FSF Migrating From Savannah to Gforge

bluestrain writes "It's been almost 4 months since Savannah was hacked. The site is still not completely functional, no new projects have been accepted since December 2003. Now it seems that the FSF is abandoning Savannah in favor of Gforge. RMS himself has confirmed the plans. A few developers are questioning the change. Hopefully the dust will settle and savannah can start accepting projects again."

There are some pretty big sites running GForge...

[tcopeland]

...already. Savannah moving over is certainly a big one, though.

Stuff like this is why we're continuing to optimize GForge's SQL...

good news!

[larry+bagina]

No offense to the OSDN/Slashdot guys, but sourceforge has started to suck dick lately. Constant downtime, searches that don't work, CVS running a week late, and now PBS-style appeals for money on the front page.

If you just need a good (and free) public CVS server, what other options are there besides sf and gforge?

Re:good news!

[Queuetue]

Lately? I groan every time I see a project is hosted at sf - it means 20-minute mailing list searches, regular downtime, and the whole download-roulette game where you try to deal with the klunky interface and find a not-completely-dead mirror.

Re:good news!

[FreeLinux]

but sourceforge has started to suck dick lately.

I hadn't heard about this new feature. It could be rather interesting. But SourceForge has been having too many problems for too long. It seems as though no one is maintaining it, they simply disable a feature when it breaks. Additionally, I have always been concerned about having so many projects and information sites in a single OSDN basket. One never knows what the future holds for OSDN.

Re:good news!

[daishin]

Well, why dont you invest lots of money like SourceForge into servers and making it as good as it can be, I mean being over-loaded with people such as you who then complain that its starting to suck, well ofcourse it is and if its a problem you should help those good people out and donate resources to them.

Re:good news!

[chadm1967]

Absolutely!

If you don't like the way things are running, currently, then donate time or money to help make it better. Just stop complaining!

Re:good news!

[sashako]

Here is a good comparison of them all.
Gna is missing though. I am hosting my own project there, it is located in France than I like because I am in Europe too.
Overall, I think it is a better idea to have a bunch of public host places for open source project than having [almost] averybody hosting on sf and savannah.

Re:good news!

[kokamomi]

Berlios is one alternative.

"The goal of BerliOS is to provide support for different interest groups in the area of Open Source Software (OSS). Our aim is to fulfil a neutral mediator function. The target groups of BerliOS are on one hand the developers and users of Open Source Software and on the other hand commercial manufacturers of OSS operating systems and applications as well as support companies."

Re:good news!

[sbrown123]

and now PBS-style appeals for money on the front page.


God Im gonna get flamed for this.

Anyways, maybe its not such a bad idea if Sourceforge required paid membership (like $50 a year) for file and cvs access. Seriously, I'd pay if the moneys right for better service and quicker file and cvs access.

Re:good news!

[psyberjedi]

Who do you expect to provide the "free" hardware, "free" support, "free" bandwidth, etc...

This stuff is not cheap. SF may not be all we want it to be, but we do the entire community a disservice by flaming the hard work of a number of our members.

while saying you flamed them may be harsh, it is how it appears to someone who is already against OSS or someone on the fence.

Re:good news!

[chadm1967]

I agree. I have no problem paying for something like this. Maybe different levels of subscription services?

Re:good news!

[0x0d0a]

I wouldn't work on an Open Source project that required me to pay to work on it. It's just not reasonable.

I can understand them providing additional services, like POP3 email access @sourceforge rather than just email forwarding, or something like that, for money. However, if SF tries doing something like this, they are, simply and plainly, going to go away.

Re:good news!

[Halfbaked+Plan]

I think it would be a good thing for the to start charging.

Mainly because I get very nervous whenever I notice that another good independent project has been sucked into the SourceForge borg.

Why is it seen as a good thing that all the independent projects are becoming dependent on a big entity for their hostspace? All it would take is for VA Linux, or whatever it's called now, to become even more shaky than it always is, and all that work goes down in a big noisy way.

Development should be decentralized. Codebases shouldn't all be hosted out of a single 'hive.'

Re:good news!

[scrytch]

> sourceforge has started to suck dick lately

That's what I call a feature.

thankya, I'll be here all week.

Re:good news!

but sourceforge has started to suck dick lately.

Ahhhhhhhhhh! So THAT's why it's been popular amongst Slashdot geeks. I can see how this can be its single most popular feature.

Geez, who'd of thunk; web site that provides free services that professionals of world's oldest profession charge big money for!

Re:good news!

[tcopeland]

> it means 20-minute mailing list searches,

Although SourceForge will be much faster now that PlayFair has moved to Sarovar :-)

No, but seriously, folks. If the top 10 projects moved off of SourceForge, I bet that'd eliminate 75% of the load. eMule alone gets downloaded a quarter-million times a day...

Re:good news!

[sjames]

and all that work goes down in a big noisy way.

I would imagine that someone might have a current copy of a Free software project's source handy.

There aren't all that many servers out there offering free space in CVS for projects. At least being a cvs server, you don't have to give up any rights to use it.

Open Source/Free Software

[0x0d0a]

I consider SourceForge to be representative of Open Source Software, and Savannah to be representative of Free Software.

It's amazing how accurately they seem to portray their respective ideologies.

Re:Open Source/Free Software

what do you mean? can you elaborate?

Re:Open Source/Free Software

No, he can't elaborate. Karma whoring is a precise art.

Re:Open Source/Free Software

[Phillip2]

As sourceforge is not, to my knowledge, open source
I am unclear how it is representative of open source.

It's not free software either.

This is one of the reasons that Tim Perdue created gforge incidentally.

Phil

Re:Open Source/Free Software

[Smitty825]

IIRC, back in the day (during the boom), SourceForge was released under the GPL. After the bust, they changed the license of the SF software to proprietary, and tried to sell it to the highest bidder.

I think that Savannah was forked from the GPL-based Sourceforge...

Cute

[dorward]

Oooh! GForge looks cute.

(Although I suggest that people using it make that decision based on a more technical analysis)

Ok, lets get this out of the way

[SuperBanana]

"Shouldn't that be GNU/Forge?"

"I for one welcome our Gnu project management overlords"

"In Soviet Russia, projects manage gnu!"

Re:Ok, lets get this out of the way

[endeitzslash]

You forgot:

"They should have said 'cracked' instead of 'hacked'."

Re:Ok, lets get this out of the way

[Adriax]

And:

"Imagine a Beowulf cluster of these projects!"

I can understand that.

[ideatrack]

This is probably uneducated on the matter, but I can understand why they want to move.

Frankly 4 months is way too long for the site to be "not completely functional" and it can't help but make you doubt the quality of the administration of the site if there weren't sufficient provisions in place for this eventuality. Any website is a target so any webadmin should have a plan in place.

When there are seemingly more secure options out there, more reliable anyway, then you'd go with them. Being faithful is one thing, but you can only do that for so long.

Re:I can understand that.

[chasm!killer]

I would agree with the fact that:

• Frankly 4 months is way too long for the site to be "not completely functional" and it can't help but make you doubt the quality of the administration of the site if there weren't sufficient provisions in place for this eventuality. Any website is a target so any webadmin should have a plan in place.

But from the discussions on savannah-hackers (?) and here, I would conclude that the administrators were the ones responsible for the the delay in bringing the site back up. They are also responsible for the switch to Gforge.

Do we have any reason to expect that the new system is necessarily any more reliable or secure than the original one?

But finally, I'm most disappointed in that there seems to be nothing like the NTSB investigations to identify why the problem remained unknown for so long. For example, could checkins and backups be improved to minimize or even eliminate the problem in the future, since it is unlikely that even Gfourge is perfectly secure? Perhaps the analysis is just not public, however.

RMSs history on security

[Rapid+Home+Offer]

For Stallman, the opposition to security was both ethical and practical. On the ethical side, Stallman pointed out that the entire art of hacking relied on intellectual openness and trust. On the practical side, he pointed to the internal structure of ITS being built to foster this spirit of openness, and any attempt to reverse that design required a major overhaul. -- Free as in Freedom

The decision to move to GForge was made by Bradley Kuhn and the system adminitrators, according to Richard Stallman. They considered Savane could not be made secure enough. -- Sylvain Beucler, 2004

Seems like Stallman has lost sight of his roots!

Re:RMSs history on security

[winkydink]

Seems like Stallman has lost sight of his roots!

or he's starting to show signs of being realistic.

