Slashdot Mirror

← Back to Stories (view on slashdot.org)

GnuPG Gets Back On Track With Funding

Posted by Soulskill on from the pulling-together dept.

jones_supa writes: Soon after the poor state of the GnuPG was unveiled, the online community has rallied to help Werner Koch. He wanted to hire a full-time programmer to work on the project alongside him and to ensure that he's not living on the brink of bankruptcy all the time. Immediately after the article was published, it was revealed that he got a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Also, the community donated over $150,000, and Facebook and Stripe have each pledged to provide $50,000 per year. All in all, it looks like Werner Koch won't be worried about funding for quite some time. The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.

51 comments

  1. Would love grant too by Anonymous Coward · · Score: 0

    I would love to hire somebody else too, it would help me a lot on my open source projects.

    1. Re:Would love grant too by TWX · · Score: 4, Insightful

      Well, write one that becomes ubiquitous, quality, and that people depend on, and you too can probably hover near-bankruptcy for a decade before people decide to reward you with five-figures.

      In all seriousness, some of those funding systems like Kickstarter seem like they'd be a good fit for many open-source projects. Pay a programmer for a couple of years or pay two programmers for a year to get a fresh major release version paid-for.

      --
      Do not look into laser with remaining eye.
    2. Re:Would love grant too by Anonymous Coward · · Score: 0

      Are your open source programs used all over the world by people avoiding running afoul of the regime in charge of their country? What about people all over the world protecting private information from competitors?

      I thought not.

    3. Re:Would love grant too by Anonymous Coward · · Score: 0

      So you're saying you'd pay me if I was writing software for ISIS?!

  2. Patron of software projects by zrbyte · · Score: 0

    Something like Patreon should be set up for software projects.

    1. Re:Patron of software projects by Anonymous Coward · · Score: 0

      You mean https://gratipay.com?

  3. OpenSSL, GnuPG, ... by Noryungi · · Score: 4, Insightful

    Funny how these projects are crypto-related. As in: so shockingly important crypto, they form the basis for most of the security we enjoy on the Internet.

    Funny, that. Just saying.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:OpenSSL, GnuPG, ... by Anonymous Coward · · Score: 5, Interesting

      GnuPG is a civilian crypto initiative. There are plenty of well-funded military crypto initiatives with highly-trained specialists who have amazing resources at their disposal. Civilians, not so much.

      Crypto is hard to do right, and it takes very, very specialized mathematical knowledge that takes resources and time to master but doesn't offer much in the way of careers in the civilian world. Most of the software development community focuses on other areas: they do their own things very well, but they don't have the math to implement good crypto on their own, which is why we have the mantra, "Don't try to roll your own crypto." In practical terms, that means that cypto software developers are a rare breed who have invested a lot in expertise that won't pay off for them in financial terms in the civilian world, but they're also indispensable.

      That makes them potential points of failure, since knocking out a few, by offering them incentives to work in other fields instead of their own or to weaken their crypto, means weakening the development community as a whole by slowing work on crypto libraries that can be used by the rest of the community. OpenSSL's failures have demonstrated that institutionalizing the point of failure to stabilize the resources available to a crypto programming group doesn't necessarily reinforce or remediate the potential point of failure. This is a big problem, one without an easy solution.

    2. Re:OpenSSL, GnuPG, ... by Mariner28 · · Score: 2

      Sorry, but the theoretical work has mostly been already done. The real work now is making OpenSSL/LibreSSL ( including client, not just server authentication ) and PGP/GPG ubiquitous. Every e-mail client(desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail - pressure from various governments? Projects like Enigmail are great, but there really needs to be a push to get commercial companies to start adopting secure email.

      Being a customer of a bank should mean I get an authenticated PGP/GPG key or an X.509 key when I open an account. Or my ISP should issue one to me. Maybe something akin to the FDIC would maintain the public key infrastructure. The bank has my identifying information. We just need the wherewithal to create the supporting infrastructure in the marketplace.

      How to fund it? Hell, it would pay for itself by reducing identity theft and fraud losses incurred by the banks and retailers.

      And it should be easy to generate a revocation key in case mine is compromised (phone or laptop gets stolen?). Right now in GPG4Win, there's no way to generate a revocation key from the Kleopatra GUI - I gotta do it from the command line. Adding that feature doesn't take a PhD in mathematics - that's something a reasonably experienced coder to add, since Kleopatra is just a front-end to generate the command line to pass to the gpg executable.

