GnuPG Gets Back On Track With Funding 51
jones_supa writes: Soon after the poor state of the GnuPG was unveiled, the online community has rallied to help Werner Koch. He wanted to hire a full-time programmer to work on the project alongside him and to ensure that he's not living on the brink of bankruptcy all the time. Immediately after the article was published, it was revealed that he got a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Also, the community donated over $150,000, and Facebook and Stripe have each pledged to provide $50,000 per year. All in all, it looks like Werner Koch won't be worried about funding for quite some time. The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
Re:Would love grant too (Score:5, Insightful)
In all seriousness, some of those funding systems like Kickstarter seem like they'd be a good fit for many open-source projects. Pay a programmer for a couple of years or pay two programmers for a year to get a fresh major release version paid-for.
Patron of software projects (Score:1)
Something like Patreon should be set up for software projects.
OpenSSL, GnuPG, ... (Score:5, Insightful)
Funny how these projects are crypto-related. As in: so shockingly important crypto, they form the basis for most of the security we enjoy on the Internet.
Funny, that. Just saying.
Re:OpenSSL, GnuPG, ... (Score:5, Interesting)
GnuPG is a civilian crypto initiative. There are plenty of well-funded military crypto initiatives with highly-trained specialists who have amazing resources at their disposal. Civilians, not so much.
Crypto is hard to do right, and it takes very, very specialized mathematical knowledge that takes resources and time to master but doesn't offer much in the way of careers in the civilian world. Most of the software development community focuses on other areas: they do their own things very well, but they don't have the math to implement good crypto on their own, which is why we have the mantra, "Don't try to roll your own crypto." In practical terms, that means that cypto software developers are a rare breed who have invested a lot in expertise that won't pay off for them in financial terms in the civilian world, but they're also indispensable.
That makes them potential points of failure, since knocking out a few, by offering them incentives to work in other fields instead of their own or to weaken their crypto, means weakening the development community as a whole by slowing work on crypto libraries that can be used by the rest of the community. OpenSSL's failures have demonstrated that institutionalizing the point of failure to stabilize the resources available to a crypto programming group doesn't necessarily reinforce or remediate the potential point of failure. This is a big problem, one without an easy solution.
Re: (Score:3)
Re: (Score:3)
Every e-mail client(desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail - pressure from various governments?
Maybe it's the fact that if your email is encrypted as it passes through Google, they can't data mine it. Since that is the Raison d'etre for gmail, it would kind of defeat the whole purpose.
Re: (Score:2)
Every e-mail client(desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail
Well it might not be a priority for them because they know you can just use a desktop client that already has gpg and S/MIME support with gmail
Being a customer of a bank should mean I get an authenticated PGP/GPG key or an X.509 key when I open an account.
I agree.
Right now in GPG4Win, there's no way to generate a revocation key from the Kleopatra GUI - I gotta do it from the command line.
It doesn't? (checks the Linux version) It doesn't on Linux either, that's a big missing feature. The Kleopatra docs say to use kgpg to do that, but that's no help for gpg4win users.
Re: (Score:2)
They're on it, actually. Feel free to help.
http://googleonlinesecurity.bl... [blogspot.com]
Re: (Score:2)
Also, forgot to mention the original reason I meant to reply to your post...
The theoretical work has already been done for the encryption techniques that we use, but the methods we use are completely arbitrary -- there is no "right answer" to encryption. And things like RSA have not really been proven to be unbreakable; they've just withstood known attempts to crack. Known attempts. It's important that research continues in strengthening encryption beyond simply lengthening keys and/or permutations.
BTW,
Re:Why need money? (Score:5, Insightful)
Why would he mysteriously need money when everything is free?
Your misunderstanding of Free software is... staggering.
are we sure he's not pocketing the money?
I'm sure that he is pocketing it, then quickly depocketing it for mortgage/rent, food, heat, transportation, etc, etc ad nauseum.
