Sourceforge

From: Josh Berkus
All,

Based on this:

https://lwn.net/Articles/646118/

... it would be great if someone could check on the various mirrors of
PostgreSQL packages on Sourceforge, and make sure that (a) someone from
our project still owns them, and (b) they're still offering actual
Postgres downloads.

Overall, I would suggest that we probably want to disable all Postgres
content mirrors on Sourceforge.  We don't really have the spare time to
maintain them, and this incident shows that that's a bad situation.


--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: "Joshua D. Drake"
On 05/28/2015 10:06 AM, Josh Berkus wrote:
>
> All,
>
> Based on this:
>
> https://lwn.net/Articles/646118/
>
> ... it would be great if someone could check on the various mirrors of
> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
> our project still owns them, and (b) they're still offering actual
> Postgres downloads.
>
> Overall, I would suggest that we probably want to disable all Postgres
> content mirrors on Sourceforge.  We don't really have the spare time to
> maintain them, and this incident shows that that's a bad situation.

According to SF, this donkey has left the field:

PostgreSQL
A powerful, open source object-relational database system.
Brought to you by: sf-editor, sf-editor1, sf-editor3

Unless someone in our community is an sf-editor.....

JD


--
Command Prompt, Inc. - http://www.commandprompt.com/  503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Announcing "I'm offended" is basically telling the world you can't
control your own emotions, so everyone else should do it for you.


Re: Sourceforge

From: Josh Berkus
On 05/28/2015 10:06 AM, Josh Berkus wrote:
> All,
>
> Based on this:
>
> https://lwn.net/Articles/646118/

Oops, subscriber-only story (I recommend subscribing to LWN, btw).

Here's the background material:

https://plus.google.com/+gimp/posts/cxhB1PScFpe
https://lwn.net/Articles/646180/
https://sourceforge.net/blog/advertising-bundling-community-and-criticism/
https://lwn.net/Articles/564250/

Summary is:

a) Sourceforge has started bundling installers on some projects with
adware, without notifying the downloading users;

b) Sourceforge has started taking over projects which they deem
abandoned, and there is no appeal/reversal of this takeover.

>
> ... it would be great if someone could check on the various mirrors of
> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
> our project still owns them, and (b) they're still offering actual
> Postgres downloads.
>
> Overall, I would suggest that we probably want to disable all Postgres
> content mirrors on Sourceforge.  We don't really have the spare time to
> maintain them, and this incident shows that that's a bad situation.
>
>


--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: Josh Berkus
On 05/28/2015 10:11 AM, Joshua D. Drake wrote:
>
> On 05/28/2015 10:06 AM, Josh Berkus wrote:
>>
>> All,
>>
>> Based on this:
>>
>> https://lwn.net/Articles/646118/
>>
>> ... it would be great if someone could check on the various mirrors of
>> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
>> our project still owns them, and (b) they're still offering actual
>> Postgres downloads.
>>
>> Overall, I would suggest that we probably want to disable all Postgres
>> content mirrors on Sourceforge.  We don't really have the spare time to
>> maintain them, and this incident shows that that's a bad situation.
>
> According to SF, this donkey has left the field:
>
> PostgreSQL
> A powerful, open source object-relational database system.
> Brought to you by: sf-editor, sf-editor1, sf-editor3

Thanks.

They do seem to be maintaining up-to-date downloads.  Can someone on
Windows check to see if they're distributing adware?

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: "Gilberto Castillo"

>
>
> On 05/28/2015 10:06 AM, Josh Berkus wrote:
>>
>> All,
>>
>> Based on this:
>>
>> https://lwn.net/Articles/646118/
>>
>> ... it would be great if someone could check on the various mirrors of
>> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
>> our project still owns them, and (b) they're still offering actual
>> Postgres downloads.
>>
>> Overall, I would suggest that we probably want to disable all Postgres
>> content mirrors on Sourceforge.  We don't really have the spare time to
>> maintain them, and this incident shows that that's a bad situation.
>
> According to SF, this donkey has left the field:
>
> PostgreSQL
> A powerful, open source object-relational database system.
> Brought to you by: sf-editor, sf-editor1, sf-editor3
>
> Unless someone in our community is an sf-editor.....

This site locks downloads from Cuba.

