SourceForge Terms of Service Change, Users Unhappy
An email fluttering around a few mailing lists has been submitted in
various forms here today. It's about changes to the SourceForge
terms of service. Some relevant links include the old terms, new terms,
old privacy statement, new privacy statement and contact for
"questions or concerns"
(Patrick McGovern, Site Director). Obviously since SF is owned by the
same parent company as Slashdot, I'm biased and corrupt and you should
ignore my opinions on the subject, but while
I don't particularly like this any more than anyone else, I also
don't think it's the huge deal that others are making of it. Especially
considering projects aren't paying for the free service. You get
what you pay for after all.
I have attached a summary to this article of the changes that are
being called into question if you don't want to do a mental diff
on the links above.
This list was submitted by a few different users and was apparently originally posted to several mailing lists, although I don't know who actually originally wrote it. I just quote it here for reference.
- They can henceforth change the terms without notice, just by posting the new terms on the website. (Currently they are obliged to give 15 days notice by email, a period that we are currently in for this change.)
- They can henceforth remove user accounts without giving a reason. (Currently they are obliged to have a reason, though the set of acceptable reasons is open-ended.)
- They're no longer obliged to make the contents of a deleted account available to its owner. (There was previously a "reasonable effort" clause to that effect.)
- They're no longer obliged to provide notice of changes to the privacy policy, unless the changes are "substantive". (Currently they are obliged to provide notice of any change.)
- The privacy policy is acquiring a disclaimer that amounts to "this is not true". It actually disclaims the entire privacy policy.
If they disclaim the privacy policy, why do they bother having one at all?
You are all fartheads.
Sounds like they're trying to streamline the administration of the service so as to make it more attractive to a buyer... Wonder if they have any particular company in mind?
Anyone who's using Sourceforge to host their project, as I am, should be realistic about what they're getting and for how long they'll get it.
First of all, I love sourceforge. It gives me all of the things I want right out of the box and for free. User forums, bug tracking, SSH CVS, and so on.
However, it is free and I think we all know has a pretty slim chance of making money. With that in mind, no matter what their policies state there seems to be a pretty good chance of them just exploding one fine morning and taking a whole bunch of source down with them. Make backups, I should too.
Other than that, we can be a demanding lot so try to go easy on these guys, let's give them a chance to survive.
of getting Sourceforge to kill off old, inactive projects? Seriously, the tree needs a little trimming. One has to wade through so many unmaintained alpha releases when trying to find a specific thing that it's easier to do a search on Google these days.
SF is a great resource and all, but there needs to be some way to filter out the abandoned stuff.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
These new changes are the last straw, and now after thinking it over for a long time I'm finally going to have my SourceForge account cancelled, but the new terms aren't the real problem. The real reason I'm having my account cancelled is that SourceForge's TOS requires that I "indemnify" them for any trouble they get into as a result of my actions on their system.
In other words, if I do something that upsets a corporation with a legal department, and SourceForge gets sued, I have to pay their lawyer's bills.
Because of that clause, I can't do anything that is legally sensitive; and because free software is by definition revolutionary, I can't do anything real or important on SourceForge at all. I respect and admire the Freenet people, who are going ahead and hosting with SourceForge anyway, but I have no wish to emulate that display of courage. I don't blame SourceForge for having the indemnity clause in their TOS, but it means that their service isn't much use to me. The risks are just too great.
Incidentally, y'all have missed the most important new terms in today's revised TOS - the new DMCA compliance terms. Those, too, are perfectly understandable, and I can't blame SourceForge for having them. As a business operating in the U.S.A., SourceForge is legally obligated to have DMCA compliance procedures. But if I had any illusions left that SourceForge was part of the revolution, those illusions are gone now. SourceForge is now just another profit-making business, and I don't need, or have any particular reason to want, to do business with them. I'll be hosting my free software on amateur servers outside the U.S.A. (I'm outside the U.S.A. myself) where I can be assured of its continued freedom.
It would seem these types of "ad sponsored" services can only work if they perform "editorial" functions. Otherwise the "dark side" can just flood them with garbage, overloading them with junk and causing them to shut down in frustration. That's basically another form of DOS attack, it's more subtle though and even sounds like a "free speech issue". Look at the problems of "junk speech" showing up on slashdot to get the idea. It's obviously done to degrade the service and cause harm... In such cases I think a vigorous response is required.
...
Anyhow let them have the tools to do the job. Personally I think they ought to offer the service for a small fee, something like a web hosting service but tuned for the software distributor. I already keep a separate web space and could just as easily host at sourceforge. They should also have shopping cart service for shareware and for developers that do both freeware and commercial software. Finally a small fee based update subscription service would be great for people who don't have the time to track all the different projects. Something that auto-pulls stuff to your system but lets you control install/backup
After visiting linuxworld and drilling their sales reps we came to the conclusion that Sourceforge can't compete with free alternatives. (by 'we' I mean the software Co. I'm working for)
Bugzilla/bonsai/tinderbox provides a more complete solution. We were even able to modify the trio to deal with java, our many different build scripts (make is rather lacking for java), and our test automation.