Re:Why need money? (Score:4, Insightful)
Occam's Razor: he knows perfectly well what's going on and is taking the piss.
Re: (Score:1)
You have one life to live. Unless you're the sort of person to believe in re-incartion, in which case nothing (logic included) are going to apply to you.
In that one life you have a certain amount of time to accomplish the things you want to accomplish. GNUPG is still free...people's time is NOT. It's a COST that goes into the development of free software that people like you get to enjoy without ever contributing anything back other than snarky, ignorant remarks on Slashdot. "Free things don't cost anything
Re:Why need money? (Score:4, Interesting)
The problem is that this fool licensed GnuPG under the GPL license. No business in their right mind would finance him to build a project using it, as then that software would have to be GPL'd, too.
I think he should develop an MIT licensed version and see how that does.
Re: (Score:3, Insightful)
I think part of the problem is, I wouldn't trust a company that said it's product was based on GnuPG, but wouldn't let me look at the source code for the encryption bits. How would you know they hadn't given the NSA a backdoor of some sort?
Re: (Score:3)
And MySQL, GCC, busybox, blender, ...
Re: (Score:1)
For better or for worst, those aren't one-man operations, either, but mostly run by foundations with overarching missions and established donors or corporations with deep pockets. They utilize the GPL not as a freedom device but as a control: OPEN SOURCE YOUR CODE UNDER THE GPL *or* PAY US LOTS OF MONEY FOR A COMMERCIAL LICENSE [if we even let you! wahahahaa!]
Re: (Score:2)
You have heard of a little institution called the stock market, right? It's precisely how companies acquire more cash even when overflowing with billions.
As for GnuPG, I am very glad to see that the community realized the importance of his work. It probably should have been funded years ago.
Re:in trouble.. (Score:5, Interesting)
If one thinks about it, there are really few crypto products out there that are open source, trustworthy, and independent. GnuPG is one effort. NetPGP is another.
The reason why OpenPGP implementations are important is for a number of reasons:
1: They are the top-most layer of communications. For example, if I get an encrypted E-mail, it doesn't matter what my MUA is, and if there are hooks in it for viewing OpenPGP packets. Worst case, I copy the .asc blob or attachment and paste it to decrypt it. By having a crypto format independent of everything else on the stack (the mail program, the network protocols, the mail server, etc.), the messages are encrypted and can't be tampered with unless the endpoint is compromised. A bad SSL key, compromised Exchange mailbox, or other items don't matter. Plus, OpenPGP packets can be sent over any message system. AIM? Just fine. FB PM? Assuming FB doesn't consider it spam and toss it. A USENET post on alt.anonymous.messages? Works.
There are a lot of people trying to bundle encryption with their own messaging protocol, but having it separate, with the key management and web of trust not reliant on one company or organization is important. Being forced to trust CAs only results in DigiNotar hacks eventually, while a WoT tends to be more robust.
2: For long term storage on insecure media, using OpenPGP packets is a useful tool. Using PGP/GPG keys for securing files not just makes it impossible for an attacker to try brute forcing passwords, but also allows for one to check signatures (assuming a sign after encryption) to check for bit rot or tampering. Even secure media, the ability to store files in a signed format is useful.
3: PGP/gpg is available on many platforms. It isn't just limited to OS X/Windows/Linux. I can write a message on AIX and sent it with dtmail or mutt, and the receiver using Windows can read it in Outlook, having it decoded by Symantec's successor of PGP Desktop.
The problem is that PGP, gnuPG, and NetPGP are not flashy. They form a secure foundation, but tend to be forgotten about because a lot of startups want their own, private security solution to sell. I'm glad that GnuPG has gotten funding. I'm also hoping that other OpenPGP implementations get some cash as well, be it NetPGP, and even commercial items like Symantec's offering keep maintained, just because of how important it is to have a lowest-common-denominator messaging format that works over any messaging protocol.