Saludos,
Gilberto Castillo
ETECSA, La Habana, Cuba

Re: Sourceforge

From: Josh Berkus
On 05/28/2015 11:15 AM, Gilberto Castillo wrote:
>
>
>>
>>
>> On 05/28/2015 10:06 AM, Josh Berkus wrote:
>>>
>>> All,
>>>
>>> Based on this:
>>>
>>> https://lwn.net/Articles/646118/
>>>
>>> ... it would be great if someone could check on the various mirrors of
>>> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
>>> our project still owns them, and (b) they're still offering actual
>>> Postgres downloads.
>>>
>>> Overall, I would suggest that we probably want to disable all Postgres
>>> content mirrors on Sourceforge.  We don't really have the spare time to
>>> maintain them, and this incident shows that that's a bad situation.
>>
>> According to SF, this donkey has left the field:
>>
>> PostgreSQL
>> A powerful, open source object-relational database system.
>> Brought to you by: sf-editor, sf-editor1, sf-editor3
>>
>> Unless someone in our community is an sf-editor.....
>
> This site locks downloads from Cuba.

Yes, it's run by a US-based company.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: Ned Lilly
On 5/28/2015 1:20 PM, Josh Berkus wrote:
> On 05/28/2015 10:11 AM, Joshua D. Drake wrote:
>> On 05/28/2015 10:06 AM, Josh Berkus wrote:
>>> All,
>>>
>>> Based on this:
>>>
>>> https://lwn.net/Articles/646118/
>>>
>>> ... it would be great if someone could check on the various mirrors of
>>> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
>>> our project still owns them, and (b) they're still offering actual
>>> Postgres downloads.
>>>
>>> Overall, I would suggest that we probably want to disable all Postgres
>>> content mirrors on Sourceforge.  We don't really have the spare time to
>>> maintain them, and this incident shows that that's a bad situation.
>> According to SF, this donkey has left the field:
>>
>> PostgreSQL
>> A powerful, open source object-relational database system.
>> Brought to you by: sf-editor, sf-editor1, sf-editor3
> Thanks.
>
> They do seem to be maintaining up-to-date downloads.  Can someone on
> Windows check to see if they're distributing adware?

I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the standard EnterpriseDB packaging to me, gives you the option of doing the StackBuilder add-ons when complete.

As an aside, though, it doesn't appear that this is where most people are getting their PostgreSQL:

http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline

Cheers,
Ned



--
Ned Lilly
President and CEO

ned@xTuple.com // +1-757-461-3022 x101
Master your supply chain with xTuple.com – World’s #1 open source ERP
Manufacturing – Distribution – eCommerce

Tell us how we’re doing: Customer Satisfaction Survey


Re: Sourceforge

From: Josh Berkus
Ned,

> I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the
> standard EnterpriseDB packaging to me, gives you the option of doing the
> StackBuilder add-ons when complete.
>
> As an aside, though, it doesn't appear that this is where most people
> are getting their PostgreSQL:
>
> http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline

Thanks!

My question was "does the PostgreSQL project need to do anything about
this?", and the answer is apparently "no".

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: Santiago Zarate
To me it looks like they're using the one-click installers from EDB; on Mac it is the same as Ned's result.

And since it seems just a copy & paste, and they're not even mirroring anything else apart from these packages,

And according to this:

they won't change anything, unless a project is abandoned; they just want the world to have everything available from their website...

So as Josh said, apparently no action needs to be taken (as long as EDB is still updating the one-click installers, or SF has somewhere to download the installers from).

On Fri, May 29, 2015 at 2:39 AM, Josh Berkus <josh@agliodbs.com> wrote:
> Ned,
>
>> I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the
>> standard EnterpriseDB packaging to me, gives you the option of doing the
>> StackBuilder add-ons when complete.
>>
>> As an aside, though, it doesn't appear that this is where most people
>> are getting their PostgreSQL:
>>
>> http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline
>
> Thanks!
>
> My question was "does the PostgreSQL project need to do anything about
> this?", and the answer is apparently "no".
>
> --
> Josh Berkus
> PostgreSQL Experts Inc.
> http://pgexperts.com
>
>
> --
> Sent via pgsql-advocacy mailing list (pgsql-advocacy@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-advocacy



--

Santiago Zarate
Phone Panama: (+507) 831.2500 / Ext. 8456
Phone Taiwan: (+886)  819.53000 / Ext. 8456
Cell Panama: +507 64271684
Cell Taipei: +886 979 665 114
  Skype: sz-smt
  http://foursixnine.io
  http://twitter.com/foursixnine
  http://ve.linkedin.com/in/santiagozarate
  santiago@zarate.net.ve

“Dreams permit each and every one of us to be quietly and safely insane every night of our lives.” - William Dement

Re: Sourceforge

From: Shane Ambler
On 29/05/2015 04:09, Josh Berkus wrote:
> Ned,
>
>> I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the
>> standard EnterpriseDB packaging to me, gives you the option of doing the
>> StackBuilder add-ons when complete.
>>
>> As an aside, though, it doesn't appear that this is where most people
>> are getting their PostgreSQL:
>>
>> http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline
>
> Thanks!
>
> My question was "does the PostgreSQL project need to do anything about
> this?", and the answer is apparently "no".
>

I would say YES.