Re:RMSs history on security

or he's starting to show signs of being realistic.

Not very likely. I got nothing but mad respect for f/oss but really rms has a utopian idealist view of the way things should be, most of the time that view is incompatible with the real world.

Re:RMSs history on security

[JamesKPolk]

Did you read the words you quoted? "The decision.. was made by Bradely Kuhn and the system administrators."

What do Stallman's roots have to do with it? Do you expect him to wield supreme veto power over anything done by anyone at the FSF?

Re:RMSs history on security

Do you expect him to wield supreme veto power over anything done by anyone at the FSF?

yes

Re:RMSs history on security

[Sunnan]

or he's starting to show signs of being realistic.

Yes. This is an increasing problem in our community - witness the GFDL debate. The RMS of old was wildly - some would say blindly - utopian. "No passwords", "Everyone can learn how to program", "It's possible to write a free operating system including compiler tools and editor".

We owe a lot of the results we've seen to that lovely, crazy optimism.

Sometimes you're wrong, of course, and get bitten - but sometimes you are very right. The success of the free software movement is testament to this.

Does this mean…

...you will have keyword index searching of all source? Will 1 gig be enough for a repository size? Could this be the largest size implementation of source control using an email service?

Subversion support?

[jared_hanson]

Anyone know if they can get subversion support in their as long as they are going through the effort to switch? I'd really like to see a free OSS hosting solution using all the latest and greatest tools. That and I'm not to sure about trusting the future of SourceForge, given VA's seemingly complete retraction from the open source community.

Re:Subversion support?

Getting support in their what?

Re:Subversion support?

[Electrawn]

I don't think Subversion has taking the beating CVS has at Sourceforge and Savanah. If they offered CVS and Subversion concurrently, that would be great, but with the penetration of subversion clients in IDEs and the like, I'd like to see CVS stick around a bit.

Sourceforge is now a commercial product with commercial bugs. A perfect case study of what not to do with OSS code. No significant alternatives have appeared to challenge SourceForge other than Savannah. Considering the bandwidth costs I doubt any others will step up.

-Electrawn

-Electrawn

Re:Subversion support?

[monac]

Somebody was working on gforge supporting subversion through webdav. His project name was Dforge or something. Can't check it atm. Gforge site seems slashdotted and down now. I remember he made a working alpha or beta version of Dforge when i checked a few days ago.

Subversion is so convenient and I also switched to subversion recently. Supporting subversion or Webdav may have many potential advantages in its flexible architecture. I hope webdav be integrated into Gforge into its next mainstream version.

Re:Subversion support?

[tcopeland]

> His project name was Dforge or something

Yup, it's DForge; Sung Kim is working on it. You can read his post about it here.

Re:Subversion support?

[YoJ]

DForge is up-and-running for UCSC students and faculty. Take a look. I've used it a little, and it has worked great so far.

Another cool thing is that every project has a wiki set up for it. I think wikis are a great way to record FAQs and such for evolving projects.

Sung rocks!

Gforge is very specialized.

[Electrawn]

Gforge may be great for high traffic sites like Savanaah, but for low traffic 1-10 project sites I use Xoops+MyXoopsForge or Novell Forge. I think Savanahh made a good choice here, but they are stuck once they port. Novell Forge is the other choice.

GForge uses some highly optimized transaction stuff and database functions inside postgres that probably should be in the PHP layer.

Reminds me to port MyXoopsForge to postnuke to take advantage of ADODB! Compatibility or speed?

-Electrawn

Re:Gforge is very specialized.

[LWATCDR]

Why have the transactions in the PHP layer? Lots of databases now support transactions including MySQL.

Re:Gforge is very specialized.

[leperkuhn]

I think he was referring to the functions in the database. The only reason to have them in PHP is for portability.

Re:Gforge is very specialized.

[Electrawn]

Why have the transactions in the PHP layer?

Compatibility vs. Speed. I don't like the fact Gforge is highly optimized for Postgres only. And in the Faq that they refuse to accept MySql patches. Thats pretty arrogant, but it's their project.

I like abstraction layers like ADODB or php PEAR. Either allows you to migrate from say MySql to Oracle or Postgres to DB2 with 1 or 2 PHP code chages. Moving the data is a different story, but it can be done.

-Electrawn

Re:Gforge is very specialized.

You should be made at Slashcode for only supporting MySQL also.

Re:Gforge is very specialized.

[tcopeland]

> And in the Faq that they refuse
> to accept MySql patches

It's not that simple. It'd be a fair bit of work to port GForge to MySQL, and for what gain? PostgreSQL is fast, stable, and open source. And targeting PostgreSQL means we can write stored procedures to make hotspots faster.

I agree that abstraction layers are good, though - we've chatted on the forums a bit about the pros and cons of refactoring towards PEAR.

Re:Gforge is very specialized.

[Electrawn]

Wouldn't be to MySQL per-se, would be more porting to an abstraction layer like PEAR or ADODB (ADODB fan myself for speed).

The ability to support MySQL or Sqllite or whatever would just be an side benefit of the abstraction layer, the real benefit is now you can hook into oracle or IBM dbs.

Just have to give up those in the DB functions.

-Electrawn

Re:Gforge is very specialized.

[tcopeland]

> the real benefit is now you can
> hook into oracle

Yup, true.

> Just have to give up those in the DB functions.

And really, there aren't that many of them, so it might not be a big deal.

I guess it just hasn't been an itch anyone wanted to scratch yet... we're pretty happy with PostgreSQL...

RMS in hospital?

[slipgun]

I don't have time to discuss this further. I am in the hospital and falling behind on my other work.

He's in hospital? Nothing serious, I hope.

Re:RMS in hospital?

He's got FLU/Linux

Re:RMS in hospital?

[daishin]

RMS Medical Surgery? K..it was funny when I first thought of it

Re:RMS in hospital?

[Original+AIDS+Monkey]

Every few months, the cops come get him and force him to take a sponge bath, it's not big deal.

Re:RMS in hospital?

[JLyle]

He's in hospital? Nothing serious, I hope.

Umm, why is this comment modded as "+3, Funny"?

Re:RMS in hospital?

Because everyone wants him dead?

Re:RMS in hospital?

thats really funny

Re:RMS in hospital?

He is suffering from "Open Sores".

Re:RMS in hospital?

[JLyle]

Because everyone wants him dead?

I had a bad feeling that this was the reason. ;)

Re:RMS in hospital?

[bXTr]

I guess the GPL really *is* viral in nature. :)

Re:RMS in hospital?

Aparently he had a broken arm last October (Inqurier article too). Related problem? He's only 51. There's no mention of any other event on his personal homepage.

Re:RMS in hospital?

[iamacat]

Why are you assuming it's necesserily a physical illness?

Re:RMS in hospital?

[Bombcar]

No!no!NO!

It's GNU/FLU

Re:RMS in hospital?

Haha, I lolled all the way to the reply button.

Re:RMS in hospital?

[vesik]

You mean, GNU/Flu?

Richard Stallman in hospital

Let everyone hope that Richard Stallman gets well soon.

Re:Richard Stallman in hospital

I once watched a video of him making a speech and his arm was in a cast or splint at the time it was recorded.

His biography mentions at least one ankle injury.

I get the impression he isn't a very careful man.

Re:Richard Stallman in hospital

linky biography

Re:Richard Stallman in hospital

[Paul+Fernhout]

I hope he gets well soon too. He's a remarkable person who has made a great contribution to society (whether one agrees with all his philosophy or not).

Re:Richard Stallman in hospital

[CrankyFool]

I just heard some sad news on talk radio - Free Software guru Richard Stallman was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to F/OSS. Truly an American icon.

Re:Open Source at its finest

[October_30th]

Hacked in Dec 2003, 4 months later its still isn't working.

Dammit!

You beat me to it.

Stallman's in the hospital?

[paroneayea]

His post says that he is in the hospital. What happened to him?

Why You Should Avoid SourceForge....In A Nutshell.

Considering everyone's favorite company in the world, VA Software, is pimping SourceForge as a tool to help companies outsource their workers to India..I'm glad the FSF is going with something _other_ than SourceForge, frankly.

Having your project on SourceForge gives VA's salesmen something to point to, and say "See? Look how flexible it is! Look how many people are using it!"

VA is pimping SourceForge as tool for outsourcing.

Go look for yourself. VA is pimping SourceForge off as a tool to help companies ship jobs overseas. They don't even hide the fact.