      --
      "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
    3. Re:OpenSSL, GnuPG, ... by Fnord666 · · Score: 2

      Every e-mail client(desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail - pressure from various governments?

      Maybe it's the fact that if your email is encrypted as it passes through Google, they can't data mine it. Since that is the Raison d'etre for gmail, it would kind of defeat the whole purpose.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    4. Re:OpenSSL, GnuPG, ... by CronoCloud · · Score: 1

      Every e-mail client(desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail

      Well it might not be a priority for them because they know you can just use a desktop client that already has gpg and S/MIME support with gmail

      Being a customer of a bank should mean I get an authenticated PGP/GPG key or an X.509 key when I open an account.

      I agree.

      Right now in GPG4Win, there's no way to generate a revocation key from the Kleopatra GUI - I gotta do it from the command line.

      It doesn't? (checks the Linux version) It doesn't on Linux either, that's a big missing feature. The Kleopatra docs say to use kgpg to do that, but that's no help for gpg4win users.

    5. Re:OpenSSL, GnuPG, ... by StikyPad · · Score: 1

      What's taking Google so long for Gmail - pressure from various governments?

      They're on it, actually. Feel free to help.

      http://googleonlinesecurity.bl...

      --
      https://www.eff.org/https-everywhere
    6. Re:OpenSSL, GnuPG, ... by StikyPad · · Score: 1

      Also, forgot to mention the original reason I meant to reply to your post...

      The theoretical work has already been done for the encryption techniques that we use, but the methods we use are completely arbitrary -- there is no "right answer" to encryption. And things like RSA have not really been proven to be unbreakable; they've just withstood known attempts to crack. Known attempts. It's important that research continues in strengthening encryption beyond simply lengthening keys and/or permutations.

      BTW, why doesn't slashdot support https yet??

      --
      https://www.eff.org/https-everywhere
  4. Why need money? by smooth+wombat · · Score: -1, Troll

    Maybe I'm missing something, but it is repeatedly said that everything should be free.

    So how is it that this guy needed money to continue his work? Isn't it free? Why would he mysteriously need money when everything is free?

    Free things don't cost anything so are we sure he's not pocketing the money?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Why need money? by Anonymous Coward · · Score: -1

      You think RMS pays for his foot skin on good will and forks of emacs?

    2. Re:Why need money? by Anonymous Coward · · Score: 0

      What the fuck are you even talking about? The software is free to use, and is free in the liberty sense as you're allowed to use it however you'd like. But what does any of that have to do with the living expenses and cost of running an open-source project (you do have to pay for things such as various tools, web hosting, SSL certs, Git project hosting, etc.) of the man that is behind its development? Nothing.

      You do know that an overwhelming majority of work done on open-source projects is paid-for work, right?

    3. Re:Why need money? by Nutria · · Score: 4, Insightful

      Why would he mysteriously need money when everything is free?

      Your misunderstanding of Free software is... staggering.

      are we sure he's not pocketing the money?

      I'm sure that he is pocketing it, then quickly depocketing it for mortgage/rent, food, heat, transportation, etc, etc ad nauseum.

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:Why need money? by Pope+Hagbard · · Score: 3, Insightful

      Occam's Razor: he knows perfectly well what's going on and is taking the piss.

    5. Re:Why need money? by Anonymous Coward · · Score: 1

      You have one life to live. Unless you're the sort of person to believe in re-incartion, in which case nothing (logic included) are going to apply to you.

      In that one life you have a certain amount of time to accomplish the things you want to accomplish. GNUPG is still free...people's time is NOT. It's a COST that goes into the development of free software that people like you get to enjoy without ever contributing anything back other than snarky, ignorant remarks on Slashdot. "Free things don't cost anything," sorry to burst your bubble you special little snowflake but EVERYTHING FUCKING COSTS SOMETHING. Just because it's "free software" doesn't mean that someone isn't paying for it in some way and not necessarily with money. Koch chose, with the urging of Richard Stallman, to devote a large part of his life to developing a part of the software "stack" of most free operating systems that's absolutely vital and apparently he's one of the few people, if any, who are actually doing it.

