SourceForge Terms of Service Change, Users Unhappy

An email fluttering around a few mailing lists has been submitted in various forms here today. It's about changes to the SourceForge terms of service. Some relevant links unclude the old terms, new terms, old privacy statement, new privacy statement and contact for "questions or concerns" (Patrick McGovern, Site Director). Obviously since SF is owned by the same parent company as Slashdot, I'm biased and corrupt and you should ignore my opinions on the subject, but while I don't particularly like this any more then anyone else, I also don't think it's the huge deal that others are making of it. Especially considering projects aren't paying for the free service. You get what you pay for after all. I have attached a summary to this article of the changes that are being called into question if you don't want to do a mental diff on the links above.

This list was submitted by a few different users and was apparently originally posted to several mailing lists, although I don't know who actually originally wrote it. I just quote it here for reference.

1. They can henceforth change the terms without notice, just by posting the new terms on the website. (Currently they are obliged to give 15 days notice by email, a period that we are currently in for this change.)
2. They can henceforth remove user accounts without giving a reason. (Currently they are obliged to have a reason, though the set of acceptable reasons is open-ended.)
3. They're no longer obliged to make the contents of a deleted account available to its owner. (There was previously a "reasonable effort" clause to that effect.)
4. They're no longer obliged to provide notice of changes to the privacy policy, unless the changes are "substantive". (Currently they are obliged to provide notice of any change.)
5. The privacy policy is acquiring a disclaimer that amounts to "this is not true". It actually disclaims the entire privacy policy.

I dunno ...

[gurensan]

If they disclaim the privacy policy, why do they bother having one at all?

hmm

[Anonymous Coward]

Sounds like they're trying to streamline the administration of the service so as to make it more attractive to a buyer... Wonder if they have any particular company in mind?

Sourceforge reality.

[Matt2000]

Anyone who's using Sourceforge to host their project, as I am, should be realistic about what they're getting and for how long they'll get it.

First of all, I love sourceforge. It gives me all of the things I want right out of the box and for free. User forums, bug tracking, SSH CVS, and so on.

However, it is free and I think we all know has a pretty slim chance of making money. With that in mind, no matter what their polcies state there seems to be a pretty good chance of them just exploding one fine morning and taking a whole bunch of source down with them. Make backups, I should too.

Other than that, we can be a demanding lot so try to go easy on these guys, let's give them a chance to survive.

Substantive?

[TheMatt]

If I might ask, who determines what a substantive change to the privacy policy is? I know of a few people on /. that think any change beyond fixing the spelling is a pretty substantive change to a privacy policy.

My only problem

[roXet]

My only problem that I can see with this right off is the "We don't have to notify you of changes to the TOS, you should check it often" crap. This is the type of shit that is ruining the internet and I thought(hoped) VA was above this kind of stuff.

What are the chances ...

[zangdesign]

of getting Sourceforge to kill off old, inactive projects? Seriously, the tree needs a little trimming. One has to wade through so many unmaintained alpha releases when trying to find a specific thing that it's easier to do a search on Google these days.

SF is a great resource and all, but there needs to be some way to filter out the abandoned stuff.

Indemnity is the real issue

[Anonymous Coward]

These new changes are the last straw, and now after thinking it over for a long time I'm finally going to have my SourceForge account cancelled, but the new terms aren't the real problem. The real reason I'm having my account cancelled is that SourceForge's TOS requires that I "indemnify" them for any trouble they get into as a result of my actions on their system.

In other words, if I do something that upsets a corporation with a legal department, and SourceForge gets sued, I have to pay their lawyer's bills.

Because of that clause, I can't do anything that is legally sensitive; and because free software is by definition revolutionary, I can't do anything real or important on SourceForge at all. I respect and admire the Freenet people, who are going ahead and hosting with SourceForge anyway, but I have no wish to emulate that display of courage. I don't blame SourceForge for having the indemnity clause in their TOS, but it means that their service isn't much use to me. The risks are just too great.

Incidentally, y'all have missed the most important new terms in today's revised TOS - the new DMCA compliance terms. Those, too, are perfectly understandable, and I can't blame SourceForge for having them. As a business operating in the U.S.A., SourceForge is legally obligated to have DMCA compliance procedures. But if I had any illusions left that SourceForge was part of the revolution, those illusions are gone now. SourceForge is now just another profit-making business, and I don't need, or have any particular reason to want, to do business with them. I'll be hosting my free software on amateur servers outside the U.S.A. (I'm outside the U.S.A. myself) where I can be assured of its continued freedom.

