
Securing the future of GnuPG - edwintorok
https://gnupg.org/
======
sanxiyn
I donated 100 euro.

APT is secured using GnuPG
[https://wiki.debian.org/SecureApt](https://wiki.debian.org/SecureApt) and
that is enough contribution to my peace of mind for me to donate.

~~~
Johnny_Brahms
I donated £50. I use GPG to encrypt every unencrypted incoming email in my
inbox (I'm self hosted) so that nothing is stored unencrypted. I had one
server breach a year ago (due to me not updating...), but thanks to gpg I knew
my mails were secure from prying eyes.

I store the mails unencrypted locally though. Being able to search them is too
useful to give up.

~~~
Nanzikambe
Did you use gpg instead of disk/partition encryption for that scenario?

~~~
maaku
Disk encryption only protects against physical theft of the drive, which is
not the primary concern with most servers. If a server is up 24/7 and I hack
into it, it doesn't matter that the drive is encrypted since I have access to
the decrypted files anyway. Encrypting incoming emails works because the mail
server doesn't really care what the content of the email is, so decryption
keys don't have to be stored on the server.

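The delivery-time scheme the two comments above describe, as an added example that is not part of the thread and not gpgmda's code: a filter that leaves already-encrypted mail alone, otherwise encrypts the whole original to the owner's public key (only the public key sits on the server) and wraps the result as RFC 3156 PGP/MIME. `gpg_encrypt`, the key id placeholder and `SAMPLE_MAIL` are assumptions; `fake_encrypt` stands in for gpg so it runs offline.

```python
import email
import subprocess
from email.message import Message
from email.mime.multipart import MIMEMultipart
from typing import Callable

SAMPLE_MAIL = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"  # constructed sample
               b"Subject: hi\r\nMessage-ID: <1@example.org>\r\n\r\nhello\r\n")

def is_already_encrypted(msg: Message) -> bool:
    """True for PGP/MIME (RFC 3156) or inline-armored mail, so we never double-encrypt."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        body = msg.get_payload(decode=True) or b""
        return body.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")
    return False

def gpg_encrypt(raw: bytes, key_id: str = "PLACEHOLDER-KEY-ID") -> str:
    """Encrypt to a public key via the gpg CLI; the private key never touches the server."""
    cmd = ["gpg", "--batch", "--armor", "--always-trust", "--encrypt", "--recipient", key_id]
    return subprocess.run(cmd, input=raw, capture_output=True, check=True).stdout.decode("ascii")

def wrap_pgp_mime(msg: Message, ciphertext: str) -> MIMEMultipart:
    """Build the RFC 3156 multipart/encrypted container around armored ciphertext."""
    wrapper = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    # Routing headers stay in the clear for filing/threading; Subject is leaked metadata.
    for name in ("From", "To", "Date", "Message-ID", "Subject"):
        if msg[name] is not None:
            wrapper[name] = msg[name]
    control = Message()
    control["Content-Type"] = "application/pgp-encrypted"
    control.set_payload("Version: 1\n")
    data = Message()
    data["Content-Type"] = 'application/octet-stream; name="encrypted.asc"'
    data.set_payload(ciphertext)
    wrapper.attach(control)
    wrapper.attach(data)
    return wrapper

def encrypt_incoming(raw: bytes, encrypt: Callable[[bytes], str] = gpg_encrypt) -> bytes:
    """Delivery-time filter: skip already-encrypted mail, else encrypt headers+body and wrap."""
    msg = email.message_from_bytes(raw)
    if is_already_encrypted(msg):
        return raw
    return wrap_pgp_mime(msg, encrypt(raw)).as_bytes()

def fake_encrypt(raw: bytes) -> str:
    """Stand-in for gpg so the example runs offline; NOT real encryption."""
    return "-----BEGIN PGP MESSAGE-----\n\nhQEMA0NPTlNUUlVDVEVE\n-----END PGP MESSAGE-----\n"
```

Hooked up as a mail delivery agent, `encrypt_incoming(sys.stdin.buffer.read())` with the default `gpg_encrypt` is what would run per message; the filter is idempotent, so re-delivery or forwarding of already-encrypted mail does not nest encryption.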
~~~
gog
Can you give some more information about your setup?

In which phase do you encrypt the email, what tools do you use, etc.

~~~
jakeogh
Here's my over engineered setup:
[https://github.com/jakeogh/gpgmda](https://github.com/jakeogh/gpgmda) It
attempts to also store the metadata encrypted. Admittedly got a bit carried
away trying to hide mtimes.

------
tmikaeld
This is the part that scares me the most when it comes to security related
open source systems, tools and software. What if there is suddenly no
maintainer for a project? If the project is too complex to fork and there is
no one willing to invest in development - would it not leave the door open for
a project to be overtaken/maintained by surveillance authorities themselves?

Also, I get the feeling that most people take projects like these for granted,
shouldn't security companies that rely on these projects at least want to try
and keep them alive by donations?

~~~
nextw33k
I am surprised that the developers don't just seek sponsorship from corporate
entities, especially with distributions which can get given priority support.

Asking the populace to donate seems like a short term fix.

~~~
peterwwillis
It doesn't really make sense for a corporation to fund development outside of
its organization.

First, how would you bill it? Tax-deductible gifts to a charity? To an
individual, at the rate of a salary, to develop and maintain a product you
want to use? Sounds an awful lot like employment. Somebody would need to pay
taxes on it, and then there are the laws in whatever countries you're working to
consider.

Second, there's the immediate lack of benefits to funding someone outside your
company. If you want a particular feature or fix done, you can't demand this
person do it as they don't work for you. And if they quit, you'll have to hire
someone to maintain it anyway, right? And if you need some domain-specific
expertise or customization down the road, you'll again need to hire an expert
for your company. It just makes a whole lot more sense to hire and keep an
expert in-house that maintains the code, rather than gift to some rando some
large chunk of money to work on something without addressing your company-
specific needs.

Third, if you wanted funding, you'd probably have to show you have a board
made up of the companies that fund you and some industry peers, have a
roadmap, processes for discovering, addressing and solving issues, etc...
basically your own little organization to manage everything. Just one guy
doing code isn't necessarily enough for sponsors to take you seriously.

The problem here is that there's just one developer. Open source projects
usually only work if there's many developers working on it a little at a time;
then you don't need to pay full salaries and it won't go into disrepair. But
for whatever reason (stagnation, disrepair, difficulty working with the
community, obsolescence, etc) nobody is interested in working on it or with
them. To me, that's a recipe for disaster: it means there's a 'smell' with
this project, and maybe someone should fork it and do what they want with it
now.

(I actually work and have worked in companies where this has happened...
nobody is going to get funding approved to give money to someone outside their
company for something that would be better served in-house)

~~~
mrsteveman1
It looks like an organization called "g10code GmbH" is in charge of funding
development, not "some rando", and indeed it seems like they're willing to
enter into contracts with companies for development of specific features that
company might need[1].

I don't know how the tax situation for donations works out for a GmbH, but
they seem to be in a similar position as several other open source projects.

Various parties fund Tor development by giving money to "The Tor Project,
Inc.", a 501(c)(3) corporation[2].

The same is true of Freenet, "The Freenet Project Inc", another 501(c)(3) is
in charge of funding development, and Google itself has been among the
entities that have donated[3].

[1] [https://gnupg.org/donate/index.html](https://gnupg.org/donate/index.html)

[2] [https://www.torproject.org/about/findoc/2013-TorProject-Form...](https://www.torproject.org/about/findoc/2013-TorProject-Form990.pdf)

[3]
[https://freenetproject.org/sponsors.html](https://freenetproject.org/sponsors.html)

~~~
dd9jn
A GmbH is similar to a Limited and thus a commercial entity. It is owned by my
brother and me; see [https://gnupg.org/blog/20141214-gnupg-and-g10.html](https://gnupg.org/blog/20141214-gnupg-and-g10.html)

------
otherusername
I always want to donate to such causes, and always the only options are
credit card or paypal. I don't have a credit card and I refuse to use paypal.

Last time Wikipedia asked for donations, they had a nice iDEAL (the online
payment system in the Netherlands) option right there on the first page. I
entered €50,- pressed a button and presto. Done.

Moral of the story: if you want donations, invest some time into making it
super easy to get donations. I can't imagine there isn't some online service
that'll let people pay in just about every possible payment method there is.

~~~
icebraining
Not saying they shouldn't do that, but virtual prepaid CCs are available in
many countries, including in the Netherlands, from what I can gather, like
[https://www.3vcard.nl/](https://www.3vcard.nl/)

~~~
maw
Are they usable in different countries? I know that, unfortunately, some
prepaid CCs issued in the US can't be used in other countries, for instance.
But maybe that's less likely to be the case in Europe, or, really, just about
anywhere else.

~~~
icebraining
Dunno about 3V, but here in Portugal we have a similar system (called MBNet)
and it works fine everywhere. I do all my online shopping with it.

------
mbrubeck
I made a credit card donation through Stripe, but it was declined and flagged
as potential fraud by my credit card company (Amex). I was able to donate
successfully after logging into my credit card web site, verifying that I had
attempted the transaction, and then resubmitting the donation on the GPG site.

So if you get an error message during the donation process, check for messages
from your credit card account.

------
eyeareque
If your company pays Symantec for PGP Desktop, think about switching to GnuPG
related projects. I think a license for a single PGP Desktop copy is $100 USD.
Ask your boss if you can send $100 to GnuPG instead of giving it to Symantec
(because honestly, Symantec PGP Desktop is terrible and buggy software).

------
timtadh
You can also support the development by purchasing a paid support contract
from g10code:
[https://g10code.com/support.html](https://g10code.com/support.html) .

~~~
zymhan
Firefox tells me that page is untrusted. Oh the irony.

------
edwintorok
"Note that despite GnuPG carries an FSF copyright notice, they never funded
the development or hosting costs."
[https://gnupg.org/donate/index.html](https://gnupg.org/donate/index.html)

~~~
PeterWhittaker
I saw that as well and couldn't help but wonder what fraction of their costs
are development and what fraction are hosting. After all, there are free
hosting alternatives for open source projects, e.g., GitHub, so if hosting is
a significant cost, why not simply eliminate it?

------
binwiederhier
Great project. I've been using it for years! Keep up the good work. I just
donated a bit. Hope it helps!

------
peterwwillis
Germany (the government) used to foot part of the development bill. I wonder
if that's changed.

~~~
nwalfield
This is a complicated story. The BND's priorities have changed (they are now
migrating to Windows internally instead of GNU/Linux). FOSS is also a lower
priority. See this video from the German Bundestag about funding GPG and
related projects: [http://vimeo.com/111715711](http://vimeo.com/111715711) .
(TLDR: We already gave them some money. Others should step in and cover the
bill.)

~~~
tormeh
>they are now migrating to Windows internally instead of GNU/Linux

Do you know why? Is it because it just makes it more convenient for everyone
if the BND just gives the NSA access to their machines directly? I'm not even
completely joking. What could possibly be the rationale for doing that?

~~~
dd9jn
Politics, internal power struggles, all the usual things in an administration.
I also heard this is not yet set in stone and may change again with their next
president. BTW, he meant the BSI (Federal IT security agency) and not the BND
(foreign secret service, aka the CIA's German stable lads).

------
wvh
Maybe they should do a crowd funding campaign, if anything those requests seem
to get more media attention and hence momentum. Lots of people use GnuPG
indirectly ("infrastructurally" if that's a word...) and might simply not
think of donating because of the project's low visibility as a tool in or
component of a larger system.

~~~
mrsteveman1
You mean another one? Wouldn't be such a bad idea, they have done that in the
past according to this[1] blog post, and it seems to have been incredibly
successful: "36.741 EUR raised out of 24.000 target".

[1] [https://gnupg.org/blog/20140206-crowdfunding-complete.html](https://gnupg.org/blog/20140206-crowdfunding-complete.html)

~~~
dd9jn
For a more complete view you may also want to read
[https://gnupg.org/blog/20140512-rewards-sent.html](https://gnupg.org/blog/20140512-rewards-sent.html) . Maybe I picked
a non-optimal campaign manager.

------
imglorp
Sheesh.

    >   Goteo fee   2939
    >   Paypal fees 1152

They would really benefit from taking bitcoin.

~~~
eli
I have a corporate credit card but not a corporate bitcoin account.

~~~
Fuxy
I have 1 bitcoin for just these occasions.

They say on their page they are not tax exempt so I don't mind using that if
it reduces the amount of fees they have to pay.

