Slashdot Mirror
GnuPG Gets Back On Track With Funding
jones_supa writes: Soon after the poor state of the GnuPG was unveiled, the online community has rallied to help Werner Koch. He wanted to hire a full-time programmer to work on the project alongside him and to ensure that he's not living on the brink of bankruptcy all the time. Immediately after the article was published, it was revealed that he got a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Also, the community donated over $150,000, and Facebook and Stripe have each pledged to provide $50,000 per year. All in all, it looks like Werner Koch won't be worried about funding for quite some time. The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
At least in part, this problem seems to be down to a lack of any sort of way(short of investigative journalism for every project you are interested in) of being able to see what the funding situation is.
As with OpenBSD a while back, it was pretty much 100% everything-as-normal until "Boom, out of money, game over, man, game over." followed by a last minute fundraiser.
There are plenty of projects, GnuPG among them(and OpenBSD, at that time), that I'd be happy to assist; but I don't really have the slightest idea of who is A-OK, who could use some more money in an ideal world, and who is about to burn out and quit for lack of resources.
Is there any sort of mechanism in place, or under discussion, for making resource needs more visible before they become emergencies?
GnuPG is a civilian crypto initiative. There are plenty of well-funded military crypto initiatives with highly-trained specialists who have amazing resources at their disposal. Civilians, not so much.
Crypto is hard to do right, and it takes very, very specialized mathematical knowledge that takes resources and time to master but doesn't offer much in the way of careers in the civilian world. Most of the software development community focuses on other areas: they do their own things very well, but they don't have the math to implement good crypto on their own, which is why we have the mantra, "Don't try to roll your own crypto." In practical terms, that means that cypto software developers are a rare breed who have invested a lot in expertise that won't pay off for them in financial terms in the civilian world, but they're also indispensable.
That makes them potential points of failure, since knocking out a few, by offering them incentives to work in other fields instead of their own or to weaken their crypto, means weakening the development community as a whole by slowing work on crypto libraries that can be used by the rest of the community. OpenSSL's failures have demonstrated that institutionalizing the point of failure to stabilize the resources available to a crypto programming group doesn't necessarily reinforce or remediate the potential point of failure. This is a big problem, one without an easy solution.
If one thinks about it, there are really few crypto products out there that are open source, trustworthy, and independent. GnuPG is one effort. NetPGP is another.
The reason why OpenPGP implementations are important is for a number of reasons:
1: They are the top-most layer of communications. For example, if I get an encrypted E-mail, it doesn't matter what my MUA is, and if there are hooks in it for viewing OpenPGP packets. Worst case, I copy the .asc blob or attachment and paste it to decrypt it. By having a crypto format independent of everything else on the stack (the mail program, the network protocols, the mail server, etc.), the messages are encrypted and can't be tampered with unless the endpoint is compromised. A bad SSL key, compromised Exchange mailbox, or other items don't matter. Plus, OpenPGP packets can be sent over any message system. AIM? Just fine. FB PM? Assuming FB doesn't consider it spam and toss it. A USENET post on alt.anonymous.messages? Works.
There are a lot of people trying to bundle encryption with their own messaging protocol, but having it separate, with the key management and web of trust not reliant on one company or organization is important. Being forced to trust CAs only results in DigiNotar hacks eventually, while a WoT tends to be more robust.
2: For long term storage on insecure media, using OpenPGP packets is a useful tool. Using PGP/GPG keys for securing files not just makes it impossible for an attacker to try brute forcing passwords, but also allows for one to check signatures (assuming a sign after encryption) to check for bit rot or tampering. Even secure media, the ability to store files in a signed format is useful.
3: PGP/gpg is available on many platforms. It isn't just limited to OS X/Windows/Linux. I can write a message on AIX and sent it with dtmail or mutt, and the receiver using Windows can read it in Outlook, having it decoded by Symantec's successor of PGP Desktop.
The problem is that PGP, gnuPG, and NetPGP are not flashy. They form a secure foundation, but tend to be forgotten about because a lot of startups want their own, private security solution to sell. I'm glad that GnuPG has gotten funding. I'm also hoping that other OpenPGP implementations get some cash as well, be it NetPGP, and even commercial items like Symantec's offering keep maintained, just because of how important it is to have a lowest-common-denominator messaging format that works over any messaging protocol.
The problem is that this fool licensed GnuPG under the GPL license. No business in their right mind would finance him to build a project using it, as then that software would have to be GPL'd, too.
I think he should develop an MIT licensed version and see how that does.
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
Wow. That was an amazing thing the community did, and I have to believe slashdot helped. I think it would be great if there were a continuing thread on /. that just focuses on worthy projects that need help.