
Email Encryption Software Relies on One Guy, Who Is Going Broke - r0h1n
http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke
======
agwa
Calling GnuPG "email encryption software" really understates its importance.
It's also used in countless applications to encrypt data at rest, and GPG
signatures are used to secure the distribution of software. For instance, GPG
is an essential part of the package managers of Debian, Ubuntu, and RedHat.

Here is a link to the donation page:
[https://gnupg.org/donate/index.html](https://gnupg.org/donate/index.html)

~~~
gandalfu
Thanks for the link, just donated!

~~~
takluyver
Watching the bar on the GnuPG homepage is pretty encouraging. Since the
article was written, we've donated nearly €30k more. It looks like the problem
was that people hadn't heard about it, not that we're all too selfish to
donate.

I just chipped in $25.

Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way
to the funding target.

~~~
acqq
It still progresses, now (21:47 UTC) only 12% left to the target.

~~~
jpatokal
Target exceeded, and I don't think this even includes the EUR 100k from Stripe
& Facebook.

------
seizethecheese
Apparently Stripe and Facebook just stepped in to pledge $50K/year each.

[https://twitter.com/stripe/status/563449352635432960](https://twitter.com/stripe/status/563449352635432960)

~~~
tdicola
That's awesome, but it's weird to me that Facebook, etc. will happily pay a
senior engineer a total compensation of $200k+ yet only pledge $50k for the
maintainer of a critical tool. Not trying to look a gift horse in the mouth
here, just odd perception of the priorities here.

~~~
72deluxe
Out of interest, what does this senior engineer have to do? Is it C++ or PHP?

EDIT: Someone downvoted me, not sure why, but I am genuinely curious what the
senior engineer does?

~~~
conradk
I'd guess that whoever downvoted you thought this was a troll meant to start a
flamewar with C++ vs. PHP and whether one or the other is more difficult (read
"better" or "a real language").

It's interesting to note though, that Facebook does use PHP _and_ C++
extensively. And Facebook maintains a large number of open source PHP _and_
C++ projects. So I suppose that some Facebook engineers are more involved with
PHP and some more involved with C++.

But more importantly, I don't think Facebook engineers are bound to a
technology. They think about how to solve problems. If PHP is the best tool to
solve a problem, they'll use that. If it's C++, they'll use that instead.

~~~
72deluxe
Ah I hadn't thought of that about the flamewar. I use both languages (now
mainly C++ as I don't need to use PHP for the stuff I am writing anymore).

You're right about them using the right tool for the job - their entire HipHop
etc. (whatever it is called now) creations to convert PHP to C++ and run a C++
web server are a good indication of this. Good point!

------
teamhappy
I've been complaining about this on HN before; lots of startups built chat
apps on top of GPG during the whole Snowden thing and Werner can't raise
$120,000.

I'm really glad Pro Publica picked it up, but I also think _we_ need to change
the way _we_ think about critical software like GPG. The GPG Tools team (GPG
for Apple Mail) recently stated they need to charge for the tool in the future
because they simply can't handle the amount of work anymore (it's still GPL) —
the response from _us_ was nothing but outrage.

// I just realized all of this is mentioned in the article. My bad.

~~~
unfamiliar
> I also think we need to change the way we think about critical software like
> GPG

Maybe the lesson here is not to license important software under such
permissive licenses. Make it open source and free for non-commercial, require
a donation if it is used in a commercial product. I don't really see how you
can give something away for free and then expect companies to volunteer to pay
for it.

~~~
takluyver
> open source and free for non-commercial, require a donation if it is used in
> a commercial product

Every serious definition of 'open source' or 'free software' says that you
can't discriminate by field of endeavour - if you have one set of rules for
commercial use and one for non-commercial use, it's not really open source.
And the nature of donations is that you can't require them.

That's not to say that you can't build a business model around open source
software. You can charge for pre-built binaries, you can charge for exceptions
to the GPL license to build proprietary software with it (this is what Qt used
to do), or you can charge for services associated with the code (e.g. running
a hosted service). You can even technically charge for the code itself, though
since anyone who buys it can resell it or give it away, that sounds
precarious.

~~~
teamhappy
Nope.

We call it Free _and_ Open Source Software for a reason. Open Source means the
code is open (i.e., you can study it), Free means it's licensed under a Free
Software license (it doesn't necessarily mean free of charge).

People usually omit the "Free and" part when they talk about FOSS.

[https://en.wikipedia.org/wiki/Free_and_open-source_software](https://en.wikipedia.org/wiki/Free_and_open-source_software)

// Anybody want to tell me why you vote me down? Am I wrong?

