News A heads-up to all developers using SourceForge as platform

Face

As I know that there are many developers here that use SourceForge as a development platform, I'd like to share this news for consideration: http://www.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/

tl;dr said:
SourceForge, once a mighty force for the good of Open Source, has fallen far from its previous lofty heights. Dice, the new owners, bribe strongly encourage the top projects to use a new (closed source only) installer that pushes spyware / adware / malware.
Developers using SourceForge should migrate away from it if they want to keep their integrity. End users using projects hosted on SourceForge should immediately find an alternative.

I'm not sure how relevant that issue is to certain Orbiter-related projects, so please find your own opinion about it.
 

Urwumpe

No such suggestion here, but I am pretty sure, that the SSU team as whole would rather move to a new server, than distributing potential malware.

But I am not sure if this is a SourceForge problem or rather a FileZilla project problem. I don't know of any more projects with such installers. Also, Dice was not yet known for building up a "low quality" image for PR, as a job market for overpaid IT professionals.
 

Face

Github has seemed like a good alternative recently.

But Github only supports Git, and this is not everybody's cup of tea. I think many Orbiter projects on SF either use CVS (e.g. NASSP) or SVN (e.g. OVP, SSU).

---------- Post added at 21:17 ---------- Previous post was at 20:06 ----------

Urwumpe said:
No such suggestion here, but I am pretty sure, that the SSU team as whole would rather move to a new server, than distributing potential malware.

But I am not sure if this is a SourceForge problem or rather a FileZilla project problem. I don't know of any more projects with such installers. Also, Dice was not yet known for building up a "low quality" image for PR, as a job market for overpaid IT professionals.

According to a comment on HN, this installer was introduced 3 weeks ago, and was already discussed on reddit: http://www.reddit.com/r/technology/comments/1jk1gz/sourceforge_starts_using_enhanced_adware/ . The comments there make it look like it is not a FileZilla problem, but an opt-in "service" of SF.
 

Enjo

It's good to know, but if you decide not to use this installer then there's no difference from the competition.
 

Pablo49

Face said:
But Github only supports Git, and this is not everybody's cup of tea. I think many Orbiter projects on SF either use CVS (e.g. NASSP) or SVN (e.g. OVP, SSU).
Google code!
 

Linguofreak

Is there a list anywhere of projects known to use this installer?

I don't use Windows much at home anymore, but it would be nice to know which FOSS projects I should consider boycotting on account of their use of the installer for their Windows releases.
 

Face

Enjo said:
It's good to know, but if you decide not to use this installer then there's no difference from the competition.

Of course there is a reasonable chance that opt-in becomes opt-out, and eventually opt-out becomes mandatory. If this "beta program" is successful, you can bet on it going this route. After all, a company wants to make money, and this is - in their own words - "a sustainable way to fund open source software".

IMHO, an open source software development platform that allows - and even encourages - crap-ware stub installers that download the actual software from untrusted sites is a security risk. Of course an expert user will identify such blatant scam early enough to be a danger to him, especially if only a small set of projects there have it. Standard users, though...

Therefore SF lost all credit in my book, and I'll approach it like other dubious download sites out there: with caution. So any Orbiter project hosted there will naturally get the same suspicion, just as any web-site hosted on a free hoster with black background and blinking tags. Well, maybe not that bad, actually :lol: .

regards,
Face
 

Urwumpe

Face said:
Therefore SF lost all credit in my book, and I'll approach it like other dubious download sites out there: with caution. So any Orbiter project hosted there will naturally get the same suspicion, just as any web-site hosted on a free hoster with black background and blinking tags. Well, maybe not that bad, actually :lol: .

I find it worse that such practices undermine the core values of open source software. What is the worth of having software that you can trust because many people can look at the source code and see bad code in it, when you get malware secretly via the installer? Malware isn't just damaging your computer and stealing your money... malware is also spying on you and gathering information about you, without asking you.

Thus, I think we should observe things carefully. SourceForge was a good home for Orbiter add-ons and I don't want to break with them based on a few rumors on tech sites.

Heise Online has not even reported on such practices at SourceForge yet, and I trust Heise much more than your sources there, because they are not subject to editorial control. Nobody risks much there when they report something wrong or spread lies. It's different with the more classical media, which have a name to lose.
 

Face

Urwumpe said:
Thus, I think we should observe things carefully. SourceForge was a good home for Orbiter add-ons and I don't want to break with them based on a few rumors on tech sites.

Heise Online has not even reported on such practices at SourceForge yet, and I trust Heise much more than your sources there, because they are not subject to editorial control. Nobody risks much there when they report something wrong or spread lies. It's different with the more classical media, which have a name to lose.

Well, if SF itself admits it, I don't need Heise to believe it is true. But I agree that this needs observation to see if they backtrack from or proceed with this strategy. If it really is only the FileZilla project as beta tester, and they later on announce an official ending of the "program", I'd be inclined to trust the site again. Until then I'll default to distrust anything coming from SF.
 

Urwumpe

Face said:
Well, if SF itself admits it, I don't need Heise to believe it is true. But I agree that this needs observation to see if they backtrack from or proceed with this strategy. If it really is only the FileZilla project as beta tester, and they later on announce an official ending of the "program", I'd be inclined to trust the site again. Until then I'll default to distrust anything coming from SF.

No, they admit something different, like I said above: that this is the project's choice. Not the "evil DICE turning SourceForge into a whorehouse".

FileZilla wanted money and SF helps them there... for a small financial gain for themselves as well.

If more projects follow FileZilla, it is also OK. It's THEIR choice. But if SourceForge makes this silently opt-out or mandatory, we would have a situation.

PS: even with 8000 downloads for an Orbiter add-on, the income for the project would be a few cents. Not really enough for selling your soul.
 

Face

My comment was based on this statement:
IMHO, an open source software development platform that allows - and even encourages - crap-ware stub installers that download the actual software from untrusted sites is a security risk.

This they admitted. They actively encourage this kind of practice, and this is enough for me.

SF with its rather strict ToS regarding FLOSS gained much respect for being a trustworthy project host. With this move, they are not anymore.

Of course there is a long way to go until they are "evil DICE", but this is not the point.

---------- Post added at 12:17 ---------- Previous post was at 11:45 ----------

Some more level-headed article about it from LWN: http://lwn.net/SubscriberLink/564250/0a106d6379c0d741/
 

SolarLiner

Face said:
But Github only supports Git, and this is not everybody's cup of tea. I think many Orbiter projects on SF either use CVS (e.g. NASSP) or SVN (e.g. OVP, SSU).

I've been able to commit to Git using TortoiseSVN. So I guess it works.

I'm not sure what to think about this. Should *everyone* go away to other platforms, or only the ones that use closed-source installers?
If I use NSIS for my Shuttle PB Mk2, will it be okay? Or even with a zip file?
 

Face

SolarLiner said:
I've been able to commit to Git using TortoiseSVN. So I guess it works.

Github and Bitbucket (and I think Codeplex, too) use a bridging system to fake a SVN server to clients. The repository itself is the native VCS (Git in Github's case).

Those bridges are often mere crutches, suitable for the occasional committer, but not for advanced users of SVN or even admins. I also think that locks and file-granular permissions as well as externals and properties are not supported by most of these bridge implementations (for the obvious reason of dealing with different VCS paradigms).

SolarLiner said:
I'm not sure what to think about this. Should *everyone* go away to other platforms, or only the ones that use closed-source installers?
If I use NSIS for my Shuttle PB Mk2, will it be okay? Or even with a zip file?

I don't think that it is necessary to jump ship head-over-heels now. Keep in mind that project hosting involves more than just binary releases and source code. Issue trackers, wiki pages, static home pages, screenshots... everything needs consideration.

Having a good migration strategy and alternative hosting sites ready, however, is certainly a handy thing when/if :censored: hits the fan. I would also suggest doing releases via OHM instead of the SF download service.

The system works with a stub installer. Instead of giving you the real file at download, it gives you a small installer that downloads and runs the actual file for you. Unfortunately, this small installer is closed source and tries to get you to also install other software on your machine. Ask.com is one of those, apparently. So even if you only have some kind of self-extracting ZIP archive, the system theoretically works. Fortunately it is opt-in AFAIK. I.e. you have to administer your project to enable this "feature".
 

Enjo

Face said:
Of course there is a reasonable chance that opt-in becomes opt-out, and eventually opt-out becomes mandatory. If this "beta program" is successful, you can bet on it going this route.

And only this would give enough reason to finally switch. And this only if I used SF for binary releases. My projects there are kept in source form, so no installer can be attached. I use OH for the binary releases. Besides, Orbiter projects' user base is very small compared to that of FileZilla. No sane person would even try to make money on Orbiter projects. And this also brings us to another general rule: it's hard to make money on more intelligent people, because they usually are able to find/build free alternatives. The FileZilla author must have thought that he's got enough dumb, greedy users that he can charge them money. He might also be aware of the rule that I've presented, as he has left the door open for cleverer people, by still hosting a portable (zip) release without the installer. And there's no reason to think that somebody has outsmarted the author by downloading the zip (re: comment in this blog). I believe it's fully intentional from the author's perspective.

As for having some burden of the SF's shame on my own projects - I don't care in case of Orbiter. OH and O-F serve as the faces of my addons for Internet communities. My potential employers don't even care where they are hosted.
 

Face

Enjo said:
And only this would give enough reason to finally switch. And this only if I used SF for binary releases. My projects there are kept in source form, so no installer can be attached. I use OH for the binary releases.

So if it happens you would still keep your projects there, because you don't have anything to fear due to it being source form only?

Enjo said:
Besides, Orbiter projects' user base is very small compared to that of FileZilla. No sane person would even try to make money on Orbiter projects.

We already had some folks trying that, and one of them was even part of a team creating a much respected add-on. I would not go so far as calling them insane, just... well... tempted to monetize from their valuable work.

Enjo said:
And this also brings us to another general rule: it's hard to make money on more intelligent people, because they usually are able to find/build free alternatives. The FileZilla author must have thought that he's got enough dumb, greedy users that he can charge them money. He might also be aware of the rule that I've presented, as he has left the door open for cleverer people, by still hosting a portable (zip) release without the installer. And there's no reason to think that somebody has outsmarted the author by downloading the zip (re: comment in this blog). I believe it's fully intentional from the author's perspective.

I think we all agree that this way of monetizing from FLOSS is not OK. It is designed intentionally to trick people into installing unwanted software.

Of course there will always be people that think it is OK to get money from dumb people, just because they can. My point is that this happened with the full acknowledgment of a formerly respected open source development platform. Thus it somehow legitimizes this practice for hesitating project owners who may "feel" it to be a scam (and rightfully so IMHO!), but now think it is a perfectly fine way to treat their user base.

I also think that the possibility of circumventing the stub installer is just an excuse. Of course "clever" users will always find a way to go around such restrictions. It is the openly impertinent way this is introduced as a feature.

Enjo said:
As for having some burden of the SF's shame on my own projects - I don't care in case of Orbiter. OH and O-F serve as the faces of my addons for Internet communities. My potential employers don't even care where they are hosted.

That's cool if it works for you.

I fortunately switched away from SF long ago, and just now deleted my account on SF as well as my project mirrors there, as I certainly don't want to be responsible for putting malware on anybody's computer by means of my work.
 

Urwumpe

Face said:
I think we all agree that this way of monetizing from FLOSS is not OK. It is designed intentionally to trick people into installing unwanted software.

Yes. It gives the impression that this other software is needed or recommended for the intended software.

But still, I think the blame should first of all go to the projects, which leave the open approach behind for money. You can also make money with transparency. Maybe not that much, but enough.
 

Enjo

Face said:
So if it happens you would still keep your projects there, because you don't have anything to fear due to it being source form only?

Probably yes. For the reason that I don't want to spend too much time on moving here and there. I'm lazy and I have other priorities.

Face said:
We already had some folks trying that, and one of them was even part of a team creating a much respected add-on. I would not go so far as calling them insane, just... well... tempted to monetize from their valuable work.

What I really meant is that Dice wouldn't be so insane to force using their installers on something so $mall as Orbiter projects. As for the project you are talking about - you can see that it didn't work, which proves my latter point. It may be a sad story, but it's not a proper community to make money on. It will fail here. It's a free sim, and a more clever user base.

Face said:
I think we all agree that this way of monetizing from FLOSS is not OK. It is designed intentionally to trick people into installing unwanted software.

I'm trying not to judge it. It's the author's thing what he does with his software. But to the same extent he also has to face consequences of lost trust.

Face said:
I fortunately switched away from SF long ago, and just now deleted my account on SF as well as my project mirrors there, as I certainly don't want to be responsible for putting malware on anybody's computer by means of my work.

The alternatives look very new-school and progressive. At some point I will switch, but rather just for the fun of doing it, not from fear. As I said, I need to prioritize my tasks.
 

kamaz

Well, once again we see that if you want to provide something to the world for free, you have to pay for it :(

Anyway, if you are using SVN and looking for alternatives, this page will be useful: http://www.svnhostingcomparison.com/

And, if you're thinking about setting up your own server, then this page has a lot of offers for cheap (<$5/month) virtual servers: http://lowendbox.com/

---------- Post added at 08:59 PM ---------- Previous post was at 08:50 PM ----------

Urwumpe said:
No, they admit something different, like I said above: that this is the project's choice. Not the "evil DICE turning SourceForge into a whorehouse".

But this does a lot of damage to anyone still using SF.

Network admins know that you don't download stuff from untrusted sources (and they teach that to users -- at least, they are supposed to). Until now, SF was a trusted source, because you could be virtually sure that stuff downloaded from SF contains no adware.

Since SF now puts adware in downloads, the only logical response (at the policy level) is to treat SF as an untrusted source. Doesn't matter if it's opt-in or opt-out. All that matters is that stuff downloaded from SF can contain adware/malware.
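Face's description of the mechanism earlier in the thread (a small closed-source executable that fetches and runs the real package instead of the package itself) and kamaz's conclusion here (treat the whole site as an untrusted source) point at the same practical check for anyone still pulling releases from such a host: compare what you actually received against a checksum and size the project published somewhere other than the download page, and refuse a file whose format is not what the release claims. The Python below is an added example, not code from this thread, from SourceForge, or from any of the projects named in it; the "release" archive, the stub executable and the "published" checksum are all constructed inside the script so it runs offline.

```python
"""Check a downloaded release artifact before running it.

Added example (not from the thread or from SourceForge). A download wrapper
replaces the file you asked for with a small executable that fetches it later,
so two cheap checks catch it: the bytes do not hash to what the project
published, and a file that should be a zip archive turns out to be a PE image.
All sample data below is constructed in place and stands in for real releases.
"""
import hashlib
import io
import struct
import zipfile


def build_sample_zip() -> bytes:
    """Stand-in for a genuine add-on release archive (constructed, not real)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Modules/ShuttlePB.dll", b"placeholder bytes, not a real DLL")
        zf.writestr("Doc/ShuttlePB.txt", b"placeholder readme")
    return buf.getvalue()


def build_sample_stub() -> bytes:
    """Stand-in for a download wrapper: a minimal MZ/PE header and nothing else."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points at the PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


GOOD_ZIP = build_sample_zip()
STUB_EXE = build_sample_stub()
# The checksum and size a project would publish out of band (its own site, a
# signed announcement, the forum release post), never read off the page that
# serves the file: whoever swaps the file can also swap a checksum shown beside it.
PUBLISHED_SHA256 = hashlib.sha256(GOOD_ZIP).hexdigest()
PUBLISHED_SIZE = len(GOOD_ZIP)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_zip(data: bytes) -> bool:
    """True if data starts with a zip local file header (a non-empty archive)."""
    return data[:4] == b"PK\x03\x04"


def verify_download(data: bytes, expected_sha256: str, expected_size: int,
                    expected_kind: str) -> list:
    """Return a list of problems; an empty list means the file may be used."""
    problems = []
    if len(data) != expected_size:
        problems.append("size mismatch: got %d, published %d"
                        % (len(data), expected_size))
    if sha256_hex(data) != expected_sha256.lower():
        problems.append("sha256 mismatch")
    if expected_kind == "zip" and not looks_like_zip(data):
        kind = "PE executable" if looks_like_pe(data) else "unknown format"
        problems.append("expected zip archive but got " + kind)
    return problems


if __name__ == "__main__":
    for name, blob in (("genuine archive", GOOD_ZIP), ("wrapper stub", STUB_EXE)):
        issues = verify_download(blob, PUBLISHED_SHA256, PUBLISHED_SIZE, "zip")
        print(name + ":", "OK" if not issues else "; ".join(issues))
```

The hash comparison is the check that matters; the size and format checks only make the failure readable (a stub shows up as a tiny executable where an archive was promised). The check is worthless if the reference checksum comes from the same page that serves the file, which is why the script treats PUBLISHED_SHA256 as something obtained from the project itself.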
 

Quick_Nick

Amazon Web Services has a free tier for one year. I've been using a 'micro' Linux server for SVN for a couple months. (I started an account for some actual processing jobs, but that is finished)
 