Open source downloads are an endangered species

No readers like this yet.
Change the model

With recent news that GitHub is banning storage of any file over 100Mb and discouraging files larger than 50Mb, their retreat from offering download services is complete. It's not a surprising trend; dealing with downloads is unrewarding and costly. Not only is there a big risk of bad actors using download services to conceal malware downloads for their badware activities, but additionally anyone offering downloads is duty-bound to police them at the behest of the music and movie industries or be terated as a target of their paranoid attacks. Policing for both of these—for malware and for DMCA violations—is a costly exercise.

As a consequence we've seen a steady retreat from offering downloads, even by those claiming to serve the open source community. First GitHub bowed out of offering the service, claiming that it was "confusing" for the clients. More recently Google followed suit, bringing Google Code Download services to an end. They stated that "downloads have become a source of abuse, with a significant increase in incidents recently." Community reactions to this have been mixed.

GitHub didn't have an alternative plan for it's users and clearly has no desire to be a full-service community host. Google suggested using its Drive cloud file storage service to host files, though this is clearly far from ideal as, for a start, no analytics are available for downloaders. Small projects are left with a rapidly decreasing number of options. They could pay of course, for S3, but for a free downloader solution SourceForge seem to be the only high-profile answer. SourceForge are doing everything in their power to make it easy for users of Google Code and GitHub to transition across to their service and GitHub have even included a link to SourceForge in their help pages, recommending them as a viable alternative. SourceForge assures us that they have no intention of shutting down their upload/download services at all.

SourceForge providing an alternative is potentially handy for those whose projects would otherwise be held up by this lapse in services and they will no doubt welcome the wave of new users. The issue shouldn't be coming up at all though. Confusion for and abuse by users may sound like reasonable pretexts, but perhaps the real problem encountered by both the closing services is a somewhat less reasonable one. There's a growing expectation that they should regulate the downloads, acting the part of police on behalf of copyright holders.

The pressure to behave that way, whether through a desire to preserve a safe harbour status or simply to tread carefully in the eyes of the law, is an unreasonable hack that appears to mend copyright law online but in fact abdicates the responsibility of legislators to properly remake copyright law for the meshed society and over-empowers legacy copyright barons. These changes to downloads are an inconvenience for open source developers, but should serve as a warning to the rest of us that the copyright system is beyond simple patching.

Simon Phipps (smiling)
Computer industry and open source veteran Simon Phipps started Public Software, a European host for open source projects, and volunteers as President at OSI and a director at The Document Foundation. His posts are sponsored by Patreon patrons - become one if you'd like to see more!


Thanks for sharing, I actually did not notice Github and Google Code were moving in this direction. Used to self hosting the downloads, and Github 'simply' as development repository.

Actually, Github just announced Releases, a workflow for shipping software to end users:

Now that you mention this post, I remember reading about the releases. I guess the difference with Github is in the files (large binaries) not being supported.

Indeed, looks interesting. It would have been good if GitHub had waited until this feature was available before banning downloads from repos. Note that this article was originally published in June: when the only reality was they had just banned downloads...

Yes, I just found out about Releases today when I re-tweeted's post. Was there a lot of backlash? Surely Releases wasn't knee-jerk, but they are pretty nimble.

We're glad to host more distros at will host contributor managed content of 1 gig - 1 terabyte in size. Occasionally smaller.

We at are happy to host and distribute distros etc. is designed to host contributor managed files of about 1 gig to 1 terabyte.

Launchpad ( hosts some non-trivial open source projects and offers downloads.

Now let's think of a creative way of keeping downloads "on", maybe a decentralized method, maybe a good implement torrent only downloads...

As long as you're hosting your binary somewhere that supports requesting specific ranges within a file (download resuming, basically), you could try <a href="">BurnBit</a>.

They generate trackerless torrents with your download link listed as a web seed and give you embed code for a button that'll show seeds and leechers.

back before sourceforge and githib the world used mirrors such as this where projects had data at "" and they ran cvsup or svn or some other tool for managing the source tree, we'll end up going back that way but with newer cooler ideas on how contributing and management of core projects are done

it's harsh on those who use git-hub it's harsh on those who use other parties but at the end of the day the idea that if you are interested you will find a way to scratch the itch will work again

it's all fun and changes here on the planet where the only constant is change ;-)


I don't think you can really blame companies for having to deal with the realities of operating online services. I see no issue with GitHub's actions. They are a source code repository, not a file storage service. I would hardly call staying within the bounds of the law an unreasonable hack. Its unfortunate that some people have caused this to be an issue by exploiting these services. Blaming the services for instituting limits on what is largely a free service, though, is like "biting the hand that feeds you".

^My perception is that Simon is blaming the broken copyright law and the lazy copyright holders not GitHub.


I concur with both Simon's point and your view of his point.

Perhaps it's not all the story here, people have in various projects searched for copyright compliance and passed this information back to the upstream when it was found wanting. There was a potential issue in this space, however the community managed it very well. SCO being an interesting agent of change in community perception, which people in various projects have taken to heart and added to their process as a result.

The problem of legacy copyright institutions beating up legit copyright owners is well documented, be it youtube or other places, however the ability to mitigate that problem is harder to manage than herding cats.

The only thing close to it was the whole reaction to SOPA in the US and the reactions to its ilk internationally.

While the OSS community is a threat to the publishers business model and they are a bigger threat to their own business by means of not publishing or releasing to all markets at the same time that's a different story and it actually needs tackling. The job of the publishers as they see it themselves is to control the path to the market.

Back to GitHub they had a genuine gripe against large files, but they set themselves up for it. They had to react if it was going to kill them, they did. The choice of method might be open ot debate as to the elegance of the solution. makes for interesting reading. It makes a reasonable case but not a perfect one.

Is it really that the other question that falls out of this is at what point does something that was reasonable become unreasonable and when that happens what is a good way for a group or organisation to react.

The article picture has the great phrase
Change the model
this was what my initial reaction was to.

These are just some thoughts on the broader article, and what it touches on.

To be correct there have been legal issues with source and binaryies not matching.

This ruling also put the complaince back on the provider of the device. This might put the complaince requirement back on the webhost.

So there is really a requirement for build farms for places like github to use. So they can be sure the binary they are providing is legal. This also reduces possible malware.

Also changing to where user uploads something as a release instead of general source is another way so you can have that the supplier lied to you.

By the way binaries in git archives is not what you call space effective either. Yes github got its press releases in the wrong order. Releases bit came on line before the repo stuff was disabled. But they failed to send out a press release about Releases feature being implemented first.

Hey github PR guys be a little more careful in future.

Given that maybe one in three open source libraries or utilities will compile when downloaded, as often because one's system is too up to date as not up to date enough, this is awful. I really need to step up my virtualization game if I am going to keep using open source code.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.