~~~
TillE
Almost nobody would call merely viewable source "open source". Certainly not
the OSI.

~~~
teamhappy
I see. I call that free software, because "having access to the source code"
is part of free software licenses.

The kind of "open source" I was talking about is source code that is released
under a non-free software license. What do we call that?

---

@alexvoda "it's not really open source" is the part I tried to contradict. I
may have been wrong though.

~~~
JoshTriplett
> The kind of "open source" I was talking about is source code that is
> released under a non-free software license. What do we call that?

"obnoxious".

More seriously, typically something like "look but don't touch", or
"proprietary with source available", or "source available under a restrictive
license". Microsoft used to call it "shared source", and that term still has
those connotations too.

Definitely not "open source", though; that means more than just "has source
available".

~~~
teamhappy
It's common practice in the game industry to license/pay for access to the
source code. Whether you end up changing it or not is up to you, but at least
you have a choice. This might not be true for Microsoft's "public" source
code. I don't know. It looks like we're talking about two very different
domains.

The Unreal Engine is an example for this kind of business model on a large
scale. KoboldTouch (used to be?) an example for the same on a very, very small
scale (less than 5 people). I really don't see anything "obnoxious" about it.

~~~
JoshTriplett
> It's common practice in the game industry to license/pay for access to the
> source code. Whether you end up changing it or not is up to you, but at
> least you have a choice. This might not be true for Microsoft's "public"
> source code. I don't know. It looks like we're talking about two very
> different domains.

Yeah, that's a very different case. It's indeed moderately common for
proprietary software frameworks/engines to include source, so that their
paying customers can modify and redistribute, but cannot redistribute in
source form (modified or otherwise). That's not any more obnoxious than any
other kind of proprietary software distribution, and I wouldn't call it "look
but don't touch", though it certainly isn't open source _or_ free software.

The case I'm talking about is software with publicly available source, but
under a restrictive license that doesn't satisfy the OSI or FSF or DFSG
definitions. For instance, many random projects on github that don't bother
applying a license, or rar (the archive format implementation), or tarsnap, or
the _extremely_ obnoxious JSON license.

------
smcl
I had no idea this project (and others) had so few contributors. I'd love to
be involved in some Open Source project but I always feel like "yeh there's
probably millions of people far more talented than me wanting to contribute"
and I've no idea how to start. Some people suggest taking a look at the open
bug lists for software you use frequently, but on the few occasions I've tried
that (python, gcc, and a couple of others) I've ended up digging through lists
of tough bugs each with fairly impressive sounding discussions by people who
are way more familiar with the whole ecosystem than I am and it's sort of
intimidating.

I did manage to do some isolated contributions to Open Corporates
([http://turbot.opencorporates.com](http://turbot.opencorporates.com)) where
the community are super-welcoming and very patient, but I've felt a little
isolated and like I'm not exactly giving much back. Apologies for the mildly
OT rambling.

~~~
pyre
> I've ended up digging through lists of tough bugs each with fairly
> impressive sounding discussions by people who are way more familiar with the
> whole ecosystem than I am and it's sort of intimidating.

Sometimes it's small things, like documentation. For example:

[http://bugs.python.org/issue17701](http://bugs.python.org/issue17701)

~~~
shackenberg
Good point, but you have to admit that the site does not look inviting at all
and that a novice has no idea where to start.

~~~
bloodorange
[https://www.mozilla.org/en-US/contribute/](https://www.mozilla.org/en-US/contribute/)

Mozilla is quite friendly and makes it easy to contribute. I've had quite a
pleasant experience whenever I tried to make a contribution.

------
lawl
I think the biggest problem is visibility for these projects. They need to be
louder. In the case of openssl, I had no idea that they were severely
underfunded (until heartbleed).

Same for GPG until now. I didn't hear they asked for donations.

And I doubt I'm the only one. So I quickly checked if maybe this was big on HN
at a point and I just missed it.

[https://hn.algolia.com/?query=GPG%20donation&sort=byPopulari...](https://hn.algolia.com/?query=GPG%20donation&sort=byPopularity&prefix&page=0&dateRange=all&type=story)
[https://hn.algolia.com/?query=GPG%20fund&sort=byPopularity&p...](https://hn.algolia.com/?query=GPG%20fund&sort=byPopularity&prefix&page=0&dateRange=all&type=story)
[https://hn.algolia.com/?query=GPG%20money&sort=byPopularity&...](https://hn.algolia.com/?query=GPG%20money&sort=byPopularity&prefix=false&page=0&dateRange=all&type=story)

Nope. It's not just me.

If not even the most technical people (that actually know what GPG and openssl
are without looking it up) don't hear about this, how are regular people going
to find out where to throw their donations at?

I think people would donate if they knew about it. I'm going to send this guy
$100 and consider it a license fee, because he deserves it.

