Does anyone still use SourceForge after they started embedding adware with their download links? I give them credit for being an early innovator and I know they are under new management as of 2016 and supposedly put that behind them[1] but they have permanently lost my trust.
It's actually worse than that. As an open-source developer deciding where to host a project, I not only need to trust the host, I also need to expect users to also trust the host. If I expect 10% of potential users to bounce when they see that it's hosted on Sourceforge, well, hosting is enough of a commodity that I have no reason to give up on that 10%.
In addition to the malware issues, when I land on a SourceForge project that pretty much tells me "this project is dead or on life support" nine times out of ten.
This is true for me as well. SourceForge stopped being the host for anything I cared about years ago. If I land on SourceForge today because they host project X that might solve my problem, I generally start looking for project Y somewhere else.
I was referring to the ongoing perception of malware issues even after the fact, but you're absolutely right. Guess I should have been clearer but it's too late to edit now.
As for the perception, I think it's going to be like those Red Cross donuts and it'll be very hard to live down.
My point was not to be insulting, it was to draw attention to the fact that I don't know this person, just like most people don't know what's going on behind the scenes at SourceForge, or just how healthy we are as a company.
Right, and that's actually a problem; people would be more willing to use SourceForge if they knew that other people knew that it had changed for the better.
They’re under different ownership; the new owners were apologetic about that nonsense and stopped it immediately. I don’t want to punish people for buying and fixing venerable Internet infrastructure, so though I was angry about the compromised downloads, I’ve no problem downloading from SourceForge since then.
I don't maintain the code and the description basically refers to GitHub for any issues, but there are still some people who use it, so I don't see any good reason for losing free traffic. The number of downloads has been falling for years though.
PortableApps.com is still hosted on SourceForge. I think we push around 40TB a month through their download servers. We can't afford that bandwidth on our own. Other hosts like Github aren't really designed for projects like ours that have hundreds of different open source apps.
Do you know we have nothing to do with the people that made the decisions to do that bad stuff? I, like you, didn't like it, so I bought SourceForge to remove the bad stuff. I still get shit for it. Kinda weird because the people giving me shit didn't put their financial wellness or reputation on the line to fix what they didn't like, but still armchair quarterback about it. It's like someone saw it fit to burn down a museum, and then someone stepped in to save it and everything inside of it, but still takes the blame for the person who wanted to burn it down. Very odd...
Hi. Much appreciated for your good deed. It's unfortunate that the previous owners put a seemingly permanent black mark on the once-beloved SourceForge brand, but I think you need to not take it personally. Most of us, me included, simply don't know what's going on inside SourceForge, or GitHub, GitLab or Bitbucket, our only view in being headlines and rumors.
We can't all be experts, but we all need to make a choice, and "that site that started posting malware" is not a compelling option no matter what happened afterwards. This is super unfortunate, but it's true, and I imagine it's the same reason why web filters and reputation indexes have been unkind.
But I think that's not even the worst problem. SourceForge was definitely on a decline before the adware incident. Like, many of us will feel uneasy about GitHub under MS, and I already don't know how much I trust young venture capitalist funded websites with my important data. Still, GitHub changed the game with their non-advertising-based profit model and now it feels weird to even consider going back. Frankly, I feel a bit dirty when downloading FOSS from a page with ads and a countdown even though SourceForge is not the only one doing that.
Truthfully, I do want to love SourceForge the way we all used to, but I find it challenging. The adware-supported installers just felt like a super evil extension of the profit model SourceForge already had, and the association in my head stuck. I doubt I'm the only one.
None of this is fair to you, the person trying to fix all of this, but of course whether it's fair or not isn't going to matter. Insulting people who aren't giving you a fair shake is probably not going to help your case, though I certainly sympathize with you.
Thanks for the input. I am not trying to be insulting to anyone here. If it came off that way, I apologize. I am just, maybe too frustratingly, trying to get the point across that we are not the same as the previous owners. I understand why the name might confuse people though.
Ship's still in port actually. Over a million users a day. They're on board and we're improving it for them. Bitbucket's cool too, but it's just a different ship.
