nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror

vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that he does not control the SourceForge nmap project.

According to him the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.

On Monday, Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects," and to their credit Fyodor states, "So far they seem to be providing just the official Nmap files," but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html." To browse the projects and mirrors currently controlled by SourceForge, you can look at these account pages: sf-editor1, sf-editor2, and sf-editor3.

Fuck Sourceforge

[weilawei]

They are dead to me.

Re:Fuck Sourceforge

[ardentsoap]

This. Would anyone still use an FTDI chip?

Re:Fuck Sourceforge

Then why are you here. same company.

Re:Fuck Sourceforge

[TWX]

Probably because Soylent News has a godawful colorscheme that drives users away?

Re:Fuck Sourceforge

[ArcadeMan]

Given that it's plug-and-play for my Mac, yes I would still prefer a (real) FTDI chip. Fuck those CH340 ICs.

Re:Fuck Sourceforge

Changeable from preferences if I am not mistaken.

Re:Fuck Sourceforge

[0100010001010011]

Some well known projects they've taken:

• Evolution (GNOME Mail Client)
• Firefox
• MySQL
• PostgreSQL
• openvz
• Apache HTTP Server
• Apache Hadoop
• SQLite
• SWRare Iron
• Thunderbird
• The R Project
• NetBeans IDE

Your comment has too few characters per line (currently 11.7).

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum. Praesent mauris. Fusce nec tellus sed augue semper porta. Mauris massa. Vestibulum lacinia arcu eget nulla. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.

Re:Fuck Sourceforge

And yet here we all are trusting Slashdot. If this site isn't dead to us then are we as principled as we make ourselves out to be?

Re:Fuck Sourceforge

[MSG]

It looks like they've added a page for 389-DS, unbeknownst to its authors, as well.

Re:Fuck Sourceforge

[Z00L00K]

The best way to crack down on this is to use the "Report inappropriate content" on every page that Sourceforge has that provides contaminated content.

Re:Fuck Sourceforge

[weilawei]

I like to think that most other websites would censor me for swearing at the top of their comments section about one of their sibling companies. Luckily, Slashdot is better than that. Slashdot is not Sourceforge, despite the relation (unless timothy or soulskill are behind all of this nonsense).

Re:Fuck Sourceforge

[gnunick]

The best way to crack down on this is to use the "Report inappropriate content" on every page that Sourceforge has that provides contaminated content.

Which will help ensure that... the folks at Sourceforge know that they're a bunch of despicable assholes?

Re:Fuck Sourceforge

[DescX]

Holy crap. You're not kidding. I'm just about ready to run screaming back to IRC. I'm getting rather sick of this experiment we call the world wide web and all the trappings of advertising that fuel the beast. ...but I also recall running into all sorts of unpalatable crap before the WWW made it big. Mainly, square eyed nerds with small minded evil streaks. "Will this program attempt to burn out my CPU, or will it sort my email?" is a question I haven't had to worry about realistically for years. As much as I dislike the power "clouds" give to businesses, I will say that such models have made it a lot harder for some depressed person to reason that they can be ruinous. And mistakes actually get noticed... a step in the right direction.

I think we just need to be more stringent about policing our own kind, and the type of ownership problem SF has spurred will fix itself. Specifically, I mean growing a pair as an employee to stop poor management internally, insisting on having competent help, etc. I disagree with a comment below saying we should click buttons to report content. All that does is drive participation numbers. Want change? Spend 20 bucks on an old PC, 10 on a domain, and roll your own SVN/git/etc. Then, treat SF as though they never existed. Problem solved... ...or have I missed something crucial & worthy of an ethical crusade??? ;)

Re: Fuck Sourceforge

I'm sure Red Hat will try and handle the 389 issue.

Re:Fuck Sourceforge

[antdude]

What are good replacements over SF, download.com, FreshMeat, etc.?

Re:Fuck Sourceforge

You could at least try to troll a little harder. Download.com? Really?

Re:Fuck Sourceforge

[Solozerk]

Commenting to undo wrong moderation.

Re:Fuck Sourceforge

[toddestan]

Just create yourself a user.css file and change the colors to whatever you want. I've done this for years to change slashdot have light on dark text. Nowadays, you can even download extensions for popular browsers where someone else has done all the hard work for you for many popular sites.

Re:Fuck Sourceforge

[jeek]

Not saying Sourceforge is or isn't evil, but I've been poking around archive.org and it looks like the "nmap" project never had any files.

http://web.archive.org/web/201...

Re:Fuck Sourceforge

Start a new license that allows the author to restrict its distribution through venues that don't abide by certain rules.

People still use that?

[Lazere]

Honestly, using SorceForge right now is kind of like using Download.com. Sure, you might not get something nasty, but why take the chance?

Re:People still use that?

[gstoddart]

You know, it probably still shows up in a lot of searches.

There's quite possibly people out there who have known it long enough that they still trust it.

If you're following this stuff, you know about it. But it's surprising how long it can take from when a company starts being shady and when everybody stops trusting them.

From the sounds of it, Sourceforge will be able to coast on their reputation for some time before they go away, if at all.

Re:People still use that?

[Lazere]

Fair (and depressing) point.

Re:People still use that?

I am one of those people who have used it occasionally in the past and have grown to trust it. I appreciate the effort that /.'ers have made to make the issue public. At first I thought it was some kind of spam or APK or Golden Girls type thing, but then I saw it getting modded up. I easily could have been an unwitting vector in telling other people how great SourceForge is.

