FSF Migrating From Savannah to Gforge

bluestrain writes "It's been almost 4 months since Savannah was hacked. The site is still not completely functional, no new projects have been accepted since December 2003. Now it seems that the FSF is abandoning Savannah in favor of Gforge. RMS himself has confirmed the plans. A few developers are questioning the change. Hopefully the dust will settle and savannah can start accepting projects again."

There are some pretty big sites running GForge...

[tcopeland]

...already. Savannah moving over is certainly a big one, though.

Stuff like this is why we're continuing to optimize GForge's SQL...

good news!

[larry+bagina]

No offense to the OSDN/Slashdot guys, but sourceforge has started to suck dick lately. Constant downtime, searches that don't work, CVS running a week late, and now PBS-style appeals for money on the front page.

If you just need a good (and free) public CVS server, what other options are there besides sf and gforge?

Re:good news!

[Queuetue]

Lately? I groan every time I see a project is hosted at sf - it means 20-minute mailing list searches, regular downtime, and the whole download-roulette game where you try to deal with the klunky interface and find a not-completely-dead mirror.

Re:good news!

[FreeLinux]

but sourceforge has started to suck dick lately.

I hadn't heard about this new feature. It could be rather interesting. But SourceForge has been having too many problems for too long. It seems as though no one is maintaining it, they simply disable a feature when it breaks. Additionally, I have always been concerned about having so many projects and information sites in a single OSDN basket. One never knows what the future holds for OSDN.

Re:good news!

[daishin]

Well, why dont you invest lots of money like SourceForge into servers and making it as good as it can be, I mean being over-loaded with people such as you who then complain that its starting to suck, well ofcourse it is and if its a problem you should help those good people out and donate resources to them.

Re:good news!

[sbrown123]

and now PBS-style appeals for money on the front page.


God Im gonna get flamed for this.

Anyways, maybe its not such a bad idea if Sourceforge required paid membership (like $50 a year) for file and cvs access. Seriously, I'd pay if the moneys right for better service and quicker file and cvs access.

Re:good news!

[scrytch]

> sourceforge has started to suck dick lately

That's what I call a feature.

thankya, I'll be here all week.

Re:good news!

[tcopeland]

> it means 20-minute mailing list searches,

Although SourceForge will be much faster now that PlayFair has moved to Sarovar :-)

No, but seriously, folks. If the top 10 projects moved off of SourceForge, I bet that'd eliminate 75% of the load. eMule alone gets downloaded a quarter-million times a day...

Open Source/Free Software

[0x0d0a]

I consider SourceForge to be representative of Open Source Software, and Savannah to be representative of Free Software.

It's amazing how accurately they seem to portray their respective ideologies.

I can understand that.

[ideatrack]

This is probably uneducated on the matter, but I can understand why they want to move.

Frankly 4 months is way too long for the site to be "not completely functional" and it can't help but make you doubt the quality of the administration of the site if there weren't sufficient provisions in place for this eventuality. Any website is a target so any webadmin should have a plan in place.

When there are seemingly more secure options out there, more reliable anyway, then you'd go with them. Being faithful is one thing, but you can only do that for so long.

RMSs history on security

[Rapid+Home+Offer]

For Stallman, the opposition to security was both ethical and practical. On the ethical side, Stallman pointed out that the entire art of hacking relied on intellectual openness and trust. On the practical side, he pointed to the internal structure of ITS being built to foster this spirit of openness, and any attempt to reverse that design required a major overhaul. -- Free as in Freedom

The decision to move to GForge was made by Bradley Kuhn and the system adminitrators, according to Richard Stallman. They considered Savane could not be made secure enough. -- Sylvain Beucler, 2004

Seems like Stallman has lost sight of his roots!

Re:RMSs history on security

[winkydink]

Seems like Stallman has lost sight of his roots!

or he's starting to show signs of being realistic.

Subversion support?

[jared_hanson]

Anyone know if they can get subversion support in their as long as they are going through the effort to switch? I'd really like to see a free OSS hosting solution using all the latest and greatest tools. That and I'm not to sure about trusting the future of SourceForge, given VA's seemingly complete retraction from the open source community.

Re:Subversion support?