I was going to reply to https://news.ycombinator.com/item?id=17281866, but Arc won't let me. I don't want to throw my reply out (which I typed before the comment in question became unanswerable), so I'll quote the context here, and then follow with what I was going to comment with.
>>> It's actually worse than that. As an open-source developer deciding where to host a project, I not only need to trust the host, I also need to expect users to also trust the host. If I expect 10% of potential users to bounce when they see that it's hosted on Sourceforge, well, hosting is enough of a commodity that I have no reason to give up on that 10%.
>> exikyut
>> I think you've unpacked why SF is - sadly - not quite dead, but not quite as alive as it used to be.
> loganabbott [flagged] [dead]
> I could probably say the same thing about you though
---
Wh-- uhh, no. To answer your statement, I've historically been in somewhat bad shape with various mental/other health issues that I've only begun to understand and properly remedy very recently. So, I'm the most alive I've ever been (and still improving).
Okay, maybe responding that way was a bit tangential. I'm honestly not sure how to interpret your comment though. (For what it's worth, I wasn't personally uploading anything to SF when it was in its heyday, kind of because I wasn't. I did know about and download stuff though, like other developers and power/ordinary users.)
I began mentally drafting a reply to your other comment https://news.ycombinator.com/item?id=17282035 before noticing this one. I think this is the more appropriate comment for me to reply to {I said this before the comment died}, and I'll fold in the sentiment I was going to say to the other here.
Reading the other comment, I understand your somewhat frustration. Here's my perspective as a would-be developer and general intermediate-advanced user (and particularly as a frequent lurker of HN): all I've (and presumably we've) got to work with are the dead-chewing-gum armchair opinions and cargo cult views and reiterations about "yeah someone bought it (nothing seems to have happened since then though)". That's literally the only noise being made around here in terms of "news" or "updates" we get about SF. It's as bad as the lowest-quality commentating on reddit (and I consider that very bad, considering the bent towards intellectualization and healthy debate on here).
IMO, you need to work on advertising your [new] position. It will probably be an uphill (even vertical?) slog for longer than likely comfortable (maybe even financially so - ie, it sounds like some decent, long-term social media management chops may be needed).
That's a bit of a broad statement, so let me add some more data to characterize what I mean.
The open source landscape's changed a lot. Or, in less words, "everyone switched to GitHub"; or at least "all" the developers did - but that means so did all the users wanting first-hand software updates from the devs who switched. Of course only power users (or those following scripts) likely actually clone; it'd be interesting to see what projects[' users] primarily use Releases or other mechanisms to get their updates. In any case GH is the core of a lot of operations nowadays (by "operations" I mean different projects).
I am genuinely interested to learn more about the million users a day you say visit SF. Let me clarify what I mean by "interested".
Firstly, to be frank, I'm kind of amazed that a million people a day visit SourceForge and want proof :) because that's truly impressive. I don't disbelieve you, note; I just kind of want to do a trust-but-verify.
Next, from my own perspective, when I think of GitHub I see it as something most other developers either understand or, at the very least, vaguely know about as "the scary place where you have to use the commandline to make it work" (hopefully this subgroup doesn't get stuck for too long :) ). Generally in terms of publishing libraries and small programs GH removes about 98% of friction, for two reasons. First it uses Git, which (once you at least learn the clone command) Just Works™ with GitHub because GitHub URLs can be pasted straight to Git, https:// and all, and it figures it out. Secondly everyone has at least a vague understanding of Git and GitHub and there are a billion (approximately) videos and websites so people can easily find 100 things all in their preferred presentational style to get started with.
So from a social networking standpoint GitHub provides a level of predictability; I as a publisher can partially know what to expect in advance in terms of userbase and social network. Okay, so you say SourceForge has a bunch of people on board; as a developer, or an artist, or $abstract_computer_person_with_arbitrary_agenda, what can I expect in terms of connections and demographic from SourceForge? The platform itself is a gateway and an enabler; I'm frankly less interested in SF itself (that it supports SVN, Git, etc; or that it supports wikis, etc) than who it can connect me with, and what I can expect of them.
