There is zero excuse for what they did, and zero excuse for what they have been doing for the past years.
Once again reposting what I said in the other thread (which seems to have been modded off the frontpage, sad).
I'm one of the lead devs of LXQt and an LXDE sysadmin. We use Sourceforge for our mailing lists and some LXDE legacy stuff.
I'm absolutely sick of them. It's not the first time this has happened. I've been pushing for us to move off SF for a while and this is a good occasion to push for it harder.
I've sent an email [1] detailing plans to move. I am urging everyone who still has projects on Sourceforge to do the same.
If you have similar migration problems to solve as the ones I've highlighted in the email, please contact me directly and we can share the workload. My email is available on my Github profile [2].
It's unfortunate there aren't many good hosted mailing list services out there. Google Groups makes it hard to use without a Google ID, and mailman is tricky to set up/maintain.
I wish Github would get into that business. Easily set up MLs for organizations/projects and integrate them, do what they do in regular issues (markdown processing, autolinking issues etc).
In fact, I wish anyone would do that. I've had detailed plans of what a service like that would look like for over two years, and no time to take a stab at it myself. If someone here is actually interested, feel free to contact me.
Let's not make it appear easier than it really is. Email is hard. Mailing lists are even harder. There are a lot of non-obvious things you have to know about email before you even start to tackle things like these, and on top of it you have to handle spam, registration/security, moderation, etc. It's a lot of hard, dirty problems.
But like a lot of successful people will tell you, if you want to be successful too, solve the dirty problems.
Why does it have to be a mailing list? Can a software project communicate with an interface platform more like HN/Reddit? For that matter, could you use a subreddit for the purpose without obviously violating Reddit's TOS?
Some do. It depends on the nature of the development. Mailing lists are a very popular format. One of the other projects I manage communicates near-exclusively through IRC. But good mailing lists have the main feature of topic-centered discussion, usable with just an email address (very low barrier of entry, easy to add new people to the conversation, easy to continue a topic in private).
Voting isn't generally a feature you want for discussions - voting provides visibility over a short period of time, and then the topic dies off, which is a very big issue with reddit-likes being used for discussion. Newcomers to a highly popular topic are on equal footing with the rest of the participants, while on Reddit/HN the topic is overwhelmed and only the highly popular, old comments get visibility.
This is very suitable if you don't want everyone to have equal footing. For example, discussions centered around video games, politics, social issues, etc. For open source it tends to be bad. This is an off-topic meta-discussion I'd love to take further, in private, if only it'd take me a click to do so. :)
Then there is the spam. Once targeted the spam can get really bad. Meteor JS suffered this and moved to the open source forum software http://www.discourse.org.
I have a bunch of minor projects on SF, which I'm now going to look into moving, and yes, migrating the mailing list is the hard part. Project hosting on my own server is easy; mailing list hosting is not. (I used to run my own mailing lists. Never, ever, again.)
One option is to migrate away from mailing lists and towards something like a forum; but forums, while they provide very low barrier-to-entry, produce a fundamentally terrible user experience. (Yes, including HN. This text box I'm typing into is an embarrassment.)
What I'd really like, I suppose, is a service which provides an easy-to-use web forum with an SMTP gateway for those people who hate forums. And then have it all hosted via my project website so that I don't have to redirect people to some dubious third party site. Bet I'm not going to find one, though...
> I have read and agree to the above terms, and agree that if I ask FreeLists for email addresses or send SPAM using their resources, they have permission to inflict severe pain on me with large, blunt objects.
FreeLists is a great, "no bullshit" service. It's run by a geek friend/ex-co-worker of mine. The only "caveat" is that everything must be public (i.e. no private/closed lists).
If your project uses GPL-compatible licenses, then you can use gna.org [1]. Unfortunately the website is a bit old fashioned and git isn't supported for version control, but it's fine for web and mail hosting for Free software.
Zero screenshots or anything of the kind. When I want a demo, I don't want to take extra steps just to be able to look at that demo, I just want to take a look right now.
Those prices are really high too for what it presents itself doing. And I don't care about all the people talking about how awesome it is, really I don't. Show me the sausage.
If this project wants to go anywhere it's going to have to severely review its strategy.
Based on the pricing it doesn't look like this is aiming to be a replacement for mailman or majordomo public mailing lists, but more for internal private lists.
150 members before you're in the "if you have to ask you can't afford it" bracket -- even small, niche projects would have more people than that subscribed to the announce list -- and that's $129/month. You could run a majordomo list with no member limits on a VPS for less than $10/month.