Have a look for yourself: VA Software

Re:Open Source at its finest

[realdpk]

I do think that is rather disconcerting. Rather than fix the problem, the solution was to "upgrade" or "install other software".

Sorta like how Windows users are "trained" to handle their problems - either live with them or buy more software.

Re:Open Source at its finest

Windows: Years in the making, hacked every day, still not working.

For Benefit of Lazy Bastards...

[4of12]

Would someone enlighten me to the main differences between Savannah, GForge and SourceForge?

[IIRC, SourceForge is written in PHP. I've never been comfortable with how customizable and interoperable the whole PHP package is...]

Re:For Benefit of Lazy Bastards...

[Electrawn]

Sourceforge, also code named Alexandria. Original concept of a public development and collaboration for Open Source Projects. Last code base available was about 2000 before VA took the project Closed source for commercial purposes.

Savannah: Fork of Alexandria code for GNU projects. I evaluated it but it was too kludgy to understand.

GForge: Fork of Alexandria code by former Sourceforge developer. Rips out foundries and is for optimized PHP and Postgresql and Apache. Patches for Oracle in beta, refuses mysql patches.

Novell Forge: Fork of XoopsForge that uses LDAP and Novell directory server. Needs Xoops 2.0 to run.

XoopsForge: Fork of Alexandria that runs as a module in Xoops. Not much Dev activity, most dev in Novell Forge.

MyXoopsForge: Fork of XoopsForge that has some active development. Used for forge.xoops.org

The only thing that may compete in the same space that is somewhat similar is PHPGroupWare.

-Electrawn

Re:For Benefit of Lazy Bastards...

[Dark+Lord+Seth]

GForge: Fork of Alexandria code by former Sourceforge developer. Rips out foundries and is for optimized PHP and Postgresql and Apache. Patches for Oracle in beta, refuses mysql patches.

Why? No seriously, I wouldn't support a project once I encounter this kind of attitude. People often go "Well, it's their project so they have the final say about it.", which is bullshit. If you're going to start your own OS project and be a complete jackass to people who use it, ( In short, your developers, bugtesters, QA people, support staff AND users all in one. ) then DO NOT START A DAMNED OS PROJECT. Look what's happening to Xfree86 for example; they went anal about licensing and voila, the OS community gave them the collective middle finger and it's highly likely that in a few years time Xfree86 wil be nothing more then an interesting little footnote in computing history. Remember people, don't just open your source, alos open your mind. And for the love of Eris, get rid of that crap "No matter how fucked up/lacking things are, my will be done. Infidel." attitude.

On a slightly different note, doesn't this whole idea about SF, one of the flagships of the OS community, is actually closed source and used to promote offshore outsourcing seem painfully ironic? Especially when one considers Slashdot is actually part of VA Software? Don't you subscribers love to know that your hard-earned money might one day be used to A) buy these people a penis extension on four wheels with an engine and B) fire this guy and replace him with Deeptendu Chakrapani from Bangladesh? At least the spelling will improve, though...

Re:For Benefit of Lazy Bastards...

[EnglishTim]

To be honest this may be to do with the feature set that oracle and postgres have as compared to mysql. Sure, it may be possible to get it to work with mysql currently, but it may be either very clunky or may not work well with future planned features.

In other words, there may be very good technical reasons for not supporting mysql.

Also, if they accept mysql patches now, how are users who want to use mysql in the future feel if mysql support is dropped later? If someone wants a mysql version they should set up a tracking fork themselves.

Should the maintainers of a OS project be behooved to accept all submitted patches, regardless of whether they fit their vision for the project? Of course not.

Re:For Benefit of Lazy Bastards...

[Electrawn]

Why? No seriously, I wouldn't support a project once I encounter this kind of attitude. People often go "Well, it's their project so they have the final say about it.", which is bullshit. If you're going to start your own OS project and be a complete jackass to people who use it, ( In short, your developers, bugtesters, QA people, support staff AND users all in one. ) then DO NOT START A DAMNED OS PROJECT. Look what's happening to Xfree86 for example; they went anal about licensing and voila, the OS community gave them the collective middle finger and it's highly likely that in a few years time Xfree86 wil be nothing more then an interesting little footnote in computing history. Remember people, don't just open your source, alos open your mind. And for the love of Eris, get rid of that crap "No matter how fucked up/lacking things are, my will be done. Infidel." attitude.

OSS Developers have one big tool in their arsenal on this matter that you don't get with commercial code: The Free Fork. If you think the developer is a twit, fork! Best example is php-nuke to post-nuke. There becomes a certain point in an OSS project where suddenly its gone from your little side thing to a Corporate ready Mission Critical machine. Mosy folks don't have the business sense to coordinate at that level.

It basically comes down to a business/OSS project ignoring the needs of Customers/Users. Customers/Users will look for alternatives and if no better ones are found, they will stick with the crap they have.

On a slightly different note, doesn't this whole idea about SF, one of the flagships of the OS community, is actually closed source and used to promote offshore outsourcing seem painfully ironic? Especially when one considers Slashdot is actually part of VA Software? Don't you subscribers love to know that your hard-earned money might one day be used to A) buy these people a penis extension on four wheels with an engine and B) fire this guy and replace him with Deeptendu Chakrapani from Bangladesh? At least the spelling will improve, though...

As much as despise outsourcing, offshoring or whatever crap word it is today, I don't think the villan here is VA Software. For some markets, outsourcing is a good thing. Google for example is opening new think tanks in Switzerland and India. Those new tanks will help Google increase international business, add some new features that will trickle back to US Google and won't cost American jobs.

The real demons are the companies who provide services/products in America that are gutting American jobs in favor of Indians, Pakistanis and whatever. If everyone does it, suddenly there is no one left who can afford your product! OOPS!

If considered entering the market as a retailer touting american loyalty and preference. Choice: A) Store where the prices were slightly higher but had a decent staff and corporate ethics.
B) Wallymart the model of corporate efficency.

(A is socialist, B is capitalist). Capitalist will win in America because socialism isn't rampant in corporate society. (Needs to be.)

VA software provides a product that lets people from anywhere and everywhere communicate to develop software. Yes they are promoting it to companies as such but they weren't the first and won't be the last. Bankrupting/Boycotting VA will cause more harm then good in the long term because of what SF provides.

The solution is political efforts need to be made to stop outsourcing at the Federal level. This will require a swing to the left towards socialist views in government.

Demon companies by Lou Dobbs of CNN Moneyline: http://www.cnn.com/CNN/Programs/lou.dobbs.tonight/ popups/exporting.america/content.html

Not surprisingly though, VA software is on that list.

Since this is a long, important post, I'll release this under Creative Commons license.

Mountain? Mole-hill?

[mellon]

It sounds like a total of two people are questioning this decision, which is a small number given how many people use savannah. I have rarely seen a controversy about GNU end so quickly - there were a total of about ten messages in the thread. There is always someone for whom any change is a big tragedy.

As to losing track of roots, maybe RMS is getting a little bit more pragmatic in his old age. It's all very well and good to say "we should do X" when you have the resources to do X, but if you don't have the resources to do X, then saying "we should do X" is just stupid.

Acute case...

-delusions of grandeur.
-dementia.
-old codgers disease.
-BO.

The doctor, a specialist in indegent care, said it is the worst he had ever seen.

gforge slashdotted?

[paroneayea]

Is it just me, or is gforge.org already slashdotted? gforge might be more secure, but what about stability?

Re:gforge slashdotted?

[jared_hanson]

GForge doesn't actually host projects (besides its own). It is simply a software package used to maintain and coordinate development efforts. If/when the FSF switches to GForge, it will be up to them to provide the resources necessary to handle the large amounts of traffic and projects. That responsibility does not fall on GForge.

Re:gforge slashdotted?

[tcopeland]

> GForge doesn't actually
> host projects (besides its own)

Right on. That's made clear in the answer to question # 1 of the FAQ.

The diff between GForge, SourceForge and Savannah

1) Savannah is insecure.
2) GForce is nice.
3) VA advertises SourceForge as a tool to help companies ship jobs overseas. Go look at their website for yourself if you don't believe it. They're not even bashful about it. I'm not surprised people are leaving it in droves, if not for sucking, but for the fact they're (the developers) are getting dicked as well.

Gforge /.ed

[troop23]

It would seem that Gforge is /.ed. I would be thinking the move over if I was FSF.

