Reposting what I wrote on the Reddit thread:<p>I'm one of the lead devs of LXQt and an LXDE sysadmin. We use SourceForge for our mailing lists and some LXDE legacy stuff.<p>I'm absolutely sick of them. It's not the first time this has happened. I've been pushing for us to move off SF for a while and this is a good occasion to push for it harder.<p>I've sent an email [1] detailing plans to move. I am urging everyone who still has projects on SourceForge to do the same.<p>If you have similar migration problems to solve as the ones I've highlighted in the email, please contact me directly and we can share the workload. My email is available on my GitHub profile [2].<p>[1] <a href="http://sourceforge.net/p/lxde/mailman/message/34148903/" rel="nofollow">http://sourceforge.net/p/lxde/mailman/message/34148903/</a>
[2] <a href="https://github.com/jleclanche" rel="nofollow">https://github.com/jleclanche</a>
This is precisely for these reasons we stopped distributing VLC via SF.net in 2013. I even wrote about it:
<a href="https://blog.l0cal.com/2013/05/02/rethinking-vlc-mirrors-infrastructure/" rel="nofollow">https://blog.l0cal.com/2013/05/02/rethinking-vlc-mirrors-inf...</a>
Our VLC account has been taken too by sf-editor-1.<p>Fortunately, we moved to our mirror infrastructure quite some time ago, and it's faster and way better.<p>Btw, if any other open source project needs help to distribute their binaries (because of the size), please contact me.<p>PS-EDIT: signing the installer was a good idea, I guess :)
What are the reasons for people to use SourceForge today? Why hasn't everyone else (<i>especially</i> major projects like GIMP and Audacity) moved off?<p>Here are some possibilities I can think of, but I'm curious if they're correct:<p>- Mailing list hosting<p>- Non-git repository hosting, for projects that prefer CVS or SVN<p>- Shell account (though it doesn't seem very useful)<p>- Features GitHub has but few others do (binary hosting, website hosting, etc.) and the project wants to avoid GitHub<p>Are there others?
SourceForge made a blog post about the GIMP project here:
<a href="http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/" rel="nofollow">http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-...</a><p>It appears they switched the GIMP project on SF back to directly downloading the standard GIMP installer, at least that's what I see right now in Firefox at 3:30pm NYC time.
As noted in other comments, the GIMP installer on <a href="http://sourceforge.net/projects/gimp-win/files/" rel="nofollow">http://sourceforge.net/projects/gimp-win/files/</a> is now bit-for-bit identical to the one on <a href="http://download.gimp.org/pub/gimp/v2.8/windows/" rel="nofollow">http://download.gimp.org/pub/gimp/v2.8/windows/</a> (let's call this one official).<p>Does anybody have a copy of the "value added" installer?<p>How did it work? Was it a wrapper which contained a copy of the official installer? Did it have the same filename? Was there some identifier in the URL? A cookie?<p>In other words, can we programmatically identify other hijacked projects?
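One way to run the check the comment above asks about, as an added example that is not part of the original thread: it compares a download against the project's own release file and reports whether the two are bit-for-bit identical or whether the download contains the official installer inside a larger file. That a wrapper would embed the official installer unmodified is an assumption (the thread does not establish how the modified installer worked); the function names and sample bytes are constructed for illustration.

```python
import hashlib
import mmap
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def classify(official_path, mirror_path):
    """Return "identical", "wraps-official" or "different" for a mirror copy."""
    official_size = Path(official_path).stat().st_size
    mirror_size = Path(mirror_path).stat().st_size
    if official_size == mirror_size:
        same = sha256_file(official_path) == sha256_file(mirror_path)
        return "identical" if same else "different"
    if 0 < official_size < mirror_size:
        # Assumption: a wrapper carries the official installer uncompressed.
        official = Path(official_path).read_bytes()
        with open(mirror_path, "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            if m.find(official) != -1:
                return "wraps-official"
    return "different"

def demo():
    # Constructed stand-in bytes, not a real installer.
    official = b"MZ" + bytes(range(256)) * 8
    samples = {
        "same.exe": official,
        "wrapped.exe": b"STUB" * 16 + official + b"EXTRA-PAYLOAD",
        "other.exe": official[:-1] + b"\x00",
    }
    with tempfile.TemporaryDirectory() as d:
        ref = Path(d, "official.exe")
        ref.write_bytes(official)
        results = {}
        for name, data in samples.items():
            path = Path(d, name)
            path.write_bytes(data)
            results[name] = classify(ref, path)
    return results

if __name__ == "__main__":
    print(demo())
```

A "different" result only says the file is neither identical to nor a container of the reference; a signature check against the publisher's key, as mentioned for VLC above, is the stronger test.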
Is there anything suggesting it's SourceForge itself doing this and not just an (improbably widespread, admittedly) set of account breaches? It makes sense -- acquire accounts, enable ads, profit.
The number of people casually suggesting GitHub for large binaries on HN is incredible and funny. They should try downloading something from GitHub in Asia and they'll learn why local mirrors are useful.
I think this pretty much explains why this happened, a quote from their parent company here: "2005 - IN AUGUST, WE ARE ACQUIRED BY DICE HOLDINGS, INC., WHICH IS OWNED EQUALLY BY GENERAL ATLANTIC LLC AND QUADRANGLE LLC, PRIVATE EQUITY FIRMS IN NEW YORK CITY." via: <a href="http://www.dhigroupinc.com/our-company/default.aspx" rel="nofollow">http://www.dhigroupinc.com/our-company/default.aspx</a>
Any other projects affected? Would be nice to start a list of all affected projects. This could also be a case of a targeted attack on the GIMP account.
In this age of GitHub being huge, and GitLab being the purely open-source choice, this can't really end well for SF.<p>They really really need to up their game if they want to stay relevant. Most of the stuff I find pointing me to SF these days is usually abandoned (GIMP and Pidgin are probably notable exceptions).
I'll still never understand why people don't move off of SourceForge; GitHub and Bitbucket (among others) are almost feature complete, and for the things that they're missing (mailing lists) there are plenty of free alternatives out there that are fairly easy to port.
More details:
<a href="http://libregraphicsworld.org/blog/entry/anatomy-of-sourceforge-gimp-controversy" rel="nofollow">http://libregraphicsworld.org/blog/entry/anatomy-of-sourcefo...</a>