      The ignorance you display about how free software actually works is so stunning that...well looking at your post history you're just a fucking troll anyway, so I probably shouldn't have bothered trying to make a case to you. You're just poisoning the well because you know you have no other value in the world. You're worthless. You are nothing. Koch actually accomplished something, free software developers actually accomplish something. You use the fruits of their work and then complain when one of them is looking at being bankrupt and homeless. You are a fucking twat.

    6. Re:Why need money? by zidium · · Score: 4, Interesting

      The problem is that this fool licensed GnuPG under the GPL license. No business in their right mind would finance him to build a project using it, as then that software would have to be GPL'd, too.

      I think he should develop an MIT licensed version and see how that does.

      --
      Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
    7. Re:Why need money? by Squach · · Score: 3, Insightful

      I think part of the problem is, I wouldn't trust a company that said it's product was based on GnuPG, but wouldn't let me look at the source code for the encryption bits. How would you know they hadn't given the NSA a backdoor of some sort?

    8. Re:Why need money? by peppepz · · Score: 2
      You might have heard of some minor pieces of software that are licensed under the GPL and yet managed to attract some moderate commercial interest, such as Linux.

      And MySQL, GCC, busybox, blender, ...

    9. Re:Why need money? by zidium · · Score: 0

      For better or for worst, those aren't one-man operations, either, but mostly run by foundations with overarching missions and established donors or corporations with deep pockets. They utilize the GPL not as a freedom device but as a control: OPEN SOURCE YOUR CODE UNDER THE GPL *or* PAY US LOTS OF MONEY FOR A COMMERCIAL LICENSE [if we even let you! wahahahaa!]

      --
      Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
  5. Ass ramming for Patreon donations by Anonymous Coward · · Score: -1

    Can I ram my throbbing, veiny cock up your pooper? I'll donate to your Patreon afterwards.

    1. Re:Ass ramming for Patreon donations by Anonymous Coward · · Score: -1

      Little-known fact: parent is Theo de Raadt and that's why he got kicked off the NetBSD team.

    2. Re:Ass ramming for Patreon donations by Anonymous Coward · · Score: 0

      He got kicked out for not doing the Patreon donations?

  6. in trouble.. by Anonymous Coward · · Score: 0

    Noone rushes to your rescue when you're not in trouble, how much cash do you think facebook, microsoft or apple would raise if they started fundraiser with bankaccounts overflowing with BILLION$$$ ..

    1. Re:in trouble.. by Ronin+Developer · · Score: 1

      You have heard of a little institution called the stock market, right? It's precisely how companies acquire more cash even when overflowing with billions.

      As for GnuPG, I am very glad to see that the community realized the importance of his work. It probably should have been funded years ago.

    2. Re:in trouble.. by mlts · · Score: 4, Interesting

      If one thinks about it, there are really few crypto products out there that are open source, trustworthy, and independent. GnuPG is one effort. NetPGP is another.

      The reason why OpenPGP implementations are important is for a number of reasons:

      1: They are the top-most layer of communications. For example, if I get an encrypted E-mail, it doesn't matter what my MUA is, and if there are hooks in it for viewing OpenPGP packets. Worst case, I copy the .asc blob or attachment and paste it to decrypt it. By having a crypto format independent of everything else on the stack (the mail program, the network protocols, the mail server, etc.), the messages are encrypted and can't be tampered with unless the endpoint is compromised. A bad SSL key, compromised Exchange mailbox, or other items don't matter. Plus, OpenPGP packets can be sent over any message system. AIM? Just fine. FB PM? Assuming FB doesn't consider it spam and toss it. A USENET post on alt.anonymous.messages? Works.

      There are a lot of people trying to bundle encryption with their own messaging protocol, but having it separate, with the key management and web of trust not reliant on one company or organization is important. Being forced to trust CAs only results in DigiNotar hacks eventually, while a WoT tends to be more robust.

      2: For long term storage on insecure media, using OpenPGP packets is a useful tool. Using PGP/GPG keys for securing files not just makes it impossible for an attacker to try brute forcing passwords, but also allows for one to check signatures (assuming a sign after encryption) to check for bit rot or tampering. Even secure media, the ability to store files in a signed format is useful.

      3: PGP/gpg is available on many platforms. It isn't just limited to OS X/Windows/Linux. I can write a message on AIX and sent it with dtmail or mutt, and the receiver using Windows can read it in Outlook, having it decoded by Symantec's successor of PGP Desktop.

