Is sourceforge still a reliable partner for OpenSource projects ?

[titi]

I have serious concerns about sourceforges latest behaviour!

read this:
http://www.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/

and in german here:
http://www.golem.de/news/sourceforge-streit-um-adware-installer-1308-101219.html

And try it for yourself with the well known filezilla project! You click on a link to download the filezilla installer executable and you get another exe with another name. ....

As usual these kind of things are windows only at the moment

[will]

Yeah I can't remember the last time I wanted to spend time on sourceforge.  It was a fad that died because they didn't move in a github direction.

Github have started supporting "releases".

[tomreyn]

Hmm nasty. But I think the real problem is not so much sourceforge but projects who opt in to this program. "Bribing" only works when there's someone who is happy to be bribed.

Personally I think it's a bad decision on the part of sourceforge / Dice to offer and market those "bundlers" but I don't think it makes it necessary to move away from sf.net just yet, as long as it remains opt-in and they don't start marketing it aggressively towards us. Their file distribution system and project services in general are still the best free (as in monetary compensation not required) ones I'm aware of.

[Ishmaru]

While I (and current players & modders) know MegaGlest would never agree to this, I'm a bit worried that if new players still see our downloads hosted on sourceforge, they may chose not to download MegaGlest out of fear of getting the malware.

Also can we trust that they just wouldn't just add their bloatware to our downloads without us knowing? Maybe not now but further down the road.

Or maybe I'm just paranoid...

[tomreyn]

The correct counter measures there would be GPG signing releases and, if we really wanted to go that far, deterministic builds.
But then, this depends on people actually checking those against what they download, and in reality hardly anyone does.

[will]

Re signing etc, by the time you've downloaded something to check, its already too late?

SF used to get sponsored by big companies keen to promote their OS goodness e.g. IBM.  But these days its a backwater, and that actually goes back to the Apple app-store and how that changed how many developers aimed their free-time.  But practically, it means SF have nothing to lose and I'd expect a creeping-up-on-you strategy as Ishmaru fears.

I recommend MG moves to github, uses github releases, and hope all other live projects vote with their feet too.  I don't think SF will ever see any error in their ways.

[Coldfusionstorm]

I think ishmaru and willare are spot on on this one.

I was very suprised when i downloaded "filezilla" and got something i identified as adware. And in my world theres not long from adware to malware.

Seriously, Bundling is nasty. If users are unaware of bundling it's even worse. If you know something is bundled you can at least chose not to download or run it in a virtual box.

[John.d.h]

I second the motion to relocate to Github.  Not only is distributed version control a good idea, but the site is easy to navigate and makes the project easy* to contribute to.

* "easy" does not include the actual coding and/or content generation

[MoLAoS]

I'm probably going to release the non-provisional Alpha of Mandate through Github rather than than Sourceforge, both for the reasons in this thread and because its one less thing to manage.

I definitely think its the better option.