Re:Open Source at its finest

Ya the same thing happened when debian got hacked. Took a couple months for the shit to come back up. The static pages came up but the stuff with cgi took forever. That's when i switched to another distro. I need a distro that is secure and responds to infrastructure failure quickly. Debian does not.

Re:Open Source at its finest

Let's see you develop new security protocols overnight.

Re:The diff between GForge, SourceForge and Savann

[110010001000]

#3 is very important! I can't believe that Slashdotters don't seem to care about this issue. VASoftware is actively selling SourceForge as an "offshoring" tool (not even "outsourcing", but OFFSHORING).

How can this be offtopic?

I can't imagine anything more on topic.

Re:VA is pimping SourceForge as tool for outsourci

[110010001000]

VA doesn't even call it "outsourcing". They call it "offshoring". So much for supporting the "community".

Re:VA is pimping SourceForge as tool for outsourci

[sashako]

What's so wrong with using the techinical tools for outsourcing. If you don't like this trend, I understand you. But the best way to fight IMHO is to promote a law that requires paying the US (or watever country's corporation is outsourcing) minimal wages to the workers in India, Russia, etc. This will not allow them (us) compete only on price.

You're out of context, and way off

[Rapid+Home+Offer]

The very next words I quoted said, "according to Richard Stallman". Well, I guess you see that as him throwing his hands up in the air and giving up. You don't know Stallman very well, do you? If you recognized the way RMS works, you'd know that on religious differences like this, he is very pedantic and doesn't stop.

I mean, read the following made up quote to realize that I'm right: "The decision to move to MS IIS was made by Bradley Kuhn and the system adminitrators, according to Richard Stallman. They considered Apache could not be made secure enough."

Sure, this comparison isn't exactly valid because GForge is GPL'd and Apache is way more secure than IIS, but Richard "St. Ignucius" Stallman's brain is not wired like most people's, and believe me, he has veto power on all religious issues.

Re:You're out of context, and way off

[JamesKPolk]

He also happens to be in the hospital. Maybe he'd take up the personal task of getting Savannah up to snuff if he were healthy.

I can't imagine he'd sacrifice his health for this, though. That just wouldn't make sense.

Re:You're out of context, and way off

[Rapid+Home+Offer]

Good point. I'll agree to that. Maybe he's just not himself right now.

su(1) manual page

Why GNU su does not support the wheel group (by Richard Stallman)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

About gna.org

Many of the previous savannah contributors have already moved to gna.org, which is sometimes referred to as savannah's successor.
I have already moved all my projects to gna a month ago. Gna is way more stable and way faster than savannah. I love it.

Re:About gna.org

Shouldn't that be GNAA.org? :P

Stupid trolls...

Re:About gna.org

[demi]

Does gna.org (or gforge.org for that matter) support GNU Arch?

Re:About gna.org

[knipknap]

Does gna.org (or gforge.org for that matter) support GNU Arch?

Gna! is based on CVS only. I don't know about gforge though.

Gna is practivally a debugified mirror of savannah.gnu.org. The administrators of Gna! are mostly from savannah, so a nice mail should be enough and they will migrate your project's CVS tree. (They did this for my projects, at least)

The full quote sheds some light

[eldacan]

Thank you for providing a link to the text, which confirmed my impression that we're speaking about different kinds of "security" (and that the way you presented the quotes is misleading).

Here is a more comprehensive quote:

At the AI Lab, Stallman's political activities had a sharper-edged tone. During the 1970s, hackers faced the constant challenge of faculty members and administrators pulling an end-run around ITS and its hacker-friendly design. One of the first attempts came in the mid-1970s, as more and more faculty members began calling for a file security system to protect research data. Most other computer labs had installed such systems during late 1960s, but the AI Lab, through the insistence of Stallman and other hackers, remained a security-free zone.

For Stallman, the opposition to security was both ethical and practical. On the ethical side, Stallman pointed out that the entire art of hacking relied on intellectual openness and trust. On the practical side, he pointed to the internal structure of ITS being built to foster this spirit of openness, and any attempt to reverse that design required a major overhaul.

"The hackers who wrote the Incompatible Timesharing System decided that file protection was usually used by a self-styled system manager to get power over everyone else," Stallman would later explain. "They didn't want anyone to be able to get power over them that way, so they didn't implement that kind of a feature. The result was, that whenever something in the system was broken, you could always fix it."9

Through such vigilance, hackers managed to keep the AI Lab's machines security-free. Over at the nearby MIT Laboratory for Computer Sciences, however, security-minded faculty members won the day. The LCS installed its first password-based system in 1977. Once again, Stallman took it upon himself to correct what he saw as ethical laxity. Gaining access to the software code that controlled the password system, Stallman implanted a software command that sent out a message to any LCS user who attempted to choose a unique password. If a user entered "starfish," for example, the message came back something like:

I see you chose the password "starfish." I suggest that you switch to the password "carriage return." It's much easier to type, and also it stands up to the principle that there should be no passwords.10

Users who did enter "carriage return"-that is, users who simply pressed the Enter or Return button, entering a blank string instead of a unique password-left their accounts accessible to the world at large. As scary as that might have been for some users, it reinforced the hacker notion that Institute computers, and even Institute computer files, belonged to the public, not private individuals. Stallman, speaking in an interview for the 1984 book Hackers, proudly noted that one-fifth of the LCS staff accepted this argument and employed the blank-string password.

Re:The full quote sheds some light

[chasm!killer]

It does shed a lot of light. Stallman seems to have changed sides of this debate, No?

At the time of the quote, I suspect he would have told you to keep change logs and backups so a hacker doesn't have the opportunity to wipe out your data. [Much like Linus Torvalds backup strategy -- release the source to 1000 mirror sites and you don't really need to keep a backup copy....]

Now he seems to agree with the sysadmins -- security mechanisms, secure software, unbreakable passwords, whatever, of one form or another are how to best keep data secure?

Re:The full quote sheds some light

[eldacan]

Mmm well it's true that Stallman's position is not the same in the two cases. But he doesn't address the same problems, does he? The problems are a bit different in nature, and very different in scale (the life in the laboratory vs. shared repositories on Internet).

I don't know what he'd have said in the 70s about the repositories, but I think that today he would say the same things about passwords in the lab as he said back then.

Re:The full quote sheds some light

[chasm!killer]

I have to agree with you but I still think he is barking up the wrong tree as far as security goes, though.

A robust data repository that can be rebuilt on an uncorrupted machine from a known good starting point should be his goal, not an unbreakable system with perfect security. Even then, the change log records could have been modified. So there is no perfect solution.

My main irritation is that the messages I have read so far seem to imply that Stallman has assigned a scapegoat, and is really not interested in addressing the problem.

On the other hand, if the problem is that Savannah does not support recovery mechanisms (Microsoft's Sourcesafe is a good example of a code archive that fails miserably in this area), then that should be the reason given for the changeover, not that the system is "insecure" somehow.

Clarification

[0x0d0a]

Savannah is lesser used -- there are fewer adherents of Free Software than Open Source.

The Open Source stance (as exemplified by ESR) is a more pragmatic one than an ideological one -- that people should use Open Source rather than Free Software because it *works better* than closed source, not because of a moral or philosophical mandate. The primary issue that SourceForge detractors bring up is that the current codebase is not available; this is an issue to a number of people strongly ideologically aligned with Free software, who want to interact with nothing but Free software. There is a parallel here. Since SF costs nothing, works well, and helps spread and facilitate open source software, there are few pragmatic issues with SourceForge that Savannah solves. Thus, the issues with Open Source that Free advocates have are mostly the same complaints that are raised about SourceForge.

Savannah's main issues are caused by a lack of people working on it, and it is currently less ready-to-go than SourceForge. It's HURD and Linux in a mirror.

Savannah makes its feelings on the importance of Free software very clear with the nongnu and gnu names. The SF people don't particularly place a lot of emphasis on someone being associated with a project or having a particular license -- there's no sourceforge.sortaopen.net for BSD-licensed projects, for instance.

Finally, while this is more germane to this story than to SF in general, the politics in the linked-to story remind me a good deal of the complex and never-ending debates about Free software purity that come up more frequently in the Free Software world.

I suppose that a lot of Free advocates are going to view this as a bit flamish -- I guess it's a bit cutting in that it identifies that Savannah hasn't been operating as well as SourceForge, but I don't feel that it's particularly false or misleading.

I use the GNU utilities as well as Apache every day -- I like both chunks of software.