The files may be ok now, but what are they going to do in the future?

We should make sure that everyone knows the SF binaries are no longer
officially endorsed or maintained.

Chances are we cannot re-gain control of the files at SF so anything
may be connected to this project in the future. This appears to be
pretty widespread so I expect any project left using SF will start
moving away soon.

Shane



Re: Sourceforge

From: Josh Berkus
On 05/28/2015 06:03 PM, Shane Ambler wrote:
> On 29/05/2015 04:09, Josh Berkus wrote:
>> Ned,
>>
>>> I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the
>>> standard EnterpriseDB packaging to me, gives you the option of doing the
>>> StackBuilder add-ons when complete.
>>>
>>> As an aside, though, it doesn't appear that this is where most people
>>> are getting their PostgreSQL:
>>>
>>> http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline
>>
>> Thanks!
>>
>> My question was "does the PostgreSQL project need to do anything about
>> this?", and the answer is apparently "no".
>>
>
> I would say YES.
>
> The files may be ok now, but what are they going to do in the future?
>
> We should make sure that everyone knows the SF binaries are no longer
> officially endorsed or maintained.
>
> Chances are we cannot re-gain control of the files at SF so anything
> may be connected to this project in the future. This appears to be
> pretty widespread so I expect any project left using SF will start
> moving away soon.

As long as sourceforge is redistributing unaltered packages, we have no
legal ability to restrict them.  And I'm not keen on court of public
opinion when they haven't actually done anything wrong with our
packages.  They're a free mirror, and one of their staff is even
maintaining the mirror page.  Where's the harm to us?

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: "Joshua D. Drake"
On 05/28/2015 06:10 PM, Josh Berkus wrote:

> As long as sourceforge is redistributing unaltered packages, we have no
> legal ability to restrict them.  And I'm not keen on court of public
> opinion when they haven't actually done anything wrong with our
> packages.  They're a free mirror, and one of their staff is even
> maintaining the mirror page.  Where's the harm to us?

We don't have legal ability to restrict them period. We are BSD
licensed. The best we can do is put up a PSA.

That said, SF doesn't have the traffic to harm us. I am not worried
about it. We aren't a web browser or something "users" would download
(like Gimp).

Sincerely,

JD





--
Command Prompt, Inc. - http://www.commandprompt.com/  503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Announcing "I'm offended" is basically telling the world you can't
control your own emotions, so everyone else should do it for you.


Re: Sourceforge

From: Jason Petersen
> On May 28, 2015, at 7:08 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
>
> We don't have legal ability to restrict them period. We are BSD licensed. The best we can do is put up a PSA.

Today a coworker mused whether we could issue a C&D for misuse of trademark if it comes to that. Maybe?

> That said, SF doesn't have the traffic to harm us. I am not worried about it. We aren't a web browser or something
> "users" would download (like Gimp).

We came to the same conclusion at lunch today. I wondered aloud whether Oracle would ever extend their [shameful
practices][1] to MySQL, and someone pointed out that it's probably only worthwhile to do so for apps likely to be
installed on end-user machines. Adware in server software is not going to pay off.

I saw [at least one project][2] which retained control over its SF account but rather than deleting it just turned off
all read access. Might be a possibility.

[1]: http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/
[2]: https://twitter.com/OOLua/status/603908660264316928

--
Jason Petersen
Software Engineer | Citus Data
303.736.9255
jason@citusdata.com



Re: Sourceforge

From: Magnus Hagander
On Fri, May 29, 2015 at 3:03 AM, Shane Ambler <pgsql@sheeky.biz> wrote:
> On 29/05/2015 04:09, Josh Berkus wrote:
>
>>> I just did a fresh install of 9.4.2 on Windows 8.  Looked like just the
>>> standard EnterpriseDB packaging to me, gives you the option of doing the
>>> StackBuilder add-ons when complete.
>>>
>>> As an aside, though, it doesn't appear that this is where most people
>>> are getting their PostgreSQL:
>>>
>>> http://sourceforge.net/projects/postgresql.mirror/files/stats/timeline
>>
>> Thanks!
>>
>> My question was "does the PostgreSQL project need to do anything about
>> this?", and the answer is apparently "no".
>
>
> I would say YES.
>
> The files may be ok now, but what are they going to do in the future?
>
> We should make sure that everyone knows the SF binaries are no longer
> officially endorsed or maintained.


Just to be clear, these have not been officially endorsed for *many* years. I think we did at one point, but that's way in the past. I think we even had it in the release announcements at one point.

After that someone did sporadically maintain them (as in upload new versions every now and then but definitely not every minor release) for a while, and then eventually gave up on that.