[monac]

Somebody was working on gforge supporting subversion through webdav. His project name was Dforge or something. Can't check it atm. Gforge site seems slashdotted and down now. I remember he made a working alpha or beta version of Dforge when i checked a few days ago.

Subversion is so convenient and I also switched to subversion recently. Supporting subversion or Webdav may have many potential advantages in its flexible architecture. I hope webdav be integrated into Gforge into its next mainstream version.

Re:Subversion support?

[tcopeland]

> His project name was Dforge or something

Yup, it's DForge; Sung Kim is working on it. You can read his post about it here.

Gforge is very specialized.

[Electrawn]

Gforge may be great for high traffic sites like Savanaah, but for low traffic 1-10 project sites I use Xoops+MyXoopsForge or Novell Forge. I think Savanahh made a good choice here, but they are stuck once they port. Novell Forge is the other choice.

GForge uses some highly optimized transaction stuff and database functions inside postgres that probably should be in the PHP layer.

Reminds me to port MyXoopsForge to postnuke to take advantage of ADODB! Compatibility or speed?

-Electrawn

Re:Gforge is very specialized.

[tcopeland]

> And in the Faq that they refuse
> to accept MySql patches

It's not that simple. It'd be a fair bit of work to port GForge to MySQL, and for what gain? PostgreSQL is fast, stable, and open source. And targeting PostgreSQL means we can write stored procedures to make hotspots faster.

I agree that abstraction layers are good, though - we've chatted on the forums a bit about the pros and cons of refactoring towards PEAR.

RMS in hospital?

[slipgun]

I don't have time to discuss this further. I am in the hospital and falling behind on my other work.

He's in hospital? Nothing serious, I hope.

Re:RMS in hospital?

He's got FLU/Linux

Re:RMS in hospital?

[Original+AIDS+Monkey]

Every few months, the cops come get him and force him to take a sponge bath, it's not big deal.

Richard Stallman in hospital

Let everyone hope that Richard Stallman gets well soon.

Re:Richard Stallman in hospital

[Paul+Fernhout]

I hope he gets well soon too. He's a remarkable person who has made a great contribution to society (whether one agrees with all his philosophy or not).

VA is pimping SourceForge as tool for outsourcing.

Go look for yourself. VA is pimping SourceForge off as a tool to help companies ship jobs overseas. They don't even hide the fact.

Have a look for yourself: VA Software

Mountain? Mole-hill?

[mellon]

It sounds like a total of two people are questioning this decision, which is a small number given how many people use savannah. I have rarely seen a controversy about GNU end so quickly - there were a total of about ten messages in the thread. There is always someone for whom any change is a big tragedy.

As to losing track of roots, maybe RMS is getting a little bit more pragmatic in his old age. It's all very well and good to say "we should do X" when you have the resources to do X, but if you don't have the resources to do X, then saying "we should do X" is just stupid.

Re:gforge slashdotted?

[jared_hanson]

GForge doesn't actually host projects (besides its own). It is simply a software package used to maintain and coordinate development efforts. If/when the FSF switches to GForge, it will be up to them to provide the resources necessary to handle the large amounts of traffic and projects. That responsibility does not fall on GForge.

Re:For Benefit of Lazy Bastards...

[Electrawn]

Sourceforge, also code named Alexandria. Original concept of a public development and collaboration for Open Source Projects. Last code base available was about 2000 before VA took the project Closed source for commercial purposes.

Savannah: Fork of Alexandria code for GNU projects. I evaluated it but it was too kludgy to understand.

GForge: Fork of Alexandria code by former Sourceforge developer. Rips out foundries and is for optimized PHP and Postgresql and Apache. Patches for Oracle in beta, refuses mysql patches.

Novell Forge: Fork of XoopsForge that uses LDAP and Novell directory server. Needs Xoops 2.0 to run.

XoopsForge: Fork of Alexandria that runs as a module in Xoops. Not much Dev activity, most dev in Novell Forge.

MyXoopsForge: Fork of XoopsForge that has some active development. Used for forge.xoops.org

The only thing that may compete in the same space that is somewhat similar is PHPGroupWare.

-Electrawn

About gna.org

Many of the previous savannah contributors have already moved to gna.org, which is sometimes referred to as savannah's successor.
I have already moved all my projects to gna a month ago. Gna is way more stable and way faster than savannah. I love it.

