Migrating from SourceForge seems worth considering. I also agree this is a breach of trust with the open source community. It is my impression that the GIMP team stopped using SF for downloads some time ago in favour of using their own website, leaving the SF account live to maintain the old release downloads: https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html According to the SourceForge blog, they assumed the "GIMP for Windows" account was abandoned, and it appears SF decided to make some money off it as a mirror site offering adware-bundled versions of the official releases: http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/ We would not want the same thing to happen to NumPy, but on the other hand deleting all the old releases on SourceForge would break a vast number of installation scripts/recipes. Peter On Thu, May 28, 2015 at 2:35 PM, David Cournapeau <cournape@gmail.com> wrote:
IMO, this really begs the question on whether we still want to use sourceforge at all. At this point I just don't trust the service at all anymore.
Could we use some resources (e.g. rackspace ?) to host those files ? Do we know how much traffic they get so estimate the cost ?
David
On Thu, May 28, 2015 at 9:46 PM, Julian Taylor <jtaylor.debian@googlemail.com> wrote:
hi, It has been reported that sourceforge has taken over the gimp unofficial windows downloader page and temporarily bundled the installer with unauthorized adware: https://plus.google.com/+gimp/posts/cxhB1PScFpe
As NumPy is also distributing windows installers via sourceforge I recommend that when you download the files you verify the downloads via the checksums in the README.txt before using them. The README.txt is clearsigned with my gpg key so it should be safe from tampering. Unfortunately as I don't use windows I cannot give any advice on how to do the verifcation on these platforms. Maybe someone familar with available tools can chime in.
I have checked the numpy downloads and they still match what I uploaded, but as sourceforge does redirect based on OS and geolocation this may not mean much.
Cheers, Julian Taylor _______________________________________________ NumPy-Discussion mailing list NumPy-Discussion@scipy.org http://mail.scipy.org/mailman/listinfo/numpy-discussion
_______________________________________________ NumPy-Discussion mailing list NumPy-Discussion@scipy.org http://mail.scipy.org/mailman/listinfo/numpy-discussion