>I am urging everyone who still has projects on Sourceforge to do the same.
Where is that other great free service which hosts large binary assets, web sites, wikis, forums, and trackers, i.e. everything you need for a project?
Github is only a solution for software without meaningful binary assets where the user is expected to build the software himself and no community interaction beyond pull requests and issue reports is desired.
There is no free alternative to SF for many users, that is the problem. And well, "free", that is the key word here, at the end of the day SF has to make money somehow. As a non-paying SF user I cannot really complain about ads.
> Github is only a solution for software without meaningful binary assets where the user is expected to build the software himself and no community interaction beyond pull requests and issue reports is desired.
GitHub Releases addresses this (i.e. you can release compiled binary assets as your "release", rather than just an archive of the repository). Also, GitHub Pages is pretty useful if you want to build a user-facing site for your project.
Ad-supported business models are OK when the website is view-driven. When the site is download-driven, web ads will never make up for the bandwidth costs, so you'll often end up with sites distributing adware to make up for it (target the area of your product that is actually being used).
So this is a broken model that Sourceforge entered itself into. You absolutely can and should complain that a service has a broken business model resulting in a horrible user experience.
It seems like the obvious business model for SourceForge is to allow you to get rid of ads with a LinkedIn account, then charge recruiters and tech companies looking for active developers or tech savvy individuals.
I'm not sure if that model would make people happier.
Software distribution used to be done via FTP sites, separate from the project web pages, documentation, issue tracker, etc. iBiblio [0] will still host stuff for distribution. There's also Savannah.nongnu.org [1] which is an old fork of the SF code.
> Github is only a solution for software without meaningful binary assets where the user is expected to build the software himself and no community interaction beyond pull requests and issue reports is desired.
I have no experience with them, but I've seen some projects using Bintray:
For binary assets, why not just rent a cheap DigitalOcean box? You get a 20GB server for $5/mo.
Throw up an nginx install to forward part of the site to github, and downloads direct from disk, and you have a nice - and fully customizable - project setup.
Given that the parent company of SF.net was recently purchased by Hot Topic, of all companies (presumably primarily for ThinkGeek), I doubt SF.net is long for this world.
Edit: doh, I didn't realize they had been sold off already. Never mind. :)
>This one seems a matter of opinion. A lot of the world's most popular apps and sites seem like junk to us. But the users are choosing to install these things.
It's also worth mentioning that one reason for Chrome's market share is this exact practice. When you let Java automatically update itself and download the new version on Windows, if you don't uncheck a box, surprise... you get Google Chrome installed asking to be default browser. When you want to download Flash plugin for Opera or Mozilla and go to Adobe's site, if you don't uncheck a box, surprise... you get Google Chrome installed asking to be default browser. When you let the free version of Avast update itself on Windows, if you don't uncheck two boxes, surprise... you get Google Chrome installed asking to be default browser AND Google toolbar installed into IE.
Are they choosing? I've accidentally installed this crap on a number of occasions, and I'm typically very vigilant about it. But it's impossible to be perfect. That is where the adware market has gone: banking on the small-but-not-0 probability of someone forgetting to read installer wizards very closely, 100% of the time.
What systems are in place to prevent this from happening with package manager systems like apt-get, yum, or even npm? How often do we just blindly "sudo apt-get install blah-blah blah"? I know I don't read the dependencies.
> What systems are in place to prevent this from happening with package manager systems like apt-get, yum, or even npm? How often do we just blindly "sudo apt-get install blah-blah blah"? I know I don't read the dependencies.
Distributions don't typically package and distribute malware. And everything packaged in a distribution should be removable via the same package manager that installed it. So, while you might get a package you don't want, that package won't start showing you ads or harming your system, and you can always trivially remove it.
So the answer is "trust"? We're supposed to just trust Canonical, the company that put Amazon ads in our desktop search, to not figure out they could put adware in their package repository?
I didn't know about that. Too bad, and the way PG was defending a crapware installing product was really unconvincing. Any application which installs other ones by relying on accidental clicks by users is without a doubt doing wrong.
Only when the ads aren't coming from Microsoft themselves. Like how they pushed KB3035583, the advertisement to upgrade to Windows 10, as a "recommended" update that would be installed without user interaction if you had WU configured to download automatically.
The next OS update isn't really "adware", or an ad, especially when it's a free update that will most likely be updateable to the RTM build (based on how smooth build-to-build upgrades have gotten). If you're going to apply this standard, OSX does the same thing now, it'll prompt you to update to the latest 10.X. Ubuntu does it too, it lists it at the top of the software upgrade.