I can opine/surmise a tiny tiny fraction of the kind of thing I'm getting at when I download random obscure computer-science related things and an eyebrow goes up when I see "18 downloads/week" and I think "...how?! lol" (I know the number is valid because my download bumps it up :P). It would be pretty cool for GitHub to publicize the same kinds of statistics, but it's (sadly) probably easier to single out a rogue browser than a Git client.
So, that's the demographic question. Here's something potentially trickier.
I can't say I'm a fan of SF's interface. My main problem is that it is very very heavy. On the 12-year old machine I'm using right now it takes a lot longer to load a SF page than a GH page. This isn't because of the ads, which I'll honestly say I have nuked via /etc/hosts, primarily as a sanity measure (if ads kill browsing on modern machines, try browsing with ads enabled on a single-core 32-bit Pentium M that takes 45sec to open a new tab :D)... it's just that the pages are really heavy. Besides system load (which isn't really a legitimate statistic, I'll accept that), I definitely far prefer GitHub's much more to-the-point approach. It seems faster and more fluid.
There is one specific area of the UI that bothers me a lot: the "recommended downloads", which seem to be the same for me, every time I visit, and include a link to... Apache OpenOffice. Um. This is... dishonest? Everyone knows LibreOffice is where the development is at.
I realize this last point may be a hard one to answer. I'll offer two things. Firstly, I understand that GitHub was developed as a green-field from-scratch platform, it got to start again, and it started with a somewhat different, leaner approach: just offering a Git UI, with nothing else on the webpage. So there's that. Secondly, I understand that what you bought had a lot of, er, state in the air that needed to be maintained to keep the ecosystem running smoothly (and happily).
With the above said, I don't know what arrangements are in place behind the scenes, but I do think recommending OpenOffice is a tiny bit much from where I stand.
To sum up, I want to understand what I can get out of SF, I think it would be nice to clean the pages up (the redesign is nice, but I feel it removed a lot of info while retaining the "weight" (imposingness?) of the old design), it would be nice to understand some of the machinations behind SourceForge today, and it would be cool to better connect users and developers with each other. If a million people a day are visiting, learning about that hive of activity will attract me to the platform.
All of this doesn't need a direct reply; I would be very happy to see a highly-upvoted blog post or similar thing posted to HN sometime :)
(Obviously I can't express interest in the behind-the-scenes aspects of SF I don't know about. An in-depth exposé on how SF is currently run would probably be very interesting to some people here.)
Gotta feel bad for SourceForge: the new owners reversed the malpractices of its previous owners immediately and yet the damage is permanently done. I'll never understand why some think distributing spyware / malware for money is even remotely right in any way, shape, and form. How is any of it legal half the time...
I find it slightly odd that sourceforge is so highly shunned after the malware incidents, while various other large companies [eg. microsoft (dodgy behaviour in skype, etc.), facebook (spying, selling data), lenovo (superfish), etc.] have been caught doing similar dodgy things and yet it feels like the general community has forgiven or at least grudgingly overlooked them.
May or may not be true - that's just the feel I'm getting.
We also need to think a little about how the times were. Sourceforge rose to popularity in the early 2000s. Free and open source software (FOSS) was not just a matter of pragmatism or convenience. It was an ideology, a philosophy, and a movement strongly pushed forward by FSF, Open Source Initiative, various LUGs, and various special interest groups. Open source enthusiasts used to have very active and influential LUGs all throughout the world. There used to be free and open source software conferences all over the world with the sole agenda of increasing open source awareness among the general public.
In those years, most of the developers who chose to host their projects on Sourceforge strongly believed in this ideology. GPLv2 was the most popular open source license then. Given all this, it makes sense that those early users who held freedom of software to be sacred were very pissed when Sourceforge decided to bundle closed source adware into the binaries of these open source projects without the explicit permission of these open source developers.