There's not a single link to that project on the postgres website. I don't think we need to add a "negative link" telling people not to use it, but we just need to keep not telling people to use it.

--

Re: Sourceforge

From: "Joshua D. Drake"
On 05/28/2015 10:21 PM, Jason Petersen wrote:
>> On May 28, 2015, at 7:08 PM, Joshua D. Drake <jd@commandprompt.com> wrote:
>>
>> We don't have legal ability to restrict them period. We are BSD licensed. The best we can do is put up a PSA.
>
> Today a coworker mused whether we could issue a C&D for misuse of trademark if it comes to that. Maybe?

Maybe. There is a postgresql trademark but.... the ability to enforce it
as it has never been enforced would be a bit tough.

JD


--
The most kicking donkey PostgreSQL Infrastructure company in existence.
The oldest, the most experienced, the consulting company to the stars.
Command Prompt, Inc. http://www.commandprompt.com/ +1 -503-667-4564 -
24x7 - 365 - Proactive and Managed Professional Services!


Re: Sourceforge

From: Josh Berkus
On 05/29/2015 06:43 AM, Joshua D. Drake wrote:
> On 05/28/2015 10:21 PM, Jason Petersen wrote:
>>> On May 28, 2015, at 7:08 PM, Joshua D. Drake <jd@commandprompt.com>
>>> wrote:
>>>
>>> We don't have legal ability to restrict them period. We are BSD
>>> licensed. The best we can do is put up a PSA.
>>
>> Today a coworker mused whether we could issue a C&D for misuse of
>> trademark if it comes to that. Maybe?
>
> Maybe. There is a postgresql trademark but.... the ability to enforce it
> as it has never been enforced would be a bit tough.

Theoretically we could do so if they were using the PostgreSQL trademark
to distribute something which "wasn't PostgreSQL".  However, since we've
never engaged in such an enforcement action before, we would only want
to do so if there was clear harm to our users and our reputation.  Which
is completely lacking here.

If you ignore the issues with WinGimp, SF.net is providing us a service:
a free mirror which a handful of people use.  I imagine they would be
flabbergasted to receive a nastygram from an attorney over it, and I
really don't see the benefit from doing so to our community.

We have lots of companies who distribute Postgres, some bundled with
commercial and proprietary software.  It's a big part of how our project
supporters make money.  As long as nobody's being deceived, there is no
cause of action.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


Re: Sourceforge

From: Jason Petersen
> On May 29, 2015, at 10:30 AM, Josh Berkus <josh@agliodbs.com> wrote:
>
> we would only want to do so if there was clear harm to our users and
> our reputation.  Which is completely lacking here.

Clearly! I meant only in the context of using a PostgreSQL download as
a malware vector. That’s not presently the case, but I was putting the
idea out there.

> If you ignore the issues with WinGimp, SF.net is providing us a service:
> a free mirror which a handful of people use.

If we ignore the issues with GIMP, this thread doesn’t exist!

FWIW I think filing a takedown is a Rubicon of sorts, and making that
move comes with a cost, especially for the sort of benevolent/laissez-
faire community FOSS projects such as PostgreSQL strive to cultivate.
It would need a clear and present danger to a large segment of users.

On the other hand, there is probably little risk of alienating “good”
community members by going after SF should this behavior continue.

--
Jason Petersen
Software Engineer | Citus Data
303.736.9255
jason@citusdata.com



Re: Sourceforge

From: Andres Freund
On 2015-05-29 06:43:37 -0700, Joshua D. Drake wrote:
> Maybe. There is a postgresql trademark but.... the ability to enforce it as
> it has never been enforced would be a bit tough.

If it really came to that - and I think it's unlikely - it'd probably be
EDB's trademarks that are violated because they'd probably wrap their
installer.


Re: Sourceforge

From: Brent Friedman
If no one has done this yet, I can check on the mirrors this week.

Brent Friedman

On Thu, May 28, 2015 at 1:06 PM, Josh Berkus <josh@agliodbs.com> wrote:
> All,
>
> Based on this:
>
> https://lwn.net/Articles/646118/
>
> ... it would be great if someone could check on the various mirrors of
> PostgreSQL packages on Sourceforge, and make sure that (a) someone from
> our project still owns them, and (b) they're still offering actual
> Postgres downloads.
>
> Overall, I would suggest that we probably want to disable all Postgres
> content mirrors on Sourceforge.  We don't really have the spare time to
> maintain them, and this incident shows that that's a bad situation.
>
>
> --
> Josh Berkus
> PostgreSQL Experts Inc.
> http://pgexperts.com


Re: Sourceforge

From: Josh Berkus
On 05/31/2015 09:29 PM, Brent Friedman wrote:
> If no one has done this yet, I can check on the mirrors this week.
>

Ned Lilly did, but thanks!

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com