Re:People still use that?

[macraig]

Honestly, using SlashDot right now is kind of like using Facebook.com. Sure, you might not get something nasty, but why take the chance?

FTFY.

Re:People still use that?

[Andy+Dodd]

That's the disappointing thing - when a trusted name gets acquired by shady people, and those shady people milk the name for all it is worth.

I haven't been going to SF nearly as much lately, something just seemed "off" - now I'm glad I almost never go there.

It reminds me of what happened to a fairly popular hosting site for Android development projects, dev-host. d-h used to be a pretty good service, but sometime in the last year, they started replacing downloads with malware/adware.

Re:People still use that?

[AmiMoJo]

You know, it probably still shows up in a lot of searches.

Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?

Re:People still use that?

[penguinoid]

You know, it probably still shows up in a lot of searches.

Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?

Yeah, and I changed my sig in case other people are too lazy to look up where to do said reporting.

Re:People still use that?

[TWX]

You know, it probably still shows up in a lot of searches.

Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?

And how exactly are the search engines supposed to know that sites are pushing malware? What metric should search engines use for defining malware? In the case of the GIMP experience it sounds like Sourceforge put up a version that displays ads. Given that most search engines are funded through the use of ads displayed to users that might not exactly hit their criteria for malware.

Re:People still use that?

About two years back I remember that i found an "open source" project hosted on SF.

It only offered binaries. No source, repository or anything like that could be found anywhere. The binaries were, of course, malware and not what was stated.

Sure, probably not SFs fault directly but it did show that there is no accountability, no interest or resources to maintain a respectable standard.

That was what showed me that something was "off". Since then I only had negative encounters (including the "downloader").

Re:People still use that?

[Archangel+Michael]

I was gonna post exactly this. Download used to be usable (a very long time ago). Now when I end up there looking for software I simply say "No. NO! HELL NO!" and leave. But hey, they all have to pay the bills and what better way than to install crapware that is nothing short of evil?

Re:People still use that?

[aitikin]

I'm actually with this AC. I haven't been on SF in probably 3-4 years. Back then I never had issues and would actually look for stuff on SF. Now I don't have as much downtime for that sort of work/play, so I haven't been on, but I'm about to have significantly more free time soon and thus this is a timely notification to stay away.

Re:People still use that?

At the very least it should probably be flagged as less than trustworthy by Web of Trust.

Re: People still use that?

[AvitarX]

I also find it the best way to search for small open source tools.

When I search on the Internet in general, I get a lot of "free" things. Of course, at this point, source forge appears to be bundling just like them, so I don't know what to do.

Re:People still use that?

Are you cowardly comment-moderators all idiots? This is hilarious, considering that both SourceForge and Slashdot are now owned by Dice. Coincidence or master plan?

Re:People still use that?

Ah :)

Damn, I trusted them

[Pete+(big-pete)]

Sourceforge was always my go-to place for trusted original non-screwed files, and now I check the list of projects owned by sf-editor1, 2, and 3 and I see a lot of projects that I have used in the past.

Sometimes (particularly for older projects) it is very difficult to find a home-page or source that I can trust...and now it just became a lot harder.

-- Pete.

Re:Damn, I trusted them

To be fair, you could not then, nor can you now, trust most sites. This doesn't make it harder to trust them, unless by trust you mean "false-sense-of-security"

Re: Damn, I trusted them

Don't forget, these are now SF projects.

They alter the Eula, your selections in the installer are overriden, and malware installs.

Re:Damn, I trusted them

[Dog-Cow]

I see you don't know what trust is.

Re: Damn, I trusted them

[penix1]

They alter the Eula, your selections in the installer are overriden, and malware installs.

I wonder if the authors can bring a violation against their license if SF doesn't release the source code for an open source project they abscond with for those licenses that require reciprocity such as the GPL? Or a copyright violation for derivative works? Would be interesting to see if it happened.

Re: Damn, I trusted them

[david_thornley]

If Sourceforge distributes GPLed binaries without the corresponding source, Sourceforge is in violation of the license, and therefore has no valid license to distribute. The authors could indeed bring legal action against Sourceforge, probably not getting damages (or at least not much), but definitely getting an injunction against further distribution.

It's about time...

[MikeRT]

To just refer this matter to law enforcement. They're putting together bundles specifically to shove spyware down people's throats. It's being done in such a way as to make uninformed users think they're the official page. I'm not normally one to say stuff like this, but sourceforge needs to have a visit from FBI and/or FTC over this.

Re:It's about time...

[johanw]

If the bundled malware is closed source it may be a GPL violation too...

Re:It's about time...

[Dr_Barnowl]

No, because it's separate software - GPL is only activated when you link (dynamically or statically) other GPL software.

Re:It's about time...

Mere aggregation is not a GPL violation. Unless the malware somehow interacts with the GPL'd software it is *not* a derived work and the GPL does not apply.

Re:It's about time...

Oh jesus christ...

Not only has this been gone over every fucking time this story gets posted, but any one with half a brain who has ever actually *read* the GPL knows it isn't a fucking GPL violation. The license SPECIFICALLY says you can bundle closed source stuff with downloads of GPL software. IT FUCKING CALLS OUT AGGREGATION OF PROGRAMS AS A SPECIFIC EXEMPTION.

. . . In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

Fucking christ, you people are morons.

Re:It's about time...

This is why the GPL is no longer relevant. GPLv3 has failed, and momentum is behind BSD-style licensing.