Times have changed a lot since then. GPLv2/v3 license is now considered too restrictive and the MIT license is more popular. Most of the tech community understands the concept of open source more or less. The movement in favor of software freedom has begun to lose momentum. Open source software makes a lot of business sense, so we don't need the push for open source software anymore like we used to in the early 2000s.
Even some people like me who once would run nothing but a completely free operating system with free tools have now begun to use proprietary drivers because as we have grown older, got busy, with kids and family, the time spent tinkering with open source drivers is not worth it, we would rather use something that just works. When we use Microsoft and Facebook we know what we are getting into and most of us are more or less okay with it. It's different times and different kinds of users. That explains why Microsoft and Facebook do not get penalized as heavily as Sourceforge did. Sourceforge violated something that was held sacred during those times. Microsoft and Facebook have no notion of sacred-anything.
SourceForge gets shunned first because it’s easy. There are lots of great alternatives to SourceForge. SourceForge was already on the decline before their adware bundling fiasco so continuing to not use SourceForge is no burden for most devs.
Second, what SourceForge did was worse than your examples. They modified trusted applications to add essentially a malware payload. This is worse than Facebook collecting too much data and being shady with it. SourceForge was installing spyware on machines without permission. This betrayed the trust of both users and publishers and even damaged users’ trust in those publishers.
The only one of your examples that is comparable is Lenovo’s Superfish mess, and in that case they only betrayed users, not publishers. Not that it actually makes it better, but it changes the impact to Lenovo.
It's worth noting that SourceForge didn't modify trusted applications. They switched their download buttons on the site to download an "installer app" by default that would act as the installer, offer bundleware, and then live download the actual app installer as part of the install process. Apps like GIMP etc were never, to my knowledge, modified to bundle GIMP and bundleware within a single installer.
Source: I was hosted on SourceForge at the time and approached about participating in DevShare. I researched it extensively and saved copies of the stub installers for things like GIMP as part of that research.
Thanks for sharing the highly relevant piece of information. It always bothered me someone had to go through the effort to download the original source and rebuild the projects, just the thought of all the effort taken to do that... It seemed odd, I can imagine some projects having some obscure build processes (it happens) and the amount of effort taken to add in their spyware installer seemed a little crazy to me.
That is an interesting piece of info. I was under the impression that they had actually delivered modified installers. From a practical standpoint, though, this is an implementation detail and the effect was largely the same.
Yeah we're profitable now without DevShare. Lotta people hated what happened to SourceForge, including me. That's why I bought it and removed DevShare.
Other than these uninformed HN threads, most people can distinguish between the owners that did the bad stuff, and the owners that bought it specifically to undo the bad stuff.
Why would you feel bad for us? We removed the malpractices right away, became profitable, improved the experience for over a million daily users, and are growing at a rate not seen since before the problems. I'd say we have the opposite of a problem. A few random armchair quarterbacks on Hacker News aren't gonna get us down.
... which is exactly what you're expected to say. It's extremely rare to come across any meaningful projects these days that decide to associate themselves with sourceforge.
That just tells me your breadth of knowledge of the open source landscape is limited. You can scroll down this thread to see plenty of big projects still at SourceForge.
You said his company was permanently cursed. He showed up to cheerfully deny the curse existed, then you called him a liar and said no one important used Sourceforge.
Now you say he is “publically attacking” you just by saying you are wrong.
Ok.
I am going to give him the benefit of the doubt and not believe you.
I meant the negative view that will remain for those who are not aware of the U-turn that you've done for SourceForge. I agree. Care to share some of the future goals you have for SourceForge? Or link to any public statements of such? Would love to see where SourceForge is headed.
I feel bad for you because you (naively?) have no idea about what you're talking about. We bought the ship to save it. You can give us flak if you want, but we felt strongly enough about the projects on SourceForge to put our neck on the line to save it. Didn't see anyone else doing that, despite their complaints.
We have nothing to do with the previous owners. In fact, FileZilla from their own official site still has a bundled installer, but we made them remove it from SourceForge. SourceForge FileZilla is cleaner than the official site. Check VirusTotal to verify.
That's really interesting. Thanks for pointing this out.
