Please remove Bitcoin from Sourceforge.net

[Raoul Duke]

It has come to my attention that Sourceforge only does what the U.S.A. government wants, so it isn't the right place to host the Bitcoin client nor the bitcoin.org website.

You can see what i mean here: http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#ProhibitedPersons

It came to my knowledge because of this thread: https://bitcointalk.org/index.php?topic=37402.0

Probably you guys chosen the wrong place to host such a project.
Free hosting is good, allright, but not when it comes with this price tag

If they let the US government tell them what to do, i ask: What's next? Giving the authorities access to repositories so they can install backdoors?

I think this is a very serious issue and I bet a lot of people will agree with me.

Let the discussion begin!

PS: Sorry for not being eloquent enough but I guess you all understand what I want to say.

[1715115177]

1715115177

[1715115177]

1715115177

[1715115177]

1715115177

[1715115177]

1715115177

[1715115177]

1715115177

[1715115177]

1715115177

[N.Z.]

Why "remove"? It`s not a Bitcoin way Add some mirrors, diversification will solve the problem.

[Raoul Duke]

Why "remove"? It`s not a Bitcoin way Add some mirrors, diversification will solve the problem.

Do you think it's a good idea to take the risk?

I'm fully aware that the source code is hosted on github, but I'm also aware that 90% or more of Bitcoin installs come from the exe's on sourceforge.

I know I'm not trusting SourceForge anymore...
If they are willing to punish people that live under oppressive regimes just for fear of US law i wonder what else will they do when said law "asks"* them...
*forces them to

[captainteemo]

It has come to my attention that Sourceforge only does what the U.S.A. government wants, so it isn't the right place to host the Bitcoin client nor the bitcoin.org website.

You can see what i mean here: http://sourceforge.net/apps/trac/sitelegal/wiki/Terms_of_Use#ProhibitedPersons

It came to my knowledge because of this thread: https://bitcointalk.org/index.php?topic=37402.0

Probably you guys chosen the wrong place to host such a project.
Free hosting is good, allright, but not when it comes with this price tag

If they let the US government tell them what to do, i ask: What's next? Giving the authorities access to repositories so they can install backdoors?

I think this is a very serious issue and I bet a lot of people will agree with me.

Let the discussion begin!

PS: Sorry for not being eloquent enough but I guess you all understand what I want to say.

This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al

Cryptographic software is subject to the US government export control and economic sanctions laws (“US export laws”) including the US Department of Commerce Bureau of Industry and Security’s (“BIS”) Export Administration Regulations (“EAR”, 15 CFR 730 et seq., http://www.bis.doc.gov/). You may also be subject to US export laws, including the requirements of license exception TSU in accordance with part 740.13(e) of the EAR. Software and/or technical data subject to the US export laws may not be directly or indirectly exported, reexported, transferred, or released (“exported”) to US embargoed or sanctioned destinations currently including Cuba, Iran, North Korea, Sudan, or Syria, but any amendments to this list shall apply. In addition, software and/or technical data may not be exported to any entity barred by the US government from participating in export activities. Denied persons or entities include those listed on BIS’s Denied Persons and Entities Lists, and the US Department of Treasury’s Office of Foreign Assets Control’s Specially Designated Nationals List. The country in which you are currently located may have restrictions on the import, possession, use of encryption software. You are responsible for compliance with the laws where You are located.

[Raoul Duke]

This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al

Yes, yes, but... does it make it right?

Or is Bitcoin also bending over and let the US government do as he pleases?

EDIT: Why doesn't Bitcoin have it's own servers in a less restrictive country and hosts all the code themselves instead of relying in companies that have to follow US rulings, no matter how unfair they are?

Or will they just kill the project as soon as the US government says Bitcoin should die?

[captainteemo]

This is a requirement by all US based companies. No exceptions, this includes github, googlecode, et al

Yes, yes, but... does it make it right?

Or is Bitcoin also bending over and let the US government do as he pleases?

No, but your thing about getting it off sourceforge is pointless because it makes no difference.
In any case, the source is out there, so it doesn't matter. SF is just a mirror at this point.

[Raoul Duke]

SF is just a mirror at this point.

No it isn't... It's the only official place from where people can get compiled binaries.

[captainteemo]

SF is just a mirror at this point.

