SourceForge Introduces HTTPS Support For Project Websites

SourceForge announced on Wednesday that it is introducing HTTPS for all project websites on its platform. Once a project has been moved to HTTPS, old domain will automatically redirect to their new counterparts, resulting in no loss of traffic or inconvenience. From a blog post on the site: With a single click, projects can opt-in to switch their web hosting from http://name.sourceforge.net to https://name.sourceforge.io. Project admins can find this option in the Admin page, under "HTTPS", naturally.There's also a guide to assist developers with the transition. SourceForge launched HTTPS support for SourceForge.net back in February, but this rolls out HTTPS support to individual project websites hosted on SourceForge. There's also a Site News section on the website now where you can read about all SourceForge changes and improvements over the past year since SourceForge was acquired by BIZX, such as eliminating the DevShare program and scanning all projects for malware.

Re:

[0xdeaddead]

new owners, and they stopped that a long while ago.

Re:

[0xdeaddead]

One of mine gets hundreds of downloads a week. There are other people.

I love how I can organize binary releases, on sourceforge, vs what on github?

Bad guys

[TWX]

I thought sourceforge was one of the bad guys now that they're manipulating projects irrespective of those project maintainers...

Re:

[Anonymous Coward]

That was last year under DICE. New owners put an end to it. http://www.pcworld.com/article... [pcworld.com]

Re:

[TechyImmigrant]

That was last year under DICE. New owners put an end to it. http://www.pcworld.com/article... [pcworld.com]

Interesting, because as we can see from the comments, the smell still lingers. That fart was not silent but it sure was deadly.

Re:Bad guys

[Kobun]

Speaking from the position of an IT admin - I cannot unblock Sourceforge yet. It will remain locked off to my users as long as this is the status quo - https://sourceforge.net/projec... [sourceforge.net]

Yes, their installer is scanned for Malware. But then the installer downloads malware during the installation process. My users are not observant enough to be trusted to read a notice "This project uses a 3rd party installer", and certainly not seasoned enough to infer that the message means "download malware here". I've reported this project as distributing malware a few times now since Slashdot/Sourceforge's change of hands, so its continued virus-laden distribution tells me everything I need to know about how much trust I should put in the new regime.

Re:

[TWX]

I did not know either. A reputation built over decades can be destroyed in a moment and will then take decades to rebuild again.

Re:

[whipslash]

Yes we acquired SourceForge just this year, and yes what you say about reputations is true. SourceForge's improvements this year weren't covered nearly as much as their previous missteps, but we'll continue to improve it regardless for the 1 million+ users we see per day. Ars Technica did a good write up though. [arstechnica.com]

Re:Bad guys

[93 Escort Wagon]

The new-ish owners of SourceForge / Slashdot seem to be trying to find a way to rebuild the mindshare and site reputation which the former owners did their best to destroy. But doing that while simultaneously figuring out how to not hemorrhage money is a tough nut to crack on today's internet. I wish them luck - I really want both sites to succeed - but I'm also glad it's not my problem to solve.

Re:

[TWX]

Eh. Honestly my return to Slashdot was mostly predicated by the cesspool that other general-purpose forums became after this election cycle got into swing.

I get the problem that specific-focus mediums have, there's a natural cap to growth based on the size of the market served plus the possible number of competing mediums. Unfortunately people seem to think that they can convert a medium from one subject-focus to another without understanding why the medium worked to begin with and how the attempts to

Re:

[whipslash]

There's still over 1 million users per day on SourceForge, and over 500,000 projects hosted there. Perhaps we've lost some people from back in the day, but it's still a large amount of people using SourceForge every day that we are focused on doing right by.

Re:

[TWX]

Well hopefully this will truly manage to save it. I've been avoiding projects hosted on it because of the problems that were reported. Maybe it's time to take a look again.

I'm just not a fan of github, seems like a lot more zeal relative to actual quality over there. And Freshmeat's dead too if I remember.

Re:

[tepples]

Is there a timetable to ensure that important features can be used without JavaScript or with only free JavaScript [gnu.org]? The Savannah code hosting service, based on a fork of the software that SourceForge uses, appears to work without any proprietary JavaScript.

Re:

[Anonymous Coward]

Github uses .io for project websites - my guess is SourceForge went with .io since people would be used to that for project web pages

.io: Indian Ocean

[crow]

https://en.wikipedia.org/wiki/... [wikipedia.org] .io is the country code for the British Indian Ocean Territory.

Re:

[sims 2]

And here I thought computers hated water.

Re:

[tepples]

Those were taken by the European Union, Gabon, and Canada respectively.

Why?

[hsmith]

Source forge is incredibly annoying to use, and git/github/bitbucket have all pretty much become the ubiquitous tools for hosting projects on. If I find an OS project on SoureForge, I assume it is long since abandoned.

Re:

[sims 2]

I am constantly surprised by things that haven't been updated since 2008 that still work correctly on windows 10.
Then I wonder is it abandoned or has it just not needed anything fixed in the last 8 years?

Re:

[Anonymous Coward]

There are some good projects that are still going on SourceForge. In fact, some developers like it better because the higher barrier to entry means you don't have to deal with the noise of +1 comments, PRs to remove "long" from all instances of "long long int," SJW drama over the use of master/slave and pronouns and duplicate bugs galore because people don't know how to search.

