It was like Cooks Source all over again, just without the catchphrase “But honestly Monica.”
It’s been all over the web for the last week or two that the photo imaging program GIMP, a FOSS crown jewel, has dropped SourceForge as a download site. Although the GIMP folks had been a little concerned over some advertisements on SourceForge, the real reason appears to be DevShare, which bundles third party offers with open source downloads for install on Windows machines.
Last Thursday, in an attempt at damage control, the folks at SourceForge explained the DevShare program in some detail:
“In July 2013, we launched a pilot version of an opt-in revenue-sharing program called DevShare. DevShare is a partnership program offered to SourceForge developers to turn downloads into a source of revenue for them, by bundling their applications with third parties’ offers. This revenue will help these projects grow, help the developers keep contributing to the Open Source community, and help us keep offering free hosting, distribution, and other services.”
The article goes on to explain there were other reasons besides money behind their implementation of this program. Some projects were already bundling offers, mainly for proprietary freeware, in an attempt to monetize their projects, often with unsatisfactory results. Sometimes users would get confused and accidentally install one of these free offers, then find it nearly impossible to uninstall. Among other things, the DevShare program allows SourceForge to vet the “free offers” to make sure they’re clearly described, malware-free and can be easily removed after an installation.
The program is also opt-in. No software is bundled with a download unless a project has explicitly asked to be included in the DevShare program:
“Currently in the Pilot phase, we only have 3 projects participating in the DevShare program, all of which explicitly opted-in. This represents 3 out of 300,000+ projects in our entire catalog. This is a 100% opt-in program for the developer, and we want to reassure you that we will NEVER bundle offers with any project without the developer’s consent.
“The DevShare program has been designed to be fully transparent. The installation flow has no deceptive steps, all offers are fully disclosed, and the clear option to completely decline the offer is always available. All uninstallation procedures are exhaustively documented, and all third party offers go through a comprehensive compliance process to make sure they are virus and malware free.”
The bundling of proprietary offers with a FOSS download is certainly problematic and GIMP’s decision to abandon the service was certainly justified. But this doesn’t necessarily mean that SourceForge now represents some evil that’s descended over our world, especially given the fact that SourceForge is a service for open source projects in general and isn’t limited to projects using free and open copyleft licenses such as the GPL.
SourceForge hosts projects using any recognized open source license. Yes, there are many FOSS projects available for download on the site, but there are also many projects using “permissive” licenses such as BSD or Apache. While we FOSSers might be surprised and appalled if we were to see some proprietary Windows freeware offered up with a download of LibreOffice, we probably wouldn’t be so surprised to see such a bundle with Apache’s OpenOffice, as projects using permissive licenses in some cases have different ideas than we do about what’s acceptable.
From this viewpoint, the DevShare program would seem to solve a few problems for SourceForge and their users, especially given the fact that such offers were already taking place outside the service’s control. These offers can now be vetted to ensure they’re malware-free and that they’ll uninstall easily and completely if accidentally installed by a confused user. In addition, this program will offer a potential new revenue stream to projects that use it. Certainly, many worthwhile projects could use the bucks.
So although I have reservations about DevShare, I’m not ready to call out the cavalry and declare war on SourceForge for testing or implementing the program. For the time being, I’m content to wait and see.
This wasn’t the case with a group of Reddit users last week, when a comment thread pretty much turned into a mob scene that reminded me of the Cooks Source massacre of 2010. It seems that a few folks don’t need to know the full story before picking up their virtual weapons and launching an attack. They’re ready to bring SourceForge to its knees by flooding all of SourceForge’s download mirror sites with emails vilifying the service.
This started when a user made this suggestion:
“The answer to sourceforge being a dick by adding adware is this…
“Contact your local sourceforge download mirror site, usually an ISP, educational institution or other non profit organisation. Inform them their servers are being used by sourceforge to generate profit by adding adware/spyware to open source downloads.
“Sourceforge get a staggering amount of free bandwidth from organisations who assume they are a benevolent distributor of open-source software. This is no longer the case.”
This was followed by a list of the email addresses of a number of SourceForge mirror sites and a sample email to send:
“I’m writing to inform you of adware/spyware being distributed through your servers via Sourceforge mirroring services provided by your organisation.
“Details can be found here: http://www.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
As well as the GIMP project moving their windows binaries from the service today:
http://www.gimp.org/ (blog entry “GIMP Windows Installers move from Sourceforge to ftp.gimp.org”)
“I don’t want to see you being taken advantage of by this organisation as they monetize your bandwidth and storage for their own gain. Sourceforge’s actions in this case are harmful to the reputation of open source software and to the integrity of its partners. It is my hope that you will raise this issue with Sourceforge directly and consider the removal of adware/spyware enabled files from your mirror.
“Thanks for your time,”
This began a long thread from users ready to jump into action and flood these sites with email, as well as an attempt by a representative from AARNet to quell the mob:
“Our Network Operations Centre have noted this issue and it will be discussed by our systems administrators and their managers during business hours. Sending further e-mails on this topic to [email protected]… is likely to be counter-productive (that is, it will become a discussion about limiting incoming spam, not about SourceForge’s distribution of undesirable software).”
This virtual mob action is wrongheaded, especially since not all of the facts here are yet known. All of the projects that use SourceForge are aware both of the DevShare program and of GIMP’s take on it. Let them decide whether to stick with the service or move elsewhere.