YC funding should not be taken as any kind of ethical seal of approval. It's not their job, and they are demonstrably bad at it. pg described AirBnB as "among the nicest of all the people we've funded" and their CTO was already a huge spammer and now a repeat offender.
I typically use the Ninite installer on a clean, freshly installed Windows machine because the installer can be run again in the future to update those same apps. Chrome/Firefox/etc. will auto-update themselves, but for those apps that don't, they will be updated to the latest version if/when you re-run the same installer that you originally downloaded.
If you already have them installed, you do not have to select them, but Ninite will update them to their latest versions if you do. You can also keep the installer it gives you and re-run it later to update the programs.
It had been over a year since I installed FileZilla, but I re-imaged one of my machines and needed it. Hopped out to SourceForge not thinking too much of it (not a fan of the UI and ads within, but I know my way around to avoid them at least). Started the install and it wants to install MacKeeper. Can't begin to describe how disgusted I was. I wasn't sure if that was caused by SF or FZ, though.
4) The reason why they did it is actually completely irrelevant. "I killed him because he slept with my wife" doesn't change the fact that you committed murder.
Doesn't GPL have to say something about this? Wouldn't this mean that the adware would need to be open sourced?
Edit: The difference between murder and manslaughter has now been explained, multiple, multiple times. Manslaughter is still a crime and in that way it is still the same. The comparison was used as a device to elaborate why the reasoning was unimportant, the difference between murder and manslaughter isn't important within that context. Suffice to say, now that I have been corrected repeatedly over this nonsense, this would have been a better anecdote:
> "I killed him because he slept with my wife" doesn't change the fact that you killed someone.
There's no need to assume. I searched the US trademark database. There was a registration for GIMP in 2001, number 78084356 ("computer programs for creating and manipulating graphic images on a computer. FIRST USE: 19990600. FIRST USE IN COMMERCE: 19990600"), but it's abandoned since June 7, 2002. There are no other relevant registrations that I can find.
As far as I can tell, there's no formal "GIMP organization".
True, although http://www.gimp.org/donating/ states that "The GNOME Foundation has graciously agreed to act as fiscal agents for us." Maybe they could hold the GIMP trademark?
By the way, the trademark you mention was Caughron, Mathew K. INDIVIDUAL UNITED STATES, who seems to have been responsible for the old WinGIMP and MacGIMP distributions that cost money.
The main way I know of would be through trademark infringement. That's why there's GNU IceCat/IceWeasel - Firefox contains trademarked material. I believe Mozilla uses trademark precisely to prevent third-parties from including user-unfriendly components in "Firefox".
"By sending or transmitting to us Content, or by posting such Content to any area of the Sites, you grant us and our designees a worldwide, non-exclusive, sub-licensable (through multiple tiers), assignable, royalty-free, perpetual, irrevocable right to link to, reproduce, distribute (through multiple tiers), adapt, create derivative works of, publicly perform, publicly display, digitally perform or otherwise use such Content in any media now known or hereafter developed. You hereby grant the Company permission to display your logo, trademarks and company name on the Sites and in press and other public releases or filings. Further, by submitting Content to the Company, you acknowledge that you have the authority to grant such rights to the Company. PLEASE NOTE THAT YOU RETAIN OWNERSHIP OF ANY COPYRIGHTS, TRADEMARKS AND SERVICE MARKS IN ANY CONTENT YOU SUBMIT."
And this is relevant because ... why? There's no trademark or service mark, and as we've already discussed, the GIMP copyright allows this sort of use.
The permission clause is "You hereby grant the Company permission to display your logo, trademarks and company name on the Sites and in press and other public releases or filings."
This does not appear to include the right to use the trademark in installers, as an installer is neither a site nor press release, etc.
>4) The reason why they did it is actually completely irrelevant. "I killed him because he slept with my wife" doesn't change the fact that you committed murder.
Hate, well, love to be pedantic, but actually it does matter.
Courts and society alike take the reason for a murder (e.g. self-defense, revenge because of having been abused, being crazy or intoxicated etc.) into consideration for less harsh sentences or even acquittal.
Self defense maybe, though good luck, but the rest won't help you any if you get into that much trouble. Especially intoxication; you certainly can't use that as your defense for murder.
(not totally relevant but) technically that would be a crime of passion murder, and in some cases would result in a charge of "Voluntary Manslaughter" rather than "First Degree Murder". [1] Reason does matter, sometimes. Although in this case, Sourceforge just needs to stop.
