
GnuPG Gets Back On Track With Funding

jones_supa writes: Soon after the poor state of GnuPG was unveiled, the online community rallied to help Werner Koch. He wanted to hire a full-time programmer to work on the project alongside him and to ensure that he's not living on the brink of bankruptcy all the time. Immediately after the article was published, it was revealed that he got a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Also, the community donated over $150,000, and Facebook and Stripe have each pledged to provide $50,000 per year. All in all, it looks like Werner Koch won't be worried about funding for quite some time. The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.
  • Something like Patreon should be set up for software projects.

  • by Noryungi ( 70322 ) on Friday February 06, 2015 @11:46AM (#48998707) Homepage Journal

    Funny how these projects are crypto-related. As in: so shockingly important crypto, they form the basis for most of the security we enjoy on the Internet.

    Funny, that. Just saying.

    • by Anonymous Coward on Friday February 06, 2015 @12:38PM (#48999179)

      GnuPG is a civilian crypto initiative. There are plenty of well-funded military crypto initiatives with highly-trained specialists who have amazing resources at their disposal. Civilians, not so much.

      Crypto is hard to do right, and it takes very, very specialized mathematical knowledge that takes resources and time to master but doesn't offer much in the way of careers in the civilian world. Most of the software development community focuses on other areas: they do their own things very well, but they don't have the math to implement good crypto on their own, which is why we have the mantra, "Don't try to roll your own crypto." In practical terms, that means that crypto software developers are a rare breed who have invested a lot in expertise that won't pay off for them in financial terms in the civilian world, but they're also indispensable.

      That makes them potential points of failure, since knocking out a few, by offering them incentives to work in other fields instead of their own or to weaken their crypto, means weakening the development community as a whole by slowing work on crypto libraries that can be used by the rest of the community. OpenSSL's failures have demonstrated that institutionalizing the point of failure to stabilize the resources available to a crypto programming group doesn't necessarily reinforce or remediate the potential point of failure. This is a big problem, one without an easy solution.

      • Comment removed based on user account deletion
        • Every e-mail client (desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail - pressure from various governments?

          Maybe it's the fact that if your email is encrypted as it passes through Google, they can't data mine it. Since that is the raison d'être for Gmail, it would kind of defeat the whole purpose.

        • Every e-mail client (desktop and mobile) should have S/MIME and GnuPG integrated in - including Gmail, Yahoo and the various ISP web clients. What's taking Google so long for Gmail

          Well, it might not be a priority for them because they know you can just use a desktop client that already has gpg and S/MIME support with Gmail.

          Being a customer of a bank should mean I get an authenticated PGP/GPG key or an X.509 key when I open an account.

          I agree.

          Right now in GPG4Win, there's no way to generate a revocation key from the Kleopatra GUI - I gotta do it from the command line.

          It doesn't? (checks the Linux version) It doesn't on Linux either, that's a big missing feature. The Kleopatra docs say to use kgpg to do that, but that's no help for gpg4win users.

        • What's taking Google so long for Gmail - pressure from various governments?

          They're on it, actually. Feel free to help.

          http://googleonlinesecurity.bl... [blogspot.com]

        • Also, forgot to mention the original reason I meant to reply to your post...

          The theoretical work has already been done for the encryption techniques that we use, but the methods we use are completely arbitrary -- there is no "right answer" to encryption. And things like RSA have not really been proven to be unbreakable; they've just withstood known attempts to crack. Known attempts. It's important that research continues in strengthening encryption beyond simply lengthening keys and/or permutations.

          BTW,

  • by millert ( 10803 ) on Friday February 06, 2015 @11:59AM (#48998819) Homepage

    This is exactly the kind of thing Core Infrastructure Initiative is meant to help with and I'm happy to see it being used for gpg. Anyone with an underfunded Open Source project that is in wide use can apply for a grant from http://www.linuxfoundation.org... [linuxfoundation.org]. There's no need to wait until you are in dire straits.

  • by Nutria ( 679911 ) on Friday February 06, 2015 @12:03PM (#48998853)

    Software in the Public Interest [spi-inc.org] is in a unique place to act as an information clearing house, conduit and "amalgamator" for this problem.

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday February 06, 2015 @12:04PM (#48998861) Journal
    At least in part, this problem seems to be down to a lack of any sort of way (short of investigative journalism for every project you are interested in) of being able to see what the funding situation is.

