SourceForge Terms of Service Change, Users Unhappy
An email fluttering around a few mailing lists has been submitted in
various forms here today. It's about changes to the SourceForge
terms of service. Some relevant links include the old terms, new terms, old privacy statement, new privacy statement and contact for "questions or concerns" (Patrick McGovern, Site Director). Obviously since SF is owned by the
same parent company as Slashdot, I'm biased and corrupt and you should
ignore my opinions on the subject, but while
I don't particularly like this any more than anyone else, I also
don't think it's the huge deal that others are making of it. Especially
considering projects aren't paying for the free service. You get
what you pay for after all.
I have attached a summary to this article of the changes that are
being called into question if you don't want to do a mental diff
on the links above.
This list was submitted by a few different users and was apparently originally posted to several mailing lists, although I don't know who actually originally wrote it. I just quote it here for reference.
- They can henceforth change the terms without notice, just by posting the new terms on the website. (Currently they are obliged to give 15 days notice by email, a period that we are currently in for this change.)
- They can henceforth remove user accounts without giving a reason. (Currently they are obliged to have a reason, though the set of acceptable reasons is open-ended.)
- They're no longer obliged to make the contents of a deleted account available to its owner. (There was previously a "reasonable effort" clause to that effect.)
- They're no longer obliged to provide notice of changes to the privacy policy, unless the changes are "substantive". (Currently they are obliged to provide notice of any change.)
- The privacy policy is acquiring a disclaimer that amounts to "this is not true". It actually disclaims the entire privacy policy.
snip
NO GUARANTEES
While this Privacy Statement expresses SourceForge.net's standards for maintenance of private data, SourceForge.net is not in a position to guarantee that the standards will always be met. There may be factors beyond our control that may result in disclosure of data. As a consequence, SourceForge.net disclaims any warranties or representations relating to maintenance or nondisclosure of private information.
/snip
It's a bit questionable if you need a CVS somewhere else, a mailing list archive somewhere else, a patch archive somewhere else, project homepage somewhere else.. whether it's any use to have them at SourceForge at all.. too bad since it really is a great tool, even if sometimes really laggy.
This sure ain't good news for maintainers of small projects.. especially of projects of questionable usefulness..
Software should be free as in speech, but if we also get some free beer, all the better.
Having a useless "Privacy Policy" is a common tactic by commercial web sites to deceive users. It fools most users into thinking that there are protections on their data due to the fact that the policy exists, or if the user bothers to read it the goal is to make it worded such that the lack of protections is concealed.
You might want to check out the GNU Savannah project. It's based on the Sourceforge codebase, but it has a nice distributed architecture, so that the main site for your project is mirrored in a read-only format on other servers. It seems like a good solution to me.
While I don't really think sourceforge will be going down soon, Savannah is a good alternative. It is based on sourceforge source code, (it was GPL after all), and should have most facilities sourceforge users are used to. It is also guaranteed to stay Free.
I was thinking the same thing, but the OP has a point. Why not create a "Sourceforge attic" with an option to exclude the attic from searches? A project would go into the attic if it had less than a minimum number of downloads and/or changes for a period of 6 months.
The attic could be hosted on older, slower servers, or on a configuration that worked well under low demand. Or perhaps it could even be archived on CD or DVD and distributed to various mirrors.
Regardless of how it is maintained, old code is a valuable resource, even if it's just there to let people know about methods that have been tried and failed. How can we learn from mistakes if we can't *see* them?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
You can sync or backup via downloading daily cvs tree snapshot:
http://cvs.sourceforge.net/cvstarballs/your_project-cvsroot.tar.gz
This is true, and it's also the #1 reason why open source is having such a hard time gaining acceptance in many businesses.
How about this? Replace PROJECT with your project name:
(change into a suitable directory to put your CVS tarball in)
(change to where you want your working directory)
I think the GNU project is running something called Savannah which is basically sourceforge's engine running on their server. Yep: http://savannah.gnu.org/ Disclaimer: I really know nothing about the service save that it exists, RTFFinePrint. For all I know, there is an "All Your src Are Belong To Us" clause in the user agreement.