Re:It's about time...

Perhaps they already have had that visit, and it informed their bundling procedures.

Re:It's about time...

[jdavidb]

You're going to report the people peddling spyware to the authorities that want to victimize everyone with spyware?

Just Remove The Product

[KermodeBear]

Re-packaging the product as your own is bad enough, but another bad part is that older projects may have security vulnerabilities as well. It seems like it would be far more ethical to me to simply mark the project as "abandoned", then after a while remove it completely. If the project is alive somewhere else, then contact those folks, let them know what is up, give them a chance to close it all down themselves or revive the proejct on SF.

But taking it over? No, that is not cool.

Re:Just Remove The Product

It's cute that you assume this only the misguided result of a well-intended move on SF's side.

This is the intentional monetization of the trust people put in well-established OpenSource projects, by corrupt business drones without any ethics whatsoever. They don't give a fuck about the projects. They are explicitely in it to milk cash as long as they can get away with it.

Your suggestion is akin to telling a crook to please do something else. Crooks are crooks by choice. These people need to be cut.

Re:Just Remove The Product

[worf_mo]

The problem is that SF does not allow project removal. I have a few projects that I hosted with SF in the early 2000s; years later I moved the projects to other places, but I cannot remove them from SF. Any project that has been "abandoned" is at their mercy.

Vacation ?

[darkz0r]

Look, the slashdot editor in chief is not on vacation any more and can thus post an anti employer post! *snicker*

slashdot is still slashdot

[Ilgaz]

I really admire slashdot editors freely accepting SF stories no matter how damaging they are.

Did you see a single newspiece/editorial on CNET news.com about the junk download.com bundles?

Re:slashdot is still slashdot

The cat is out of the bag since the Gimp story finally appeared.

They did, however, suppress that story for several days, until Slashdot started becoming associated with the whole fiasco too.

Re:slashdot is still slashdot

[vivaoporto]

No, it's not. See the difference between the original submission and how it was changed below.

To summarize, it was changed from "Fyodor accuses Sourceforge of hijacking nmap account" to "Fyodor warns that he doesn't control Sourceforge nmap mirror", among other things.

Re:slashdot is still slashdot

[Sarten-X]

Good.

Honestly, I'd rather see more stories edited to be less inflammatory. Most of the crap we get on here seems to be pushed to the extremes of "hate these guys" or "love those guys". It's nice to see some small attempt at real journalism, even if it is fueled by corporate politics. I'm hoping it will spread.

Re:slashdot is still slashdot

[Gavagai80]

Every slashdot story is a few days out of date.

Goodbye Sourceforge

[Stephen+Chadfield]

A good reputation is hard to earn but easily lost.

Re:Goodbye Sourceforge

[sound+vision]

It's actually hard to lose too, or at least it might take as long to lose it as to build it. If I, for example, didn't read Slashdot today and didn't regularly visit a tech forum, I would have no idea that Sourceforge was getting sketchy. I would just remember the dozen mentions of Sourceforge as a reliable place to download, and the years of clean downloads I'd got from them. So, it's critical that we as knowledgeable people don't just stop using Sourceforge but make an effort to spread the word. "If you see something, say something!" ... in this case, if you see a Sourceforge link, give them a better link and explain why.

Freshmeat?

[ArchieBunker]

Is is time for Freshmeat.net to make a return?

Re:Freshmeat?

[c0d3g33k]

Is is time for Freshmeat.net to make a return?

Why? As far as I recall, Freshmeat never hosted projects (with full support for VCS, mailing lists, website, downloads etc.), just provided an updated directory of interesting projects. It was good for keeping up with changes for the various projects scattered around the web, but it's not a substitute for SourceForge.

Re:Freshmeat?

[LaurenCates]

Depends. Is it any more reliable than SourceForge?

Re:Freshmeat?

[Anna+Merikin]

It was good for keeping up with changes for the various projects scattered around the web, but it's not a substitute for SourceForge.

Yep. I had to go to RPMfind.net or to tucows to get the source or SRPMs.

There is a little hope

[Ilgaz]

Their parent Dice holdings should start an internal investigation and find&fire the suits who led to this scandal. They should also hire a person who will oversee such decisions.

They may also suggest a fire&forget, respectable spyware cleaner (malwarebytes, spybot or even ms windows defender) to users.

Or they better backup the site, sudo shutdown -f now

Re: There is a little hope

[davidwr]

For a minute I thought "shutdown -f" meant "--f_ckthisweareneverpoweringonagain"

Then I read the freakin man page.

Re:There is a little hope

Why would they do that, this was done by directive, not by some rogue employee.

Ransoms is my captcha.

Re: There is a little hope

[TWX]

Okay, I'll bite, I looked at the man page and didn't see a -f option...

Re:There is a little hope

They are likely the ones that pushed them to do it (find a way to make money or get axed) and likely gave the final OK before it went live.

In the end, they want to get money out of SF somehow. Obviously more and more people are moving away and they want to milk the cow while they can.

It's their last ditch effort to change direction to become (more) profitable (offering "mirrors" aka becoming Download.com).

The despicable part is that they are using the established trust (used to be maintained by a developer) to push something else (that they make money for each each download/install). This is impersonation. Moving to another project name (i.e. ".mirror") may be an attempt to claim they are not impersonating. However, unless they explicitly state in big red bold letters "THIS IS AN UNOFFICIAL MIRROR NOT MAINTAINED BY THE ORIGINAL DEVELOPER", they are still abusing impersonation aspect stated above. Download.com doesn't have this problem because they never were an official/developer maintained mirror nor do they try to appear like one.

