTP (.exe)
> Download GIMP 2.8.14
If I go to SourceForge.org (clicking first SF link on Google for "GIMP download"), I see this:
> Browse All Files
SourceForge has 2.8.6, GIMP.org has 2.8.14.
SourceForge has an older version. Where the hell did you go to?
(In fairness, SourceForge also has 2.8.14, but you have to go look at the file list rather than clicking the big green button. OTOH, GIMP.org's big button goes straight to the latest version.)
It's time for github to step up and start offering projects download hosting and the whole slew of other things that sourceforge gives a project.
I hope everybody still hosting there will take this reminder to finally move their stuff to a different host.