~~~
malandrew
I'm wondering if there is a meta-donation page that lists a bunch of the most
important open source projects, how you can donate to them and their yearly
funding goals (and how many developers are being supported).

~~~
takluyver
That could be an interesting project for someone. I suspect the hardest bit
would be how you determine which projects are most important or most deserving
of donations. As soon as money is involved, people will try to game it and
spam it.

~~~
gglon
I think the simplest method would be to consider the total amount of donated
money.

~~~
takluyver
As in projects that are attracting lots of donations are probably important?
Or as in projects that aren't getting many donations probably need more?

------
ChuckMcM
I wonder sometimes if this is the legacy that RMS was thinking about.
Sometimes, in my more cynical moments, it seems like we have somehow managed
to trick a whole generation of programmers into giving "free stuff" to the
world, enabling the creation of the very successful mega corporations which
have then kept the value for themselves.

Would it be impossible to create some sort of stipend program at FSF? After
all the creation and maintenance of software is allowed to cost money under
the GPL.

~~~
jordigh
> I wonder sometimes if this is the legacy that RMS was thinking about.

No.

Free software was never about no money being involved. In fact, RMS himself
used to get a lot of money by selling free software. Back in the day when
Emacs was too big for the internet, RMS used to sell Emacs tapes at 100 USD
each (with documentation and source code, of course).

In fact, he still thinks that you should be charging money for distributing
free software:

> Distributing free software is an opportunity to raise funds for
> development. Don't waste it!

[https://www.gnu.org/philosophy/selling.html](https://www.gnu.org/philosophy/selling.html)

He also thinks selling exceptions to the GPL is another good way to support
yourself. FFTW and Qt are two prominent projects I can think of that did this.

[https://www.fsf.org/blogs/rms/selling-exceptions](https://www.fsf.org/blogs/rms/selling-exceptions)

The GPL itself is anti-freeloading. We give you the code, you can do whatever
you want with it, but if you want to build on top of ours, you have to give
back. It's all about levelling the playing field for everyone.

I have really hoped that the current app store model would turn out to be a
great way to sell free software. A convenient way to pay, and you can download
and install whatever you want. Optionally, you can have a link to the source
code.

Sadly, it doesn't seem to be happening this way. I don't understand why not.
Perhaps I too am being too idealistic.

~~~
gabemart
> I have really hoped that the current app store model would turn out to be a
> great way to sell free software. A convenient way to pay, and you can
> download and install whatever you want. Optionally, you can have a link to
> the source code.

> Sadly, it doesn't seem to be happening this way. I don't understand why not.
> Perhaps I too am being too idealistic.

As an indie app developer, I already struggle with people ripping off my apps
and publishing them in various app marketplaces under similar or identical
names, or taking my web app, wrapping it and charging money for it.

I have to imagine that if I used a free software licence, this would happen a
lot more, and I wouldn't be able to issue takedown requests. Someone searching
for the name of my app might find five or ten similar or identical looking
results and have no idea which is mine. These other results might serve ads,
track user behavior, gather personal information or perform other anti-user
operations, leveraging the popular reputation my apps have built to do so.

~~~
jordigh
I think issuing trademark infringement notices is fine as far as handling
this problem for free software.

If people want to bundle "my" GNU Octave and modify it to randomly delete the
user's hard drive, that's ok. Free software allows this. Just don't call it GNU
Octave, call it GNU DiskDestroyer or something.

------
yegg
We are collecting nominations for our DuckDuckGo yearly FOSS donations at
[https://duck.co/forum/thread/11753/foss-donation-nominations...](https://duck.co/forum/thread/11753/foss-donation-nominations-2015-edition).
The theme this year is mainstream privacy. This
seems to fit well and we'd welcome others. Donations will go out soon.

------
minopret
Can someone explain why GPG in the person of Werner Koch isn't substantially
funded under FSFE?

My first thought was the Software Freedom Conservancy. The only reasons I see
for them not to take GPG under their wing are lack of will (but why?), sense
of funding priorities (but why?), or the possibility that some GPG
constituents would be concerned about associating GPG strongly with a US-based
organization.

~~~
drzaiusapelord
Because this article is misleading. Apparently, Koch has been subsidized by
the German government and thus felt no need to use the FSFE. Secondly, gpg
isn't really used for enterprise email; S/MIME is, or commercial PGP.

There's a history of Koch that is pretty ugly. He tried to start a consulting
company with said government money and seems to have a "pay me to fix bugs"
attitude. This breathless "omg must donate now" sentiment dominant here is
highly questionable.

gpg should be under and funded by FSFE, not via begging for donations and
German government funding.

~~~
skj
I have that "pay me to fix bugs" attitude, too. After all, my chosen
profession is software developer and one of the things my employer pays me to
do is fix bugs.