I also, as people who read my posts frequently know, tend to often feel a bit frusterated with Free advocates. I do, not infrequently, think that Free folks can come off as a bit too rabid to the general public -- this mainly becomes an issue when media, desperate for some kind of figurehead for the open source world, settle on RMS, and he propagates his (intimidating to a CTO) views on intellectual property. I also remember when the Crystal Space team (an excellent LGPLed 3d engine), wanted to be absolutely correct WRT the GPL and valuing Stallman's input, wrote him to ask for a bit of clarification on a licensing detail. Stallman's response, an enlightening read, highlights a good deal of what I consider the difference between Open Source folks like Jorrit and Free folks like Stallman.

Re:Clarification

[Brandybuck]

there's no sourceforge.sortaopen.net for BSD-licensed projects, for instance.

That's because the BSD license is 100% Free Software, with the imprimatur of Richard M. Stallman himself, and 100% Open Source Software, certified by the Notorius Public at OSI.

It is not "sortaopen", it is open!

Re:Clarification

[tepples]

Since SF costs nothing

Really? What makes you think OSDN won't start charging for SourceForge.net in the future? If so, what's your plan to migrate your projects to another server? If the SourceForge code were available, anybody would have the Freedom to start up a successor. That's what GForge is for.

Savannah makes its feelings on the importance of Free software very clear with the nongnu and gnu names.

The only difference between nongnu.org projects and gnu.org projects is that Free Software Foundation Inc owns the copyright in the source code of gnu.org projects. Owning the copyright gives FSF the standing to enforce a program's license in court should out-of-court negotiation fail. Regarding copyleft vs. permissive licensing, even Mr. Stallman has agreed that a permissive license such as the new BSD license or the zlib license would best serve the goals of some projects, such as the Ogg project.

Re:Clarification

[Famatra]

Stallman's response, an enlightening read, highlights a good deal of what I consider the difference between Open Source folks like Jorrit and Free folks like Stallman.

That was quite a good link, explains the difference between Free and Open Source software extremely well.

Re:Clarification

[Otter]

Certainly the way this process played out strikes me as all too typical of FSF behavior:

SourceForge, for better or worse, creates an incredibly useful new service. The Savannah and GForge guys copy it, using (at least in the case of Savannah, don't know about GForge) SourceForge's code, GForge knocks off their name, and instead of showing a bit of appreciation, GNU issues a statement about how SourceForge is worse than Microsoft and everyone ought to switch.

Oh, and then Savannah turns out to be unusable and the FSF is lucky someone is there to save their necks, like with GCC.

Re:Clarification

[0x0d0a]

Really? What makes you think OSDN won't start charging for SourceForge.net in the future? If so, what's your plan to migrate your projects to another server? If the SourceForge code were available, anybody would have the Freedom to start up a successor. That's what GForge is for.

Don't you view that as a sort of paranoid approach?

I mean, sure, if GForge works as well as SF, then it might be a good choice. But slamming SF because you think that they're suddenly going to clamp down on all the data they serve, without any evidence to support such a claim...that's paranoid. I recognize that there is a risk, but there's risks everywhere -- it's essentially impossible to eliminate everything. What if the FSF goes bad? Perhaps more plausibly, what if Stallman has a heart attack and a corporation manages to gain control (via bribery or whatnot) of the FSF, and hence has the freedom to write the GPLv3, with which GPL software by default can be automatically moved to. There was some discussion of giving special privileges to GPL-friendly companies, which IIRC what started Linus on his "I'm releasing my software under GPLv2 only" kick. The GPL controls a phenomenal amount of IP, probably more than any other legal document in history -- the ability to affect that document would be worth almost anything.

We have no way of knowing for certain who will turn out to be a baddie. We just try to generally reduce risk and react as things happen. Thus far, I've been pleased with the services provided by SourceForge, and have no reason to think that they will change their stance in the future.

The only difference between nongnu.org projects and gnu.org projects is that Free Software Foundation Inc owns the copyright in the source code of gnu.org projects.

Sure, but given all the domain names in the world, Savanah chose to use the domain name "nongnu.org", and proposes that software projects on SourceForge move there. Frankly, that's a political message that they propose that an awful lot of people should look at each day.

Re:Clarification

[tepples]

But slamming SF because you think that they're suddenly going to clamp down on all the data they serve, without any evidence to support such a claim

Exhibit 1: Why would SourceForge.net have stopped pushing Alexandria updates to the Net?

what if Stallman has a heart attack and a corporation manages to gain control (via bribery or whatnot) of the FSF, and hence has the freedom to write the GPLv3, with which GPL software by default can be automatically moved to.

The FSF is a 501(c)(3) charity. Can corporations own charities?

Re:Clarification

[0x0d0a]

They wouldn't need to -- that's why they'd be taking control via something like bribery, not purchasing outright.

Re:Clarification

[0x0d0a]

As for the Alexandria updates (assuming Alexandria is the SF codebase), I just don't see any reason to think anything other than the fact that Alexandria is more likely to be purchased by companies if it isn't freely available as an alternative.

Re:Clarification

[Sri+Lumpa]

"has the freedom to write the GPLv3, with which GPL software by default can be automatically moved to."

Not quite true.

By default, if you put it under the GPL but do not specify a version number, you can use any version of the GPL you want to redistribute the software. If you put a version number then you can only redistribute it under that version of the GPL (like Linux). If you put a version number and "any later version" then you can also redistribute it under any GPL version that is greater than the originally licensed version number.

So in your example of a company/somebody taking control of the FSF and issuing a GPLv3 that the community doesn't like we would do just like with the XFree86 license change and fork all this "GPL v. x.y or any later version" software by choosing only the GPL v. x.y that we like and continue development on that.

The FSF could still use the code up to the fork with the new GPL but wouldn't be able to use the new code in the fork since that code is only available under the old GPL.

That's exactly the same as with the XFree86 license change (although in your example the FSF turns evil whereas the XFree guys haven't).

If you are really concerned that you will not like the next GPL version you can always license your code only to the GPL version you like, like Linus did.

I'm afraid that your fears are nothing new and have already been dealt with.

Re:Clarification

[0x0d0a]

By default, if you put it under the GPL but do not specify a version number, you can use any version of the GPL you want to redistribute the software.

Right. This is the case for almost all GPL software.

The problem is that if Jim Bob gets a copy of my source released "under the GPL, sans a version number", he can then also release it "under the GPL, sans a version number". This would include GPLv3. Thus, such a change would not affect nondistributed software, since there would be no opportunity to change the license used for release -- I realize that. It does, however, affect any distributed, GPLed software.

The FSF could still use the code up to the fork with the new GPL but wouldn't be able to use the new code in the fork since that code is only available under the old GPL.

Right. Such a change could exempt companies from the source-available clause, for instance.

If you are really concerned that you will not like the next GPL version you can always license your code only to the GPL version you like, like Linus did.

Sure. The problem is that this is not the case for most software; most people do not consider the possibility that the FSF might not act in their best interests.

I'm afraid that your fears are nothing new and have already been dealt with.

I recognize that they aren't new; I am less sure that they have been (or can be, given the absence of anyone trusted by everyone in the world) dealt with.

Re:Clarification

[Sri+Lumpa]

"Sure. The problem is that this is not the case for most software; most people do not consider the possibility that the FSF might not act in their best interests."

Given that the FSF board of director includes, among other, RMS, Eben Moglen and now Lawrence Lessig and due to the way I have seen them argue for Free Software I do not consider such a possibility very likely in the foreseeable future.

This is also probably the case for Bradley Kuhn, Gerald Sussman and the last board member (whose name I do not remember) but I do not know quite as much about their point of view to take it into account (although this is a lack that you encouraged me to do).

Also, I think that I will try to see if the FSF has any kind of charter that limits the freedom of movement of its board (and I do not know what kind of legal binding power such a charter would confer if it was broken).

Anyway, while I think that it is possible that the FSF can turn evil I also believe it to be very unlikely in the foreseeable future and even if they did turn evil we would just fork every project under the GPL v2 and continue from there. Sure, they still would control a huge amount of code but the situation would be much better than before the FSF was founded for the Free Software community would also control that huge amount of code via the fork.

In other word, I consider the FSF turning evil the Free Software equivalent to an asteroid threat: something that is possible and happened in the past* but with astronomical odds stacked against it and while it could happen tomorrow and while we are gonna keep looking out for the threat we ain't gonna lose any sleep over it.