Re: There is a little hope

[Lazere]

Apparently -f is to skip fsck on reboot. Not quite what I expected.

Re:There is a little hope

[slashdice]

Ever use the dice job site? Same thing.

Re: There is a little hope

[aitikin]

I think that their exposing their ignorance: https://technet.microsoft.com/...

Re: There is a little hope

Is it ignorant to use "their" when it should be "they're"?

Just ask to remove the project?

If maintainers are no longer using Sourceforge to host or mirror their project files, can they not just delete them from Sourceforge? Why allow old versions to bandy about the internet? Is it just laziness on the part of the developer to remove old files, or does Sourceforge prevent it?

Re:Just ask to remove the project?

[LaurenCates]

It's like old email addresses or other internet accounts that you don't even remember you have anymore, I would guess.

Re:Just ask to remove the project?

[TheGratefulNet]

wonder how many dropped emails happen for people who had 'my-deja.com' accounts, etc etc ?

wow, dejanews. been ages since I even thought about that.

Re:Just ask to remove the project?

[innocent_white_lamb]

Sourceforge prevents it.

http://webapps.stackexchange.c...

Re:Just ask to remove the project?

[steveg]

Since that's not an option, maybe the smart thing to do (now that we know the problem) would be to keep your Sourceforge account current and periodically upload a "special" version that pops up a warning, "This software has been downloaded from an untrusted site. Please go to...."

If you renew this version every six months or so they'll have to find a new excuse beyond, "Hey, it was abandoned."

That may not help projects that have already been hijacked.

Re:Just ask to remove the project?

[CronoCloud]

wonder how many dropped emails happen for people who had 'my-deja.com' accounts, etc etc ?

Gods knows how many accounts like that existed. Seemed like every free website host, webchat, or message board community handed out e-mail addresses. You just reminded me of one I was a member of, Talkcity, which merged with Yet another old-time relic of the internet, the DelphiForums. Wonder if my account is still there, yep, turns out they were sending messages to an older non-existing address.

wow, dejanews. been ages since I even thought about that.

Now that brings back some memories. Let me tell you, that I wish google groups would go back to the Deja style interface for USENET searches and I wish you could search USENET by just using "searchterm group:foo.foo.foo" like in the old days.

Time for a get off my lawn joke.

Re:Just ask to remove the project?

Jeezus, that's a good incentive not host your stuff on Sourceforge. Thanks for the info.

Re:Just ask to remove the project?

[david_thornley]

If you have a SF project and have registered the name as a trademark, you could tell SF that they may not distribute modified files under that name. (Or maybe if the name is unregistered. Ask a real lawyer if you're interested; I'm just a guy who sometimes talks about legalities on the net.)

This problem

[koan]

This business with SF is troubling, and reinforces my concern about someone malicious gaining control over other items, like Linux repositories, updates, etc.

Anyone from "Russian hackers" to the NSA.

Editor accounts

http://sourceforge.net/u/sf-editor1/profile/
http://sourceforge.net/u/sf-editor2/profile/
http://sourceforge.net/u/sf-editor3/profile/

Re:Editor accounts

[Anonym0us+Cow+Herd]

Those who are very observant might be able to detect a pattern to these URLs. Advanced leet sooper skilled hax4rs may be able to develop a way to predict or deduce what the next items in the sequence might be.

Re:Editor accounts

Oo I know this one:

http://sourceforge.net/u/tf-editor1/profile/
http://sourceforge.net/u/tf-editor2/profile/
http://sourceforge.net/u/tf-editor3/profile/

Sigh.

[ledow]

Rather than continuingly being forced to report on your own humiliations, why don't you just have a word with someone at DICE and show them what kind of response their actions are getting?

Re:Sigh.

[Anonym0us+Cow+Herd]

That goes against everything taught at MBA school. It should be obvious to the most simple minded simpleton that the best course of action is to have a word with the EDITORS and get them to IMMEDIATELY SUPPRESS all stories about that. That will prevent the reporting of their humiliations. Problem solved. Everyone happy.

Re:Sigh.

Tthe comments section for every other story got flooded with nastygrams when the story didn't hit the front page. Seeing as the comments are the main attraction, it would appear unwise to suppress the entire comments section.

Don't trust installer packages from anyone

While downloading pre-built binaries is often a necessity on Windows you don't have to trust the installer packages you download. At a minimum use a tool like 7-Zip to look inside the package to see what is lurking there. Its pretty obvious when a self-extracting executable contains extra crap and when you find that you can either look for a different download source or manually extract only the content you intended to download.

Re:Don't trust installer packages from anyone

Sometimes you can use a program called Inno Setup Unpacker to extract files from inside the installer executable or MSI, where 7-zip fails.

Sourceforge can go White Hat on this

[davidwr]

All they have to do is:

1) post a prominent disclaimer along with a link to an officially maintained source, if any.

2) only provide true read-only mirrors or, for truly-abandoned projects or projects with "political squabbles" that make it hard to know the "real, official" maintainter, true historical mirrors in an explicitly frozen state along with a stayement explaining why the code is old.

3) prominently display an invitation to "official maintainers" to reclaim control of the repository or have the mirror deactivated once they prove who they are.

They can go one step further by pro-actively reaching out to currently affected projects and to projects they later identify as "abandoned on Sourceforge but still alive elsewhere."