------
mseebach
Given the general scarcity of talent in the business, it should really be
trivial for a high end IT security consultancy to pay Werner a €3000/month
(i.e. enough to live on, if not extravagantly) retainer to be available ~10
hours a month to consult on encryption matters (or something like that).

I wonder if it all really comes down to "Really I am better at programming
than this business stuff." or if there is some unstated dogmatism that gets in
the way.

It seems to me there's a parallel to someone like Moxie Marlinspike who's
vaguely in the same field, but seems to be doing very well for himself.

~~~
tptacek
The task of maintaining GPG isn't principally cryptographic. GPG is one of
those classic un-fun projects that the open source community is notorious for
neglecting. So the problem isn't finding and funding cryptographic experts to
work on it; the problem is finding _Werner Koches_ who are willing to take on
the slog of making sure GPG continues to work.

Look at how many crappy, trivially broken crypto messaging systems are posted
to HN every year. Some of them even get funded! Nobody _wants_ to work on GPG,
which makes what Koch is doing even more important.

~~~
mseebach
Whether the work is "principally cryptographic" or not means fantastically
little for its business value; what matters is that the fraction of the value
Werner is capturing is almost unmeasurably small. What Werner needs isn't
donations, it's a vehicle for capturing some of the value he's creating.

The idea I suggested (a consultancy retainer) is a way of converting his name
into cash. At 10 hours a month, his function would mostly be limited to the
company being able to say that he works for them, maybe have him join some
high-level meetings, more than actually doing programming for clients.

You're in the general security business, you seem to be pretty good at
business in general: don't you know someone who could turn hiring Werner and
two devs to work on GPG into cash?

~~~
tptacek
No, I don't. You can trace some of my open frustration with crappy message
crypto apps to this, by the way.

------
andrewla
For bitcoin donations, you can go to [1], which gives the address as
12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq [2]. The address is not generated per user,
and is dedicated to GnuPG.

[1]
[https://www.wauland.de/en/donation.nojs.html](https://www.wauland.de/en/donation.nojs.html)

[2]
[https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzk...](https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq)

~~~
Torgo
Can someone signal boost this on bitcointalk or other bitcoin communities?
They are huge users of PGP. I don't have accounts on any of those sites or I'd
do it myself.

~~~
rnhmjoj
I have spread the word in bitmessage chans. People there are certainly
concerned about privacy and love free software.

------
cs702
"Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch
informed us that last week he was awarded a one-time grant of $60,000 from
Linux Foundation's Core Infrastructure Initiative. Werner told us he only
received permission to disclose it after our article published. Meanwhile,
since our story was posted, donations flooded Werner's website donation page
and he reached his funding goal of $137,000. In addition, Facebook and the
online payment processor Stripe each pledged to donate $50,000 a year to
Koch’s project."

The problem, in other words, was that lots of people like me, who depend
everyday on gpg and are thankful for it, would have supported it over all
these years _if only we had known that its maintainer was barely scraping by
on $25K a year._

Kudos to Pro Publica for bringing this to everyone's attention.

------
_wmd
GnuPG sounds like a prime candidate for Linux Foundation's core infrastructure
initiative. [http://www.linuxfoundation.org/programs/core-infrastructure-...](http://www.linuxfoundation.org/programs/core-infrastructure-initiative)

If they're willing to fund a new NTP implementation then they should be able
to drop a few coins in the GnuPG bucket too

~~~
carsonreinke
Strange you cannot seem to just donate to the Linux Foundation, you have to
become a member?

~~~
_fizz_buzz_
Yes you can: [https://www.linuxfoundation.org/participate/linux-donate](https://www.linuxfoundation.org/participate/linux-donate)

~~~
carsonreinke
Oh my bad.

------
moreati
In the last hour or so (I think since this hit the front page) there have been
approximately €2000 of donations added to the drive at
[https://gnupg.org/](https://gnupg.org/), nudging it over €40000.

Please do your part, and keep that bar moving.

~~~
twothamendment
I gave my 0.02. Ok, a bit more than that, but everything helps. I don't know
what I'd do without GnuPG. It has so many uses beyond email...

------
a3n
He's been voluntarily cheated. He should take a job, take care of himself (no
one else will), and give gpg whatever time he has left, if he has the energy.

~~~
hackuser
> He should take a job, take care of himself (no one else will), and give gpg
> whatever time he has left, if he has the energy.

In your scenario, what will happen to GPG? The world just loses this essential
asset?

~~~
RobotCaleb
Sure, why not? His (and his family's) life should be more important to him
than you getting to use GPG.

~~~
hackuser
I wouldn't say what someone else "should" or shouldn't do, but my point was
that the parent's solution overlooked a crucial factor.

It's not an either-or choice; there are solutions that help him and GPG.

------
dredmorbius
The problem of reward for innovation is one that goes back a _long_ ways under
the market / capitalist system.