* Well, not with the FSF but with other human organisations turned bad

Free Rider Problem; Tragedy of the Commons

[David+Hume]

Well, why dont you invest lots of money like SourceForge into servers and making it as good as it can be, I mean being over-loaded with people such as you who then complain that its starting to suck, well ofcourse it is and if its a problem you should help those good people out and donate resources to them.

I understand your point. I too don't like it when somebody complains about a good or service that is provided free or at below cost.

However, the post to which you are responding may also have a point. The free rider problem and the tragedy of the commons (or, perhaps more precisely, tragedy of the net-commons) are inherent and endemic problems with Open Source software and projects.

Let's face it, Open Source projects are classically Marxist -- i.e., To each according to their needs, from each according to their ability. I'm not saying that to red-bait. On the contrary, I think it is kind of nice. :) However, it does require certain assumptions regarding human nature -- e.g., that people will act from good will, not be "lazy" (or place a different value on leisure), not freeload, etc.

Which I guess is my way of saying that, given these problems, I'm always surprised when people are surprised when an Open Source or Free Software project is over-burdenend and/or under-supported.

Re:Free Rider Problem; Tragedy of the Commons

[110010001000]

Yeah, minor issue though - SourceForge is owned by VA Software (LNUX on Nasdaq) who has reaped millions from their IPO. Sourceforge is no more open source than www.microsoft.com is.

Re:Free Rider Problem; Tragedy of the Commons

[David+Hume]

Yeah, minor issue though - SourceForge is owned by VA Software (LNUX on Nasdaq) who has reaped millions from their IPO. Sourceforge is no more open source than www.microsoft.com is.

VA Software may be a for profit company, but SourceForge still "provid[es] free hosting to tens of thousands of projects." If that isn't sufficient to create a free rider problem and a bandwidth tragedy of the commons, nothing would.

And while VA Software may have "reaped millions from their IPO," one may wonder where all of that money is now.

Re:Free Rider Problem; Tragedy of the Commons

Let's face it, Open Source projects are classically Marxist -- i.e., To each according to their needs, from each according to their ability. (...) it does require certain assumptions regarding human nature

If that were true, Open Source projects would never have got to where they are today.

Unlike Marxism, the Open Source movement does not require everybody to be altruistic and unselfish.

It works because a comparatively small number of talented people feel the creative urge so strongly that they will create good software for the rest of us, for little or no reward except the satisfaction of doing it.

Highly creative people have always behaved like this; read a biography of Mozart, or Schubert. Today's creative people risk much less than they did, fortunately.

Re:Free Rider Problem; Tragedy of the Commons

[David+Hume]

Let's face it, Open Source projects are classically Marxist -- i.e., To each according to their needs, from each according to their ability. (...) it does require certain assumptions regarding human nature

If that were true, Open Source projects would never have got to where they are today.

I think that Open Source software has made tremendous strides and made great contributions. But it is perfectly possible that it has done so despite obvious free rider problems.

People have been charitable for thousands and thousands of years. Other people have been leaching for thousands and thousands of years, yet charity continues.

Unlike Marxism, the Open Source movement does not require everybody to be altruistic and unselfish.

Marxism does not require everybody to be alturistic and unselfish. It simply requires enought capable people to be sufficiently alturistic and unselfish to sufficiently take care of those who are unable or unwilling to take care of themselves.

Sort of like Open Source software. :)

Re:Free Rider Problem; Tragedy of the Commons

[110010001000]

VALinux claims to make money from sourceforge.net (not their commercial closed source product). See their 10Q's for more info.

"And while VA Software may have "reaped millions from their IPO," one may wonder where all of that money is now."

A lot of it went into the pockets of the executives when they exercised their options on their stock.

Slashcode is specialized too

[Electrawn]

I could be, but who uses slashcode? If you want blogging software you can use Moveabletype or livejournal.com / greatestjournal.com .

Oh? Slashdot a news site? Sorry. Xoops for Mission Critical stuff, Php-nuke, Post Nuke and any derivatives, tikiwiki or some other CMS derivative.

No one cares about Slashcode because no one uses it other than Slashdot.

-Electrawn

Not exactly.

[devphil]

There are two reasons this decision is somewhat controversial for those of us maintaining FSF-related projects:

1. The decisions are made in a closed environment.
2. The Savannah admins have not demonstrated sufficient competence nor responsiveness. (Not meant to be a personal attack; I think they only have a few part-time volunteers.)

For example, GCC is under constant pressure by RMS to move from its own server (that happens to be hosted at Red Hat) and onto Savannah. But this pressure has been resisted for the same reasons, and it will continue to be resisted regardless of what "packaged development environment" Savannah is using.

With regard to the pair above, (1) the GCC maintainers have never been invited to share their concerns with the Savannah maintainers; when they speak up, they're ignored, and (2) Savannah gets fscked up on a regular basis, and complaints are ignored. For example, Savannah is supposed to be mirroring the GCC CVS repository, but it falls over constantly, leading to even higher load on the GCC servers as users switch over. The Savannah team has a long long way to go if they want to hold themselves up as a reliable open development site.

Re:Not exactly.

[0x0d0a]

For example, GCC is under constant pressure by RMS to move from its own server (that happens to be hosted at Red Hat) and onto Savannah.

I really love it when people criticise Red Hat as not being oriented enough toward the community, and ignore the constant hosting, patches, technical work, donations, and political oomph and Red Hat provides to the open source world.

Re:Not exactly.

[devphil]

Indeed. RH donates a lot of time, effort, hardware, and bandwidth to the community (gcc.gnu.org, sources.redhat.com, cygwin.com, sourceware.org, etc, are all the same machine). We get far better results from them than we do/would from the FSF equivalent. RMS doesn't like to admit or believe this.

Time for IWW?

[Sunnan]

Interesting!

Or, if not a law, maybe an international union of some sort.

Re:Time for IWW?

[sashako]

International union might not help here, because e.g. my income is 4 times greater than average income in Russia, and it is sufficient for sustaining a very comfortable life here. So, the union of this sort here will not succeed because there will _always_ be too many people who will agree on the smaller salaries. So US workers who's jobs are being stolen are the _only_ force that is interested in this legislation.

P.S. I am not in the outsourcing business right now,quit it 2 years ago, but it is still setting the compensation levels for software engineers here.

Re:Time for IWW?

[Sunnan]

Yeah, you're right. I just don't know how to solve the problem properly in a way that's fair to people all over the world.

The full quote proves me right

[Rapid+Home+Offer]

How is this different? The ethical issue is that the users of the system should be able to control the system. So, in 1979, you could log in as Stallman and change all of his files if you wanted to. He would disapprove and have to restore his files from backup.

Fast forward to today, and a user of the system changed the system in a way that the administrators disapproved of. They'd have to restore from backup.

Same situation.

Re:The full quote proves me right

[eldacan]

I don't say you're completely wrong. But in the context I understand Stallman's position is tied to the "community" of the users. Like if I tell my family that I don't want the computer to be locked by passwords, which will prevent anyone (and me in particular) to fix things when necessary, and well can't we trust each other in this family !?

Re:The full quote proves me right

[zangdesign]

This works all fine and well within a single homogenous community, but we now live in a world where people actively seek to break into computers and do harm because "Hey, it's Tuesday!". We can no longer trust that the faceless fifteen-year old entity two states over is not out to get us because he's trying to impress someone.

In some ways, the Internet has improved our lives (access to por^H^H^Hinformation, access to por^H^H^Hcommunities of like-minded individuals previously unreachable, etc.), but in a lot more ways we've left ourselves wide open to the random jerkwads out there.

Like it or not, we have to have security and I hope that Stallman realizes this, some day. We're all in the same boat and I'd prefer it not get overturned by some obnoxious brat.

Re:There are some pretty big sites running GForge.

[NightSpots]

It's unfortunate, because the code is insecure as hell.

For instance, 'source.php' lets you view the source of files, but only if 'sys_view_source' (a global) is set in the config.

Of course, they don't check to see HOW it is set, but rather, allow you to pass it on the _GET global, which overrides the config, which, of course, lets you view the source of any file:

Compare:

http://gforge.org/source.php?file=source.php


http://gforge.org/source.php?sys_show_source=tru e& file=source.php

Nice, eh?

Re:There are some pretty big sites running GForge.

tperdue has the docroot in his home directory:

Insecure!

Re:There are some pretty big sites running GForge.