The full quote sheds some light

[eldacan]

Thank you for providing a link to the text, which confirmed my impression that we're speaking about different kinds of "security" (and that the way you presented the quotes is misleading).

Here is a more comprehensive quote:

At the AI Lab, Stallman's political activities had a sharper-edged tone. During the 1970s, hackers faced the constant challenge of faculty members and administrators pulling an end-run around ITS and its hacker-friendly design. One of the first attempts came in the mid-1970s, as more and more faculty members began calling for a file security system to protect research data. Most other computer labs had installed such systems during late 1960s, but the AI Lab, through the insistence of Stallman and other hackers, remained a security-free zone.

For Stallman, the opposition to security was both ethical and practical. On the ethical side, Stallman pointed out that the entire art of hacking relied on intellectual openness and trust. On the practical side, he pointed to the internal structure of ITS being built to foster this spirit of openness, and any attempt to reverse that design required a major overhaul.

"The hackers who wrote the Incompatible Timesharing System decided that file protection was usually used by a self-styled system manager to get power over everyone else," Stallman would later explain. "They didn't want anyone to be able to get power over them that way, so they didn't implement that kind of a feature. The result was, that whenever something in the system was broken, you could always fix it."9

Through such vigilance, hackers managed to keep the AI Lab's machines security-free. Over at the nearby MIT Laboratory for Computer Sciences, however, security-minded faculty members won the day. The LCS installed its first password-based system in 1977. Once again, Stallman took it upon himself to correct what he saw as ethical laxity. Gaining access to the software code that controlled the password system, Stallman implanted a software command that sent out a message to any LCS user who attempted to choose a unique password. If a user entered "starfish," for example, the message came back something like:

I see you chose the password "starfish." I suggest that you switch to the password "carriage return." It's much easier to type, and also it stands up to the principle that there should be no passwords.10

Users who did enter "carriage return"-that is, users who simply pressed the Enter or Return button, entering a blank string instead of a unique password-left their accounts accessible to the world at large. As scary as that might have been for some users, it reinforced the hacker notion that Institute computers, and even Institute computer files, belonged to the public, not private individuals. Stallman, speaking in an interview for the 1984 book Hackers, proudly noted that one-fifth of the LCS staff accepted this argument and employed the blank-string password.

Clarification

[0x0d0a]

Savannah is lesser used -- there are fewer adherents of Free Software than Open Source.

The Open Source stance (as exemplified by ESR) is a more pragmatic one than an ideological one -- that people should use Open Source rather than Free Software because it *works better* than closed source, not because of a moral or philosophical mandate. The primary issue that SourceForge detractors bring up is that the current codebase is not available; this is an issue to a number of people strongly ideologically aligned with Free software, who want to interact with nothing but Free software. There is a parallel here. Since SF costs nothing, works well, and helps spread and facilitate open source software, there are few pragmatic issues with SourceForge that Savannah solves. Thus, the issues with Open Source that Free advocates have are mostly the same complaints that are raised about SourceForge.

Savannah's main issues are caused by a lack of people working on it, and it is currently less ready-to-go than SourceForge. It's HURD and Linux in a mirror.

Savannah makes its feelings on the importance of Free software very clear with the nongnu and gnu names. The SF people don't particularly place a lot of emphasis on someone being associated with a project or having a particular license -- there's no sourceforge.sortaopen.net for BSD-licensed projects, for instance.

Finally, while this is more germane to this story than to SF in general, the politics in the linked-to story remind me a good deal of the complex and never-ending debates about Free software purity that come up more frequently in the Free Software world.

I suppose that a lot of Free advocates are going to view this as a bit flamish -- I guess it's a bit cutting in that it identifies that Savannah hasn't been operating as well as SourceForge, but I don't feel that it's particularly false or misleading.

I use the GNU utilities as well as Apache every day -- I like both chunks of software.

I also, as people who read my posts frequently know, tend to often feel a bit frusterated with Free advocates. I do, not infrequently, think that Free folks can come off as a bit too rabid to the general public -- this mainly becomes an issue when media, desperate for some kind of figurehead for the open source world, settle on RMS, and he propagates his (intimidating to a CTO) views on intellectual property. I also remember when the Crystal Space team (an excellent LGPLed 3d engine), wanted to be absolutely correct WRT the GPL and valuing Stallman's input, wrote him to ask for a bit of clarification on a licensing detail. Stallman's response, an enlightening read, highlights a good deal of what I consider the difference between Open Source folks like Jorrit and Free folks like Stallman.