Self defense, manslaughter, second degree, first degree...
Intent and reason is quite important. It is the difference between receiving no punishment and receiving the death penalty (in places that still have it).
Notwithstanding that the intricate technicalities of killing someone was what I was going for at all, how did you miss the two other comments that repeated this information nearly an hour before yours?
I get it. The anecdote had technical issues. Notwithstanding that being technically correct is not what anecdotes are about in the first place.
>how did you miss the two other comments that repeated this information nearly an hour before yours?
Honestly. I respond as I read. I tend not to keep reading and then go back to respond.
>Notwithstanding that being technically correct is not what anecdotes are about in the first place.
This is more than a mere technicality. The whole issue of mens rea is that one's state of mind is a factor in how someone is judged for their actions.
Your point, even without the analogy issue, is that the reason is irrelevant. That is simply not the case. Putting a security flaw in place to give the FBI a backdoor is vastly different than putting a security flaw in place due to poor coding. You may say they are both the same in that they both compromised security, but only one of these is backdooring and the damage to one's reputation is going to be different.
Now, in this particular case, the reason isn't sufficient to warrant a different judgment. But that is because of the details of this case.
I'm not sure the GPL allows you to fork something under the same name though, right? Copyright law still lets you own the name of your project?
That's why the typical workflow is to say in the header of your GPL license "Foo is copyright John Doe... Permission to modify is provided ..."
Sourceforge may be allowed to redistribute software with malware but as far as I can tell, copyright law should stop them from calling the software by the same name, right?
Does the author have a copyright on the gimp-win name? Maybe I don't understand the law correctly though, IANAL, etc.
> Copyright law still lets you own the name of your project?
Copyright doesn't apply to names. That's trademark law. Contrary to copyright, trademarks have to be registered and cost money. There is no registered trademark for Gimp or gimp-win in the US or Europe.
You can't copyright a name. You can trademark it, but unlike copyrights, trademarks have to be applied for and registered, and have to be actively defended.
>I'm not sure the GPL allows you to fork something under the same name though, right? Copyright law still lets you own the name of your project?
Trademarking the name of your project is considered incompatible with Free Software by a number of people. It's one of the issues that led to the creation of Iceweasel, after Mozilla Corporation told Debian to stop distributing their builds of Firefox[1]. The issue also resulted in RMS telling people not to use Firefox.
An open source license, such as the GPL, does not necessarily give you the right to use the name, it's true. If the name is trademarked, the trademark holder can try to prevent you from using it, and that has happened.
But if we go back to the _point_ of open source, especially the GPL: It's to let users keep using and modifying and distributing modifications to the software, without needing the permission of the original authors. That's the whole point, for users to have that freedom, that the authors can not take away from you. That sourceforge can keep distributing the software without the permission of the original authors is the entire point.
To the extent that trying to prevent third parties from using the name makes it harder to distribute the software (for instance, would it require changing the source to take the name out? Would it make it harder for users to find software that the authors are _trying_ to suppress?), I think we could argue that it would be against the spirit of the GPL, regardless of what trademark law says.
They use the term abandoned when really, it sounds like the more correct description is that the client decided to go with a different service. In that case, it would be akin to G+ reviving your profile page after you moved to Facebook, and populating it with your Facebook posts without your permission. That doesn't seem OK.
More like G+ reviving your profile page after you moved to Facebook, and populating it with your Facebook posts with injected product placement without your permission.
It could (and should) be clearer, of course, but doesn't basically every open source license allow doing what they're doing? Isn't this one of the FSF's four freedoms?
> 1) There is nothing clear and open about the project being abandoned by the author
Then you say:
> 2) The author left SourceForge...
Pretty sure if you left SF with the project still up on SF, any reasonable person could consider that abandoning the project. A more responsible thing would have been to remove the project entirely and shut it down.
> 3) Is SourceForge just going to maintain any project that leaves them and makes a mirror?
I assume you mean the only obvious option is to remove the project entirely (or disable from view) for those that leave. Leaving up old code at the scale of GIMP has the potential for leaving up unpatched code that is still downloaded and used. If your opinion is that nothing should have been done at all, I think that's far worse than what anything SF did.
What's interesting is that SF.net seems to not care if you have removed the project. Or, even if the project never existed at SourceForge, at all. In the previous thread about this issue, someone linked to the sf-editor1 account, which has projects for a huge swath of software, including software that has never been hosted at SourceForge.
