Subject: Re: [boost] sourceforge and release hosting
From: Jens Weller (JensWeller_at_[hidden])
Date: 2015-06-10 13:04:45


> Sent: Wednesday, 10 June 2015 at 16:59
> From: "Andrey Semashev" <andrey.semashev_at_[hidden]>
> To: "boost_at_[hidden]" <boost_at_[hidden]>
> Subject: Re: [boost] sourceforge and release hosting
>
> On Wed, Jun 10, 2015 at 5:34 PM, Adam Walling <adam.walling_at_[hidden]> wrote:
> > Michael Ainsworth <michael <at> michaelainsworth.id.au> writes:
> >
> >>
> >> For those new to the boost mailing lists such as myself can you provide
> >> a reference to catch us up?
> >>
> >
> > The wikipedia page has a brief outline of the latest news and sources:
> >
> > http://en.wikipedia.org/wiki/SourceForge
> >
> >> In November 2013, GIMP, a free image manipulation program, removed its
> >> download from SourceForge, citing misleading download buttons that can
> >> potentially confuse customers, as well as SourceForge's own Windows
> >> installer, which bundles third-party offers. In a statement, GIMP called
> >> SourceForge a once "useful and trustworthy place to develop and host
> >> FLOSS applications" that now faces "a problem with the ads they allow on
> >> their sites ..." In May 2015, the GIMP for Windows SourceForge project
> >> was transferred to the ownership of the "SourceForge Editorial Staff"
> >> account and adware downloads were re-enabled.[33] The same happened to
> >> the developers of nmap.[34][35]
> >
> > There are several other projects which have also suffered the same fate,
> > though the developers have not gotten up in arms as much as the GIMP and
> > nmap devs.
> >
> > The entire thing is a mess with a lot of carefully worded PR.
>
> I agree that the situation is worrying, especially since we distribute
> binary installers as well and don't seem to publish SHA/MD5 of the
> installers on www.boost.org. Basically, we trust that SourceForge
> won't be hacked or won't do anything mischievous, like it did with
> these other projects.
>
> However, what are the alternatives?

Self-hosting or GitHub.
Question is, does Boost want to wait until SourceForge gets worse?
Having malware-infected Boost installers or users clicking on "wrong" download buttons isn't worth the risk IMHO.

But it should also be ensured that the SourceForge account is under Boost's control, even when not continued for new releases.

regards,

Jens Weller


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk