Two weeks ago the new owner of SourceForge terminated the controversial "DevShare" program. https://sourceforge.net/blog/sourceforge-acquisition-and-fut...

So it should be safe again.

Nah. Reputation is hard to build, but eeeeasy to destroy; saying "trust us that you can trust us again" doesn't magically revert it to previous version (at least a suspicion remains of "...until we have another Wonderful Idea at an indeterminate point in the future").

I wasn't aware of that, thanks for sharing.

It is an old state of things, but the data is not an executable installer (that is usually the problem, as SF has a bad habit of infect them with malware), it's a ISO image. For nightly (trunk) builds ReactOS uses its own servers, so I guess it's about the maximal bandwidth that may be of concern here especially when the new version are released, and SF may address exactly that.

> (that is usually the problem, as SF has a bad habit of infect them with malware)

SF is under new ownership as of last week, and they've already removed the most problematic behavior. If you find malware you should let them know, as the new ownership seems much more on the ball.

There's nowhere else to easily host "large" binaries for free.

Seems like a legitimate case for BitTorrent? It's always my go-to download method for Linux ISOs.

Running a VPS / web server for an initial (web) seed isn't free - and then you're relying on popularity to keep the files available. I should check whether the Internet Archive will host things.

I've grabbed 5 year old tarballs off SourceForge before. I know there are 5+ year old torrents that still have peers but that's an exception to the rule.