The tale of the unrewarded genius is legion, one set of substantiation is
presented in Gregory Clark's _A Farewell to Alms_ looking at key inventors of
the early Industrial Revolution: John Kay (flying shuttle), James Hargreaves
(spinning jenny), Richard Arkwright (spinning frame), Samuel Crompton
(spinning mule), Reverend Edmund Cartwright (power loom), Eli Whitney (cotton
gin), and Richard Roberts (power loom, machine tools).

Of the list, Kay, Hargreaves, and Roberts died in poverty. Crompton and
Cartwright were granted substantial payments by acts of Parliament (£5,000 and
£10,000 respectively), Whitney made money through arms sales to the U.S.
government, and of the lot, only Arkwright earned significant wealth, half a
million pounds, _after_ his patents stopped being honored by other
manufacturers.

Invention and information goods fare poorly in economic systems.

Most of us are coloured by the experience of Microsoft from 1980 - 2000 or so,
but what is generally _not_ recognized is that _Microsoft as a seller of
"shrink-wrap" software was exceptionally anomalous_. Most other pure-play
software firms were nowhere _near_ as profitable as Microsoft. Some
_technology_ companies had large revenues, but they were often based on
hardware (Sun, HP), professional services (Oracle, Price Waterhouse), or both
(IBM). Hardware does well, but has a small fraction of the profit margin of
software, and professional services -- brains by the bucketful -- is _very_
difficult to scale. Companies which do well at the latter almost always have a
distinctly mafia-like reputation (IBM, EDS, Oracle, PWC, Accenture, etc.).

Werner's situation is unfortunate, and I really do hope he finds a way to
survive. He's hardly alone, and frankly, the proprietary commercial model has
proven highly problematic as well.

------
gommm
I've just donated. It's an important project and Werner Koch needs to be
rewarded.

I feel that we, as a community, are really bad at supporting some of the
opensource projects that power our infrastructure. I'm not sure what can be
done to improve this. Maybe we need a foundation that raises money for those
projects and does the marketing needed to remind us to donate.

I for one wouldn't mind giving say 30 euros/month to be redistributed between
projects like GPG, openssh, varnish, nginx, openssl...

~~~
sanderjd
You are right that we, as a community, are really bad at supporting key open
source infrastructure. But I also think that relying on donations from
individuals like us is a fundamentally wrong model. I don't benefit directly
from GPG, but I benefit from many services that make use of GPG and make lots
of money off of me.

~~~
gommm
I completely agree that the services and companies that rely on those
technologies should also contribute.

But as a software developer, I use openssh daily in my job. I use tmux, I use
nginx, I use openssl and a lot more opensource projects and they allow me to
make a living. So, it makes sense for me to contribute.

~~~
sanderjd
I don't disagree at all, but as you say, you do those things _in your job_.
It's likely that you also use them outside your job for personal purposes,
which is why I agree that it makes sense for you to contribute. But most
employees don't (and shouldn't) feel like it's their duty to pay for the tools
they use to do their jobs.

------
tw04
It's a sad day when Farmville can become a billion dollar business and Werner
can't feed his kids. I'm curious if he's truly living on ~$20k/year. That
seems ridiculously low for life in Germany. Or if he's got other sources of
income to bolster that.

Either way, what really needs to happen is companies that build programs off
his work need to make a concerted effort to donate to the project. Heck, set
aside a small percentage of revenue and consider it a cost of business.

~~~
nperson
I personally know lots of people here in Germany living off 20k/year and less.
More would be better, but it's doable.

------
peterwwillis
And this is the weird conflict with open source software. OSS is primarily
written because somebody needed it and didn't have it. If they have it, and it
works, they have no need to write it or support it. Eventually somebody stops
supporting it, and then we all realize we're in trouble, somebody forks it and
support is taken up by somebody who needs it.

I think this works. It's sad that it depends on exploiting the virtually
unpaid work of a few committed die-hards. But basically, it's the only way we
can have good gratis software without something stupid like bundling ads, lack
of source code or 'services-based' models. It's clear from all the other
unfunded OSS projects that corporate sponsorship isn't going to happen unless
they're getting something in return.

------
unreal37
There does seem to be a need for an "Internet fund". Pick 100 of the core free
technologies that everyone relies on and pay people to maintain them.

~~~
agwa
I'm really dismayed that the Core Infrastructure Initiative, which was created
in the aftermath of Heartbleed to fund OpenSSL and other critical software,
has chosen to prioritize _NTP_, and not GnuPG[1]. Most of the companies that
rely on OpenSSL are probably using a distro that uses GPG to securely
distribute the OpenSSL package.

[1] [http://www.linuxfoundation.org/programs/core-infrastructure-...](http://www.linuxfoundation.org/programs/core-infrastructure-initiative/faq)

~~~
smutticus
NTP is important as well. If I remember correctly, that decision was made
around the time that NTPD was found to have multiple exploits allowing
amplification attacks. Given that there are so many publicly available NTP
servers, that makes it a pretty important project.