It is part of their "mirror directory" project, which seems designed merely to get traffic from popular Open Source software, and occasionally inject malware into downloads that they can dupe people into getting from SF.net rather than the authoritative source.
And, of course, in this case, the author of Gimp-Win has plainly stated they did not abandon the SF project. They were locked out by SourceForge staff.
I'm all for caution before reaching for the pitchforks and the torches, but there's an awful lot of very large, very credible, projects saying, "Yes, SourceForge did this to our project."
I sent them an email yesterday asking for clarification, but have not received a reply.
Because using your power to do a hostile takeover of an open source project is just bad taste. They'd be free to make a fork of the project and host it on their site, but taking over someone's account / project without their permission is a case of power abuse.
This alone seems like reason enough not to use SourceForge even if just for mirroring a project. Which is what a lot of projects do including some Linux Distributions, what are alternative hosts at that point though?
It seems like there's an opportunity here for the big three.
I'm thinking something along the lines of, "Don't like the way services like SourceForge are handling your project nowadays? There are better services to use; here's a list. Obviously, we'd like you to use ours. We've already set up a home for you on our service in anticipation of your stay with us, which we think you'd enjoy. You'll find that it's already fully furnished, even. Here are the keys. Give us the go-ahead and we'll aggressively pursue the takedown of badware distributors."
The benefits to any of the three who go for this plan would be the host's association with such high-profile projects. GitHub may look at this and decide that at this point in their trajectory, there's just not enough in it for them, but it seems like either GitLab or Atlassian could benefit from it.
At GitLab we already have one-click importers for GitHub.com, Google Code and Bitbucket. We would love for someone to contribute a SourceForge importer.
That's not quite the angle he(?) was going for — he(?) is saying that an aggressive campaign from one of the Big Three in Git hosting to aggressively take down badware distributors while hosting your software would be one hell of a PR campaign.
I don't think any of the big three are hosting badware. We want people to choose GitLab, I don't want to start distributing software like Gimp without their blessing.
I think you're still not hearing what I'm getting at. The idea isn't that the big three are now peddling crapware-infested downloads, but there exist services like SourceForge and tons of download sites that are.
This is about aggressively courting existing projects that may still be on SourceForge out of nothing more than inertia. Migrating away is a process, even with importers. My original comment was about surveying the landscape for potential candidates that you'd like to see using GitLab, and then go ahead and set up a home for select projects before approaching them. This could include reserving accounts for the core developers, pre-seeding the project with whatever importing would be required, and just generally making it stupid-easy to migrate--as easy as just saying, "yeah, okay; we'll do that", and then setting up their password.
If you're worried about doing anything with their blessing, this could all happen in such a way as to not be publicly accessible until the project actually gives the go-ahead and confirms they would like to make the switch.
Making it easy is a great idea and our one-click importers are getting better all the time. Pre-creating all SourceForge accounts and content is wasteful: many good usernames will go unused and all our backups will contain many projects that are never accessed. So we'll focus on making the import good and fast instead of doing it in advance and emailing people about it.
Whenever a download link (and more often than not, for me, it's usually for a server-based tool) goes to Sourceforge, I cringe - more than a little. For Linux based tools, it's because a simple 'wget' for a file is going to end up with a complex filename that I have to rename. This, at least, is a simple problem for me to fix.
For desktop software, I'm more concerned after hearing of projects being wrapped in Adware/malware. This is a particular problem on sites like http://download.cnet.com. I've been online since at least 1996, and those sites used to be great to be able to find useful software. Now, I prefer to not install much new software, in order to keep a stable desktop (and it does work - I've only had to wipe my desktop and install Windows from scratch once or twice in my entire online career, I get new PCs more often).
I've even seen jobs posted on some sites to work on open-source code - but then the project is hosted on sourceforge.net, and so it is using Subversion for version control. While I may be expert on the underlying technologies that particular project used (and the language) - it's not something that would ever convince me to help them - not even while being well paid (and working remotely, which is what I'm aiming to do from now on).
So, this is a reminder (and a very harsh one) that trusting third parties with your projects may be a risky decision. I see many people suggesting moving off of SourceForge to Github. While we moved most of our stuff to github years ago, and I like github and have no major complaints about them today, I'm having doubts about the wisdom of staying on any third party hosting site, no matter how nice they seem today.
Let's put this in context: SourceForge was once (this was many, many years ago) a deeply trustworthy entity. They were excellent stewards of Open Source projects. They consistently took guidance from the community, and wouldn't have chosen profits over users or projects (though, certainly, they've profited).