They also need to apologize to affected developers and maintainers.

Why should they even bother?
1) They can still make money on web-site ads.

2) It will help boost their reputation and that of their corporate overlords, which will eventually translate into revenue.

Re:Sourceforge can go White Hat on this

[houghi]

It will EVENTUALLY translate into revenue? But the CxO needs a new boat NOW. The numbers of this quarter are due in less than 3 months, so we need it now.

Get the golden eggs out of the goose NOW, because there will be at least one in there. Fcuk tomorrow.

Confusion with names and roles in his announcement

[Simon+Budig]

Hi all.

Just a quick service announcement since Fyodor erred with regard of the role of Michael Schuhmacher.

Michael is *not* the CEO of Sourceforge. He is Office Wrangler for the GIMP project and very much on the other side of the dispute...

Bye,
              Simon

Project Removal?

[Rob+Riggs]

How does one permanently remove a project from SourceForge that has been transferred elsewhere so this does not occur?

Re:Project Removal?

[davidleelambert]

You can't. In particular,

• "Has the project released files? If not, we will honor the removal request."
• "Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value."
• "Projects that are moving to closed source do not qualify for removal."

Re:Project Removal?

[worf_mo]

SourceForge does not allow project removal, especially when moving the project to a new hosting provider.

Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value.

Re:Project Removal?

Not to defend sourceforge's actions, but part of this may be to comply with the terms of the GPLv2, since they distributed source and binaries, they need to be able to keep the source for code that they have distributed around for a given amount of time.

If I recall correctly, this was one of the flaws in the GPLv2 that it didn't have an expiration date on the written offer and for how long the source had to be made available. This has been left open to be 'reasonable' by the parties involved.

Look at the bright side.

[idontgno]

We slashdotters complain vociferously about the (lack of) quality of the editors here at Slashdot. But it could always be worse. We could have editors like the ones at that other Dice holding, who steal people's contributions and put their own labels on them, and then wrap them in malware.

It'd be like Timothy personally claiming every +1-or-higher comment made in one of the articles he "edited", leaving only Goatse and GNAA trollage for us plebians.

I want my old /. With BlackJack and Hookers.

[0100010001010011]

Eh, forget the ./

Dice you've successfully figured out how to run one of the most best 'news' and opensource websites and run them into the ground for profit. /. and Fark were the only 2 places that could handle 9/11 traffic. I rode out that entire day on both sites when CNN was crumbling.

I'm glad I had Slashdot over Reddit when I was an angsty tenager. I took pride in trying to get +5 comments and put effort into doing so. Honestly slashdot made me a better writer. Reddit is nice for short terse communication but sometimes I want to "talk with adults".

Slashdot didn't need much. Unicode support. Newer HTML5 support. CSS3. Make a decent mobile app, move away from HTML for Markdown. Moderation made sense and was much better than a simple +- system. Voting was randomly enabled and you couldn't both vote and comment on the same article. -2 to 5 also limited band wagoning. It's easier to recover from a bunch of early 'down votes'. Instead you drove everyone away to other sites (which still don't quite scratch the /. itch). You shoe horn in what ever fucking agenda is "big in IT". Looking back at all the news I got from /. I can't ever remember thinking "I wonder if a woman did this" or "Too bad a woman didn't do this" because I didn't care. It was about the tech and news for nerds.

On 'Gamergate', 'sexual equality', 'gender issues', we don't care "Trans-gendered" is a big thing in the news these days (and especially around tech) but a long, long time ago I remember a Mac developer made the transition. (This was in the late '90s.) I read her bio. Shrugged my shoulders went "Neat" and moved on. Why? Because she made some awesome Mac games. Most other person I know in IT or engineering think the same way. None of us care what you do with your body or who you take to the bedroom. I do care if you can cut it and get your work done or contribute to society.

On the other side of that is Randi Harper (FreeBSD Girl) who actually write decent code. I've dug through some of her BSD commits, major props to her for doing that. But it can all be done without photoshopping traffic tickets to make it look like you got swatted, begging for money to move on twitter, (When you already earn $3k/month from Patreon), grandstanding on Twitter for no reason and bandwagoning users against anyone that disagrees isn't the way to do it.

You had the same opportunity to fix Sourceforge all of its' convoluted download mirrors (just use a proper CDN), update to Git, and everything else that Sourceforge isn't and GitHub is. Instead you rested on your laurels and are now trying to use this as one last cash grab before the Titanic goes down.

I don't know where I was going with this either. Just thought someone up top should know why your traffic is tanking and a lot of us are pissed off at you for what you've done.

I still won't forget the time you broke the capslock filter, I remember BitTorrent being announced and people thinking it was useless, the iPod's lack of wifi and space compared to a Nomad, et al.

Thanks for the fish?

Re:I want my old /. With BlackJack and Hookers.

[j-turkey]

I like a lot of what you had to say, but please forgive me for being pedantic on one point that you've made.

On 'Gamergate', 'sexual equality', 'gender issues', we don't care

Who's we white man? ;)

It's great for you that you're privileged enough to not have to care about issues of gender equality. However, to be clear, I do care about that stuff, and if you have any interest in social justice, I believe that you should too.

