sourceforge and release hosting
Should releases be hosted somewhere other than sourceforge? I've run across this regarding boost twice this week, and I'm sure we are all well aware of the history of problems that sourceforge has been accumulating. Personally I think twice now every time I happen upon sourceforge, and despite being a source target rather than binary release, I can't help but be disturbed by these recent events. And I certainly don't want boost associated. Are there any strong feelings among us here regarding this?
On 10 Jun 2015, at 1:20 pm, Adam Walling wrote:
Should releases be hosted somewhere other than sourceforge? I've run across this regarding boost twice this week, and I'm sure we are all well aware of the history of problems that sourceforge has been accumulating
For those new to the boost mailing lists such as myself can you provide a reference to catch us up?
On 06/10/2015 10:34 AM, Michael Ainsworth wrote:
On 10 Jun 2015, at 1:20 pm, Adam Walling wrote:
Should releases be hosted somewhere other than sourceforge? I've run across this regarding boost twice this week, and I'm sure we are all well aware of the history of problems that sourceforge has been accumulating
For those new to the boost mailing lists such as myself can you provide a reference to catch us up?
I don't know about the original author, but I've seen a discussion about leaving Sourceforge on Reddit recently:
https://www.reddit.com/r/cpp/comments/397mt5/someone_needs_to_convince_the_b...
So this might be one of the times the author ran across that topic.
Norbert
On Wed, Jun 10, 2015 at 4:06 AM, Norbert Wenzel <norbert.wenzel.lists@gmail.com> wrote:
On 06/10/2015 10:34 AM, Michael Ainsworth wrote:
On 10 Jun 2015, at 1:20 pm, Adam Walling wrote:
Should releases be hosted somewhere other than sourceforge? I've run across this regarding boost twice this week, and I'm sure we are all well aware of the history of problems that sourceforge has been accumulating
For those new to the boost mailing lists such as myself can you provide a reference to catch us up?
I don't know about the original author, but I've seen a discussion about leaving Sourceforge on Reddit recently:
https://www.reddit.com/r/cpp/comments/397mt5/someone_needs_to_convince_the_b...
So this might be one of the times the author ran across that topic.
Even if we don't want to make a change like this at this time, I think it would be worth investigating other options for making releases. Off the top of my head:
* Downloads directly on the boost.org site or some boost maintained subdomain/server (bandwidth is a *lot* cheaper than it was 10 years ago)
* Using github releases[1], downside being that each file has to be less than 1GB, which the windows binaries release passes.
* Using microsoft's code plex[2], downside - microsoft is moving away from it...to github.
Tom
[1] https://github.com/blog/1547-release-your-software
[2] http://www.codeplex.com/
Michael Ainsworth
For those new to the boost mailing lists such as myself can you provide
a reference to catch us up?
The wikipedia page has a brief outline of the latest news and sources: http://en.wikipedia.org/wiki/SourceForge
In November 2013, GIMP, a free image manipulation program, removed its download from SourceForge, citing misleading download buttons that can potentially confuse customers, as well as SourceForge's own Windows installer, which bundles third-party offers. In a statement, GIMP called SourceForge a once "useful and trustworthy place to develop and host FLOSS applications" that now faces "a problem with the ads they allow on their sites ..." In May 2015, the GIMP for Windows SourceForge project was transferred to the ownership of the "SourceForge Editorial Staff" account and adware downloads were re-enabled.[33] The same happened to the developers of nmap.[34][35]
There are several other projects which have also suffered the same fate, though the developers have not gotten up in arms as much as the GIMP and nmap devs. The entire thing is a mess with a lot of carefully worded PR.
On Wed, Jun 10, 2015 at 5:34 PM, Adam Walling wrote:
Michael Ainsworth writes:
For those new to the boost mailing lists such as myself can you provide a reference to catch us up?
The wikipedia page has a brief outline of the latest news and sources:
http://en.wikipedia.org/wiki/SourceForge
In November 2013, GIMP, a free image manipulation program, removed its download from SourceForge, citing misleading download buttons that can potentially confuse customers, as well as SourceForge's own Windows installer, which bundles third-party offers. In a statement, GIMP called SourceForge a once "useful and trustworthy place to develop and host FLOSS applications" that now faces "a problem with the ads they allow on their sites ..." In May 2015, the GIMP for Windows SourceForge project was transferred to the ownership of the "SourceForge Editorial Staff" account and adware downloads were re-enabled.[33] The same happened to the developers of nmap.[34][35]
There are several other projects which have also suffered the same fate, though the developers have not gotten up in arms as much as the GIMP and nmap devs.