      The problem is that PGP, gnuPG, and NetPGP are not flashy. They form a secure foundation, but tend to be forgotten about because a lot of startups want their own, private security solution to sell. I'm glad that GnuPG has gotten funding. I'm also hoping that other OpenPGP implementations get some cash as well, be it NetPGP, and even commercial items like Symantec's offering keep maintained, just because of how important it is to have a lowest-common-denominator messaging format that works over any messaging protocol.

  7. Core Infrastructure Initiative by millert · · Score: 5, Informative

    This is exactly the kind of thing Core Infrastructure Initiative is meant to help with and I'm happy to see it being used for gpg. Anyone with an underfunded Open Source project that is in wide use can apply for a grant from http://www.linuxfoundation.org.... There's no need to wait until you are in dire straits.

  8. before they get in trouble, and not after. by Nutria · · Score: 5, Insightful

    Software in the Public Interest is in a unique place to act as an information clearing house, conduit and "amalgamator" for this problem.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:before they get in trouble, and not after. by Anonymous Coward · · Score: 0

      I posted this on the ycombinator news site, but it would be cool if sites like spi had a patreon kind of thing to allow fractional donation:
      0.50 cents to projects x, y and z
      1 dollar to project w
      2 dollars to ...

      I think that would be nice at least for individuas to keep track of the projects they want to support while being able to chip in on a very large number of projects without paying a lot.

  9. Is there a good 'clearinghouse' for this? by fuzzyfuzzyfungus · · Score: 3, Interesting

    At least in part, this problem seems to be down to a lack of any sort of way(short of investigative journalism for every project you are interested in) of being able to see what the funding situation is.

    As with OpenBSD a while back, it was pretty much 100% everything-as-normal until "Boom, out of money, game over, man, game over." followed by a last minute fundraiser.

    There are plenty of projects, GnuPG among them(and OpenBSD, at that time), that I'd be happy to assist; but I don't really have the slightest idea of who is A-OK, who could use some more money in an ideal world, and who is about to burn out and quit for lack of resources.

    Is there any sort of mechanism in place, or under discussion, for making resource needs more visible before they become emergencies?

    1. Re:Is there a good 'clearinghouse' for this? by jones_supa · · Score: 3, Interesting

      Imagine a database website where you could see the current year's funding target and amount collected, for each open source project.

      ExtremelyImportantLibrary [||||||||||] $1200 / $1000 (target reached) [donate now]
      VideoCruncher [||--------] $145 / $600 [donate now]
      GizmoPanel [----------] $10 / $500 [donate now]

    2. Re:Is there a good 'clearinghouse' for this? by Anonymous Coward · · Score: -1

      kill systemd [----]

  10. JYou fail It! by Anonymous Coward · · Score: -1

    The5e eArly

  11. The GNU project needs money! by Anonymous Coward · · Score: 4, Informative

    The developers who work on the heart of the operating system are badly funded and its getting worse.

    Please consider donating:

    https://my.fsf.org/donate/

    * The FSF "sponsors" the project, but doesn't have the resources to properly fund it. You can help change that indirectly by donating to the FSF. There are many GNU pieces that need more attention and one of the reasons that many projects are in poor shape is because people are letting politics get in the way.

    1. Re:The GNU project needs money! by jones_supa · · Score: 1

      This is true and the need is increasing as software becomes more complex. 50k lines of code project is a small one these days. Among full-time developers, resources for proper quality assurance are sorely needed and unfortunately it's starting to show already.

    2. Re:The GNU project needs money! by Kohlrabi82 · · Score: 0

      Why invest in coders when we can invest in outreach programs like GNOME does?

    3. Re:The GNU project needs money! by laird · · Score: 2

      That's due to US non-profit rules. That is, by US law (and the IRS) non-profits can have educational missions, but can't produce anything that's of direct benefit to for-profit companies. Since FOSS software can be used by for-profits and not just by non-profits, creating FOSS software can't be the primary mission of a non-profit. That's why the Apache Foundation, GNOME Foundation, etc., are non-profits set up to educate and promote, but can't directly fund development of the FOSS software. Yeah, seems a little silly, but the IRS is quite consistent on this point for decades now.

      --
      Enable 3D printed prosthetics!
    4. Re:The GNU project needs money! by fulldecent · · Score: 0

      GNU is abandonware, which is fine in and of itself. However, abandonware under a GPL license discourages corporate sponsorship.