You (sourceforge) have been getting a lot of, imo, unfair flak in this thread and I just wanted to say thanks. Honestly sourceforge isn't the first place I think of when I need to host code, but I have downloaded a few projects from there in the past weeks and it was much nicer than I remember. I'll make a point to check it out one of these days :)
Websense blacklisted Sourceforge after the 2013 DevShare debacle. It has remained blacklisted since. It is blacklisted in many other web application firewalls and content gateways too. Sourceforge is inaccessible from many corporate networks due to this. It will remain inaccessible for many more years to come.
It's unfortunate how Sourceforge, once a leader in the open source community, lost the trust and reputation it built over 14 years in a matter of a few weeks. It may take another 14 years to regain this lost trust and even that may not be enough.
>It may take another 14 years to regain this lost trust and even that may not be enough.
That's absolutely absurd given how often the biggest names in 'tech' make headlines with one egregious act or another, on a seemingly weekly basis, and continue to march on. As if the tech community can sit atop some moral high ground, thumbing its nose at SourceForge. But nah, let's just keep crapping on a company no longer under the same ownership and no longer committing these acts and hasn't for some time.
> let's just keep crapping on a company no longer under the same ownership
I have no intention of crapping on SourceForge. I am merely making an observation. I think many would agree that users have lost trust in Sourceforge regardless of the history or current state of ownership.
In fact, I used to appreciate loganabbott's (the new president of Sourceforge) attempt to amend SourceForge until today when I see the same person posting insinuating and insulting comments towards potential users.
I have no intention of crapping on SourceForge because SourceForge is largely irrelevant to me. I host my projects on GitHub these days. If GitHub becomes untenable for any reason, I might move to Gitea. But I am definitely not coming back to Sourceforge after seeing these juvenile comments coming off from the president of Sourceforge in this thread. Don't know about others but he has definitely managed to piss me off as a user.
Regarding why Sourceforge gets the kind of flak other companies don't, I have commented about it here: https://news.ycombinator.com/item?id=17281519 (again this is merely a conversation, not a passing of judgement).
Sorry if my comments rubbed you the wrong way, but it's a bit frustrating when these threads pop up weekly, and people feel like it's open license to attack me and my company. We really are doing our best to make SourceForge a trusted destination, but still get the flak as if we were the previous ownership.
It's worth pointing out that SourceForge as we knew it back then ceased to exist quite some time ago. SourceForge was sold to DHI Group, Inc. (DICE's parent company) in 2012 and many of the staff were let go as part of the sale. DevShare came into play in 2014 and was originally billed as a way to help open source developers who wanted to sign up earn an income from their open source work. But then it wound up using dark patterns and then it was morphed into something more and started to be added to projects that didn't want it done (in violation of some trademarks and the like). This destroyed the good will that still existed around the brand even though most of the folks who made SourceForge SourceForge were long gone.
SourceForge was then sold again in 2016 to BIZX, LLC who killed the DevShare program and started scanning all downloads for malware and other baddies.
You're obviously very frustrated by how people see the service, but you can't blame them.
The GIMP incident made pretty big news, and for many people, the name "SourceForge" will stay equivalent to a malware-injecting host. Anyone who decided to keep the name should have anticipated that.
I'm not frustrated, but these threads show up on HN almost weekly now, with armchair quarterbacks who really are not current on the state of open source opining ill-informed opinions. They even know we are new owners who immediately killed all the bad stuff, and still blame us. I cared about SourceForge, so I bought it and removed DevShare, and still get the blame. People know that we have nothing to do with the old owners, but recreational online outrage is fun, so they continue to blame us for saving it. Cognitive dissonance is en vogue right now. I guess if someone's lonely Sunday night is made better by shitting on the people who did everything in their power to save SourceForge, then go for it. I just think people's time can be used better.
Maybe change your name from source forge to something else.
You can rehabilitate the brand, but that will probably take a lot more money than just changing the name.
Edited to add:
On the front page I also see "Business VOIP" and "Cloud Storage" and "Internet speed test". Maybe you want to remove those links and focus on software development.