    As with OpenBSD a while back, it was pretty much 100% everything-as-normal until "Boom, out of money, game over, man, game over." followed by a last minute fundraiser.

    There are plenty of projects, GnuPG among them (and OpenBSD, at that time), that I'd be happy to assist; but I don't really have the slightest idea of who is A-OK, who could use some more money in an ideal world, and who is about to burn out and quit for lack of resources.

    Is there any sort of mechanism in place, or under discussion, for making resource needs more visible before they become emergencies?
  • by Anonymous Coward on Friday February 06, 2015 @12:29PM (#48999069)

    The developers who work on the heart of the operating system are badly funded and it's getting worse.

    Please consider donating:

    https://my.fsf.org/donate/

    * The FSF "sponsors" the project, but doesn't have the resources to properly fund it. You can help change that indirectly by donating to the FSF. There are many GNU pieces that need more attention and one of the reasons that many projects are in poor shape is because people are letting politics get in the way.

    • This is true and the need is increasing as software becomes more complex. A 50k-lines-of-code project is a small one these days. Among full-time developers, resources for proper quality assurance are sorely needed and unfortunately it's starting to show already.
    • Why invest in coders when we can invest in outreach programs like GNOME does?

      • by laird ( 2705 )

        That's due to US non-profit rules. That is, by US law (and the IRS) non-profits can have educational missions, but can't produce anything that's of direct benefit to for-profit companies. Since FOSS software can be used by for-profits and not just by non-profits, creating FOSS software can't be the primary mission of a non-profit. That's why the Apache Foundation, GNOME Foundation, etc., are non-profits set up to educate and promote, but can't directly fund development of the FOSS software. Yeah, seems a li

    • GNU is abandonware, which is fine in and of itself. However, abandonware under a GPL license discourages corporate sponsorship.

      End result: the nix systems we know and love from 10 years ago will be the same exact systems we know and love 20 years from now.

  • XFCE anyone?

    by Anonymous Coward on Friday February 06, 2015 @12:56PM (#48999405)

    The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.

    I was thinking if XFCE could use some help? A lot of people like it, but the project seems to be greatly under-resourced and the development is very slow. It seems that they have a Bountysource page [bountysource.com] set up already.

  • by happyslayer ( 750738 ) <david@isisltd.com> on Friday February 06, 2015 @01:16PM (#48999623)
    I think that's fairly descriptive of the behavior that led to this: Projects like OpenSSL and GPG are used by many people (and big companies), but since it's "not their responsibility", they haven't put any support into them. "I got mine--why should I pay up?" Fortunately, in those cases, highlighting the problem led to an outpouring of support. Those who didn't have direct skin in the game (coders, companies, etc.) brought the problem to light and those who did have skin in the game (as well as others) started supporting the projects. I'm not making a real criticism--it's just the default human herd behavior. But with enough examples of things going wrong, maybe a few people can emulate those people and take up the mission of supporting them to keep this from happening. It sounds like things are already moving in that direction.
    • Given how many people have given when asked, it's less, "tragedy of the commons" and more "tragedy for not asking" which is understandable. In the west we think it's bad taste to ask for money. Even if there's some output in return some people consider it begging.

  • Good use of /.

    by iritant ( 156271 ) <lear&ofcourseimright,com> on Friday February 06, 2015 @01:44PM (#48999913) Homepage
    Wow. That was an amazing thing the community did, and I have to believe Slashdot helped. I think it would be great if there were a continuing thread on /. that just focuses on worthy projects that need help.
  • The problem remains: it's very likely that other projects just as important as this one are probably facing the same kind of issues, but it would be nice to hear about them before they get in trouble, and not after.

    Not really, because there aren't that many projects as important as GNUPG but without a foundation or something backing them up. OpenSSL is probably the next good example, but that's run by a consulting company.

    Without GNUPG, no major GNU/Linux distros could securely download updates. It's *the tool* that does digital signatures. It's at least as important as OpenSSL, but in that case there are viable alternatives (e.g. GNUTLS, NSS).

    Really, the GNU project needs to spend some more money on maintaining the infrastructure that they sponsor. They'd get quite a bit more money if they had fundraisers directly for core GNU software (e.g. GNUPG / GCC / Bash / libc) development rather than generic funds that might get spent sending their mascot to protest at an Apple store or some nonsense. Activism is great and all, but it's a waste of time if the concrete infrastructure that the movement has built is allowed to rot.