[gavinroy]

This would seem to be more a function of how *PHP* on the gforge server is setup. If register_globals is on, this will happen, if register_globals is off, which it is by default in the recent (read at least 1 year or more) stock php tarballs, this would not occur.

Re:Mountain? Mole-hill?

[HiThere]

Depends. Sometimes you decide that if we don't have the resources to do it, we must *get* the resources to do it.

How important is X to you?

Also, what's the GForge license? It's quite possible that RMS sees nothing wrong with moving to GForge. (I know that GForge is Debian-Free, so it's likely to be GPL. In which case the choice of which site would probably be largely pragmatic.)

Re:There are some pretty big sites running GForge.

[gavinroy]

The PostgreSQL community is also migrating to GForge from GBorg. I'm pretty excited to see the outcome. There are some things I'd like to see in GForge, which can easily happen if enough people take the time to submit patches, such as modular support for revision control systems. Remember GForge is a fork of Sourceforge, maintained by one of the original architects and authors of Sourceforge.

Re:So much for the security of Linux

well said.

Odd mods

[SuperBanana]

How was this redundant, when I posted it when there were 3 other comments? And how was it off-topic? Plenty of people thought it was funny...

I smell a new round of moderators shortly. Let's here it for metamoderation...

And this is why

SourceForge started in the first place.

Its always been run by the business types; it was never a pure OS/hobbyist site; they always hoped to generate funds by harnessing the good will of the community.

Back in the heyday, advertising was sufficient. Now that reality is harder, they need people like you to fill their coffers.

Re:There are some pretty big sites running GForge.

You can force this into a more secure mode by reading the global variable (from _GET, _POST, etc), unsetting it, and THEN reading the config, which will override the unset global.

There are secure ways to write PHP code, GForce ignores them.

Re:The diff between GForge, SourceForge and Savann

#3 is very important! I can't believe that Slashdotters don't seem to care about this issue. VASoftware is actively selling SourceForge as an "offshoring" tool (not even "outsourcing", but OFFSHORING).

You seem to be very interested in this subject, so I'll respond. /.ers may not care because of apathy or hypocracy, but there are other alternatives. Given that VA hasn't actually managed to sell much of anything, I don't think they are a threat, but also, as a professional software developer, I don't think "offshoring" is much of a threat, either.

My thoughts on Savannah

[dyfet]

I have always felt that, rather than having a single mass community site, like a master sourceforge or Savannah site, where most projects congregate, it would be much better to have a lot of little "xforge" sites scattered about and that can then be more specialized to the needs of different groups and projects over time; that individual universities, companies, and even individual project maintainers, could easily setup and deploy locally or through common hosting services; and then to have specialized master search or index sites that could locate and aggregate projects easily from remote xforge's...

The problem of the single Sourceforge site or Savannah site is that it is a single point of failure. Many projects will be down if sourceforge or Savannah, for example, are down for extended periods of time. Having smaller project sites will at least mean failures will be far more localized and far less disruptive to the community as a whole.

The problem in the original sourceforge code is that it was impossible to easily customize or deploy, and this remained fairly true even after the heavy hacking done on the Savannah branch. If gforge has finally solved this problem, and makes it relatively easy to deploy xforge-like sites, then I see this as a very promising development indeed.

Re:My thoughts on Savannah

[tcopeland]

> that can then be more specialized to
> the needs of different groups

Very well said. And this is happening with GForge installations. For example, there's graal.net, which is "the home of Graal Player World collaborative development". Instead of projects, they've got "worlds".

Over on RubyForge, we're working on integrating the Ruby project distribution mechanism - Ruby Gems - into the GForge file release process. It's mostly duct tape currently, but it's coming along.

Re:There are some pretty big sites running GForge.

[Chris_Jefferson]

Hmm.. it's an open source application, so viewing the source lets you do what exactly? Why not just download the whole lot instead?

Re:There are some pretty big sites running GForge.

[gavinroy]

Turning on register_globals makes for more insecure code across the board. Yes they could have accounted for register_globals being on, but don't blame gforge for being insecure because of a "feature" of php. On a side note, who cares if you can read the source code of an open source project? The code is written in such a way as to not let you out of $_SERVER['DOCUMENT_ROOT'].

Hostile to Copyleft? No....

[chrisd]

Hi all, I know a bunch of people on the gforge team...while they've had disagreements with RMS over the whole gnu/linux vs linux thing, I think they could only be characterised as hostile only the deluded.

Also, I'd point out that GForge is released under the GPL....so if actions count...

Chris DiBona

Re:There are some pretty big sites running GForge.

[jasondlee]

The problem as I see it is that if the system lets you set that variable via the query string, who says you can't elevate your permissions the same way...

Re:There are some pretty big sites running GForge.

[Carl+T]

That solution could be a bit problematic if e.g. $_GET has a key "_GET" or "GLOBALS" etc. But done right, it sounds like a decent workaround for PHP code that really depends on register_globals. The simplest fix if register_globals isn't needed would be to just die() if register_globals is on, though this would probably cause admins to remove that test if they need register_globals for something else, and then you're back to square one...

In most of my PHP code, I've used a prefix on variable names ("i_") to indicate that the contents are tainted, and only those variables are imported to $GLOBALS from $_GET and $_POST. And even though I warn if register_globals is on, I make sure never to assume that a variable is unset. I guess it all comes down to your overall level of distrust and paranoia. Which I have lots of.

Re:There are some pretty big sites running GForge.

[imr]

Incredible, it's the same exact example that i found by following the link in the article.
http://mail.gnu.org/archive/html/savanna h-hackers/ 2004-04/msg00191.html
You must be its author!

Re:There are some pretty big sites running GForge.

[gavinroy]

Of course the ultimate solution to this particular "problem" is to use $_GET, $_POST, or $_REQUEST, instead of relying on register_globals, and in the case of source.php that would be what, a 2 minute fix?

Re:There are some pretty big sites running GForge.

It's also one of the worst examples of web app coding practices I've ever seen. This spaghetti crap-app is a nasty mess of hell. It would have to be open sores software, because no one would pay for code like that.

Re:Mountain? Mole-hill?

[tcopeland]

> what's the GForge license?

GPL.

Re:The diff between GForge, SourceForge and Savann

Replying to yourself?

That's pretty low, even for an opinionated, short-sighted, bigoted asshold like yourself.

Come on, it's FSF we are talking about

[iamacat]

I am sure they have choice comments about administrators restricting your right to access and modify the source of websites you are using.

Re:VA is pimping SourceForge as tool for outsourci

The thing is... different states have different minimum wages... or do you suggest we go with the lower Federal min. wage? I suppose that would still be a nice chunk of change overseas for certain people.

BerliOS.de and Tigris.org

I've lately partially switched to http://developer.berlios.de/ which
provides SVN and CVS (it's a sf.net spin off). Then http://tigris.org/
is also a valueable alternative (which there are more of) to sourceforge.
In fact tigris.org is where subversion is developed. *hint*

Any developer should at least consider moving to one of the alternative
OSS project and development hosters out there. And believe it or not,
there is more alternatives than just Savannah and sourceforge.

Re:There are some pretty big sites running GForge.

not intializing your variables (especially permissions-related variables) is insecure. It's the fault of the author, not the language.

Re:VA is pimping SourceForge as tool for outsourci

Since when has the "community" been restricted to citizens of the USA only? In case you missed it, the USA has been siphoning jobs and people away from the rest of the world for DECADES now. But I guess when it is India losing people to the USA everything is fine, hmm?

Re:VA is pimping SourceForge as tool for outsourci

So you're saying it's morally wrong for people to move out of India if they can make a better living in the US?

Re:There are some pretty big sites running GForge.

Because there are files that contain usernames and passwords, specifically, to the backend databases.

Damaged goods

Nobody can trust it again.

Let it go dudes, and let's start afresh with something that's got security built in from the ground floor.

micropayments

[zogger]

--I'd like to see micropayments. I'm pretty low income but I wouldn't mind doing a micropayment to the various projects/apps I use. I also think that the big distro vendors need to do a micropayment system to every app they include, and that a minimum fee be established for the downloading service. Pays for the brick and mortar expense of the servers and the bandwith etc, with some more going to the micro payments to the app developers. Kind of a place between traditional shareware and "no payment whatsoever even though it costs to distribute" like it is now.