Perhaps related to DOS attacks

[GMac]

It would seem these types of "ad sponsered" services can only work if they perform "editorial" functions. Otherwise the "dark side" can just flood them with garbage, overloading them with junk and causing them to shutdown in frustration. That's basically another form of DOS attack, it's more subtle though and even sounds like a "free speech issue". Look at the problems of "junk speech" showing up on slashdot to get the idea. It's obviously done to degrade the service and cause harm... In such cases I think a vigorous response is required.

Anyhow let them have the tools to do the job. Personally I think they ought to offer the service for a small fee, something like a web hosting service but tune'd for the software distributor. I already keep a seperate web space and could just as easily host at sourceforge. They should also have shopping cart service for shareware and for developers that do both freeware and commercial software. Finally a small fee based update subscription service would be great for people who don't have the time to track all the different projects. Something that auto-pulls stuff to your system but lets you control install/backup ...

Sourceforge has yet to compete with Bugzilla

[Anonymous Coward]

After visitng linuxworld and drilling their sales reps we came to the conclusion that Sourceforge can't compete with free alternatives. (by 'we' I mean the software Co. I'm working for)

Bugzilla/bonsai/tinderbox provides a more complete solution. We were even able to modify the trio to deal with java, our many different build scripts (make is rather lacking for java), and our test automation.
What we found was that Sourceforge provided discussion groups which we got using exchange or INND, bug tracking which wasn't nearly as feature rich as bugzilla, and cvs integration which bonsai provided just as well. It was still lacking the automated builds, and by the time they got back to us after linuxworld we had allready deployed the bugzilla solution (partly thanks to some nice debian packages put together by Remi Perrot).

One large drawback is that bonsai relies on glimpse as its fulltext indexer. Glimpse used to be free but since then has gone commercial. We were, however, able to find some old glimpse source (which may have been GPL or artistic license - perhaps we should redistribute the old code as GNUlimpse).
We have made our own tweaks to bugzilla/tinderbox/bonsai and contributed a few of them back to the mozilla developers (in the future probably all will be recycled into the public implementation).

How do I remove my account?

[The Salamander]

I dug around the account maintenance page, but didn't see any way to delete my account.

I've been suspicious of Sourceforge stability

[LetterJ]

I've been hedging my bets for a while on Sourceforge. I have a fairly popular project [sourceforge.net] (over 1 million downloads) hosted there. This week I've averaged something like 5000 downloads/day at 10+MB each (which is why I have it on SF rather than on a server I pay for). I've been questioning how long this can last. There's no way SF can get enough revenue from my project to cover that kind of bandwidth usage. So, I wrote a simple PHP-based distributed mirror system (100% Buzzword Compliant(TM)) [phpgeek.com] that lets people handle very small portions of the download traffic with daily bandwidth limits. I'm hoping to start shifting some of the burden off SF so that it isn't a single point of failure in distribution. Eventually the gravy train of massive free bandwidth is going to end.

Savannah is a gnu.org alternative to SF; comments?

[spindo]

Anyone have comments about the maturity of Savannah [gnu.org]? I know of several projects that have moved from SF to Savannah recently and wondered how comparable the two services are.

Re:Alternatives

[Anonymous Coward]

There is an alternative - configure everything yourself. It is not that bad. Maybe a week of work initially, and after that your setup would support unlimited number of projects.

Here is a case study from my own OpenSource project setup:

- qmail/ezmlm for mail server/mailing lists, hypermail for mail archives
- ssh/scp for secure file access/server administration
- cvs for code repository (including ssh and anonymous access)
- apache for the web server (with virtual host for every project)

Note, there is no bug tracking - this is a missing part of such setup. I was reluctant to use bugzilla, since it is CGI-based and therefore vulnerable to attacks

Also there is no FTP, since I hate to install a new patch every week (same is true for sendmail, therefore qmail is used) Files are uploaded via ssh/scp, downloads are done via HTTP

This proved to be an ideal setup. Simple secure and extensible. Since it is a community project, user requested features (say, nightly builds) can be implemented on request pretty easy. A DSL connection and a static IP is all you need to host such a beast.

- Andrus
andrus a t objectstyle.org
http://objectstyle.org

Why isn't everyone kicking CmdrTaco's ASS?

