The OSS project I maintained for several years was always in the top 10 downloaded lists on Sourceforge, but I got frustrated with how things were going and eventually moved the code to Github and hosted a simple website on my own.
Honestly, I can't think of a reason why an OSS project would choose Sourceforge in this day and age.
That article gets a lot of things very wrong as I pointed out when it was posted on HN last time (you'll see my comment at the top): https://news.ycombinator.com/item?id=6262347
Github is an option for some folks but not for us. We need solid file hosting with lots of bandwidth (pushing well over 50TB a month at SF) that will be sticking around next month and next year. In my comment linked above, I mention that Github ditched binary downloads (they did last year). In the ensuing discussion, it was pointed out that Github added the feature back in this year as 'Releases'. It remains to be seen if the feature will stick around, though, and I wouldn't put all my eggs in that basket. When Github discontinued binary downloads last year, users were offered no alternative. So, it's not inconceivable that Github would pull the binary hosting feature again in the future as they stabilize their product offerings. SourceForge has been serving our binaries for 7 years now.
You should then consider a better host. SourceForge is clearly a scamware host now; maybe ever since Dice.com took over. And to be honest, just seeing a file hosted on SourceForge casts doubts on the quality of the app.
- Most users just click OK for installers, it is like the EULA
- I am yet to see a toolbar that does anything useful to anybody; other than make their system slower and buggy. I hold a very low opinion of people (like Ask.com) who bundle things with the clear knowledge that most people are unknowingly installing their app/toolbar. Much worse than spammers.
With your extensive experience with user behavior, it is interesting that you see this differently.
> And to be honest, just seeing a file hosted on SourceForge casts doubts on the quality of the app.
I couldn't agree more. Whenever a session of searching for a solution ultimately lands me on a sourceforge page, I feel a pit form in my stomach. When it happens it typically means one of two things, often both: I took a terribly wrong turn somewhere, and/or I am in for a world of hurt.
Contrast this with finding myself on a github page, which very often signals success.
My hypothesis is that a sourceforge page signals that the author is dated, the author has abandoned the software, or the author doesn't care much for the users.
I have to nod on this. Github is a great indicator for developers mostly, but from any user point of view, having a source dump is next to useless.
And by user, I do not mean a dumb user. I would consider myself the user of a library if I'm not planning to contribute. I can only contribute meaningfully to a dozen of OSS projects; for the others I'm pretty much an ordinary user. In that case I care much more about introduction, documentation and stable releases. Github is pretty much useless by itself in these cases, and the idea that you can just dump a half-assed readme and "call it a day" is something that I've only seen since github became popular.
Even if I'm not a contributor, GitHub hosting of projects is for me very valuable, as I can sneak peek quickly at the implementation. Many projects also have samples and good tests and taking a quick look at the implementation (and I'm talking about randomly selecting files and opening them), not to mention the list of commits, can tell you a lot of things about how the project is being maintained, about quality and so on.
Developers should really stop behaving like dumb users.
I really think designating torrenting as the primary method of downloading big binaries or really anything big is the way to go for OSS projects. I guarantee you more than a handful of people will offer seeding without asking anything in return. I certainly would be happy to seed any OSS project for a long time, I often have VPSs that are not being used (and in a way that really bugs me -- I'm paying money for things I'm not using fully. So I'm actually often on the lookout to see what OSS stuff I can seed).
Have a host as a secondary backup, for people who won't want to torrent.
(I shall ignore the toolbar installation matter; that has been discussed at length in the linked thread and there is little value in continuing that here.)
> You should then consider a better host.
Very well then; step one: identify a better host where PortableApps.com can get over 50TB per month for free. I'm not aware of any other than SourceForge which would do such a thing and John does not have the money to spend on commercial rates for such bandwidth. (Incidentally, donations are always welcome at PortableApps.com, because the rest of the infrastructure does still cost money, and quite a considerable amount.)
>identify a better host where PortableApps.com can get over 50TB per month for free
With those amounts of traffic for SF's larger projects I wonder how and if one could build a competing website for hosting binary FOSS today and have it be profitable without resorting to shady tactics. Clearly, making the projects themselves pay is not an option.
As for SF, even before the installer business under the current management it had really misleading banners everywhere. I doubt they would have resorted to those if they could have been comfortably profitable with AdWords.
One site that would have had the bandwidth would have been Google Code. But they just dropped binary hosting. And they didn't support projects that used multiple licenses (PortableApps.com has tons of apps under every open source license).
The only other one is Github as they're growing and have $100m they raised earlier this year. They added in binary hosting as "Releases" but it's relatively new (this year) and after they killed binary hosting last year with no path to move to, I'd worry about it happening again as Github stabilizes its product offerings.
I can't seem to find any details on it on their site (it's absent from Features and Documentation) and nothing relevant came up in a quick Google search.
It's there. When viewing your project's details, you've got a tab called "Downloads". You can then upload stuff like binaries, and I quote from that interface: "Add any file that you would like to make available to your users, such as app binaries"
Ah. I don't have an account. So, to me, there's nothing there at all. And if it's not documented (not even a mention in features or the documentation) other than just existing in the admin interface, I don't know that I'd trust it to be there next week.
No, it is not. It is mostly paid for by ads on the website. There are only a handful of SourceForge projects trying out this new, 100% optional, offer-based installer. PortableApps.com is not one of them. Bundling 3rd party offers is not permitted within PortableApps.com Format apps.
> - Most users just click OK for installers, it is like the EULA
This installer specifically has a separate page for the offer with a big Accept and Decline button along with a What's This link in between that links to a page explaining it.
> - I am yet to see a toolbar that does anything useful to anybody
They also offer trial versions of certain software like antivirus and were working on getting other software on board last I chatted with them.
Like I said, I'm not involved in the process at present and do not participate in the optional bundling program. Bundling 3rd party offers is prohibited within PortableApps.com Format.
Antivirus software is the perfect illustration of snake-oil. Antiviruses don't actually protect the user from anything, they just use tons of resources while making loud notifications, to make the user think she's continually under threat and oh look, this piece of shit is actually worth something.
I've got an old PC at home, with a ten year old installation of Windows XP, on which I play games. It never had an antivirus active, I just run ClamAV on it every couple of years. It was never virused either. My wife's laptop on the other hand is perpetually virused, in spite of the commercial antiviruses that she tried. That's because those antiviruses don't do shit for her, or for the hundreds of millions of users that get tricked into paying racketeering taxes.
That was one of the things I brought up with them and offered up a solution that would not require an offer-based installer that then downloaded the actual file the user wanted. It would be open source and based on work I've done with PortableApps.com for several years.
Unfortunately you're damn right. I would not trust anything coming from Sourceforge now, yet it used to be THE place for open source projects...
Is there an open source hosting service that provides a build service for binaries? A little bit like Travis but just for builds, that would build bins for you and make it available to download?
I don't know what kind of contract SF made out with its mirror providers but I have doubts that they can keep all of them under these circumstances. SF's ability to push such amounts of bins comes from support from providers and edu facilities.
Sourceforge had an enterprise edition (Disclaimer: I was a Sysadmin/support guy/developer of SFEE in my 7 years of working with that product). Unfortunately, SF.net's issue system is nothing compared to what JIRA or Redmine can do right now. While they have the File Release System or downloads, in theory, most places want that handled by a CI system -- something that Jenkins can do rather well with just about any type of file system or backend. User management? Most enterprises have some type of SSO or user management in place already, and the sf.net code didn't have the ability to use another source for user management.
The only thing that SFEE did well was provide a single 'neck' for customers to strangle when things went wrong -- and we became very, very good at keeping those customers happy.
If you're looking for the last public release of the sf.net code, it's from around 2003/2004, and it's....messy. SFEE (the product that I worked on) was acquired by CollabNet in 2006, and is now something called CollabNet TeamForge, but I wouldn't use it for an enterprise anything these days.
They did once, a long time ago. But Github has a big headstart on them in that department now... and $100m they just raised earlier this year to keep growing.
Their mirrors system is working very well. It's very easy to distribute big files (like ISO images) through Sourceforge's mirrors. No wonder that Adobe's leaked users database was (or still is) being distributed using Sourceforge mirrors.
It's hard to download from Sourceforge using HTTPS. (Or even to use HTTPS to get the SHA hash of a download.) Can you tell me how to do it, so I can download from Sourceforge without risk of a man-in-the-middle modifying the download to, say, contain malicious code?
Navigating to the directory from the 'Files' tab and clicking the 'i' icon to the right of each filename available for download displays the 'View details' panel with the SHA1 hash of that file. Is that not enough?
It's slightly more of a nuisance for the attacker to modify the hash as well as the file, but if they can modify the .zip you get, then they'll surely have no trouble doing "s/the original zip's hash/their malicious zip's hash/" on all your unauthenticated web traffic too. It's a simpler modification than Upside-Down-Ternet.
In this case, they do need to create a compromised version of the zip before you view the hash, but that can be arranged with good probability by tracking the web pages you visit, pre-computing compromises of popular downloads, and/or slowing down your page load speed to give them enough time to compute and serve you compromised hashes. It wouldn't be too hard for an accomplished Web villain to have a good shot at compromising your computer if you are using public WiFi or they have ISP or NSA level access, provided you download software insecurely. ( My unfortunately ranty blog post on the matter: http://idupree.dreamwidth.org/3233.html )
HTTPS isn't perfect, but it (and/or other cryptographic signing) is the minimum we should accept for downloads of code that can quietly pwn your user account when you run 'make'.
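An added example (not part of the original thread) of the point made in the comment above: a digest read over the same unauthenticated channel as the file proves nothing, while a digest read over HTTPS does expose the modified file. SHA-256, the sample bytes and the `downloads.example` URLs are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data standing in for a release archive and a modified copy.
ORIGINAL = b"constructed release archive v1.0"
TAMPERED = b"constructed release archive v1.0 with altered contents"

# Hypothetical URLs, used only to carry the scheme of each channel.
HTTP_PAGE = "http://downloads.example/project/files/details"
HTTPS_PAGE = "https://downloads.example/project/files/details"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rewrite_in_transit(file_bytes: bytes, listed_digest: str):
    """Model of the scenario in the thread: whoever can alter plain-HTTP
    traffic replaces the file and the digest shown beside it."""
    return TAMPERED, sha256_hex(TAMPERED)


def naive_check(file_bytes: bytes, listed_digest: str) -> bool:
    """Compare the file with whatever digest the page displayed."""
    return sha256_hex(file_bytes) == listed_digest


def verify_download(file_bytes: bytes, digest_hex: str, digest_source: str):
    """Return (ok, reason). The digest counts as evidence only when it was
    obtained over an authenticated channel (HTTPS here)."""
    if urlsplit(digest_source).scheme.lower() != "https":
        return False, "digest source is unauthenticated"
    actual = sha256_hex(file_bytes)
    if not hmac.compare_digest(actual, digest_hex.strip().lower()):
        return False, "digest mismatch"
    return True, "digest matches authenticated reference"


def run_scenarios() -> dict:
    published = sha256_hex(ORIGINAL)
    # File and digest both travel over plain HTTP and are both rewritten.
    got_file, got_digest = rewrite_in_transit(ORIGINAL, published)
    return {
        "naive_http": naive_check(got_file, got_digest),
        "policy_http": verify_download(got_file, got_digest, HTTP_PAGE),
        # File still over HTTP, but the digest was read over HTTPS.
        "https_digest_tampered": verify_download(got_file, published, HTTPS_PAGE),
        "https_digest_clean": verify_download(ORIGINAL, published, HTTPS_PAGE),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The naive comparison accepts the modified file because both values came from the same rewritten traffic; only the digest fetched over the authenticated channel turns the modification into a mismatch.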
Most companies block torrents. And software that does torrent downloads often gets flagged as badware.
We considered building torrent into the PortableApps.com Platform and getting users to help share bandwidth with other users, but those stumbling blocks are pretty big ones.
My company (in fact client company) is using a Bluecoat filter. This is insane crap that randomly blocks many sites. Hopefully, the company does not block ssh. The Bluecoat filter is so annoying that I have installed a proxy on my home computer. When a site is blocked, I have to fully close Chrome, launch ssh with a tunnel (two clicks) and relaunch Chrome using this proxy (one click). I wonder when companies will understand that excessive or bad filtering has opposite consequences. PortableApps.com is awesome (notably xampp). Congrats
But I think writing off torrents because companies filter them isn't a reason to do so.
As long as they can download random executables and run them, they'll be able to download torrents, either via .torrent files, magnet links, via a proxy or whatever method they figure out.
Torrents themselves are blocked by most corporate firewalls (and many university ones). Adding torrent abilities to the PortableApps.com Platform, even if we custom wrote it to work with our app store, would encourage places to block our whole platform.
Like it or not, even with all the legitimate uses torrent has, to many people it's about stolen software, stolen music, stolen movies, and porn.
>Adding torrent abilities to the PortableApps.com Platform, even if we custom wrote it to work with our app store, would encourage places to block our whole platform.
>Like it or not, even with all the legitimate uses torrent has, to many people it's about stolen software, stolen music, stolen movies, and porn.
I think that's a little far-fetched, nearly all open source projects utilize torrents for distribution with no one blocking them. Torrents are just the default way of providing high-speed software mirrors these days.
Lots of open source projects make torrents of their files available for download from their website. That's a different animal from building a torrent client into your app. The PortableApps.com Platform is how lots of our users get their apps now, right from the app store or via the automatic app updater, and that all takes place via HTTP. In order to properly use torrents, we'd need to build a client right into the app store so users can use it but still one-click update/install their apps. But, having a torrent client built into the platform would encourage companies to block the platform itself. And, it would leave our users unable to update their apps inside organizations that block torrenting at the network level.
edit - I mean when at work, I can't torrent any large ova's or iso's. Sadly fortune 500 america will hardly ever allow torrent through their firewall for obvious reasons.
Sourceforge is very user-oriented (in contrast, GitHub is very coder-oriented). Non tech-savvy users don't know how to download software using torrents while HTTP just works using one click.
For users with adblock. I would never send my technically illiterate friends to SF as there is a high chance they click on an ad instead of the real download.
I go to SourceForge for civiCRM and it works pretty well. However I am downloading something to install on a linux box where there is no .exe installer.
I have heard that GitHub has been DDOSed a few times in recent times. Therefore, for me, it is swings and roundabouts.
I used to love SourceForge so it's a bit painful to admit that it's no longer important enough to waste the bots needed for a DDOS on it. The reality seems to be that they're destroying themselves.
The state of affairs really is unfortunate. I think we can all attest to SourceForge having played a wonderful role in the open software industry at one point. But how can anybody, no matter how loyal, support what it has become?
Some people here seem to be seriously confused by anti-SF FUD.
These ad-ware loaded installers are not the default. You have to explicitly opt-in. It provides SF and projects hosted there (a kinda shady) optional way to make money.
The FileZilla installer contains ad-ware because the FileZilla developers chose to add it. It is their attempt to make money. I use SF too but none of my projects come with ad-ware installers.
One should point out that bundling ad-ware is a common way developers of free (as in beer) software make money in the Windows world.. so SF has not cooked up some nefarious new scheme here.
And that's why companies like Apple or Google or Amazon or Microsoft, feel morally justified to lock-in users inside of their curated app stores. It's because of Windows and its ecosystem filled with all the scum this industry has to offer.
People pay for valuable software. If people don't want to pay for your software, then it may mean that your software isn't worth paying for. And I can agree with ads loaded inside that software. In my eyes ads are a legitimate way of monetizing software.
But pushing extra adware junk down on users' throats, especially plugins for other pieces of software, like browsers? That's taking it a step way too far. And this also hurts developers that are monetizing their apps by serving tasteful ads. Not to mention that it hurts the browser makers - for example my wife wants Chrome, not Firefox, because she doesn't have the expertise to keep her Firefox clean and because Firefox is more open, more extensible, I've never seen a Firefox instance on Windows that's not overloaded with third-party junk.
But hey, let's poison the pool for everybody, right? Thanks guys for killing an otherwise viable business model, not to mention the only major browser built by a non-profit.
Amazon Route 53 has a feature called Latency Based Routing, which you can use to distribute traffic to your own mirrors. With AWS, Rackspace and other similar cheap hosting, I see no reason for a SourceForge.
By the way, SourceForge, Freecode (aka Freshmeat) and Slashdot were all acquired by Dice.com in September 2012.
The GIMP uses an awful lot of bandwidth monthly, well into the terabytes monthly, I believe. PortableApps.com is another project and one which I know much more about due to my involvement; it goes through over 50TB per month and with something like S3 that is already well over $5,000 per month at a minimum. No reason for SourceForge?
According to [1] there were 1,425,722 downloads of gimp-2.8.6-setup.exe from SourceForge last month.
According to [2] that file is 90.1 megabytes
So that one file used 122.5 TB of bandwidth in that month.
Assume for the purposes of argument this is 100% from the US and follows the cloudfront pricing outlined at [3], and per-request costs are trivial.
(10 terabytes) * (0.120 US$ per gigabyte)
+ (40 terabytes) * (0.080 US$ per gigabyte)
+ ((122.5-50) terabytes) * (0.060 US$ per gigabyte) in US$
= 8960 US$ [4]
So, for that single file, about US$ 9000 a month.
It gets more expensive if people download from other countries, and 22% of downloads were for different files not included in the download count for the most popular file, which I used above. It would be trivial to top $12,000 a month in cloudfront fees.
SF didn't have a good sustenance plan. If they had a way to charge users directly (instead of bombarding them with ads), they could have continued to provide good service to open-source projects.
As a user, it is a good idea to research the sustenance plan of a service before using it.
It's a shame that a company which spearheaded free availability to open source code has sunken to the point of encouraging proprietary installers and adware laden applications.
Downloading on Sourceforge hasn't been a pleasant experience for a long time, and we have to live with that because it's free. But now an installer? I have to say it's crazy.