Yet another app that's hardcoded to hell and back

[Tadghe]

From the gforge faq, on why it doesn't support Mysql (see http://gforge.org/docman/view.php/1/24/faq.html)

"You could do it, but why bother? To quote Tim Perdue - "GForge could not be made to run on the primitive MySQL database without serious hacking, and I won't accept those kinds of changes back into the system. For the amount of work involved in such a project, you'd be better off taking an hour to learn postgres. It's a superior database in every way, with the only point of debate being speed on simple 'hello world' type applications".

It'd be a lot of work because:

1. GForge uses Postgres stored procedures, so you'd have to convert those into PHP functions

2. GForge uses Postgres functions like pg_connect, so you'd have to replace those with the MySQL equivalents

3. GForge uses subselects, so you'd have to rewrite those to use temporary tables or whatever (MySQL 4.1 supports subselects, so once it becomes production-ready, this won't be a barrier anymore)
"

So what they are telling me is that this thing is hard coded around PG specific routines..... That's NOT a good thing, I don't care what they think about Mysql (ditto applies to DB2, SapDB (Now MaxDB), Informix or Sybase).

Someone call me when these guys get a clue.

We see different things

[Rapid+Home+Offer]

Ah, now I see what you're saying. The quote clearly distinguishes between the "ethical" and the "practical" points of view. The practicality of the no-password plan was due to the community.

I've read the biography, but I certainly don't know exactly how RMS works. His history seems to indicate that he prefers ethics to practicality most days of the week. That was the thought that inspired my original comment... that he seemed to now accept a violation of his own ethics.

Marxism is irrelevant

Let's face it, Open Source projects are classically Marxist...

No, they aren't.

Marxism was an 19th-century economic theory. 19th-century economics treated the existence of scarcity as an axiom. Because of this and other reasons, neither it nor classic capitalism can explain what's going on in the open source movement. (Leaving aside Marxism's other glaring weaknesses...)

I could decide to understand quark behavior by bouncing tennis balls against each other, on the theory that all my physics books represent subatomic particles as little colored balls. Is this any less valid than equating Marxism and open source based on superficial similarities?

Re:Marxism is irrelevant

[David+Hume]

Let's face it, Open Source projects are classically Marxist...

No, they aren't.

Marxism was an 19th-century economic theory. 19th-century economics treated the existence of scarcity as an axiom. Because of this and other reasons, neither it nor classic capitalism can explain what's going on in the open source movement.

I can't address your "other reasons" because you don't specify what they are. I can, however, address the issue of "scarcity."

Scarcity still exists. With regard to Source Forge, bandwidth is limited and still costs money. With regard to Open Source and Free Software projects, the great and continuing scacity is that of time.

How do you want to spend your time? Playing with your children? Helping them with their homework? With you wife? Working for money?

Or working on an Open Source or Free software project that many people will download and use without making compensation or making a contribution? If the latter, I thank you, and I mean that sincerely. However, the problem of scarcity -- the scarcity of your time -- remains.

Feature Creep Kills Software

[Acy+James+Stapp]

Libre, Gratis, and Commercial. If there is some person actively managing the software, good for them if they can actively control the development instead of it being an uncontrolled free-for-all. More people will want to use a small, well-built system than one with hundreds of poorly-tested features donated and used by only one developer.

Re:VA is pimping SourceForge as tool for outsourci

[Syberghost]

Go look for yourself. VA is pimping SourceForge off as a tool to help companies ship jobs overseas. They don't even hide the fact.

Another tool that's helping companies "ship jobs overseas" is Linux. gcc is a big help in these endeavors, as well.

Oh, and don't forget about the Internet.

Re:There are some pretty big sites running GForge.

Is this a linux problem or php problem? If it is a linux problem, they should switch to windows. If it is a php problem, switch to java or asp.net.

No it does not aply to all those

Only point 2 refers to PG specific routines ...

Since they are accepting patches for Oracle it seems they are willing to support other databases as long as it is just about replacing "PG specific routines" ... and not about recoding functionality they feel should reside in the DB.

So the solution seems simple ... if you really want them to support MySQL then start contributing to MySQL and get 5.0 to release ASAP.

Re:No it does not aply to all those

[Tadghe]

Actually, the better response would be to move Gforge to PEAR or the like and move the DB logic where it belongs (in the DB).

Re:There are some pretty big sites running GForge.

[destiny_uk]

So... how is being able to view the source files of open source projects insecure?

Re:VA is pimping SourceForge as tool for outsourci

[Performer+Guy]

Outsourcing is different from offshoring. Offshoring is specifically moving jobs overseas, those people may still be employees of your company. Outsourcing is contracting a function to another company, however the company you outsource to might be across the street, it needn't be an overseas company.

Savannah in need of volunteers

[webworm]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, we are currently struggeling at Savannah. We are in need of some
good volunteers who are willing to spend a couple of hours a day
helping us.

Someone with good knowledge of Perl and PHP is welcome. The first
task would be to get the approval of projects working again. That
means, among other things adjusting the current code to make cvsroots.

Rudy Gevaert
rudy @ gnu .org
Savannah-hacker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFAfFrUHlNnY/z8cn0RArUSAKDBAaPH4H1tIgJZmSVS OW HOoAlkoACgt4RR
0BvB0sCydF2DYv3+c6oEDv8=
=PKRP
- ----END PGP SIGNATURE-----

Re:There are some pretty big sites running GForge.

register_globals is a braindead misfeature, especially in a web environment pitched to newbie programmers.

The authors of "Personal Home Page" should just disable this permenantly, fuck legacy apps.

Parent is a troll

[Ben+Hutchings]

Move along now, there's nothing to see.

Re:Parent is a troll

[CrankyFool]

Hey, I resent that! I did that as a joke, not a troll.

the missing bits

[hachete]

I was momentarily interested in GForge but when I saw that it was designed for small projects, then less so. Where are the task-to-release views? Management of releases? The tracker view goes near but so far...Task assignments for testers, developers and approvers? How do you map tasks to code? So close yet so far...if this project could beef up some of it's features, then it could really be a killer app for small and large companies.

h.

Re:the missing bits

[tf23]

Interesting feature requests you've got there. All good ideas (IMHO). Do you have any more? If so please post them. Who knows, maybe someone will code 'em up :)

Re:VA is pimping SourceForge as tool for outsourci

[MenTaLguY]

I might take that as a valid comparison if either gcc or the Internet were proprietary products explicitly advertised as being tools for shipping work overseas.

hmm

[che.kai-jei]

"I consistently try to use Open Source technology whenever possible (I fully support the sociology behind the movement)" doesnt she mean ideology, surely?' the first time i ever try to read an article and i am defeated in the first paragraph!

Place to develop software with ethical licenses?

I develop applications which I release under ethical licenses such as the Hacktivismo license which prohibits using the software to violate human rights and the like. The source is open and available and you are free to distribute and modify the source, as with any other open source license.

However I do believe Savannah and Sourceforge required their projects to stick to the Open Source Initiative's definition of "Open Source", which prohibited use restrictions (and therefore condoned human rights violations); so, these sites would not allow software with such ethical licenses, despite the software being otherwise completely "open".

So my question is: are there any other Sourceforge/Savannah-like sites that would allow such projects to be developed using the tools on their sites? How does Gforge fit in to this? Does it require people to use the GNU license or only licenses fitting the Open Source Initiative's strict definition of what makes for "Open Source"?

How does PEAR help?

I dont quite see how that helps if you are dead set on designing your DB access around stored procedures.

Re:VA is pimping SourceForge as tool for outsourci

[ErikZ]

The US has been siphoning JOBS? You're saying, that instead of hiring people locally, overseas companies are hiring expensive Americans to do long distance telecommuting!?

I've never heard of such a thing. Links please.

Re:The diff between GForge, SourceForge and Savann

So? A good many people on /. live outside the US, and no doubt some of them are the beneficiaries of offshoring of jobs.

Re:There are some pretty big sites running GForge.

The files contain usernames and passwords for the backend databases.

Re:VA is pimping SourceForge as tool for outsourci

w00t! Preach it brother!

Re:VA is pimping SourceForge as tool for outsourci

[Cyberdyne]

The US has been siphoning JOBS? You're saying, that instead of hiring people locally, overseas companies are hiring expensive Americans to do long distance telecommuting!?

Look at non-US companies using Windows, with Intel or AMD processors, maybe using Netware or Solaris servers and HP printers. None of those are locally developed - every one of them represents work being done in the US (and sometimes other countries), thus "siphoning jobs overseas". Call centres move jobs one direction, plenty of things move them in the other - and so far, the US has been on the receiving end of most of those jobs, overall.