[Unknown Bovine Group]

You get what you pay for after all.

Did CmdrTaco, one of the helmsmen of the most popular Free/OS news sites in existence just mimic what Microsoft PR/FUD machine has been saying since Linux showed up on its threat radar?

Why isn't everyone kicking CmdrTaco's ASS?

Re:gnu savannah

[Eric Green]

Note that Savannah is moving away from the Sourceforge engine, due to, quote, "its unmaintainable nature" unquote. As someone who has hacked two different versions of the Sourceforge engine to the point of usability, I must agree with them about the basic unmaintainable nature of the Sourceforge source code. Talk about a mess!

Needed: tools to recover bug lists, patches, etc.

[jalane]

AFAIK, there are no tools to pull the contents of the bug lists, patch lists, etc off the site. There probably never were.

So, here's what we need:

1. Tool to "web-scrape" the contents of the bug-list for a project.
2. Tool to "web-scrape" the contents of the patch-list for a project.
3. Tool to "web-scrape" the mailing list archive and member list for a project.
4. Tool to put together a mirrored CVS repo (a la CVSup, but it just needs to work in one shot).
5. Any other similar tools to above needed to reconstitute project state on a different host.

Putting an XML-RPC interface on these would allow them the most general use.

We've always needed them. This announcement doesn't really change anything, but it should bring the point home that we who admin projects are responsible for our own disaster recovery, just in case Lars Ulrich decides he owns that sample mp3 of your cat hacking up a hairball because it sounds just like Metallica.

And finally, just a common sense clarification, in case some people don't get it: don't put crypto on SF, because it'll probably get DMCA'd.

I'll start the project on sourceforge.net (of course). Volunteers welcome.

Re:Big deal

[Cyno]

And I suppose its not enough to state that you will protect copyrighted works. Today you have to state that you will uphold the DMCA, a rather controversial law, to show how faithful you are to copyright holders and wealthy corps.

Re:Journalistic efforts when covering one's self

[/dev/trash]

Yes, it's CmdrTaco's site,

It is? I'd argue that Taco and all teh editors here are just replaceable figureheads.

My offer is open

[bruns]

Well, my offer is still open from the last sourceforge rounds.

If you want hosting, no ads, no hidden requirements, no surprises, let me know. The SOSDG is run by individuals, not by any company.

The Summit Open Source Development Group [2mbit.com]

Re:Big deal

[njdj]

I think it's a bad idea to host a service like Sourceforge in a country which has laws like the DMCA.

Re:Further proof...

[dasmegabyte]

And that's one of the problems with modern capitalism...in the odd case that you don't claim to know nothing and be irresponsible, you're inviting people to sue you. How many times have I heard in the same breath "X Co, Inc, is a huge, evil, corrupt institution with no care for its customers" and "let's sue them so we can have money?"

I run a very small (read: profits are almost half my car payment) web hosting service under the flag of openness and freedom of content. I started it because I got upset that every single host I went with wanted to corral me into a year contract, tell me what I couldn't do or say and take credit and the ability to edit my personal thoughts and ideas. Originally, it was a co-op, and I began to take on extra users who wanted the same thing -- ownership of their work and a fair charge for the low bandwidth they were moving.

In the past three months we've grown a dozen times larger -- so big that I no longer know every site op by name. Now, I don't want to have to force the new people to sign a TOS or a EULA. I think that posting the rules on the frontpage should be good enough for everybody. But I'm afraid. We've had a couple users ask if they could serve porn, and when I said no a few signed up anyway. I trust them (and check my logs), but if I go away on vacation and one of them starts serving nude shots of Frankie Muniz, I'm the one who gets in trouble. I'm the one who's got his name on the tax forms, and I don't intend to incorporate the business.

So I'm stuck. I want to let users do their own thing, own their own shit, but I'm the one who's ass is on the line. If one site slips up, they all go down. Everybody loses their stuff and all the good I've tried to do, all the bright young folks I've formed relationships with are scrambling for a new host. Someday soon I'll need to call my lawyer (okay, I don't have a lawyer to call my own, I'll have to pick a name out of the phone book) and have him draw me up a plan for a TOS. It'll probably be pretty brutal. Legally, I'll have to claim responsibility or ownership over users and content so I'll have the ability to pull it if I have to. And I'll have to do the same stupid shit, bowing to C&Ds and dropping user info and so forth.