Markets change, leadership changes, acquisitions happen. One day, we may not recognize github as the entity we know today, just as we don't recognize the entity that SourceForge has become.
I'm not saying don't move to github. Obviously, nobody should be starting new projects on SourceForge and github is one of the better third party alternatives. But, it may be worth thinking about what happens when we as an Open Source community build up another SF.net like entity. A central repository for all the most popular Open Source software, controlled by one profit-driven corporation.
Maybe it was worth the tradeoff. Maybe SourceForge provided enough value over the years to where it's not worth belly-aching about having to rebuild our communities around new tools (maybe even another third party tool), and to educate users that SourceForge is now an untrustworthy provider that should be avoided. Maybe we have to just mourn the loss of a once great supporter of Open Source software and move on to another that will likely, someday, also turn its back on Open Source values in pursuit of profits.
I hate trash-talking SourceForge so harshly, as projects I've been involved in have been well-served by SF.net in the past (and even now, we're pushing out terabytes of downloads through their mirrors, even though we've moved our revision control to github long ago). But, the company as it exists today is nothing like what it once was. I must assume none of the original founders remain given how far this strays from the original vision of the thing, and certainly it's been through multiple acquisitions and leadership changes. Maybe I shouldn't feel so bad about it...maybe the SourceForge I knew has been dead for years, and I just didn't notice as it's taken a while to start to smell.
People, even hackers, get unreasonably attached to names. Your last paragraph is key. If the company operating SourceForge today were doing what they're doing today under any other banner, no one looking to evaluate the options available to them would come away with the conclusion that TAFKA SourceForge would be the thing to go with.
Why can't someone make a hosting site with a no crapware rule? I understand monetization is a big issue, but I'd be willing to sit through a 10-15 second forced ad to get a nice FOSS product. This mentality of installing random "utilities" and search hijackers on PCs needs to end. I can't imagine these things outpaying video ads directed right at our demographic.
In the age of cheap bandwidth and cheap servers, how is this not massively profitable?
> "Mirrored projects are sometimes used to deliver easy-to-decline third-party offers."
If they just mirrored the project, no one would be complaining. Having another place to download copies of the official releases is a good idea.
The issue is they changed the release. They advertised it as "mirror of Gimp-Win version X". And it wasn't. It was Gimp-Win version X with a boatload of adware / crapware. This made the Gimp-Win people upset that the crapware was being falsely associated with their product.
If SF had advertised it as "SF Version of Gimp-Win with magic crapware", people would be less upset. And fewer people would download it, of course. Which isn't what SF wants.
Their self-serving statement about "mirror" is a lie. The people who wrote it should be ashamed of themselves.
When would that have been, the year 2000? I remember as early as 2003 thinking they were junk because of the intrusive banner ads with no borders that only said "Download Now!" You actually had to look for the smallest download link, verify it was actual text, then hover over it to check to see if the URL ended in your expected file name.
Let's be blatant and honest: this is "SF-GIMP" not GIMP. It's being operated here under the guise of the authors and currently not sufficiently identified as a fork.
SF skirts "adoption responsibility" by simply writing a post to some unrelated blog article after the fact and creating a collection of unrelated "deceptive ad blocking" website tools.
They show their true colors in the last paragraph:
> We welcome further discussion about how SourceForge can best serve the GIMP-Win author.
Just stop. How disingenuous can you be? What a disgrace.
Do we really need to go there? Ok, how about: "completely suspend and remove the project, and don't let the name be reclaimed."
Source Forge is trying to convince us they never thought of that. Really? Give me a break. You knew. You just don't care. Fine, you don't. But don't try to play that off as ignorance. "Oh, yeah, please enlighten us with further discussion!" Get out of here, stop wasting our time.
They could just as well have done away with the blog post and put up an image of a giant middle finger, instead. At least that would have been honest.
I moved my project to github after one of their "enticing" offers installed a vpn client that redirected all my traffic and inserted ads into my browsing, when I installed filezilla. The installer they add is designed to make it very easy to install their "offers" without your realising it. I'm very wary of any code on sf now.
The Filezilla team also deserve some credit in that case, as they opted-in to the ads on purpose (the Filezilla team gets kickbacks from each adware install).
> My employer runs a sourceforge mirror – I am going to start some discussion if we can turn it off.
Please do. IIRC, most (all?) of their mirrors are provided by third-parties who are graciously offering their resources and SourceForge is taking advantage of them to serve up and profit from adware/malware installers.