My last point with respect to your sinking ship comment, I believe that there is one major shortfall that you missed, and it's not /.'s fault. It's the /. user community itself. Seriously, commenters here are almost as bad as YouTube - going straight for the ad hominem jugular over something as minor as an error in punctuation (or worse, a technical error in a post). I suppose that it's endemic to any Internet forum, but some places are better than others...and this place is worse than many others. It's like a magnet for internet buttholes and tough guys. There isn't much that can be done about it, other than trusting the moderation system, but that kind of environment does tend to stifle productive and respectful dialog.

Re:I want my old /. With BlackJack and Hookers.

I was under the impression that Randi had famously made 0 BSD commits, and that her block-bot code was hilariously bad. Therac 25 bad according to one analyst.

Re:I want my old /. With BlackJack and Hookers.

[0100010001010011]

Who's we white man?

Now I'm white and a man?

"We" is the people that actually do work in the tech industry & engineering. When I go to work in the morning I don't care if you're white, black, purple, gay, straight, trans-gendered, female, pierced, tattooed, et al. All I care about (those that I work about care about) is if you get your work done and if it's quality work. It's been that way for a while and it's been that way with most people I work with and know.

It's why a lot of similar industries don't care about your attire and you can get away with piercings, colored hair and tattoos

It's great for you that you're privileged enough to not have to care about issues of gender equality. However, to be clear, I do care about that stuff, and if you have any interest in social justice, I believe that you should too.

That's the thing. I believe in social justice. And the way to get 'social justice' is to stop pointing out the differences and turning sides against each other. Women and LGBT have been in 'industry' for a long time. (Grace Murray Hopper graduated from Yale in the 30s) It's not an issue for most people. The only people that think it's an issue are the ones that are trying to grandstand it into something more than it is.

Tim Cook wasn't really deep in the closet before he came out, it's just that it was a non-issue around Apple.

Re:I want my old /. With BlackJack and Hookers.

I believe that you should too

This is what makes an SJW an SJW. Busybody instead of activist.

*I* believe you should fuck off and let me form my own opinions.

Re:I want my old /. With BlackJack and Hookers.

[j-turkey]

Who's we white man?

Now I'm white and a man?

I really hope that you were joking too. I don't know you, so just in case - here's the joke that I was referencing. :)

"We" is the people that actually do work in the tech industry & engineering. When I go to work in the morning I don't care if you're white, black, purple, gay, straight, trans-gendered, female, pierced, tattooed, et al. All I care about (those that I work about care about) is if you get your work done and if it's quality work. It's been that way for a while and it's been that way with most people I work with and know.

It's why a lot of similar industries don't care about your attire and you can get away with piercings, colored hair and tattoos

It's great that all you care about is results. I wish that there were more people like you. However, it doesn't mean that the tech industry is immune from the wage gap (or position gap) between men and women. It has and it continues to happen. There are some companies who are pioneers in this sense, too. However, these are not the norm. While I am optimistic about progress, we have a long way to go to establish equality. I welcome hearing about it on Slashdot, as the topic is worthy of discussion. To squelch discussion is being complicit with the status quo, which is a form of racism/sexism in and of itself. Please don't take that as me accusing you of anything. It's not my point. My point is to explain the merits of discussing it here.

That's the thing. I believe in social justice. And the way to get 'social justice' is to stop pointing out the differences and turning sides against each other. Women and LGBT have been in 'industry' for a long time. (Grace Murray Hopper graduated from Yale in the 30s) It's not an issue for most people. The only people that think it's an issue are the ones that are trying to grandstand it into something more than it is.

Tim Cook wasn't really deep in the closet before he came out, it's just that it was a non-issue around Apple.

I agree that the tech industry is diverse. However, it continues to be a male-dominated industry. If certain people feel alienated, or there is a wage/position gap - should they not be free to voice their opinion? Should they not be welcome to engage in discussion about it (it's not like anyone is forcing anyone else to participate in it)? What makes Slashdot the wrong place for it? I mean, if they're "nerds" in their field, should they head over to Ms-Slashdot.org and discuss it there? Just because the CEO of Apple's sexuality was a non-issue, does it mean that others in other companies do not experience it on a wholesale basis? Another example: while I am a huge admirer of Grace Hopper, her story is an exceptional one, considering that she practically stands along among history's female computer pioneers.

With respect to how to achieve social justice, I don't know if I agree with you. There is really no way to point out how inequality within the status quo without someone feeling attacked. Every online discussion that I have ever read about gender equality or racism results in a person in the majority (who is usually white, male, and/or heterosexual) attacking back, or at least pushing back in a way that indicates that they feel threatened. This type of behavior is endemic to the status quo. An attempt at social change that will negatively affect the privileged will often result in a negative response. At best, activists of social justice are accused of being divisive or stirring the pot. Maybe they are being divisive, but maybe they're right to be if they've been living with inequality their entire lives.

I also understand your point about grandstanding. However, if we agree to stipulate that there are

Re:I want my old /. With BlackJack and Hookers.

I complely agree.

Changes from the original submission

[vivaoporto]

The edits made by Slashdot editors on my original submission (that can be read here) are very telling. Fyodor isn't warning that he doesn't control Sourceforge nmap mirror, he is accusing them of hijacking his Sourceforge nmap account, removing the content and creating a mirror that he doesn't control.

The original title was "Sourceforge Hijacks the Nmap Sourceforge Account" and it was the same title Fyodor used on its post to the maillist. Losing the original Sourceforge original nmap account (created by nmap developers themselves) is not the same news as him not controlling "nmap SourceForge Mirror". The same expression was also changed in the submission body.