This diatribe just tells me Websense and you are not informed on the current state of the open source community. We bought SourceForge in 2016 specifically because we hated what happened with DevShare and killed it on day one. You can continue hating us simply because of the previous owners, but you can probably find better stuff to do with your time. Nobody uses WebSense anymore anyway except for high schools trying to stop students from watching porn during art history class.
You are insinuating that both Websense and I are not informed about the current state of Sourceforge. Insinuating your potential users like this is in poor taste considering you are the president of Sourceforge.
I am very much aware and I followed the HN thread [1] when you acquired Sourceforge and when you commented extensively trying to reassure us that you will turn Sourceforge around. Sure you have made efforts but I think it is quite clear that the good measures you took came a little too late.
Frankly, your comments in that acquisition thread [1] were more balanced and mature. The comments you are posting in this thread are coming off as immature.
You also seem to be misinformed about Websense. Websense and other web application firewalls and content gateways are very much in use in many corporate networks including mine. Looks like I am not the only one with this issue.[2]
As a consumer of source code, I do not use a graphical web browser to search and download from Sourceforge. A relatively simple http/https client will do. (Occasionally I have used cvs or svn if that is the only access.)
Despite any changes in Sourceforge's ownership/management, I have not experienced any problems retrieving source code. I have not tried to use a graphical browser on Sourceforge since the 1990's. No need.
As an end user of source code, I access Github the same way, without graphics. I do not need to use a web browser or any git executable to fetch a .zip or .tar.gz archive. Will this sort of easy access continue under the new management? I guess time will tell.
Sourceforge still hosts a substantial quantity of what I consider educational/useful software. Of course, Github hosts exponentially more.
Out of curiosity, using archived Github data, I am making a list of Github users and will be monitoring changes as the acquisition progresses. Will they lose many users? Where will the users who leave put their code?
I am debating whether to also construct CSV files with repo names and descriptions for a personal Github database to aid in software discovery. I expect it might not be as easy to compile such a database in the future. I could be wrong, but it is impossible to predict what will happen. Time will tell.
> As a consumer of source code, I do not use a graphical web browser to search and download from Sourceforge. A relatively simple http/https client will do.
One caveat: all the file download links end in .../download, so if I throw the URL at wget it will save "download?verylongblahblah=blahblah1234567890". I have to use `wget --content-d` (short for content-disposition) to actually save the name correctly.
It's really annoying, but a behavior that has existed for many years.
GitHub fixed this with everything, from release downloads to raw gist links, by putting the "download" attribute further back in the URL, and having everything after the final slash be the uploaded file's filename.
Yes it is. There is a certain consistency/uniformity to the url and site structure with Github that Sourceforge does not have, for whatever reason. Not to mention the absence of the mirror choosing routine. I really appreciate the ease and simplicity of Github downloads, which is precisely why I am concerned about the future.
Setting aside the malware issue, and the project graveyard smell, and just looking at it like a new platform, the design just seems all wrong. The big comic ui elements are ugly and unprofessional, and the code is too hidden, not the central point of the project.
This! I didn't use it enough for the malware thing to anger me much, when it hit, I was already mostly using things from github, and sometimes bitbucket...
The design of sourceforge feels spammy and like early 2k's hotscripts or cnet/downloads.com. I want to click on a project and see the readme and a list of their files so I know what framework/language it's built on from a glance, is it node/php/rails?
I've been playing with gitlab a lot lately for my own projects, I love the way I can easily segment things by groups without doling out cash for my side projects and private repos are nice. You get a lot on their free tier.
Though a lot of my github usage is browsing projects for things I can use in my own code, like admin panels, or integrations of vue/react, vuex/mobx, an auth flavor and x web-framework.
Can you actually host code on SourceForge? I've been searching for 10 mins in a couple different projects and the only thing I've found is one link to a private SVN server.
You can do git, mercurial, and svn repositories under SourceForge. You are not required to do any of them, though, so some projects roll their own elsewhere or just post source code in compressed archives.
[1] https://arstechnica.com/information-technology/2016/06/under...