Many of you have undoubtedly heard of what happens to projects that SourceForge deems inactive: the installers get wrapped in a bundled adware installer. Popular projects like nmap, VLC, and the GIMP have found their packages subject to this hijacking lately. Although legally permissible (at least from a licensing standpoint), it’s ethically disturbing. SourceForge says this is a feature — an opportunity for projects to generate a little bit of revenue (assuming they opt in and aren’t hijacked), but it is antithetical to the philosophy of many projects.
Part of the problem is the the “Hotel California” nature of SourceForge. Projects can check out any time they like, but they can never leave. Once a project is hosted on SourceForge, it is reportedly near-impossible for the project to be removed, even if it moves active development to a different platform. On the one hand, this is beneficial to the community, since it ensures abandoned or closed packages will remain available for download. On the other hand, it allows for undesired insertion of adware and other antisocial activities.
SourceForge is clearly no longer a safe place for developers to host projects or for users to download software. That’s a shame, because SourceForge had a take on hosting that other sites seem to ignore. GitHub, BitBucket, and others are very focused on serving as platform for hosting code. They focus on the developer experience. GitHub’s simple interfaces for forking projects and submitting pull requests (whatever technical limitations they may have) have done a great deal for making source code readily accessible and encouraging open development.
SourceForge’s strength was that it provided an easy way for users to search for projects and to download compiled releases. The casual user almost certainly lacks the skills and desire to build packages from source (and many others who are capable certainly don’t want to). The misleading “Click here to Download!” ads aside, SourceForge made it easy for users to get an installer. GitHub has a “Releases” feature which attempts to do this, though it’s not clear that the feature is widely used (full disclosure: I have not used it as a developer or a consumer).
The looming death of SourceForge leaves a real gap in the accessibility of open source to the casual user. It also highlights the dangers of relying on a third-party hosting service (what’s to stop GitHub from doing something similar except the fear of irrelevance?). Self-hosting is not the easy answer it seems, though. Developers are not necessarily systems administrators and may not have the skill or the available resources to maintain their own hosting site, especially for trivial code or code that becomes widely popular. Hopefully SourceForge serves as an example of what not to do and an inspiration for someone to fill the gap better.