In all fairness, the page for gimp-win on sourceforge clearly states it is a mirror of a project that is no longer distributed by the upstream author through sourceforge --
"Hey, this isn't a SourceForge project! Check out the SourceForge Open Source Mirror Directory for more information." -> this links to a page that explains in detail what you are getting.
I don't have a windows installation handy so I can't 'test' the SF installer to see if the adware or add-on programs are easy to identify and accept or refuse -- has anybody tried that?
I've heard about how SF has been in some financial trouble, but isn't all this adware nonsense just going to hurt them more in the end? Surely some crowdfunding option could've been more of a viable effort...
They've been getting scummier and scummier. They've been doing this ad bundling thing for years, and their entire website is basically unusable without adblock. Someone at Slashdot enterprises has no idea what they're doing. At any rate, SourceForge is going to die soon. I wouldn't be surprised if Google starts to delist them for distributing malware.
SF's current administrator is a company despised by many of their end users. They had the option of crowdfunding before it was sold, but do not have it anymore.
Dice Holdings also bought Slashdot, and now there are things that look out of place, like the Kate Upton ad for God of War, Slashdot Deals [1], and annoying ads as tweets on the twitter account which made me unfollow.
That is some crazy amount of spin. SourceForge started their path down the scummy side a while ago but this is really taking it to a new level.
You'd think that if they really cared, they would back pedal on what they did, but no, instead, they double down by trying to justify what they did and "welcoming further discussions".
Also, this:
> deliver easy-to-decline third-party offers
How about delivering third-party offers that users need to opt in instead?
Adobe pull this same scummy move with Flash downloads; Oracle do it with Java too. Surprised me recently setting up someone's Win 8.1 laptop as I had thought that such moves were now illegal in the EU - perhaps they are?
Legally, no - after all, people give their express permission by leaving the box ticked.
The newish anti-spam measures in the Netherlands actually forbid the 'Yes I would like to receive spam' checkboxes to be pre-checked - has to be opt-in instead of opt-out.
I thought that was the ruling for applying whatever directive it was - that the box couldn't be pre-checked to install other software but instead the user had to check it (as in your spam example).
[research ensues!]
http://europa.eu/rapid/press-release_MEMO-11-675_en.htm see (3) "Banning pre-ticked boxes on websites". I'm sure Oracle - or whoever - would argue that as the consumer isn't paying they don't have to abide by the regulation but Oracle are being paid to do it so I don't see how that's any better (in fact it's worse really).
> It appears that +SourceForge took over the control of the 'GIMP for Windows' account and is now distributing an ads-enabled installer of GIMP. They also locked out original owner of the account, Jernej Simončič, who has been building the Windows versions of GIMP for our project for years.
It appears SF closed the abandoned 'gimp for windows' account, and opened a new account maintained by a sourceforge editor specifically labeled as a mirror which explained in detail what happened.
tl;dr "Hey, it's not our fault that we adopted policies so offensive to the project maintainer that they utterly washed their hands of us, but the license of GIMP basically prevents them from preventing us from distributing the software inside of our third-party shovelware bundle..."
Good job SourceForge. A++ would never download anything from again.
Why don't they (SourceForge but also all the other software vendors out there, even Oracle with the Java and Ask.com bundling) just have it so it automatically installs all the crapware instead of asking you? Last I checked, it was because this would get them treated as outright malicious. I suggest that we consider such offers where the default option is to install them to be considered as malicious as installing them without asking.
Source Forge has been doing this for a while now, not just gimp.
Pretty sure I downloaded Synergy and it deceivingly downloaded a common installer which was small and installed adware as it downloaded the proper executable which you desired to download in the first place.
I'm sure we only hear about "easy to decline/opt-out/remove" software when it is something nobody ever wants. If the first feature of your software is that it's easy to decline, maybe it's time to pack up shop.
I have good memories of SF being the hub of OSS back in the day. I was particularly fond of how projects could actively post types of people they were looking for (artists, doc writers, etc) instead of just relying on being stumbled upon and/or just listing an issue.
However, recently, I cringe if I somehow end up at an SF link. Feels like I'm on the wrong side of the Internet and that I can't trust any downloads from them.
> Based on our prior outreach to the GIMP-Win author, we understand that they had concerns about the presence of misleading third-party ads on SourceForge. They were not alone in those concerns — we were also concerned — leading us to establish a program to enable users and developers to help us remove misleading and confusing ads.