What we found was that Sourceforge provided discussion groups which we got using exchange or INND, bug tracking which wasn't nearly as feature rich as bugzilla, and cvs integration which bonsai provided just as well. It was still lacking the automated builds, and by the time they got back to us after linuxworld we had already deployed the bugzilla solution (partly thanks to some nice debian packages put together by Remi Perrot).
One large drawback is that bonsai relies on glimpse as its fulltext indexer. Glimpse used to be free but since then has gone commercial. We were, however, able to find some old glimpse source (which may have been GPL or artistic license - perhaps we should redistribute the old code as GNUlimpse).
We have made our own tweaks to bugzilla/tinderbox/bonsai and contributed a few of them back to the mozilla developers (in the future probably all will be recycled into the public implementation).
I dug around the account maintenance page, but didn't see any way to delete my account.
I've been hedging my bets for a while on Sourceforge. I have a fairly popular project (over 1 million downloads) hosted there. This week I've averaged something like 5000 downloads/day at 10+MB each (which is why I have it on SF rather than on a server I pay for). I've been questioning how long this can last. There's no way SF can get enough revenue from my project to cover that kind of bandwidth usage. So, I wrote a simple PHP-based distributed mirror system (100% Buzzword Compliant(TM)) that lets people handle very small portions of the download traffic with daily bandwidth limits. I'm hoping to start shifting some of the burden off SF so that it isn't a single point of failure in distribution. Eventually the gravy train of massive free bandwidth is going to end.
The Glass is Too Big: My Take on Things
Anyone have comments about the maturity of Savannah? I know of several projects that have moved from SF to Savannah recently and wondered how comparable the two services are.
There is an alternative - configure everything yourself. It is not that bad. Maybe a week of work initially, and after that your setup would support unlimited number of projects.
Here is a case study from my own OpenSource project setup:
- qmail/ezmlm for mail server/mailing lists, hypermail for mail archives
- ssh/scp for secure file access/server administration
- cvs for code repository (including ssh and anonymous access)
- apache for the web server (with virtual host for every project)
Note, there is no bug tracking - this is a missing part of such setup. I was reluctant to use bugzilla, since it is CGI-based and therefore vulnerable to attacks
Also there is no FTP, since I hate to install a new patch every week (same is true for sendmail, therefore qmail is used) Files are uploaded via ssh/scp, downloads are done via HTTP
This proved to be an ideal setup. Simple, secure and extensible. Since it is a community project, user requested features (say, nightly builds) can be implemented on request pretty easy. A DSL connection and a static IP is all you need to host such a beast.
- Andrus
andrus a t objectstyle.org
http://objectstyle.org
You get what you pay for after all.
Did CmdrTaco, one of the helmsmen of the most popular Free/OS news sites in existence just mimic what Microsoft PR/FUD machine has been saying since Linux showed up on its threat radar?
Why isn't everyone kicking CmdrTaco's ASS?
m00.
Note that Savannah is moving away from the Sourceforge engine, due to, quote, "its unmaintainable nature" unquote. As someone who has hacked two different versions of the Sourceforge engine to the point of usability, I must agree with them about the basic unmaintainable nature of the Sourceforge source code. Talk about a mess!
Send mail here if you want to reach me.
AFAIK, there are no tools to pull the contents of the bug lists, patch lists, etc off the site. There probably never were.
So, here's what we need:
1. Tool to "web-scrape" the contents of the bug-list for a project.
2. Tool to "web-scrape" the contents of the patch-list for a project.
3. Tool to "web-scrape" the mailing list archive and member list for a project.
4. Tool to put together a mirrored CVS repo (a la CVSup, but it just needs to work in one shot).
5. Any other similar tools to above needed to reconstitute project state on a different host.
Putting an XML-RPC interface on these would allow them the most general use.
We've always needed them. This announcement doesn't really change anything, but it should bring the point home that we who admin projects are responsible for our own disaster recovery, just in case Lars Ulrich decides he owns that sample mp3 of your cat hacking up a hairball because it sounds just like Metallica.
And finally, just a common sense clarification, in case some people don't get it: don't put crypto on SF, because it'll probably get DMCA'd.
I'll start the project on sourceforge.net (of course). Volunteers welcome.
And I suppose it's not enough to state that you will protect copyrighted works. Today you have to state that you will uphold the DMCA, a rather controversial law, to show how faithful you are to copyright holders and wealthy corps.
It is? I'd argue that Taco and all the editors here are just replaceable figureheads.
Well, my offer is still open from the last sourceforge rounds.
If you want hosting, no ads, no hidden requirements, no surprises, let me know. The SOSDG is run by individuals, not by any company.
The Summit Open Source Development Group
Brielle
I think it's a bad idea to host a service like Sourceforge in a country which has laws like the DMCA.