The fact is that all of these projects need better funding. Frankly it
surprises me that large multinational corporations that care about security
don't just fund these people. The downside risk for them is terrible.

------
dchichkov
"Stallman urged the crowd to write their own version of PGP. 'We can't export
it, but if you write it, we can import it,' he said."

"Inspired, Koch decided to try. 'I figured I can do it,' he recalled."

"Koch's software was a hit even though it only ran on the Unix operating
system. It was free, the underlying software code was open for developers to
inspect and improve, and it wasn't subject to U.S. export restrictions."

Brilliant :)

------
florianfunke
Here are Felix ("fefe") von Leitner's comments
[http://translate.google.com/translate?js=n&sl=de&tl=en&u=htt...](http://translate.google.com/translate?js=n&sl=de&tl=en&u=http://blog.fefe.de/?q=gnupg)
Not that I would share his views, but he is a relatively well known German
security expert and free software activist (dietlibc). He knows GnuPG pretty
well and basically says: Werner, you don't deserve our donations, stop crying,
get a day job and maintain GnuPG in your spare time.

------
nathan-muir
This feels like "WorldVision" for programmers. The wealthy pouring support on
the forgotten, decrying the unjust conditions, only to forget about them and
return to their normal lives.

Unlike the poor children of the world - Koch's decisions are wholly
responsible for his current predicament.

The "market" doesn't care about individuals like Koch, and he chose to
continue despite his efforts not being reciprocated/acknowledged.

I'd like to say that Koch should have abandoned the project, and if the market
saw that maintenance/development of GPG was important, it would have happened.

However, it's not a perfect world - and there are probably plenty of pieces of
critical software installed on our systems that are no longer maintained.

Would GPG have become one of these unmaintained codebases had Koch acted in
his own self interest?

Or, would another organisation/individual have funded someone else to maintain
and develop it?

------
redthrow
"He says he's made about $25,000 per year since 2001 — a fraction of what he
could earn in private industry"

The developer of git-annex assistant was happy when he received $20,000 on
Kickstarter and he said with this money he could dedicate his time on this
project for a full year. [1]

Maybe he could also start a Kickstarter/Indiegogo etc campaign so that he
could hire another full-time developer? If enough people find this additional
workforce on this project worthwhile, it will be funded.

[1] [https://www.kickstarter.com/projects/joeyh/git-annex-assista...](https://www.kickstarter.com/projects/joeyh/git-annex-assistant-like-dropbox-but-with-your-own)

~~~
quadrangle
Cost of living varies widely. Having no dependents and living in an
inexpensive place is great. Obviously, it's better for us to fund people who
use the funds as efficiently as possible, but we can't demand that everyone's
life circumstances be identical.

------
jackreichert
It would be really great if you could run an apt-get/yum filter on your server
and retrieve a list of donate links for the open source services you rely on.

Ideally, a GPL+donate-what-you-can would really help maintain these projects.

------
BjoernKW
The problem boils down to "Really I am better at programming than this
business stuff."

Someone with his talent and expertise should have no problem with getting
highly paid consulting gigs. Then he could continue working on GPG in his free
time and even use the consulting income for hiring additional programmers to
work on GPG. There are quite a few product-based businesses that could be
built upon GPG as well (secure email, corporate communication tools, some kind
of public-key-based social network come to mind ...). These could be used to
support the continued development of GPG itself.

It's of course not as easy as it sounds. Not everybody wants to deal with 'all
that business stuff' and that's fine but then by all means find someone who
can help you with that part. If you want to change the world sometimes
idealism alone just isn't enough. You also have to proactively deal with the
everyday stuff like where the cashflow for paying the bills will come from
next month.

There's also a problem with the purism put forth by some of the 'free as in
freedom' enthusiasts, most notably Richard Stallman, who seem to gloss over
the fact that coders have to make a living, too, or who even frown upon making
money with software altogether. Software eats the world but even RMS can't eat
software.

How many successful larger companies come to mind whose business model is
based upon open source? Red Hat, Ubuntu and that's about it. If we truly want
to avoid dilemmas like this one we also need to think about how to
successfully implement sustainable open source business models.