Two other important parts from the the original submission removed by the editor:

1. The statement by SourceForge themselves that (emphasis mine):

At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.

2. The reference by Fyodor that even if Sourceforge still isn't bundling anything on nmap, the page is designed to mislead the users with fake download buttons:

"So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) (...)

Below I repost the original submission so you can compare:

Sourceforge Hijacks the Nmap Sourceforge Account

Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that the Sourceforge Nmap account was hijacked from him.

According to him the old Nmap project page (located at http://sourceforge.net/project..., screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which controlled by sf-editor1 and sf-editor3, in pattern mirroring the much discussed the takeover of GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week Slashdot.

That happens after Sourceforge promises to stop "presenting third party offers for unmaintained SourceForge projects. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."

To their credit Fyodor states that "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP" but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html"

Re:Changes from the original submission

[Soulskill]

Hi. Thanks for the submission.

In addition to editing your submission for brevity and minor grammatical issues, I edited it for factual accuracy as well. I'll first address your two main points.

1) The rest of the quote from SourceForge was trimmed because it wasn't relevant to the content of the submission. SF has been bundling their "third-party offers" with projects who explicitly opt into it for a long time — it's a known thing, and has been discussed at length. Second, according to Fyodor's own post, they weren't bundling anything with nmap.

2) The rest of the Fyodor quote was trimmed for a similar reason. It makes reference fake download buttons and catching SF "trojaning" nmap. It's fine for Fyodor to editorialize as he pleases, but the first is a separate issue and the second is a non-event, so neither really have a place on this story.

The headline was changed for two reasons: First, Fyodor's account seems to still be under his control, and the nmap project seems to have been cloned/mirrored, so the references to hijacking the account lack clarity. Second, this is not actually new news. When the GIMP story broke, anyone with an interest could see what projects SF had taken over. Nothing actually changed for the project page Fyodor is posting about since the GIMP story broke — thus, the new information is simply that he's complaining about it. (Which is his right, of course.) I went ahead and posted the story for transparency's sake, and I added links at the bottom of the summary to the SF editor accounts, so people could easily see the full list of affected projects.

Re:Changes from the original submission

[gatzke]

Between /. screwing around with this SF story and them screwing around with the poll, I am about to give up.

After nearly two decades reading /. nearly daily they are pushing me over the edge.

Re:Changes from the original submission

Change job, dude. This isn't worth it.

Re:Changes from the original submission

[gatzke]

And the stupid video stuff. Looks like we can't turn that garbage off either. Thanks /. !!

Re:Changes from the original submission

[vivaoporto]

Hi, and thanks for taking the time to address those points, altought they were not the main points. They were merely "other important parts (...) removed", the main point being that "Fyodor isn't warning that he doesn't control Sourceforge nmap mirror" but "is accusing them of hijacking his Sourceforge nmap account".

Concerning to the main point:

1. The original title stated that he lost control of "Nmap Sourceforge Account" and not his own
and it was very clear that by having the project page erased outside his control meant that he lost control of it.

2. The submission was not about SourceForge (as they were, as you say, pretty much similar to the what was discussed in the previous story) but about the reaction of a prominent figure of the IT world. By editing it for factual accuracy the point of the submission was lost (as what was kept after the edit was not Fyodor's reaction anymore).

I don't agree that those other two points were satisfactorily addressed either and here is for what reason.

1. The entire quote was copied verbatim from the update made by T on the SourceForge and GIMP article. Assuming it was relevant enough to be included there by the Slashdot staff itself I don't see why it is not relevant to be included in a similar article referring to the same subject.

2. The rest of Fyodor quote served to illustrate his opinion that, despite not bundling the installation files with "easy to decline third party offers" (to borrow an eufemism sometimes used by the industry, referred by Fyodor as "trojaned"), it is still risky to download nmap from SourceForge mirror. There are very confusing download buttons on that page that link to those same kind of third party offers instead of to the unmodified installer (referred as "fake download buttons").

it is very misleading to have a submission accepted, altered for factual accuracy but to kept as if it were submitted as is by the original submiter:

vivaoporto writes:

an edited version of what vivaoporto wrote, without any indication of what was changed, who changed and why.

It would be better to either accept the submission as is (with the minor gramatical mistakes corrected) with a "Note of the Editor (NE)" appended or to reject the submission as factually incorrect.

Re:Changes from the original submission

[Nethead]

I remember when /. was so hard up for bandwidth I ended up hosting images.slashdot.org at the ISP I was working for. That's back when it was just Malda, a T1 line, and the community. I was so much better then.

Re:Changes from the original submission

[Nethead]

Uhg! It was so much better then. Almost 20 years and I still haven't learned to preview posts!

Re:Changes from the original submission

You are really nitpicking here homey

Re:Changes from the original submission

Yep, nearly 2 decades lurking here too, and sick of it getting worse and worse.

Perfect example: What is that fucking video crap?

These days I avoid most stories and hunt and peck for interesting scraps. But, there's now just so much pop culture and politics, and the good stuff often wanders off down inane directions. Truly makes me sad.

Re:Changes from the original submission

[morkk]

noscript = no video

Re:Changes from the original submission

[DocHoncho]

If you use a plugin like Stylish (available for Chrome & Firefox) you can add a stylesheet for slashdot.org with the following rule:

article#firehose-000 {
        display: none;
}

This will collapse the element containing the videos. I've also heard of people using their Adblock plugins to do the same thing by telling it to treat that element as an ad and collapse it.