The entire thing is a mess with a lot of carefully worded PR.
I agree that the situation is worrying, especially since we distribute binary installers as well and don't seem to publish SHA/MD5 of the installers on www.boost.org. Basically, we trust that SourceForge won't be hacked or won't do anything mischievous, like it did with these other projects. However, what are the alternatives?
On 10/06/15 16:59, Andrey Semashev wrote:
I agree that the situation is worrying, especially since we distribute binary installers as well and don't seem to publish SHA/MD5 of the installers on www.boost.org. Basically, we trust that SourceForge won't be hacked or won't do anything mischievous, like it did with these other projects.
However, what are the alternatives?
What about storing release packages on Github directly? On boost.test, there are apparently these tarballs automatically created:
https://github.com/boostorg/test/releases
but it is possible to push any package there:
https://github.com/MPI-IS/Grassmann-Averages-PCA/releases
Best,
Raffi
Sent: Wednesday, 10 June 2015 at 16:59
From: "Andrey Semashev"
To: "boost@lists.boost.org"
Subject: Re: [boost] sourceforge and release hosting
On Wed, Jun 10, 2015 at 5:34 PM, Adam Walling wrote:
Michael Ainsworth writes:
For those new to the boost mailing lists such as myself can you provide a reference to catch us up?
The wikipedia page has a brief outline of the latest news and sources:
http://en.wikipedia.org/wiki/SourceForge
In November 2013, GIMP, a free image manipulation program, removed its download from SourceForge, citing misleading download buttons that can potentially confuse customers, as well as SourceForge's own Windows installer, which bundles third-party offers. In a statement, GIMP called SourceForge a once "useful and trustworthy place to develop and host FLOSS applications" that now faces "a problem with the ads they allow on their sites ..." In May 2015, the GIMP for Windows SourceForge project was transferred to the ownership of the "SourceForge Editorial Staff" account and adware downloads were re-enabled.[33] The same happened to the developers of nmap.[34][35]
There are several other projects which have also suffered the same fate, though the developers have not gotten up in arms as much as the GIMP and nmap devs.
The entire thing is a mess with a lot of carefully worded PR.
I agree that the situation is worrying, especially since we distribute binary installers as well and don't seem to publish SHA/MD5 of the installers on www.boost.org. Basically, we trust that SourceForge won't be hacked or won't do anything mischievous, like it did with these other projects.
However, what are the alternatives?
Selfhosting or Github. Question is does boost want to wait until sourceforge gets worse? Having malware infected boost-installers or users click on "wrong" download buttons isn't worth the risk IMHO. But also it should be ensured that the sourceforge account is under boost's control, even when not continued for new releases.
regards,
Jens Weller
On 06/10/2015 07:04 PM, Jens Weller wrote:
Selfhosting or Github. Question is does boost want to wait until sourceforge gets worse? Having malware infected boost-installers or users click on "wrong" download buttons isn't worth the risk IMHO.
It would be easily possible (looking at the bandwidth) to at least host some checksums on boost.org, preferably using HTTPS. But the problem with SF seems to be, that there is no possibility to delete a project. So it seems (from what I read recently) one has to maintain these projects forever and hope for the best.
Norbert
On 10/06/15 20:19, Norbert Wenzel wrote:
On 06/10/2015 07:04 PM, Jens Weller wrote:
But the problem with SF seems to be, that there is no possibility to delete a project. So it seems (from what I read recently) one has to maintain these projects forever and hope for the best.
Apparently on SF, there is a "deleted state" for a project, and a project may also be renamed (Boost -> "Boost - now hosted on X").
Raffi
On 06/10/2015 08:37 PM, Raffi Enficiaud wrote:
On 10/06/15 20:19, Norbert Wenzel wrote:
On 06/10/2015 07:04 PM, Jens Weller wrote:
But the problem with SF seems to be, that there is no possibility to delete a project. So it seems (from what I read recently) one has to maintain these projects forever and hope for the best.
Apparently on SF, there is a "deleted state" for a project, and a project may also be renamed (Boost -> "Boost - now hosted on X").
Thanks for clarification, so I misread that. Sorry for the wrong information.
Norbert
participants (7)
- Adam Walling
- Andrey Semashev
- Jens Weller
- Michael Ainsworth
- Norbert Wenzel
- Raffi Enficiaud
- Tom Kent