Why Sourceforge Is No Longer The Place For Open Source Applications

Image Credit: Sergey Galyonkin

SourceForge was once one of the most respected development sites on the web. Far from just being another competitor among many, it was, for the longest time, the place to host open source applications and projects; the first free code repository on the web. Sadly, that’s no longer the case.

SourceForge has changed, and not for the better.

Its current administrators seem fundamentally lacking in their understanding of what open-source actually is. Over the past few years, they’ve hijacked multiple projects, claiming ownership of everything from Hadoop to Drupal to MySQL. To make matters worse, every project they seize is almost immediately wrapped in adware.

No matter how you look at it, that’s a sleazy thing to do. Sadly, the use of bundled adware is the least of the team’s missteps. That they’re bloating open source applications with crapware is bad enough without taking into account that they do so without notifying the original developers.

“The real problem is, they are polluting open source software installations for the purpose of filling their pockets by this scam,” reads a post on the Notepad++ site announcing the project’s removal from SourceForge. “Worst of all, they’re doing it without even notifying the authors/creators of this software, while the creators are struggling against such parasitic software in order to keep their installers cleaner and safer.”

Consider what happened to GIMP – an open-source Photoshop alternative – back in May. The creator of the software originally hosted the project on SourceForge back in 2002, since, as he put it, “nobody else had comparable infrastructure.” Eventually, as the open-source community hit its stride and networking infrastructure became more readily available, the team made the choice to move away from SourceForge in 2013.

SourceForge didn’t take long to seize upon the opportunity.

“Jernej Simončič, the developer who has been responsible for building Windows versions of GIMP for some time, had maintained an account on SourceForge to act as a distribution mirror,” writes Sean Gallagher of Ars Technica. “That is, he had until [May 27], when he discovered he was locked out of the Gimp-Win account, and the project’s ownership ‘byline’ had been changed to ‘sf-editor1’ – a SourceForge staff account.”

When the controversy came to light, you’d expect SourceForge’s staff to apologize, clean the egg off their face, and set to work making right their mistakes. Unfortunately, they didn’t. Instead, they outright lied about GIMP’s abandonment, in the process openly admitting that they force adware on the projects they hijack.

“Mirrored projects help enable end users to stay current with the latest releases, particularly where SourceForge continues to host historical releases for community benefit,” an unidentified spokesperson told Ars. “Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available.”

They should just call it what it is: a scam.

GIMP is far from the only project to receive such treatment – nor is it likely to be the last. This month alone, the Nmap audit tool project was commandeered, as was Mozilla Firefox.

What happened? How did SourceForge turn from a pillar of the open-source community to a crapware distributor? How did the SourceForge team, once so respected and reputable, turn into little more than two-bit hustlers?

As it turns out, this sickness has been festering for some time, perhaps even since SourceForge was first conceived.

The Birth Of Sourceforge


In order to understand how SourceForge so thoroughly lost its way, we must first take a look back to 1999, the year when the site was first founded by VA Software. At the time, the Internet was a very different place. The idea of a free online code repository – of any free mode of distribution – was near-revolutionary.

“It was the fall of 1999, and there was fever in the air,” recalled Data Motion’s James Maguire in a 2007 blog post. “The dotcom frenzy was in full bonanza. It was gonzo, and it was going to last forever.”

“Around this time, VA Linux had an idea,” he continued. “A wildly optimistic idea. It decided to launch a Web site to host the work of open source software developers. The site would offer a full box of tools, from a Concurrent Versioning System (CVS) to a bug tracker to mailing lists. And the site would be – in the spirit of 1999 – totally free of charge.”

Minor details such as how the site would pay for itself weren’t accounted for. As it turned out, VA Linux wouldn’t find a way to monetize its open-source brainchild until 2006. That isn’t to say the site wasn’t popular – it was, incredibly so.

“By the end of 2000, SourceForge had thousands of projects registered; by the end of 2001, almost 30,000 were coding away. And the following year, the flood commenced. Since 2002, the team was adding almost a hundred projects a day.”

And by 2007, the site hosted more than 150,000 projects, with hundreds of thousands of downloads a day. It was around this time that the first cracks began to show in SourceForge’s armor.

“At some point in the mid-2000s, SourceForge stopped evolving as fast as it used to and focused on advertising-based revenue,” explains GIMP’s Alexandre Prokoudine. “This allowed them to go from $6 million in 2006 to $23 million revenue in 2009. But it also alienated free software developers due to poorer service quality. Various projects started moving away.”

Prokoudine recalls how contextual ads on SourceForge download pages were tailored by scammers to pose as legitimate download buttons; tricking users into downloading the wrong installer. These installers would typically contain adware or bloatware, and it was inevitably the developer who took the fall for it.