No it isn't... It's the only official place from where people can get compiled binaries.

Why would people be dumb enough to trust compiled binaries? Compile from source, audit the source.

[jackjack]

I'm sure 60+% of bitcoiners are dumb enough to use these binaries

I'm about to post a poll in the discussion forum, we'll see

[Xephan]

SF is just a mirror at this point.

No it isn't... It's the only official place from where people can get compiled binaries.

Why would people be dumb enough to trust compiled binaries? Compile from source, audit the source.

You obviously live in your own personal fantasy world.

If bitcoin is ever going to be successful, the _vast_ of folks who are going to end up
running the client won't have the first clue about compiling anything (as a matter of
fact, that's probably already the case).

Of those actually capable of compiling a client, very few have the expertise to read
C++ code (and the client is non trivial code, to say the least). A quick search through
these forums for clamors of "please provide latest binary release of XXX" should be
have been your first clue.

Finally of the very tiny minority of peoplecapable of both compiling and reading C++
code, who the @&%$@ has the time to check every new commit against the code base ?

Puh-lease.

I would tend to agree with the OP: hosting the official clients on a site that abides by
US rules is unhealthy. I'd pick a place like a site hosted in sweden for official, checksummed
new releases and just mirror the stuff wherever.

+1 for this post.

There are still too many Bitcoiners who don't realize that in order for Bitcoin to succeed, it MUST be accessible to the general public whose experience with new software is simply download and click-click-click.

[kjj]

SF is just a mirror at this point.

No it isn't... It's the only official place from where people can get compiled binaries today.

Fixed that for ya.

Do you really think it will be hard to put binaries up on a different mirror some day if we need to?

[Raoul Duke]

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

Now on a serious note: Usually I'm not the ultra-paranoid freak type, but do you think Satoshi never came forward with his identity just because? The invention of Bitcoin would be a great thing in anybodys' resume, but he chose to hide because he knew about the powerful enemies he would face if he didn't.
Now, you are giving the power to a US controlled institution to f*** us without us even knowing about it.

Leave the binaries there if you think it's the right thing to do. Move them in a hurry after the trouble comes if you think that's the best thing to do. Just don't say you weren't warned or that you didn't knew about it when it happens.

For a project that is all about decentralization i see it too much centralized in the US, even worse, the source code is hosted in servers under the power of US law.

Let's see how it rolls. After all Bitcoin was like that from the start. Too bad that the only person who seemed to ever think about the dangers of this was the creator, and he's gone.

[twobits]

Sometimes you have to pick your battles.  There are enough other ones looming on the horizon to not give the government this one as an easy excuse to go after the devs based in the USA.   

I do think the distribution is a bit lax.  They should at least be being signed.  This would allow mirrors to be made and a way to still check that what you get was ok.  Once this is done,  the issue should be solvable by people that want to solve it. If that issue is providing more global access to the bitcoin binaries anyway.  Are there any bridge counties?  Like could someone in China download it, then provide it to N Koreans?

[Maged]

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

[zellfaze]

I would suggest mirrors in the Netherlands and Sweden.  Both are fairly nonrestrictive countries as far as I know.

Anyone want to volunteer to do this?  I'm sure we could find a host that would accept Bitcoins even, or just do it for free.

[twobits]

Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Thats good. I was surprised that it seemed like they are not.  Would be good to use two different hashes or at least not sha-1 anymore.  Also, it is not obvious at all from the bitcoin.org page.  I just see link to downloads of the binaries, where are the links to the signatures?

[Raoul Duke]

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Yes, I understand that. I also know that people like Dan Kaminsky review the source code or at least did it once and said it was a ugly like hell but very well thought-off and bug-free.
But I also remember this and this

[aq]

who the @&%$@ has the time to check every new commit against the code base ?

I think you guys have a wrong picture about the "development" of bitcoin.
Basically, there is almost no development going on, I would at best call it maintenance.
I don't believe that there are even 10 lines of *code* changes commited on average per day, so one could probably even teach his grandma to review those

[zellfaze]

Perhaps in addition to moving off of SF a yearly audit of the code should be required.

We could make it a contest.  Pay BTC to those who find the most severe security flaws, just like Google does.  I would donate to doing that.

[pekv2]

Because people in iran "or any other country's listed" cannot access sourceforge, you want bitcoin not to be hosted on SF?