~~~
Kalium
Stallman doesn't and has never glossed over that programmers need to make a
living. He has no qualms about charging for software and has happily done it
himself. He says it's wrong to use licenses to force people into depending on
you.

~~~
BjoernKW
Good point. It's not that clear and easy in all cases though. Besides,
Stallman once disparaged SaaS business models as unfree and essentially a
problem to be dealt with. While that in a way makes sense from his point of
view, it's problematic for developers who try to make a living with providing
a useful service.

I very much agree for all system software and especially cryptographic and
security-related software.

What about a developer or a company though that's put several years worth of
work into developing a particularly useful novel solution to a specific
business problem? If they use a proprietary license they'll at first force
others into depending on them once they start using the software but is that
really wrong in every case? If on the other hand they immediately release
their code under an open source license they might effectively commoditize
their novel solution. Sure, they might be able to recoup some of their
up-front investment but in most cases this won't be a sustainable business model.

Releasing the source code only to paying customers might seem like an obvious
solution but depending on the nature of the software and the industry the
customers might decide to just pay once and afterwards sideline the developer.
Continued innovation can serve as an incentive to pay for updates but again
this doesn't apply to all fields and industries. Licenses such as AGPL might
be a remedy, too, but from experience I can see that software licensed under
these or similar terms is mostly avoided in business contexts. I'm not sure if
there's any company that's built a viable long-term business on a
dual-licensing model.

Not every closed source (or only partially open source) software product is
created with malicious "Let's blackmail the customer into using our software
forever." intent. Sometimes, it just makes good sense. However, in those cases
I think companies should at least make provisions for releasing the code if
they go out of business.

------
duckingtest
I think he should start a US nonprofit, or even better start cooperating with
an international one, as that would allow people to deduct donations from
their income. It's a lot easier to donate if you know that otherwise 30%-50%
of that would go to the ever hungry state...

edit: It turns out every EU citizen can deduct a donation to GnuPG from their
incomes!

[https://www.wauland.de/en/donation.html#61](https://www.wauland.de/en/donation.html#61)

------
rdl
Wow, they have done a pretty bad job of promoting their donation campaign. I
use GPG, I love GPG, and I hadn't heard about it.

If they'd done it before 12-31, they could have easily gotten a lot more
donations (due to tax year), especially from companies (who IIRC don't need it
to be a 501c3).

Helping GPG market itself, especially for fundraising, would be a great way
for a non-technical privacy advocate type to contribute meaningfully. I think
a lot of those people exist.

------
kogir
This is sad but not super surprising. Historically, if you had money and
wanted a reasonable UI and cleaner integrations, you bought PGP (now from
Symantec). GPG was always for people unwilling to pay.

For the record I donated. I'm just pointing out that writing something that's
bundled and distributed as part of something else means nobody thinks about
your project, or in many cases even realizes they're using it.

~~~
abandonliberty
PGP went commercial to deal with lawsuits, but it is still open source.

I would like if someone with more understanding of the situation could outline
the risks of allowing PGP to be the only implementation.

~~~
dredmorbius
PGP is _not_ open source.

Parts of its source code are _viewable_ and _reviewable_, associated with key
cryptographic functions. Much of what PGP builds is structure around that, and
most of that _isn't_ open in any sense of the word.

Phil Zimmermann (who's long since left the building) _does_ understand the
value of source review, and the team who supported PGP continued that legacy.
But it was _quite_ limited in scope.

That said, PGP also did work with other implementations, including GPG, to
resolve compatibility issues -- I'm aware of a few of those personally myself.

~~~
abandonliberty
Could the unreviewed code be a liability?

------
excel2flow
For that matter, I don't know what I would do without BouncyCastle:
[https://www.bouncycastle.org/donate/index.cgi](https://www.bouncycastle.org/donate/index.cgi)

This article made me think about donating.

------
Dowwie
In the meanwhile, a very funny card game about exploding kittens has raised
more than 5 Million USD on kickstarter

------
api
This is why "free as in beer" is a problem for "free as in freedom." Just to
maintain things costs money because people take money to live, not to mention
how much it costs to field things that are competitive on UI/UX and other
metrics with big closed ecosystems.

~~~
longlivegnu
[https://news.ycombinator.com/item?id=9004435](https://news.ycombinator.com/item?id=9004435)

------
joycey
Here's something I think should get more love and is pretty relevant: a
service that will automatically pay a percentage of Bitcoin donations for
every submission to a GitHub repository:
[https://github.com/WhisperSystems/BitHub](https://github.com/WhisperSystems/BitHub)

So if you donate to Open Whisper Systems, you can see that your donations are
going directly to those that are contributing to the project, and you get paid
more if you're contributing more. I've sent in a few PRs to their iOS repo,
and it'd be awesome to see it implemented in other privacy OSS projects. It's
obviously not a perfect system, but I think it's a pretty cool way of funding
OSS.

~~~
tjl
I'm part of the SymPy project and we opted out of a similar program
tip4commit. It's a bit easy to game. If you do it per commit, someone could
just break up their work in smaller commits. The same thing with pull
requests.