Still, SourceForge was one of the leading code repositories. The ads, while obnoxious, could be ignored. Though it lost a few developers, SF.net was still viable.

That would change. Drastically.

The Beginning Of The End


Fast forward to 2010, when VLC Media Player developer VideoLAN decided to move distribution of the application over to SourceForge. In less than two years, VLC Media Player was the site’s most popular project.

“The service provided was good enough, even if some users were sometimes confused by the advertisements that appeared on the download pages,” VideoLAN developer Ludovic Fauvet recalls. Unfortunately, those ads gradually became more obnoxious, more numerous, and more misleading. Before long, they became outright malicious; fake project downloads bundled with unauthorized third-party software.

“In 2012, Geeknet started to add more banners to their pages and did not bother filtering ads that were obvious scams, misleading consumers to click on fake ‘download’ buttons,” continues Fauvet. “Some if not all of these advertisers were distributing VLC bundled with crapware. We alerted SF.net quite a few times asking them to be more careful about these ads.”

In spite of numerous attempts to contact the site’s administrators – and numerous assurances that Geeknet was looking into VideoLAN’s grievances – nothing changed. Even the few ads they did remove eventually returned. SourceForge’s advertising network was a broken cesspool, and those responsible were either unwilling or unable to fix it.

As a result, they extended VideoLAN an olive branch of sorts. In exchange for putting up with the ads, the nonprofit received a few thousand dollars a month in advertising revenue. It was a band-aid solution: Although Fauvet and his peers were happy to receive a bit of extra revenue, their users – and their reputation – were still suffering due to SourceForge’s inaction.

Then, in September 2012, Geeknet sold most of its business portfolio to Dice Holdings. To say the transition was not a smooth one would be a gross understatement. Like many other facets of the site, it was thoroughly mishandled – and at the end of the day, it was the members of SourceForge’s community that suffered the most.

Under New Management


Image Credit: Liz West (Muffet)

It may seem impossible, but Dice Holdings mismanaged SourceForge even more thoroughly. VideoLAN’s previous contact on the site left soon after the acquisition, leaving the developer without any means of reaching the new team. In the meantime, the advertising situation grew steadily worse, to the point that VideoLAN received “literally dozens” of emails each week from angry users about bundled software and toolbars.

If you want an example of how bad it got, take a look at this image linked by Fauvet. That isn’t a legitimate download link. It’s an ad.

“I remember counting more than seven “download” buttons on our SF.net page,” says Fauvet.

It was also around this time that Dice Holdings pulled something even greasier out of its bag of tricks: a feature known as DevShare. Touted as an opt-in advertising service, DevShare placed closed-source, ad-supported content into binary installers, allowing the developer to gain partial ad revenue. That might be fine on its own…until one accounts for the fact that SourceForge also bundled ads into its own Windows installer, independent of DevShare.

The Last Nails In The Coffin

Image Credit: marbrure (Alain)

Come April 2013, VideoLAN’s developers agreed that they’d had enough. They began looking into a new way to distribute their media player, and soon divorced themselves entirely from SF.net. The improvements were almost instantaneous – for VideoLAN, at least.

For SourceForge, this was the moment it started to tank. VLC Media Player was the site’s largest source of revenue, and its most downloaded project. Dice Holdings was put in even more dire straits as GIMP – another heavy hitter – left only a few months later.

VideoLAN’s final contact from SourceForge was an offer from an employee to bundle third-party software with VLC so it could share more revenues. VideoLAN declined, instead opting to focus on improving its own distribution platform. Shortly afterward, that platform was hit with a large DDoS attack.

“We still don’t know who was behind this attack and their motivations, but the coincidence is striking,” muses Fauvet. “I let you draw your own conclusions.”

Then at the end of May 2015, the proverbial other shoe dropped. SourceForge hijacked GIMP’s binaries, and VideoLAN quickly discovered that it did the same with VLC media player. At the time of writing, VLC’s developers are still trying to get access restored, in order to “avoid further damage.” SourceForge has yet to respond.

Closing Thoughts

SF.net is not what it once was – at this point, that should be obvious. What was once a well-respected focal point of the open-source community now exists on its periphery; a bogged-down digital slum replete with underhanded business tactics, misleading advertising, and outright theft. The company’s behavior would be unacceptable even in a closed-source context; with open-source it borders on villainy.

Developers, you’d do well to avoid SourceForge. Because today, there’s nothing left to do but abandon the ship and watch it sink. Dice Holdings has shown no signs that it’s even aware that it’s doing wrong, after all – and unless it does, SourceForge’s slow collapse is now irreversible.