News for Geeks in Austin, TX
Hmmm...IANALY, but what this means is that Sourceforge.net will follow the law. It means that if someone posts copyrighted material without authorization, they will take down that material (as required by law of a common carrier).
Come play Heroes of Might and Magic Mini online.
SourceForge will eventually either need to charge money or will be spun off as a (soon to be bankrupt) spinoff business, leaving VA Software with just the various web sites. The web sites are probably (barely) profitable with the cost-cutting that has been done on them over the past year or so. SourceForge is not profitable, and never can be.
I currently have four projects hosted at SourceForge. I download the CVS web-ball every night in my crontab, and am investigating alternatives. At the moment it appears that any alternative will require developers to fork up money to help pay for the bandwidth. SourceForge itself has too many big (bandwidth) projects to make money even then, because if they charged what the bandwidth costs, most of those projects would end up hosted elsewhere shortly with companies who can hide the bandwidth costs in their accounting noise.
Does this mean that I wish SourceForge ill? Of course not. I just don't see how it can ever be profitable, and thus while I'll use it while it lasts, I'm not banking on it.
Send mail here if you want to reach me.
They could take your work and sell it under their own copyright.
Umm, no. You don't sign away your copyright when you host something on Sourceforge. In many cases you don't even have the authority to do so if you wanted to. Sourceforge has the right to do whatever they want with the copy of data on their server, they can delete it and they can delete your account, but they don't own the data you stored there.
But that's okay. "The sky is falling!" is catchier.
I use Savannah and it is a very slick service, well documented (as is Sourceforge), it's also nice to be able to cut time by being able to automatically apply to be a GNU project. The licensing issues are well dealt with (anything as long as it's FSF approved) and any questions that I have posted have been answered in hours.
With regards of compatibility there is an offer (when you sign up) to use your existing CVS's data on their systems. The only caveat was that they are far stricter with licensing. So if you use the Sourceforge CVS it should be easy (providing the licence is OK) to transfer to Savannah.
You also get a homepage at: http://www.freesoftware.fsf.org/yourprojectname
Which is adminned via RSYNC or CVS over SSH.
So almost identical to Sourceforge.
It doesn't seem to be as fast as Sourceforge, but this is opinion and I have no metric to support this.
e4 e5
Actually, kernel.org costs a lot more than that - the bandwidth alone, in real dollars would be about 250k per year.
Yeah, I'm that guy.
You, and the people who've posted similar comments in this article, are missing a key difference between getting the source code -- or even a fully-implemented in-house instance -- of Sourceforge or Slashdot and using, as a free service, an instance that is hosted, maintained, and paid for by someone else.
The "You get what you pay for" remark was clearly not intended as a reflection upon the value of free/open software, but as a statement that if you are availing yourself of a service that costs you nothing and which costs the provider of the service huge sums of money (surely tens of thousands of dollars per month), you should really keep the bitching to a minimum. Since this is something CmdrTaco deals with daily (trolls etc), I'm sure he knows how it feels firsthand.
Now I'm not completely innocent in this regard -- I think the Slashdot crew could, in general, show some more journalistic integrity, and speeling/gramar mistakes really irks me -- but basically the answer to every complaint can be summarized with "if you don't like it, don't use it" when it comes to situations like Slashdot or Sourceforge.
rooooar
The privacy clause is just a result of Oracle's stupid "uncrackable" promise, and the realisation that online companies can't possibly make such guarantees. They're saying they'll try their hardest to avoid disclosure of private info, but because it's online, there's always a chance it'll get abused. Not that big a deal IMO - if you post private info over the 'net you deserve what you get anyway.
I always say you shouldn't send anything over the 'net unencrypted that you wouldn't put on a postcard, and nothing encrypted that you wouldn't put in a standard letter. No matter what promises the intended recipient makes. Period.
Why is there only one Monopolies commission?
The change that I find most objectionable is the one I listed first: being able to change the terms without notice. It seems difficult for Sourceforge to actually legally enforce their terms - it's difficult to show that there's a contract between Sourceforge and the users, since they're providing a service for free. However, using a service that claims terms that one finds unacceptable is just asking for trouble. If they change the terms to say that they own your firstborn, it'll be difficult for them to actually enforce that, but you might have to go to court to argue it.