      End result: the nix systems we know and love from 10 years ago will be the same exact systems we know and love 20 years from now.

      --

      -- I was raised on the command line, bitch

    5. Re:The GNU project needs money! by Anonymous Coward · · Score: 0

      Are you kidding me? 99% of the code out there is GPL licensed. This has nothing to do with it. Redhat sponsors a ton of GPL licensed code among many other companies.

  12. The Trisquel project needs your support as well! by Anonymous Coward · · Score: 0

    Rubén Rodríguez a.k.a. quidam has been the lead developer of what might be one of the most important projects in the free software community. Without his work we wouldn't be making progress on a 100% software distribution geared at the masses. It's nice and easy to point people at distributions which don't care about free software- and I'll admit even I do it. However we need to consider the consequences of those actions and the harm its doing to our community. We are sacrificing freedom for proprietary software and in doing so undermining our very values. If you wanted to run proprietary software you could have just stuck with Microsoft Windows or Mac OS X. The reality is we do want free software to prosper, but if we don't even make the effort to develop free software replacements what is that saying? I'll tell you: we're all a bunch of hypocrites. While money is not a solution to this problem it does help avert catastrophe. We do at least need people working on these problems and that won't happen if only proprietary software are allowed into the club- and allowed to subvert the freedom that attracted us in the first place.

  13. Re:The Trisquel project needs your support as well by Anonymous Coward · · Score: 0

    You forgot the URL:

    http://trisquel.info/en/donate

  14. XFCE anyone? by Anonymous Coward · · Score: 3, Informative

    The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.

    I was thinking if XFCE could use some help? A lot of people like it, but the project seems to be greatly underresourced and the development is very slow. It seems that they have a Bountysource page set up already.

  15. Tragedy of the Commons by happyslayer · · Score: 2

    I think that's fairly descriptive of the behavior that led to this: Projects like OpenSSL and GPG are used by many people (and big companies), but since it's "not their responsibility", the haven't put any support into them. "I got mine--why should I pay up?" Fortunately, in those cases, highlighting the problem led to an outpouring of support. Those who didn't have direct skin in the game (coders, companies, etc) brought the problem to light and those who did have skin in the game (as well as others) started supporting the projects. I'm not making a real criticism--it's just the default human herd behavior. But with enough examples of things going wrong, maybe a few people can emulate those people and take up the mission of supporting them to keep this from happening. It sounds like things are already moving in that direction.

    --
    Never confuse movement with action. --Hemingway
    1. Re:Tragedy of the Commons by RyuuzakiTetsuya · · Score: 1

      Given how many people have given when asked, it's less, "tragedy of the commons" and more "tragedy for not asking" which is understandable. In the west we think it's bad taste to ask for money. Even if there's some output in return some people consider it begging.

      --
      Non impediti ratione cogitationus.
  16. Whatsapp Status by Anonymous Coward · · Score: -1

    whatsapp status quotes in english

  17. Good use of /. by iritant · · Score: 5, Interesting

    Wow. That was an amazing thing the community did, and I have to believe slashdot helped. I think it would be great if there were a continuing thread on /. that just focuses on worthy projects that need help.

  18. Let the rich scream poor by Anonymous Coward · · Score: 0

    What a result! A wealthy and over-funded individual screams poor and he's suddenly made much wealthier still. To the donors, I can only say that there are some real idiots on this planet and you've just helped to identify yourselves.

  19. There's not much that's "as important" as GPG by Chandon+Seldon · · Score: 2

    The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.

    Not really, because there aren't that many projects as important as GNUPG but without a foundation or something backing them up. OpenSSL is probably the next good example, but that's run by a consulting company.

    Without GNUPG, no major GNU/Linux distros could security download updates. It's *the tool* that does digital signatures. It's at least as important as OpenSSL, but in that case there are viable alternatives (e.g. GNUTLS, NSS).

    Really, the GNU project needs to spend some more money on maintaining the infrastructure that they sponsor. They'd get quite a bit more money if the had fundraisers directly for core GNU software (e.g. GNUPG / GCC / Bash / libc) development rather than generic funds that might get spent sending their mascott to protest at an Apple store or some nonsense. Activism is great and all, but it's a waste of time if the concrete infrastructure that the movement has built is allowed to rot.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.