Author Topic: Is sourceforge still a reliable partner for OpenSource projects ?  (Read 919 times)

titi

I have serious concerns about SourceForge's latest behaviour!

Read this:
http://www.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/

And in German here:
http://www.golem.de/news/sourceforge-streit-um-adware-installer-1308-101219.html

And try it for yourself with the well-known FileZilla project! You click on a link to download the FileZilla installer executable and you get another exe with another name...

As usual, these kinds of things are Windows-only at the moment ;)
« Last Edit: 28 August 2013, 09:53:46 by titi »
Try Megaglest! Improved Engine / New factions / New tilesets / New maps / New scenarios

will

Yeah I can't remember the last time I wanted to spend time on sourceforge.  It was a fad that died because they didn't move in a github direction.

Github have started supporting "releases".

tomreyn

Hmm nasty. But I think the real problem is not so much sourceforge but projects who opt in to this program. "Bribing" only works when there's someone who is happy to be bribed.

Personally I think it's a bad decision on the part of sourceforge / Dice to offer and market those "bundlers" but I don't think it makes it necessary to move away from sf.net just yet, as long as it remains opt-in and they don't start marketing it aggressively towards us. Their file distribution system and project services in general are still the best free (as in monetary compensation not required) ones I'm aware of.
atibox: Ryzen 1800X (8 cores @3.6GHz), 32 GB RAM, MSI Radeon RX 580 Gaming X 8G, PCI subsystem ID [1462:3417], (Radeon RX 580 chipset, POLARIS10) @3440x1440; latest stable Ubuntu release, (open source) radeon (amdgpu) / mesa video driver
atibox (old): Core2Quad Q9400 (4 cores @2.66GHz), 8 GB RAM, XFX HD-467X-DDF2, PCI subsystem ID [1682:2931], (Radeon HD 4670, RV730 XT) @1680x1050; latest stable Ubuntu release, (open source) radeon / mesa video driver
notebook: HP envy13d020ng
internet access: VDSL2+

· · · How YOU can contribute to MG · Latest development snapshot · How to build yourself · Megapack techtree · Currently hosted MG games · · ·

Ishmaru

While I (and current players & modders) know MegaGlest would never agree to this, I'm a bit worried that if new players still see our downloads hosted on sourceforge, they may choose not to download MegaGlest out of fear of getting the malware.

Also, can we trust that they wouldn't just add their bloatware to our downloads without us knowing? Maybe not now but further down the road.

Or maybe I'm just paranoid...
Annex: Conquer the World Release 4 For Pc Mac + Linux
https://forum.megaglest.org/index.php?topic=9570.0
Annex is now on Facebook!
https://www.facebook.com/AnnexConquer

tomreyn

The correct counter measures there would be GPG signing releases and, if we really wanted to go that far, deterministic builds.
But then, this depends on people actually checking those against what they download, and in reality hardly anyone does.
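An added example, not part of any post in this thread and not MegaGlest's own tooling: checking a downloaded installer against a release checksum manifest before it is ever run, which is the user-side check that signed releases depend on. It assumes the manifest's GPG signature has already been verified (for example with `gpg --verify`); the file names and contents are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")  # sha256sum output format

def parse_manifest(text):
    """Map file name -> expected SHA-256 from sha256sum-style lines."""
    entries = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE.fullmatch(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def check_download(manifest_text, path):
    """Classify a downloaded, not yet executed file: ok / mismatch / unlisted."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"   # e.g. the link delivered a differently named exe
    same = hmac.compare_digest(expected, sha256_file(path))
    return "ok" if same else "mismatch"

def demo():
    # Constructed stand-ins; no real installer or bundler is involved.
    real = b"constructed: the project's own installer bytes"
    other = b"constructed: a third-party wrapper's bytes"
    manifest = hashlib.sha256(real).hexdigest() + "  game-setup.exe\n"
    cases = [("genuine", "game-setup.exe", real),
             ("same name, other bytes", "game-setup.exe", other),
             ("other name", "game-setup-wrapper.exe", other)]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, name, data in cases:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = check_download(manifest, path)
    return results

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Anything other than `ok` means the file is not the one the release manifest describes and should not be executed.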

will

Re signing etc., by the time you've downloaded something to check, it's already too late?

SF used to get sponsored by big companies keen to promote their OS goodness e.g. IBM.  But these days it's a backwater, and that actually goes back to the Apple app-store and how that changed how many developers aimed their free-time.  But practically, it means SF have nothing to lose and I'd expect a creeping-up-on-you strategy as Ishmaru fears.

I recommend MG moves to github, uses github releases, and hope all other live projects vote with their feet too.  I don't think SF will ever see any error in their ways.

Coldfusionstorm

« Reply #6 on: 3 September 2013, 19:45:22 »
I think Ishmaru and will are spot on on this one.

I was very surprised when I downloaded "filezilla" and got something I identified as adware. And in my world there's not long from adware to malware.

Seriously, bundling is nasty. If users are unaware of bundling it's even worse. If you know something is bundled you can at least choose not to download or run it in a virtual box.
WiP Game developer.
I do danish translations.
"i break stuff"

John.d.h

« Reply #7 on: 6 September 2013, 08:58:43 »
I second the motion to relocate to Github.  Not only is distributed version control a good idea, but the site is easy to navigate and makes the project easy* to contribute to.

* "easy" does not include the actual coding and/or content generation

MoLAoS

« Reply #8 on: 6 September 2013, 20:29:00 »
I'm probably going to release the non-provisional Alpha of Mandate through Github rather than Sourceforge, both for the reasons in this thread and because it's one less thing to manage.

I definitely think it's the better option.