GnuPG Gets Back On Track With Funding
jones_supa writes: Soon after the poor state of GnuPG was unveiled, the online community rallied to help Werner Koch. He wanted to hire a full-time programmer to work on the project alongside him and to ensure that he's not living on the brink of bankruptcy all the time. Immediately after the article was published, it was revealed that he got a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Also, the community donated over $150,000, and Facebook and Stripe have each pledged to provide $50,000 per year. All in all, it looks like Werner Koch won't be worried about funding for quite some time. The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
Funny how these projects are crypto-related. As in: so shockingly important crypto, they form the basis for most of the security we enjoy on the Internet.
Funny, that. Just saying.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Why would he mysteriously need money when everything is free?
Your misunderstanding of Free software is... staggering.
are we sure he's not pocketing the money?
I'm sure that he is pocketing it, then quickly depocketing it for mortgage/rent, food, heat, transportation, etc., etc., ad nauseam.
"I don't know, therefore Aliens" Wafflebox1
Well, write one that becomes ubiquitous, quality, and that people depend on, and you too can probably hover near bankruptcy for a decade before people decide to reward you with five figures.
In all seriousness, some of those funding systems like Kickstarter seem like they'd be a good fit for many open-source projects. Pay a programmer for a couple of years or pay two programmers for a year to get a fresh major release version paid-for.
Do not look into laser with remaining eye.
This is exactly the kind of thing Core Infrastructure Initiative is meant to help with and I'm happy to see it being used for gpg. Anyone with an underfunded Open Source project that is in wide use can apply for a grant from http://www.linuxfoundation.org.... There's no need to wait until you are in dire straits.
Occam's Razor: he knows perfectly well what's going on and is taking the piss.
Software in the Public Interest is in a unique place to act as an information clearing house, conduit and "amalgamator" for this problem.
At least in part, this problem seems to be down to a lack of any sort of way (short of investigative journalism for every project you are interested in) of being able to see what the funding situation is.
As with OpenBSD a while back, it was pretty much 100% everything-as-normal until "Boom, out of money, game over, man, game over." followed by a last minute fundraiser.
There are plenty of projects, GnuPG among them (and OpenBSD, at that time), that I'd be happy to assist; but I don't really have the slightest idea of who is A-OK, who could use some more money in an ideal world, and who is about to burn out and quit for lack of resources.
Is there any sort of mechanism in place, or under discussion, for making resource needs more visible before they become emergencies?
The developers who work on the heart of the operating system are badly funded and it's getting worse.
Please consider donating:
https://my.fsf.org/donate/
* The FSF "sponsors" the project, but doesn't have the resources to properly fund it. You can help change that indirectly by donating to the FSF. There are many GNU pieces that need more attention and one of the reasons that many projects are in poor shape is because people are letting politics get in the way.
The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
I was thinking if XFCE could use some help? A lot of people like it, but the project seems to be greatly under-resourced and the development is very slow. It seems that they have a Bountysource page set up already.
If one thinks about it, there are really few crypto products out there that are open source, trustworthy, and independent. GnuPG is one effort. NetPGP is another.
OpenPGP implementations are important for a number of reasons:
1: They are the top-most layer of communications. For example, if I get an encrypted E-mail, it doesn't matter what my MUA is, and if there are hooks in it for viewing OpenPGP packets. Worst case, I copy the .asc blob or attachment and paste it to decrypt it. By having a crypto format independent of everything else on the stack (the mail program, the network protocols, the mail server, etc.), the messages are encrypted and can't be tampered with unless the endpoint is compromised. A bad SSL key, compromised Exchange mailbox, or other items don't matter. Plus, OpenPGP packets can be sent over any message system. AIM? Just fine. FB PM? Assuming FB doesn't consider it spam and toss it. A USENET post on alt.anonymous.messages? Works.
There are a lot of people trying to bundle encryption with their own messaging protocol, but having it separate, with the key management and web of trust not reliant on one company or organization is important. Being forced to trust CAs only results in DigiNotar hacks eventually, while a WoT tends to be more robust.
2: For long-term storage on insecure media, using OpenPGP packets is a useful tool. Using PGP/GPG keys for securing files not only makes it impossible for an attacker to try brute-forcing passwords, but also allows one to check signatures (assuming a sign after encryption) to check for bit rot or tampering. Even on secure media, the ability to store files in a signed format is useful.
3: PGP/gpg is available on many platforms. It isn't just limited to OS X/Windows/Linux. I can write a message on AIX and send it with dtmail or mutt, and the receiver using Windows can read it in Outlook, having it decoded by Symantec's successor of PGP Desktop.
The problem is that PGP, GnuPG, and NetPGP are not flashy. They form a secure foundation, but tend to be forgotten about because a lot of startups want their own, private security solution to sell. I'm glad that GnuPG has gotten funding. I'm also hoping that other OpenPGP implementations get some cash as well, be it NetPGP or even commercial items like Symantec's offering, so that they are kept maintained, just because of how important it is to have a lowest-common-denominator messaging format that works over any messaging protocol.
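As an added illustration of the "crypto format independent of everything else on the stack" point made in the post above (example code written for this page, not from any commenter or from GnuPG itself), here is a small Python reader for an ASCII-armored OpenPGP blob: it strips the armor, checks the RFC 4880 CRC-24 that catches transport corruption or bit rot at the armor layer, and walks the packet headers in both old and new format. The sample bytes are constructed (a User ID packet followed by a Literal Data packet, chosen to exercise both header formats; not a real encrypted message).

```python
import base64
import re

# Subset of RFC 4880 packet tags, enough to label common message contents.
TAGS = {1: "Public-Key Encrypted Session Key", 2: "Signature",
        3: "Symmetric-Key Encrypted Session Key", 6: "Public-Key",
        8: "Compressed Data", 9: "Symmetrically Encrypted Data",
        11: "Literal Data", 13: "User ID",
        18: "Sym. Encrypted Integrity Protected Data"}

# Constructed sample: new-format User ID packet (tag 13, "alice") then an
# old-format Literal Data packet (tag 11, binary, no filename, date 0, "hi").
SAMPLE = b"\xcd\x05alice" + b"\xac\x08b\x00\x00\x00\x00\x00hi"

def crc24(data: bytes) -> int:
    """RFC 4880 section 6.1 CRC-24 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw packets in ASCII armor with the trailing '=' CRC line."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def dearmor(text: str) -> bytes:
    """Strip armor and reject the blob if its CRC-24 does not match."""
    m = re.search(r"-----BEGIN PGP [^\n]+-----\n(?:[^\n]*: [^\n]*\n)*\n"
                  r"(.*?)\n=([A-Za-z0-9+/]{4})\n-----END PGP", text, re.S)
    if not m:
        raise ValueError("no PGP armor found")
    data = base64.b64decode(m.group(1))
    if crc24(data) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        raise ValueError("armor CRC-24 mismatch: blob corrupted in transit")
    return data

def packet_tags(data: bytes) -> list:
    """Walk packet headers; return (tag, name, body_length) per packet."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, var-length length
            tag, l = ctb & 0x3F, data[i + 1]
            if l < 192:
                length, hdr = l, 2
            elif l < 224:
                length, hdr = ((l - 192) << 8) + data[i + 2] + 192, 3
            elif l == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length size in low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        out.append((tag, TAGS.get(tag, "unknown"), length))
        i += hdr + length
    return out

if __name__ == "__main__":
    text = armor(SAMPLE)
    print(text)
    for tag, name, n in packet_tags(dearmor(text)):
        print(f"tag {tag:2d} {name:40s} body {n} bytes")
```

Note that the CRC only detects accidental corruption; tampering is what the signature packet (tag 2) is for, and that check still needs the real implementation (gpg --verify).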
The problem is that this fool licensed GnuPG under the GPL license. No business in their right mind would finance him to build a project using it, as then that software would have to be GPL'd, too.
I think he should develop an MIT licensed version and see how that does.
Slashdot Valentines Beta Massacre: iT WORKED! The boycotts killed Beta!!
I think that's fairly descriptive of the behavior that led to this: Projects like OpenSSL and GPG are used by many people (and big companies), but since it's "not their responsibility", they haven't put any support into them. "I got mine--why should I pay up?" Fortunately, in those cases, highlighting the problem led to an outpouring of support. Those who didn't have direct skin in the game (coders, companies, etc.) brought the problem to light and those who did have skin in the game (as well as others) started supporting the projects. I'm not making a real criticism--it's just the default human herd behavior. But with enough examples of things going wrong, maybe a few people can emulate those people and take up the mission of supporting them to keep this from happening. It sounds like things are already moving in that direction.
Never confuse movement with action. --Hemingway
Wow. That was an amazing thing the community did, and I have to believe slashdot helped. I think it would be great if there were a continuing thread on /. that just focuses on worthy projects that need help.
I think part of the problem is, I wouldn't trust a company that said its product was based on GnuPG, but wouldn't let me look at the source code for the encryption bits. How would you know they hadn't given the NSA a backdoor of some sort?
And MySQL, GCC, busybox, blender, ...
Not really, because there aren't that many projects as important as GNUPG but without a foundation or something backing them up. OpenSSL is probably the next good example, but that's run by a consulting company.
Without GNUPG, no major GNU/Linux distros could securely download updates. It's *the tool* that does digital signatures. It's at least as important as OpenSSL, but in that case there are viable alternatives (e.g. GNUTLS, NSS).
Really, the GNU project needs to spend some more money on maintaining the infrastructure that they sponsor. They'd get quite a bit more money if they had fundraisers directly for core GNU software (e.g. GNUPG / GCC / Bash / libc) development rather than generic funds that might get spent sending their mascot to protest at an Apple store or some nonsense. Activism is great and all, but it's a waste of time if the concrete infrastructure that the movement has built is allowed to rot.
-- The act of censorship is always worse than whatever is being censored. Always.