It won't make me as a host and as a person any more of an asshole. I won't trade email addresses for cigarettes or claim rights to rkm's work [somethingpositive.net]. But I'll look just as corporate and uncaring as the rest.

Just think about it, baby, before you hate the legalese. You can't avoid being screwed without screwing somebody on paper. At the end of the day, it all comes down to who you trust, and after these long years with Slashdot, OSDN and SourceForge, I guess I trust VA. I have to, they designed my new server!

Shameless plug: webslum.net [webslum.net]. Say you read this post and I'll give you a free shell :)

Slashdot hypocrisy

[Frank White]

I'm sure I'm going to get modded down for criticizing Slashdot, but to hell with my karma....

Most Slashdot users don't post their exact email addresses on the pages. They put NOSPAM or REMOVETHIS in the middle of the address. It's a very intelligent thing to do - spammers have robots that harvest email addresses from web pages.

So what do we do when we get angry with someone? We post a hyperlink their email address on the front page. No NOSPAM. No link to a page CONTAINING the email address. The email address right where it can first be Slashdotted, and then harvested by spammers.

What a disgrace.

Let's think about exploiting p2p

[moebius_4d]

I think the main weakness of SourceForge is that it is hosted by a single entity. The tremendously valuable information hosted by freshmeat is a similar example. It does the FS/OS community no good to have the various project sources cached all over the place if we have no way to access information about the projects, including where they are, what they do, and so forth.

How can we surmount this problem? Maybe by making a set of standards (beyond the informal ones that exist now) for how to document what your software is and where to get it. This could be a variation on the old .lsm (linux software map) files. This could be submitted to multiple places on the web. Freshmeat might parse it into their database, while metalab might just through it in the .osm directory. But at least there would be a way to track things down. Google would help a lot.

I am concerned that a lot of good code and good projects are left to die while other people re-invent that particular wheel. Since FS/OS is based on volunteer work, we can't really afford to throw it away or waste it. I hope other people who also have ideas about this will reply to this, and perhaps we can get together a mailing list or something to brainstorm about possible solutions to this problem.

this is the part I hate..

[Dr. Awktagon]

They can henceforth change the terms without notice, just by posting the new terms on the website. (Currently they are obliged to give 15 days notice by email, a period that we are currently in for this change.)

This is the part that disgusts me about "Terms of Use". Basically, they could say anything they want, and you would be bound by it, before you can even read it!

So Tuesday, they can say they don't own the copyright in your programs, but Wednesday they can, and NOBODY WOULD KNOW until AFTER the terms went into effect.

Yes, they have the right to put pretty much anything in their terms, BUT they should have to make a reasonable effort to inform their users of any new terms.

Free markets work best when information is available about your choices. Saying "if you don't like it, go elsewhere" is silly if you don't know what it is exactly you just agreed to.

There should be a consumer protection law that says, you have 30 days before new terms go into effect, no matter what. Then you would know, just have your attorney or your web-page watcher script check the terms every 30 days. But now, they can change them twice a day, or just for 5 minutes every night, or whatever, and nobody knows.

Of course every company is completely honest and above-board and would never change their terms like that, would they??

Re:what's wrong with these changes

[Hemos]

To address several points:

• We may not be able to give deleted user accounts thei data, especially in the case of a legal issue. That's the reason for the change. I don't like it either,but welcome to the DMCA world. To be frank, any service that says you will always get your data is lying. We are simply trying to be honest on this. If a company comes at us with a DMCA cease and desist, and the project owner won't contest, I'm legally compelled to *NOT* give the user that data. You see the problem?
• As far as changing the TOS: we plan on following the same path. However, the way it was worded before, if we wanted to change a typo, we had to e-mail all user accounts, post big messages, etc. That's the same deal with Privacy notice: I don't want to have to e-mail ever time a typo is chaned. Legally, substantive chanes are interpreted broadly, and I plan on intrepreting them broadly as well; e.g. more on the side of saying whenever we make changes we tell people.
• The null paragraph is put in as legal CYA: esssentially, if thar graph doesn't exsist, and someone cracked our servers, and stole the user data you could sue, saying that we failed to comply with our privscy policy. Strange, but true. As with the substantive changes, of course we'd say if there was a change like MS bought all the data. Legally, a judge with side with the users as well, most likely. And no, the former escape clauses there were not sufficent, at least according to counsel.
• People will of course take this as they want to - but I can tell you personally at least - we are not changing at all how we operate. Please e-mail Pat if you have other questions.