When I first registered on Sourceforge, I examined the T&Cs with some care. The provision for notice on changing the terms was to me absolutely essential, and I wouldn't have accepted the terms without it. Notice on changes is a necessary safety provision: it's not possible to limit what they might try to change the terms to, but a notice provision gives the guarantee that one will at least be able to get out before the new terms are applied, if they are unacceptable. In this case, the removal of the notice provision is unacceptable to me, so it's time to get out - fortunately we have notice, this time.
On the removal of the obligation to make the contents of deleted accounts available to their owners: this removes a lot of Sourceforge's utility as a hosting site, because it means they can entirely deny access to the data being hosted, with no notice. Even if one backs everything up, one still loses the most recent changes. One can't rely on a hosting site that might destroy data, just as one wouldn't use a disk that periodically mangled a track.
Some people gave reasons why Sourceforge might not be able to give people the contents of their deleted accounts (e.g., legal problems). This is true, but not the reason for this change. The old terms already had an escape clause for that kind of thing. The only effect of this change is that Sourceforge can now destroy data without justification.
Deleting accounts without reason: similarly, they always had wide discretion in deleting an account for any justifiable reason. The change is that now "our e$teemed leader doesn't like you" is considered sufficient justification.
The change to notice for changes to the privacy policy is quite curious. They retain the term that guarantees notice - unlike the change to the TOS' notice clause - but it's restricted to "substantive" changes. This isn't a problem if implemented as stated, but there is a problem in interpretation. It gives them room to weasel in changes without notice, under the guise of "editorial corrections". Frankly I don't see any advantage in them being able to make even genuinely insubstantive changes without notice - the notice in question is just a matter of emailing their users, we're not talking about airmail postage.
And the disclaimer. After reading through a lengthy and mostly-identical privacy policy, it was quite a shock to find a new paragraph that undoes everything that goes before. The new paragraph says, in part, "SourceForge.net disclaims any warranties or representations relating to maintenance or nondisclosure of private information.". "warranties or representations", of course, describes the privacy policy. What are we left with? A null privacy policy - 10kB of text that in the end says "this page doesn't mean anything at all, and nor does anything else we might have accidentally said".
Again, people have pointed out that there are circumstances, such as legal action, where they can't follow the privacy policy they'd like to. But again, the old version already had escape clauses for that. The change in the new version is that they can now violate your privacy for reasons like "MS offered us money".
With each of these changes, there's room for them to argue why there are occasions where such a term is necessary, and how they would obviously only use their new powers in good ways. But if they really intended that, they could write the legalese to say so. The only conceivable reason for these changes is that they intend to use them for nefarious purposes.
Finally, there's one other aspect of this that's got me concerned, and no one has mentioned it so far. The email message in which Sourceforge is informing everyone of the new terms actually purports to describe the changes:
There is a similar statement regarding the privacy policy. I find it very worrying that there is no mention at all of such things as the changes to the notice provisions. I find it very worrying that it says "the most critical components of our previous Privacy Statement remain in effect" when the new version actually removes the effect of every component. Some might even call it a lie. I leave it to you to make up your own mind on that point.
Hotmail. After avoiding them for ages, I created an account in order to scope Passport.
The "Greet-King" spam I received within a week of creating a hotmail account that I never used resulted in a lengthy bout of mails to their abuse department and to "TrustE" (the supposed industry "watchdog" which is actually just a shill to prevent guvmnt action).
Despite MS assurances that my information would not be shared, their insistence remained that Greet-King got my name and email address from me, when it was not at all possible. Despite the statement that "Hotmail will not sell, lease or rent its member lists with any third parties," they refuse to accept any statement on the user's part that the email address and my name were not shared anywhere.
Hence, a "useless" privacy policy. And a deception -- even if it was just a renegade MS employee that pilfered some user names, MS is uninterested in knowing about it. Carelessness that is not, I believe, an uncommon phenomenon.
I survived the Dick Cheney Presidency 7 to 9 AM 7-21-07