Free Rider Problem; Tragedy of the Commons

[David+Hume]

Well, why dont you invest lots of money like SourceForge into servers and making it as good as it can be, I mean being over-loaded with people such as you who then complain that its starting to suck, well ofcourse it is and if its a problem you should help those good people out and donate resources to them.

I understand your point. I too don't like it when somebody complains about a good or service that is provided free or at below cost.

However, the post to which you are responding may also have a point. The free rider problem and the tragedy of the commons (or, perhaps more precisely, tragedy of the net-commons) are inherent and endemic problems with Open Source software and projects.

Let's face it, Open Source projects are classically Marxist -- i.e., To each according to their needs, from each according to their ability. I'm not saying that to red-bait. On the contrary, I think it is kind of nice. :) However, it does require certain assumptions regarding human nature -- e.g., that people will act from good will, not be "lazy" (or place a different value on leisure), not freeload, etc.

Which I guess is my way of saying that, given these problems, I'm always surprised when people are surprised when an Open Source or Free Software project is over-burdenend and/or under-supported.

Re:Free Rider Problem; Tragedy of the Commons

[David+Hume]

Yeah, minor issue though - SourceForge is owned by VA Software (LNUX on Nasdaq) who has reaped millions from their IPO. Sourceforge is no more open source than www.microsoft.com is.

VA Software may be a for profit company, but SourceForge still "provid[es] free hosting to tens of thousands of projects." If that isn't sufficient to create a free rider problem and a bandwidth tragedy of the commons, nothing would.

And while VA Software may have "reaped millions from their IPO," one may wonder where all of that money is now.

Not exactly.

[devphil]

There are two reasons this decision is somewhat controversial for those of us maintaining FSF-related projects:

1. The decisions are made in a closed environment.
2. The Savannah admins have not demonstrated sufficient competence nor responsiveness. (Not meant to be a personal attack; I think they only have a few part-time volunteers.)

For example, GCC is under constant pressure by RMS to move from its own server (that happens to be hosted at Red Hat) and onto Savannah. But this pressure has been resisted for the same reasons, and it will continue to be resisted regardless of what "packaged development environment" Savannah is using.

With regard to the pair above, (1) the GCC maintainers have never been invited to share their concerns with the Savannah maintainers; when they speak up, they're ignored, and (2) Savannah gets fscked up on a regular basis, and complaints are ignored. For example, Savannah is supposed to be mirroring the GCC CVS repository, but it falls over constantly, leading to even higher load on the GCC servers as users switch over. The Savannah team has a long long way to go if they want to hold themselves up as a reliable open development site.

Re:There are some pretty big sites running GForge.

[NightSpots]

It's unfortunate, because the code is insecure as hell.

For instance, 'source.php' lets you view the source of files, but only if 'sys_view_source' (a global) is set in the config.

Of course, they don't check to see HOW it is set, but rather, allow you to pass it on the _GET global, which overrides the config, which, of course, lets you view the source of any file:

Compare:

http://gforge.org/source.php?file=source.php


http://gforge.org/source.php?sys_show_source=tru e& file=source.php

Nice, eh?

Re:There are some pretty big sites running GForge.

[gavinroy]

This would seem to be more a function of how *PHP* on the gforge server is setup. If register_globals is on, this will happen, if register_globals is off, which it is by default in the recent (read at least 1 year or more) stock php tarballs, this would not occur.

Re:There are some pretty big sites running GForge.

[gavinroy]

The PostgreSQL community is also migrating to GForge from GBorg. I'm pretty excited to see the outcome. There are some things I'd like to see in GForge, which can easily happen if enough people take the time to submit patches, such as modular support for revision control systems. Remember GForge is a fork of Sourceforge, maintained by one of the original architects and authors of Sourceforge.

Re:VA is pimping SourceForge as tool for outsourci

Since when has the "community" been restricted to citizens of the USA only? In case you missed it, the USA has been siphoning jobs and people away from the rest of the world for DECADES now. But I guess when it is India losing people to the USA everything is fine, hmm?