Hopefully...
Hopefully this motivates more projects to move. :)
Popular open source code-hosting repository SourceForge has been battling a significant outage for days and is sluggishly recovering from a lengthy Total Inability To Support Usual Performance (TITSUP) drama. On Thursday, the site slipped into "disaster recovery mode" and since then it has been a torrid time for sysadmins …
Given the attitude of forcing malware into installers for a lot of SF hosted software I'd say this is a big hint that people should be moving their software elsewhere to something more reliable, reputable, and not commercially driven, at least not enough to force malware on people via fake download links or messing with the binaries.
SF is now a dodgy download site and should be blacklisted.
> SF is now a dodgy download site and should be blacklisted.
There's still lots of good software hosted on SF and from your comment I suppose you tend to use it to download binaries -- which is an important but somewhat auxiliary function of such a site. And it's the one most fucked up on SF.
Anyway, what are the suggested alternatives that offer, besides SCM, some basic auxiliary stuff such as
- mailing lists
- forums
- web hosting
- download of packages/binaries
?
If you can't trust one aspect of an organisation, how can one have confidence in any other aspects of the organisation? Have they slipped anything that will subsequently be found to be sinister into any of the other facilities/services they provide? Of course the provision of these facilities/services needs to be funded, but enveloping binaries with Potentially Unwanted Programs is a good way to alienate the people they are trying to serve.
> - mailing lists
> - forums
Google Groups
> download of packages/binaries
GitHub
Maven/GEM/Aptitude/Google Play/Macports/etc/etc
> Web hosting
Everyone and their dog. But you don't really need it, unless you are promoting a big project to make money, in which case you can probably find $100 a year for a paid hosting account. Really.
For me the egregious thing isn't malware in actual downloads, it's the ads with fake 'click here to download' buttons that try to shovel you malware. They have a lot more control over ads than they do over individual projects, and this suggests a disturbing level of not-giving-a-shit.
https://sourceforge.net/blog/sourceforge-infrastructure-and-service-restoration/
Given this is Ceph, and Inktank was bought by Red Hat just over a year ago, does this mean the "storage vendor" was Red Hat? However, the page suggests that everything is open source, mentioning CentOS but not Red Hat.
Or is the "storage vendor" just a hardware vendor who sells vanilla servers and disks, and SourceForge are running Ceph on top of it themselves? But in that case, why consult with the storage vendor if there is a Ceph issue?
Or is someone other than Red Hat selling and supporting Ceph appliances?
Whatever it is, it would be interesting to know.
Good point. I must admit I was surprised at the length of time it's been taking. I wonder if the asset strippers bean counters senior staff have been removing expensive and 'unnecessary' backup systems.
I also thought it interesting that SourceForge and Slashdot are on the same hardware these days. Eggs & baskets?
> Good point. I must admit I was surprised at the length of time it's been taking. I wonder if the asset strippers bean counters senior staff have been removing expensive and 'unnecessary' backup systems.
Well from their blog post http://sourceforge.net/blog/sourceforge-infrastructure-and-service-restoration/ I see:
"Our backup solution is Open Source, backing on to popular cloud storage platforms."
...
As a long-time user and occasional contributor to open source projects it was a jarring 'back to the future' moment to have to evaluate some software hosted on SourceForge, as I haven't looked at it for at least 5 years and use GitHub regularly.
So it was pretty horrific to see a site littered with low-grade advertising and the greasy tricks of the internet marketing brigade around the site... the user experience is horrible, making me wonder why people bother with it.
The dev. outage came after that unpleasant reminder of how bad the internet of the 1990's used to be.
To heap injury on insult, the outage has created a significant blocker in a project I'm doing for a client where I am evaluating a number of open source offerings. The source has been unavailable now for over a week.
To those supporting SourceForge I would say there is one massive reason why GitHub has a better future... I pay a regular monthly subscription that is entirely reasonably priced for the service offered. As a result, GitHub are motivated to support their customers and there is a sustainable business model that means I don't have to look through a UX cluttered with dreadful crap. Now that is worth paying for alone... even if outages still occur, though they are planned and last minutes instead of weeks.