“It appears that SourceForge took control of the 'GIMP for Windows' account” (plus.google.com)
166 points by patdavid 4039 days ago
18 comments

Reposting what I wrote on the Reddit thread:

I'm one of the lead devs of LXQt and an LXDE sysadmin. We use Sourceforge for our mailing lists and some LXDE legacy stuff.

I'm absolutely sick of them. It's not the first time this has happened. I've been pushing for us to move off SF for a while and this is a good occasion to push for it harder.

I've sent an email [1] detailing plans to move. I am urging everyone who still has projects on Sourceforge to do the same.

If you have similar migration problems to solve as the ones I've highlighted in the email, please contact me directly and we can share the workload. My email is available on my Github profile [2].

[1] http://sourceforge.net/p/lxde/mailman/message/34148903/ [2] https://github.com/jleclanche

It is precisely for these reasons that we stopped distributing VLC via SF.net in 2013. I even wrote about it: https://blog.l0cal.com/2013/05/02/rethinking-vlc-mirrors-inf...
Have you checked your site on an iPad? It's alternating the font size between small and large several times a second, resulting in a strobe effect that never stops. Yikes!
Bizarre. Happens only in landscape mode.
I had those scammy SourceForge links. I guess I haven't been lucky enough to write a project that will scale that big, but I'll host it myself until I simply can't afford it anymore. VLC is great, by the way.
Our VLC account has been taken too by sf-editor-1.

Fortunately, we moved to our own mirror infrastructure quite some time ago, and it's faster and way better.

Btw, if any other open source project needs help to distribute their binaries (because of the size), please contact me.

PS-EDIT: signing the installer was a good idea, I guess :)

Is there anything you can do to stop them malwaring VLC?
What are the reasons for people to use SourceForge today? Why hasn't everyone else (especially major projects like GIMP and Audacity) moved off?

Here are some possibilities I can think of, but I'm curious if they're correct:

- Mailing list hosting

- Non-git repository hosting, for projects that prefer CVS or SVN

- Shell account (though it doesn't seem very useful)

- Features GitHub has but few others do (binary hosting, website hosting, etc.) and the project wants to avoid GitHub

Are there others?

One reason is discoverability as they have a rather extensive searchable directory of open source software.

Another reason for quite a while was binary hosting, which github originally supported, then discontinued, but finally added again in July 2013. Additionally, the ability to use any open source license or combination of licenses: Google Code supported binary downloads during the time github didn't, but only permitted one license per project and only from a subset of open source licenses (originally a small subset, later expanded). Google Code, of course, is sunsetting now. And github now supports multiple licenses as well as binary releases.

I will second the Discovery aspect as being something that I like about SF when I first used it in the early 2000s. The reason I liked it so much was because I was a kid looking for free games to play on my PC, who soon learned to equate opensource == free, who then started browsing SF's games category (played a lot of BZflag).

That said, with projects and people leaving SF, and their UI leaving a lot to be desired, there are so many more options I'd first use for project discovery.

Oh right, the other reason I forgot to mention is lack of volunteer time/enthusiasm to deal with a move. If you already bounced between Google Code and SourceForge two years ago, chances are you're probably not completely excited about jumping ship to GitHub right now.

(But yes, right now, if you're on Git, GitHub will give you binary downloads and all licenses.)

Actually, you can easily import your code into repos now. Also, considering Google Code is shutting down, you can easily move your project to github from Google Code.
Github lets you use any license you want.
Right. I meant it as a comparison to Google Code, hence mentioning it during the time period that Google Code supported binary downloads but github did not.
GIMP did move off Sourceforge back in November 2013[1]. Unfortunately, because there were a bunch of links pointing there it still ranks very highly in searches for GIMP. I'm not sure if there's even any way to delete a Sourceforge project.

[1] See the top story on http://www.gimp.org/

You could remove all the installers, replace them with a README.txt, and update the website and project description.

That said, looking at the top story, I guess they consciously chose not to do that and then things went sour.

Doesn't matter. Someone elsewhere in the discussion found out what they're doing - Sourceforge now has a policy of taking over the project pages of projects that've moved off Sourceforge and running the pages themselves as mirrors (apparently with added extras in the installers): http://sourceforge.net/mirror/ If you remove all the installers, they'll just get them off your website instead. If anything, removing everything from the project page would just give them even more of an excuse to take it over.
I wonder if there are any OSS licenses with a legally valid "except for Sourceforge" addendum available.
OSS can just use trademarks to stop SF from redistributing the binaries under that specific name (thus will kill their search rank).
Is it possible to delete a project on SF? I've looked and can't find any information on it (on SF... haven't googled yet).
Legacy, basically.
SourceForge made a blog post about the GIMP project here: http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-...

It appears they switched the GIMP project on SF back to directly downloading the standard GIMP installer, at least that's what I see right now in Firefox at 3:30pm NYC time.

"Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available."

In other words: "Yes, we take your project and wrap it in an adware installer."

Or as I call it: "the download.com strategy." Honestly SF are scumbags.
Well, if it's abandoned, just leave it be. Yobs!
As noted in other comments, the GIMP installer on http://sourceforge.net/projects/gimp-win/files/ is now bit-for-bit identical to the one on http://download.gimp.org/pub/gimp/v2.8/windows/ (let's call this one official).

Does anybody have a copy of the "value added" installer?

How did it work? Was it a wrapper which contained a copy of the official installer? Did it have the same filename? Was there some identifier in the URL? A cookie?

In other words, can we programmatically identify other hijacked projects?

It's a 730KB downloader installer as used by FileZilla, Angry IP Scanner, and other apps on SF that participate in the Dev Share program. You run it, it shows offers, then downloads the actual GIMP installer and runs that. I did a Virus Total scan of it earlier and the results are here: https://www.virustotal.com/en/file/a63a337b0aa6b2686440802eb...

It seems they've now disabled the GIMP downloader installer posted earlier today from downloading GIMP at all. Possibly so other sites don't distribute it further, thinking it's the real GIMP installer?

It was a small wrapper that downloads the actual installer, loaded from a different site to their usual mirrors because they outsourced the whole "bundling unwanted software" functionality to a third party. I don't still have a copy because I downloaded it in a temporary test VM, sorry.
Wow. Is this legally actionable? Yeah yeah, their server and so forth, but pretending to be somebody is generally seen as a Bad Thing© by the courts.
What's with the copyright symbol?
A copyright that's been registered by Sourceforge ;)
I don't see how the phrase 'Bad Thing' alone is a copyrightable work. And even if it was (say, it was typeset in a particular fashion, or part of a greater work), registration would be unnecessary.

Sarcastic use of the trademark (™) and registered trademark (®) symbols is a common rhetorical device, but copyright doesn't make much sense. The "intellectual property" propagandists do their best to confuse people into thinking that copyright, trademarks and patents are the same thing; perhaps that's why you're confusing the two?

By which you mean a trademark?
You both are putting a heck of a lot of effort into nitpicking a single character used for humorous effect :/
It's worth nitpicking about, for several reasons.

It would be a shame if a young entrepreneur thought their trademark was protected by the Berne convention and someone came and took it. It would be a shame if the Mickey Mouse lobby went completely unopposed because people can't think critically about what they don't know. It would be a shame if a large corporation could grab the trademark of a small free software charity because people don't think it's "a big deal".

Is there anything suggesting it's SourceForge itself doing this and not just (an improbably widespread, admittedly) set of account breaches? It makes sense -- acquire accounts, enable ads, profit.
"The Open Source Mirror Directory is an extension to our existing software directory, where we'll be mirroring projects that are not hosted on SourceForge, and SourceForge projects that have been abandoned.

Why are we doing this? We want the SourceForge software directory to be as useful as possible. When you come here to search for a piece of software, we want you to be able to find it, and find the most up to date releases. And if that software isn't hosted on SourceForge, we still want you to be able to find it. Or if a SourceForge project has been abandoned, we want it moved to the mirror and maintained, so you can always find the newest releases. Millions of people use SourceForge every day to search for Open Source software, and we want to give them the best experience possible, even if the best answer to their search is a project hosted elsewhere, or an abandoned project newly maintained by the SourceForge team."

http://sourceforge.net/mirror/

So...they're claiming to "maintain" projects, and that means turning them into adware?

That's so underhanded and nasty that it's difficult to believe. If true, it means SourceForge has effectively become the nemesis of every software developer who ever used their services. And, it means every software developer who cares about software freedom and privacy must move everything off of SourceForge.

We host Webmin on SF.net, still, and it is downloaded over 3 million times per year, making it one of the most popular packages in the system administration category for over a decade (last I checked a few years ago, it was second only to phpmyadmin). They've never done anything weird or underhanded with our stuff (but most of our packages are signed and set up in such a way that fiddling with them would be somewhat challenging). Given its popularity, I would assume it would be a likely target for this sort of thing. But, maybe it's only "abandoned" projects? (Whatever that means, since it sounds like the original author in this case did not consider their project abandoned.)

Abandoned projects and "projects that are not hosted on SourceForge", which appears to include projects that still have a SourceForge page that's actively maintained if the project has moved elsewhere. So if you move off SF.net, they'll take over your page there and use it to distribute adware-enhanced versions of your software. Incredibly underhanded.
Moving doesn't prevent this or protect users, and it actually would potentially trigger such a takeover by SF.net? So, there is no escape?

I'm really finding this hard to believe. It's just incredible. I mean, I've had a bit of a love-hate relationship with SF.net forever, but it's always been the kind of thing you might have with a bratty sibling (i.e. you wish they were doing more with their lives, but you still love them). This is such a massive betrayal of trust that I can't even swallow it.

I mean, the evidence seems to be there, and more than one major project has reported this behavior, so it's not really something I can just ignore. But, it's also just so horrible. (I'm beginning to become repetitive. I just really find this unbelievably awful.)

I don't know anyone involved in SourceForge, and haven't in more than a decade, so I don't even know who to reach out to for some kind of clarification about WTF they think they're doing. Their mirror page doesn't explain anything about distributing malware in these projects they "maintain", so they're already not being forthright about it.

Shame really: for a while SourceForge was THE place to go for open source software.

They claim (at the bottom of http://sourceforge.net/mirror/) that "If you have an Open Source project outside of SourceForge, we'd like to hear from you. If you want your project mirrored on our site, or if you don't want your project mirrored on our site, please let us know. Or there's any other service that we can extend to your project community, we'd like to hear that, too. Contact us at communityteam@sourceforge.net and we'll be sure the message gets to the right people."

People should email them at communityteam@sourceforge.net and ask to be un-mirrored. Maybe that will work.

The number of people casually suggesting github for large binaries on HN is incredible and funny. They should try downloading something from github in Asia and they'll learn why local mirrors are useful.
I think this pretty much explains why this happened, a quote from their parent company here: "2005 - IN AUGUST, WE ARE ACQUIRED BY DICE HOLDINGS, INC., WHICH IS OWNED EQUALLY BY GENERAL ATLANTIC LLC AND QUADRANGLE LLC, PRIVATE EQUITY FIRMS IN NEW YORK CITY." via: http://www.dhigroupinc.com/our-company/default.aspx
Any other projects affected? It would be nice to start a list of all affected projects. This could also be a case of a targeted attack on the gimp account.
http://sourceforge.net/u/sf-editor1/profile/

Nice list. Got Audacity there, for instance.

Several of those are projects that were never hosted at SourceForge, aren't they? Firefox, for example, I don't believe was ever an SF project. WordPress, I don't recall ever seeing on SourceForge. Are they altering the binaries they are posting on their "mirror"?

This is very confusing.

Bitcoin is on there also. Now that is worrying.
It doesn't necessarily mean all of them are affected, but I think it's a call for a close inspection.
I downloaded the bitcoin .exe, and it came clean, with the right signatures, but who knows how they are distributing the stuff. I have an Ubuntu computer. If they're at least a bit smart they will use their download redirects to serve the spyware only to Windows computers or something, so that could be why I got a clean binary. Bitcoin devs investigated, at my request. They removed the sf-editor1 user from the project owners and checked the binaries to see if sigs matched, and they did. But like I said, they could be filtering who they serve the "spyware" to.
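The checks discussed in the thread (comparing the SourceForge download bit-for-bit against the official installer, as with gimp-win, and looking at whether a binary carries an embedded signature, as the Bitcoin devs did) can be scripted for triage. This is an added example, not code from the thread or from any project mentioned in it: the official SHA-256 and size are inputs you take from the project's own release page, `build_stub_pe` only constructs minimal PE test data, and a present signature entry is not the same as a validated signature chain.

```python
import hashlib
import struct

# Index of the Certificate Table entry in the PE optional header's data directories
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_authenticode_entry(pe: bytes) -> bool:
    """True if the PE's security directory points at an embedded WIN_CERTIFICATE blob.
    Presence only: validating the chain still needs a verifier such as signtool."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_hdr = e_lfanew + 4 + 20                  # 4-byte signature + 20-byte COFF header
    if opt_hdr + 2 > len(pe):
        return False
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == 0x10B:                           # PE32: data directories start at +96
        dd_offset = opt_hdr + 96
    elif magic == 0x20B:                         # PE32+: data directories start at +112
        dd_offset = opt_hdr + 112
    else:
        return False
    entry = dd_offset + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > len(pe):
        return False
    num_dirs = struct.unpack_from("<I", pe, dd_offset - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    va, size = struct.unpack_from("<II", pe, entry)   # file offset and length of the blob
    return va != 0 and size != 0 and va + size <= len(pe)


def triage(candidate: bytes, official_sha256: str, official_size: int) -> str:
    """Classify a downloaded installer against the project's published release."""
    if sha256_hex(candidate) == official_sha256:
        return "official"          # bit-for-bit identical, as the gimp-win files were found to be
    small = len(candidate) < official_size // 10
    if small and not has_authenticode_entry(candidate):
        return "suspect_wrapper"   # tiny unsigned stub: the shape of a download-and-run offer installer
    return "modified"              # differs from the official build; needs manual review


def build_stub_pe(signed: bool, body_size: int) -> bytes:
    """Constructed minimal PE32 image for demonstration only (not a real installer)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                  # 64 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # 24 bytes
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)         # 96 bytes
    dirs = bytearray(16 * 8)
    sig = b"WIN_CERTIFICATE placeholder" if signed else b""
    if signed:
        struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         64 + 24 + 96 + len(dirs) + body_size, len(sig))
    return dos + coff + opt + bytes(dirs) + b"\xCC" * body_size + sig
```

To use it on real files, read both installers as bytes and call `triage(candidate_bytes, sha256_hex(official_bytes), len(official_bytes))`.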
Firefox, cgminer, zotero, etc.. Yikes.
These are all affected repos! Damn!!!
The account that the GIMP-WIN project got "moved" to from its official maintainer (jernej) is called "sf-editor1".

Having a look through that account's project history is a little fishy (http://sourceforge.net/u/sf-editor1/profile/)....

Does not look like something they would have done intentionally. Explanations will come soon I guess.
The safest thing to do would be to assume that all software there is similarly afflicted and to never use Sourceforge again.

People who host software there should move to a different platform.

The only issue is that Sourceforge made nice binaries available. Most people have no idea how to use git and/or build their own binaries.
The official win32 gimp installers were not made by sourceforge, but by the GIMP contributor now locked out of managing the relevant sourceforge account. The same win32 installers that used to be provided on sourceforge are now provided from gimp.org directly: http://download.gimp.org/pub/gimp/v2.8/windows/. The problem is the nice binaries being replaced by sourceforge-made installers that also install adware.
Even before they started adding malware installers, downloads redirected through an extra ad page (and interfered with curl, wget, etc).
SourceForge has worked with wget, NSIS's inetc, etc for at least the last 10 years. We've been using it with PortableApps.com.
wget at least isn't affected, as long as you copy the link from the files page (the one that normally displays ads and a countdown timer in browser - it'll download the file directly with wget, since they apparently do user-agent sniffing).
GitHub supports releases w/ binary attachments[0]. I think the only thing they're missing at this point is shell access.

[0] https://github.com/blog/1547-release-your-software

What does the SourceForge shell access get you? If it's only the ability to edit your website and maybe your code (and not install, compile, etc. things), is it valuable in a world with git-push-to-deploy and with web-based editors?
Surely hosting static files on the internet is trivial to accomplish these days, even without the help of Malwareforge.
Trivial, technically, but can still be an unwanted cost for projects that push a lot of bits out. Our software at SF.net burns through several terabytes of bandwidth each year for several million package downloads. We've always appreciated their network of mirrors. But, it seems like it's time to move away from SourceForge.

We already relocated our revision control to github (though I'm considering another move to a self-hosted thing on Phabricator or gogs or gitlab, as I'm more cautious about using third party services for this kind of stuff these days).

The thing is, it's not exactly "their" network of mirrors. They mostly rely on third-party mirrors run by universities and other organisations that offer mirroring for free to a bunch of major open source projects and sites.
GitLab CEO here, glad to hear you're considering using it, please let me know if we can help in any way.
Or you can just stop getting anything from sourceforge since their MO is now to distribute crapware.
Even apache openoffice is using SourceForge for their downloads. There are quite a lot of s/w there at this moment.
OpenOffice has not been relevant for a while; development has moved to LibreOffice. See https://lwn.net/Articles/637735/
They're distributing LibreOffice now too, presumably without bothering to ask for the permission of the actual developers.
They technically don't need permission to perform the redistribution, seeing as LibreOffice is FOSS and distribution of software is permitted.

However, they do need permission to claim to be representatives of the LibreOffice developers.

:) Agree on that! [Have not used any office suite in a while now; Markdown has been sufficient]
Reviewing the meager amount of Twitter chatter it appears SourceForge had cemented its irrelevance before this craziness.
In this age of GitHub being huge, and GitLab being the purely open-source choice, this can't really end well for SF.

They really, really need to up their game if they want to stay relevant. Most of the stuff I find pointing me to SF these days is usually abandoned (GIMP and Pidgin are probably notable exceptions).

I'll still never understand why people don't move off of SourceForge; GitHub and Bitbucket (among others) are almost feature complete, and for the things that they're missing (mailing lists) there are plenty of free alternatives out there that are fairly easy to port.
I wonder what would happen if Google or Yahoo! acquired them.
Is that enough to qualify SourceForge as malicious and ask that it be removed from Google's search results?
Pywin32 also should find a new home or maybe a reimplementation in golang.