Isn't this a problem with overly permissive licences used in most OSS? AFAIK there is nothing stopping any commercial entity from just reselling you OSS as-is (in case of GPL they just have to link to sources as well). There's also nothing stopping them from putting ad- and malware in, correct? IMO it might be a good idea to put some limits into OSS licences - even if most projects wouldn't have the means for litigation, at least it would give pause to some legal departments of such companies trying to abuse OSS. I'd also advocate to have a standard license similar to creative commons for non-commercial use. Why not add some semi-enforced sponsorship element into OSS projects that are heavily used commercially?
This is true of any software that's freely redistributable. There's nothing particular to FOSS that enables what's going on in this case. (In theory, the source allows them to change it at the source-level and bake the badware in, but SourceForge doesn't seem to be doing that.)
I wonder... Is bundling adware installers with GPL software a violation of the GPL? (If not, should it be? v2?/v3?) Where's the installer's source? It wraps it in one linked executable file and presents itself as an installer for it, so I am not clear that any "mere aggregation" defence would hold?
There's also a reasonable argument that this brings the official project into disrepute: The GIMP may not be trademarked, but would it have to be?
Firefox, of course, is trademarked. I dearly hope they've never wrapped Firefox installers with adware, because Mozilla would not like that.
I would assume that a non-GPL installer for GPL software would be fine, because it doesn't actually run the software, just installs it as a set of files (If it does run the program, generally it doesn't interact with it). I would equate it to using something like GNU 'indent' on proprietary software - I doubt using a GPL program to modify data would cause that data to have to be under the GPL or any other license.
What is very possible is that if they integrated their installer into GIMP's installer (since GIMP already has its own installer), GIMP's installer is GPL so their modification would be a GPL violation unless they make the code available. If all their installer does is run GIMP's installer though, then there's no violation AFAIK.
> I wonder... Is bundling adware installers with GPL software a violation of the GPL? (If not, should it be? v2?/v3?)
I would assume that adding in stipulations like this would actually be more of a hindrance. Who decides what is "crapware" vs legit software? I can see use cases where you would want an installer to install more than just 1 GPL app (ninite?) and I'm sure it has further implications...
Unfortunately this would break the idea of Linux distributions listing optional add-ons as dependencies of a package to make things easier for the user.
If this feature is abused enough to warrant review by whomever currently keeps download sites from just automatically installing the software (instead of their 'I'm technically not touching you' opt out crap) for any individual case, that case will feel the wrath of whatever banhammer the powers that be wield.
They have permission as long as they comply with the license (GNU GPL v3+) and the author can't revoke a license already granted unless the license allows to do so, and the GPL doesn't allow it.
They cannot file a DMCA because there are no copyright issues.
This is why popular open source projects should seek trademark protection on their names.
Sure, people get angry about Mozilla's protection of the Firefox trademark, but this demonstrates that there are legitimate reasons to trademark a name so you can protect it from malicious operators.
It is a pity because I use SF often. I think that the problems could be solved if we could use something like pkgsrc on Windows.
Unfortunately this is not a reality or an option but it would be a good alternative.
Msys2 project gives a few of these apps as binaries. But it would be more user friendly if we could just download from a source repository and compile locally on Windows.
Question: what are the alternative solutions to distribute Windows binaries freely, without adware like SF or download.com? GitHub used to allow binary distribution but not anymore, and I don't feel like tags are a good way to do that.
I think I've recommended sourceforge.net be added to the webfilter global block list at every client I've worked with in the last 5 years. Once I pointed out the risk of their drive-by download strategy, no one has said no, and very rarely has an end-user complained (something almost always remedied by finding a legitimate download site for them).
Personally, I see this as one of the natural consequences of permissively-licensed software, and the freedom of being able to obtain such from the open Internet. This is a feature, not a bug.
If you want something with more security guarantees, then use the walled-garden app stores. It reduces your chances of getting malware, but also reduces the choices available to you.
Whether or not people like what SF is doing does not change the fact that it is legal under the GPL. I hate adware myself, but if someone chooses to distribute it legally, then I respect their freedom to... and the only thing I would do is tell the users so they can make an informed decision. The official GIMP site has made a notice about this already.
As long as computing platforms exist which allow users to install any software, from anywhere they choose, they will eventually install something they don't want (and even in walled-garden app store environments they still manage to.)
Something to think about: "Freedom is not worth having if it does not include the freedom to make mistakes."
[1] http://sourceforge.net/p/lxde/mailman/message/34148903/
[2] https://github.com/jleclanche