Core Infrastructure Initiative (Score:5, Informative)
This is exactly the kind of thing Core Infrastructure Initiative is meant to help with and I'm happy to see it being used for gpg. Anyone with an underfunded Open Source project that is in wide use can apply for a grant from http://www.linuxfoundation.org... [linuxfoundation.org]. There's no need to wait until you are in dire straits.
before they get in trouble, and not after. (Score:5, Insightful)
Software in the Public Interest [spi-inc.org] is in a unique place to act as an information clearing house, conduit and "amalgamator" for this problem.
Is there a good 'clearinghouse' for this? (Score:4, Interesting)
As with OpenBSD a while back, it was pretty much 100% everything-as-normal until "Boom, out of money, game over, man, game over." followed by a last minute fundraiser.
There are plenty of projects, GnuPG among them(and OpenBSD, at that time), that I'd be happy to assist; but I don't really have the slightest idea of who is A-OK, who could use some more money in an ideal world, and who is about to burn out and quit for lack of resources.
Is there any sort of mechanism in place, or under discussion, for making resource needs more visible before they become emergencies?
Re:Is there a good 'clearinghouse' for this? (Score:4, Interesting)
Imagine a database website where you could see the current year's funding target and amount collected, for each open source project.
ExtremelyImportantLibrary [||||||||||] $1200 / $1000 (target reached) [donate now]
VideoCruncher [||--------] $145 / $600 [donate now]
GizmoPanel [----------] $10 / $500 [donate now]
The GNU project needs money! (Score:4, Informative)
The developers who work on the heart of the operating system are badly funded and its getting worse.
Please consider donating:
https://my.fsf.org/donate/
* The FSF "sponsors" the project, but doesn't have the resources to properly fund it. You can help change that indirectly by donating to the FSF. There are many GNU pieces that need more attention and one of the reasons that many projects are in poor shape is because people are letting politics get in the way.
Re: (Score:2)
Re: (Score:1)
Why invest in coders when we can invest in outreach programs like GNOME does?
Re: (Score:3)
That's due to US non-profit rules. That is, by US law (and the IRS) non-profits can have educational missions, but can't produce anything that's of direct benefit to for-profit companies. Since FOSS software can be used by for-profits and not just by non-profits, creating FOSS software can't be the primary mission of a non-profit. That's why the Apache Foundation, GNOME Foundation, etc., are non-profits set up to educate and promote, but can't directly fund development of the FOSS software. Yeah, seems a li
Re: (Score:1)
GNU is abandonware, which is fine in and of itself. However, abandonware under a GPL license discourages corporate sponsorship.
End result: the nix systems we know and love from 10 years ago will be the same exact systems we know and love 20 years from now.
XFCE anyone? (Score:3, Informative)
The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
I was thinking if XFCE could use some help? A lot of people like it, but the project seems to be greatly underresourced and the development is very slow. It seems that they have a Bountysource page [bountysource.com] set up already.
Tragedy of the Commons (Score:3)
Re: (Score:2)
Given how many people have given when asked, it's less, "tragedy of the commons" and more "tragedy for not asking" which is understandable. In the west we think it's bad taste to ask for money. Even if there's some output in return some people consider it begging.
Good use of /. (Score:5, Interesting)
There's not much that's "as important" as GPG (Score:3)
Not really, because there aren't that many projects as important as GNUPG but without a foundation or something backing them up. OpenSSL is probably the next good example, but that's run by a consulting company.
Without GNUPG, no major GNU/Linux distros could security download updates. It's *the tool* that does digital signatures. It's at least as important as OpenSSL, but in that case there are viable alternatives (e.g. GNUTLS, NSS).
Really, the GNU project needs to spend some more money on maintaining the infrastructure that they sponsor. They'd get quite a bit more money if the had fundraisers directly for core GNU software (e.g. GNUPG / GCC / Bash / libc) development rather than generic funds that might get spent sending their mascott to protest at an Apple store or some nonsense. Activism is great and all, but it's a waste of time if the concrete infrastructure that the movement has built is allowed to rot.