The main things I would change with SourceForge:

Making activity more visible by adding more info to " 4.3 Stars (28) 3,788 Download

Too late

[ahziem]

I appreciate the changes SF has made, but in January I moved my web hosting from Sourceforge to my own infrastructure. Now I have HTTPS, can make outbound HTTP calls, have more control over the backend, and the web site is 10x faster. It does not cost much, and with reverse proxies, I was able to weather several huge traffic spikes without a blip.

https "everywhere" is 4 websites, not so much usrs

[lpq]

https on "social" sites (non bank/finance/medical...etc ones traditionally needing encryption), mostly benefits the site -- not so much most user. It usually harms users more than not as it prevents content caching and local-filtering. On a https site, I can cache near zero in my squid proxy (used by more than one account & user). That allows much tighter tracking of individuals as they go from site to site.

On news and discussion sites, I can easily get over 25% of the requests satisfied locally --

Re:

[lpq]

That's what I meant by https "everywhere" harming security for those sites that have a legitimate need for it. By implementing a MITM proxy, it makes all https streams less secure. I don't like that trade-off (not that I don't already have such
implemented for myself).

At the same time, google is pushing for "certificate transparency"
(https://www.certificate-transparency.org/what-is-ct ), that might not let home-user issued certs be used for such purposes --- not sure. The more internal-proxies that imple

Re:

[tepples]

That's what I meant by https "everywhere" harming security for those sites that have a legitimate need for it. By implementing a MITM proxy, it makes all https streams less secure.

Cleartext HTTP: Any router on the path can see the communication.
HTTPS: Only three hosts can see the communication, namely the client, the server, and the corporate MITM.

It's still an improvement.

The more internal-proxies that implement MITM HTTPS for their internal needs/wants, the more pressure those not wanting those streams to be easily visible or cacheable will work to disable that "hole"

Are you referring to public key pinning? Native apps for smartphone-derived operating systems already do this as a common practice.

Re:https "everywhere" is 4 websites, not so much U

[lpq]

cleartext HTTP .. there are no routers on the path that aren't capable of playing MITM. What do I care if they "see" what kernel version I download or open source project I download. Who cares if they see the articles I am reading/writing on slashdot.

There is no improvement as google knows all the traffic as it tied into almost every site and HTTPS doesn't help a bit. And they in turn can hand the info over to any gov agency that asks for it -- and be forced not to tell you about it.

HTTPS is a wet-securi

Re:

[tepples]

When you connect to an encrypted site, you really connect to your ISP's pass-through traffic decoder, which then passes another encrypted circuit on to wherever you were going.

That's true only if your ISP is using an intercepting proxy. Because the proxy's internal CA is not installed as a trusted root on a stock client, a stock client will display an "untrusted issuer" warning. So I imagine that networks serving only a minority of clients, such as corporate or school networks or ISPs in less-developed economies, would force an intercepting proxy on clients newly introduced to the network.

HTTPS safety is an "illusion" to get you to use it so you can't easily be selective about what you block or cache by site.

Blocking "by site" is still possible with HTTPS, as the Server Name Indication (SNI) field o

Re:https "evRywhr" is 4 sites, not so much, Users.

[lpq]

> That's true only if your ISP is using an intercepting proxy.
---
Right -- they are a large corporation. You don't think they couldn't be ordered to do so and say nothing under the Patriot act? Do you disbelieve that root-ca's in the US or other monitoring countries couldn't be forced to give out subordinated CA's to install @ ISP monitoring sites?

> Blocking "by site" is still possible with HTTPS...blocking at a finer level than "by
> site" or "intermediate caching" still requires MITM.

I've always

Re:

[tepples]

Do you disbelieve that root-ca's in the US or other monitoring countries couldn't be forced to give out subordinated CA's to install @ ISP monitoring sites?

That's what "certificate transparency" is supposed to block.

MITM proxying that lowers security for all https sites (finance, et al.).

The problem might be related to the historic use of the scheme and port as a hint for whether or not it ought to be possible to treat a particular connection as Cache-Control: public or not. I'll have to think about how to most effectively express this problem to "encrypt all the things" types.

Simply by going w/HTTPS instead of HTTP creates increased server load and increased network latencies.

There are anecdotal reports that HTTP/2 over TLS can have less latency than cleartext HTTP/1.1. So if you add HTTP/2 to your MITM, you may be able to mitigat

Re:

[lpq]

> hosts file or client-side tracking blocker extension works for HTTPS
> just as well as for cleartext HTTP.
---
You can't use a hosts file to selectively block content. I've already stated, that to cache or to block, you need to know the object-type and size. You don't get that w/HTTPS.

> There are anecdotal reports that HTTP/2 over TLS can have less latency
> than cleartext HTTP/1.1. So if you add HTTP/2 to your MITM, you may be
> able to mitigate some of the TLS overhead.
---
Interesting, but

Which Wikipedia pages you view may be sensitive

[tepples]

If you want to selectively block media types, you can do that using a browser extension installed on each PC. Or you can set up a proxy on localhost on each PC and have the browser installed on that PC trust that proxy's root certificate. Then you're back down to two parties being able to see the communication: the client and the localhost proxy, and the server. This regains blocking by media type but loses a shared cache.

It's also possible to configure your Squid proxy to behave differently on sites that a

scanning all projects for malware

[Culture20]

"scanning all projects for malware"
Irony!