An (untested) rule to hide the polls would be:

article.fhitem-poll {
        display: none;
}

Replacement for sourceforge File Release System?

[Junta]

While looking at other open source project hosting, the one thing that I couldn't see was a good alternative to sourceforge's file release system.

They basically provide a yum/apt friendly structure that can be rsynced to. Since it allows pretty much arbitrary structure and it gets mirrored, it works out ok.

Even before this, was interested in replacing everything on sourceforge, but now really interested in killing it off. Anyone know a good free CDN to cram yum/apt repositories into?

It seems like sourceforge is committing suicide.

[roc97007]

This is the internet -- Sourceforge doesn't control content they don't own any more than anyone else does on the internet. And their audience being geeks rather than Fred and Ethyl Consumer, who would be better connected into threads like these and would know to go to the "official" sites... I just don't see this strategy working.

Project should use trademark defense

The project's being 'mirrored' should just use trademark defense and force SF to not use the same trademark/project name for the altered binaries they are peddling. SF actions are obviously harming the brand that those projects have worked hard to establish.

Re:Project should use trademark defense

[TechyImmigrant]

The project's being 'mirrored' should just use trademark defense and force SF to not use the same trademark/project name for the altered binaries they are peddling. SF actions are obviously harming the brand that those projects have worked hard to establish.

This. Trademark GIMP, NMAP or whatever. Take it with you. SF can fork the code, but they need to put a different name on it so users are led into thinking the code has a provenance other that what it actually has.

"News For Nerds"

[westlake]

On 'Gamergate', 'sexual equality', 'gender issues', we don't care

Until the back pressure from coverage by mainstream news sites and other geek forums like Arts Technica can't be resisted any longer.

Re:Fuck slashdot & sourceforge

Yeah... it's sad but true. I'm also looking for alternatives.

Re:Confusion with names and roles in his announcem

[Culture20]

Hi all.

Just a quick service announcement since Fyodor erred with regard of the role of Michael Schuhmacher.

Michael is *not* the CEO of Sourceforge. He is Office Wrangler for the GIMP project and very much on the other side of the dispute...

Bye,
Simon

Are you sure the Sourceforge CEO didn't co-opt the "abandoned" identity of Michael Schuhmacher?

Is SourceForge ...

[PPH]

... working its way up to replacing legitimate content with alternative and possibly corrupt stuff? In the case of GIMP for Windows, it has been sold off to an advertising provider. For nmap, the motivation could be more nefarious. As an important tool for performing network and security diagnostics, the implications of a crippled copy could be far more nefarious.

NSA, please go away.

Re: Is SourceForge ...

it works differently
  they have linux, windows, solaris and osx os developers on their covert payroll.

all bases covered.

and it is jcs, not just nsa.

Re:Replacement for sourceforge File Release System

Bitbucket.

score 0 redundant

wasn't this issue discussed two days ago, along with an official response? were you mnapping at the time? do you want a new story for every project affected, along with critiques of their website and false allegations of trojans? maybe you dislike their fashion sense or cooking, too? are you that bored? need another mnap?

On the bright side...

[radarskiy]

Slashdot editors are now actually editing.

WTF Sourceforge?!

[Zalbik]

Seriously, WTF?

Are the SF editors just retarded or are they intentionally just trying to shoot themselves in the head?

What were they thinking:
"Wow, taking control of GIMP and adding adware to it certainly stirred up some controversy....let's see what happens if we hijack NMap! No such thing as bad publicity, right?"

Someone needs to hit these people upside the head with a clue-bat and let them know that yes, there IS such a thing as bad publicity.

PS
Guess we can talk about this in a couple of weeks on main when the Slashdot editors finally get the go-ahead from their corporate overlords.

Related

[ThatsNotPudding]

To just refer this matter to law enforcement. They're putting together bundles specifically to shove spyware down people's throats. It's being done in such a way as to make uninformed users think they're the official page. I'm not normally one to say stuff like this, but sourceforge needs to have a visit from FBI and/or FTC over this.

More to the point, would it really be that hard for an even more nefarious third-party to change out the Sorceforge shovel-ware for truly dangerous malware? Do they even offer hashes to check the installers they've 'improved'?

God Damnit, Sourceforge

[StikyPad]

This is why we can't have nice things!

Re:Confusion with names and roles in his announcem

[weilawei]

I suppose if you're a world famous race car driver and you get paralyzed, you might be driven to maintain the GIMP.

I'm sorry, but that was contractually obligated.

Re:Confusion with names and roles in his announcem

Hi all.

Just a quick service announcement since Fyodor erred with regard of the role of Michael Schuhmacher.

Michael is *not* the CEO of Sourceforge. He is Office Wrangler for the GIMP project and very much on the other side of the dispute...

I believe he was referring to Michael Schuhmacher Mirror, who was created and promoted to CEO, after the real Michael Schuhmacher was observed to be inactive for a period of time.

Re:

Not sure, but please post one here if you find one.

SOP for me

[Todd+Knarr]

This is why my policy has always been to obtain downloads only from the author's or package's official site or an official download named on the official site. Apparently that policy's saved me from a lot of malware/crapware.

owend by Slashdot Media

[samantha]

Is this the owner of slashdot.org or something else. If they are the same then WTF ARE YOU GUYS DOING taking over people's projects and locking them out?

Re: slashdot & sourceforge

[requerdanos]

> I had enough from them. I'm going somewhere else.

Yet you come back, every other story, to post this or a similar comment.....