And that's one of the problems with modern capitalism...in the odd case that you don't claim to know nothing and be irresponsible, you're inviting people to sue you. How many times have I heard in the same breath "X Co, Inc, is a huge, evil, corrupt institution with no care for its customers" and "let's sue them so we can have money?"
:)
I run a very small (read: profits are almost half my car payment) web hosting service under the flag of openness and freedom of content. I started it because I got upset that every single host I went with wanted to corral me into a year contract, tell me what I couldn't do or say and take credit and the ability to edit my personal thoughts and ideas. Originally, it was a co-op, and I began to take on extra users who wanted the same thing -- ownership of their work and a fair charge for the low bandwidth they were moving.
In the past three months we've grown a dozen times larger -- so big that I no longer know every site op by name. Now, I don't want to have to force the new people to sign a TOS or a EULA. I think that posting the rules on the frontpage should be good enough for everybody. But I'm afraid. We've had a couple users ask if they could serve porn, and when I said no a few signed up anyway. I trust them (and check my logs), but if I go away on vacation and one of them starts serving nude shots of Frankie Muniz, I'm the one who gets in trouble. I'm the one who's got his name on the tax forms, and I don't intend to incorporate the business.
So I'm stuck. I want to let users do their own thing, own their own shit, but I'm the one whose ass is on the line. If one site slips up, they all go down. Everybody loses their stuff and all the good I've tried to do, all the bright young folks I've formed relationships with are scrambling for a new host. Someday soon I'll need to call my lawyer (okay, I don't have a lawyer to call my own, I'll have to pick a name out of the phone book) and have him draw me up a plan for a TOS. It'll probably be pretty brutal. Legally, I'll have to claim responsibility or ownership over users and content so I'll have the ability to pull it if I have to. And I'll have to do the same stupid shit, bowing to C&Ds and dropping user info and so forth.
It won't make me as a host and as a person any more of an asshole. I won't trade email addresses for cigarettes or claim rights to rkm's work. But I'll look just as corporate and uncaring as the rest.
Just think about it, baby, before you hate the legalese. You can't avoid being screwed without screwing somebody on paper. At the end of the day, it all comes down to who you trust, and after these long years with Slashdot, OSDN and SourceForge, I guess I trust VA. I have to, they designed my new server!
Shameless plug: webslum.net. Say you read this post and I'll give you a free shell
Hey freaks: now you're ju
I'm sure I'm going to get modded down for criticizing Slashdot, but to hell with my karma....
Most Slashdot users don't post their exact email addresses on the pages. They put NOSPAM or REMOVETHIS in the middle of the address. It's a very intelligent thing to do - spammers have robots that harvest email addresses from web pages.
So what do we do when we get angry with someone? We post a hyperlink to their email address on the front page. No NOSPAM. No link to a page CONTAINING the email address. The email address right where it can first be Slashdotted, and then harvested by spammers.
What a disgrace.
Custer's Revenge: The greatest video
I think the main weakness of SourceForge is that it is hosted by a single entity. The tremendously valuable information hosted by freshmeat is a similar example. It does the FS/OS community no good to have the various project sources cached all over the place if we have no way to access information about the projects, including where they are, what they do, and so forth.
How can we surmount this problem? Maybe by making a set of standards (beyond the informal ones that exist now) for how to document what your software is and where to get it. This could be a variation on the old .lsm (linux software map) files. This could be submitted to multiple places on the web. Freshmeat might parse it into their database, while metalab might just throw it in the .osm directory. But at least there would be a way to track things down. Google would help a lot.
I am concerned that a lot of good code and good projects are left to die while other people re-invent that particular wheel. Since FS/OS is based on volunteer work, we can't really afford to throw it away or waste it. I hope other people who also have ideas about this will reply to this, and perhaps we can get together a mailing list or something to brainstorm about possible solutions to this problem.
They can henceforth change the terms without notice, just by posting the new terms on the website. (Currently they are obliged to give 15 days notice by email, a period that we are currently in for this change.)
This is the part that disgusts me about "Terms of Use". Basically, they could say anything they want, and you would be bound by it, before you can even read it!
So Tuesday, they can say they don't own the copyright in your programs, but Wednesday they can, and NOBODY WOULD KNOW until AFTER the terms went into effect.
Yes, they have the right to put pretty much anything in their terms, BUT they should have to make a reasonable effort to inform their users of any new terms.
Free markets work best when information is available about your choices. Saying "if you don't like it, go elsewhere" is silly if you don't know what it is exactly you just agreed to.
There should be a consumer protection law that says, you have 30 days before new terms go into effect, no matter what. Then you would know, just have your attorney or your web-page watcher script check the terms every 30 days. But now, they can change them twice a day, or just for 5 minutes every night, or whatever, and nobody knows.
Of course every company is completely honest and above-board and would never change their terms like that, would they??
Yeah, I'm that guy.