cmusphinx/sphinxbase

Please migrate away from SourceForge

noloader opened this issue · 1 comments

CMU should migrate away from SourceForge to a trusted platform like GitHub or GitLab. GitHub should not be a mirror for SourceForge.

There are three reasons for the migration away from SourceForge. First and foremost, SourceForge is an untrustworthy source. The platform has a history of tampering with projects and adding malware. Additionally, the platform has gaps in its data security and allowed unauthorized parties to obtain sensitive information and tamper with projects. Finally, the company forces forum and mailing list users to agree to spam.

I am saddened to see CMU still uses SourceForge, and GitHub is a SourceForge mirror. CMU has a rich history of application and data security. Normally I just walk away from a SourceForge offering. Unfortunately, I cannot do it this time because I need to test SphinxBase and PocketSphinx.

SourceForge is Untrustworthy

SourceForge is an untrustworthy source. They were caught in the past packaging malware with binaries. See, for example, "SourceForge under fire again for Nmap page", "SourceForge locked in projects of fleeing users, cashed in on malvertising" and "Warning: Don’t Download Software From SourceForge If You Can Help It". Even the non-technical folks get it.

Many folks have walked away from the platform for this reason alone. For example, Crypto++ migrated away because users no longer trust the platform. Crypto++'s original SourceForge project page now says:

The Crypto++ website is located at https://cryptopp.com/, and the source code is located at https://github.com/weidai11/cryptopp. The repository was moved in response to developer requests for Git access.

The SourceForge site will remain in "read only" mode for historical purposes. You should visit the Crypto++ website at https://cryptopp.com/ or GitHub at https://github.com/weidai11/cryptopp to view the latest news, download the latest source code, file bugs and request features.

We thank SourceForge for hosting us through the years.

Questionable data security

SourceForge has suffered several high-profile break-ins. See, for example, "SourceForge applies global password reset after hack attack" and "SourceForge.net servers compromised". Not only does it expose sensitive information of users and administrators, it also brings into question the integrity of the projects hosted by SourceForge.

Users forced to accept spam

When a user wishes to join a forum or join a mailing list, the user cannot proceed without checking the box that says he or she agrees to receive mailings from SourceForge. SourceForge then proceeds to spam users.

Users join a forum or mailing list to interact with the project, not receive spam from SourceForge. The lack of choice goes well beyond disingenuous. About all I can say is, I am disgusted with the practice.

Yes. This is a good idea. We also need to move the models to GitHub, and exclude the ones that do not have proper licenses. I hope to do this soon.