I can see bounties for issues fixed, but a per commit system is fundamentally
flawed.

------
danso
Hopefully this article leads to a call-to-arms in the dev community to come up
with best marketing/fundraising practices. I know that the idea of meritocracy
is very powerful (and not altogether _wrong_)... but it's a tragedy when great
software doesn't get the minimal exposure because of relatively easy friction
problems that can be fixed.

I think of all the random, stupid things I've backed on Kickstarter, simply
because I saw it on a friend's Twitter feed... things like GnuPG may not get as
much consumer reaction as most Kickstarter widgets, but there are enough
developers with disposable income who would happily donate to
open-source-in-need if such causes were just slightly more visible.

------
guiambros
This is amazing news. Glad to see companies that benefit so much from free
software helping to pay it forward.

 _Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch
informed us that last week he was awarded a one-time grant of $60,000 from
Linux Foundation's Core Infrastructure Initiative. Werner told us he only
received permission to disclose it after our article published. Meanwhile,
since our story was posted, donations flooded Werner's website donation page
and he reached his funding goal of $137,000. In addition, Facebook and the
online payment processor Stripe each pledged to donate $50,000 a year to
Koch's project._

------
corin_
Meta-question, ideally aimed at Daniel if you're reading this, but not
interesting enough to email you plus wondering what community members think:

Normally I'd be against comments like "donated" that add nothing else, and
would downvote them for that. But in this case, does seeing lots of other
people say they've donated make other readers more likely to donate
themselves? If so, does that outweigh the negative of the page filling up with
otherwise-pointless comments?

I've not downvoted any, but would be interested in any opinions as to whether
or not you have/would downvote them and why.

~~~
dang
I think such comments are fine in this thread. This is an unusual case, and
such things don't come up all that often.

If it started to get predictable it would be a different story.

------
droque
I wonder if a patreon-like (or even patreon itself) would be more effective
raising donations than just one-time donations. I know enough people that
swear by gpg, so it doesn't strike me as hard to find a base.

------
liveoneggs
[http://en.wikipedia.org/wiki/Netpgp](http://en.wikipedia.org/wiki/Netpgp)

------
csl
So I just donated €20 and I invite others to do it as well.

(And they use Stripe for payments, which of course is relevant here on HN. And
as a first time user, it was a breeze to donate.)

~~~
daddykotex
I gave a little €5, but I'll gladly give more when I have more income, I'm
still a student :P

I used PayPal and it went like a breeze too.

------
kylec
I wish there was a sort of "Patreon for open source" nonprofit service where I
can support projects like GnuPG, OpenBSD, etc. all in one place.

~~~
unreal37
Would Patreon or Gittip (which has changed its name to something I can't
recall at the moment) not work for this?

In fact, Gittip's original mission was tips for open source projects.

~~~
mholt
Gratipay. Unfortunately their execution has been a bit poor, and it's
under-delivering. There's too high a barrier to start donating and there's no
clear option for one-time donations.

------
Samumu
Would it help if some highly visible figure like Snowden or Poitras weighed in
in some interview? I mean, they probably have a lot on their shoulders already
but I cannot see anyone else who would be more motivated and more efficient at
this task.

I am probably missing something though. They must be somehow aware of the
situation already and not consider it a top priority for some reason.

------
gojomo
The need here is characterized as 'money'. And yes, at a reductionist level,
that's the issue.

But perhaps what GPG and Koch really need is management and marketing, to
build sustaining, recurring support for the project.

That would involve getting this sort of attention on a regular basis, and
asking for financial support in ever-improving ways. Also, having enough
structure that key people aren't tripped up by local tax and legal issues, and
the project is well-prepared to survive the surprises and tragedies that
eventually challenge every longstanding effort.

Sometimes, a precocious developer or development team, or even volunteer
advocates in the community, can do this themselves. But also some people have
no talent or appetite for self-promotion and support work. The proclivity for
these tasks may even be negatively-correlated with the particular technical
abilities required in some domains.

GPG doesn't just need a fish today. It needs a fisherman... or fisherwoman.

------
hughes
Lack of funds doesn't even sound like the biggest problem here. If the project
relies on one guy, what happens when he's gone? Seems like something this
important should have a higher bus factor.

[http://en.wikipedia.org/wiki/Bus_factor](http://en.wikipedia.org/wiki/Bus_factor)

------
fellowshipofone
Just like many here, I had no idea, and this is so important. I hope the HN
community will blow up this donation page!

------
javajosh
This is a terrible injustice, and points to a larger systematic problem, that
we software practitioners benefit greatly from the efforts of others to whom
we barely offer anything back.

And while the media can help (as in this case) what we should be looking for
are systems to help with the situation. My ideal would be a system that
monitors my package manager activity, and then using an algorithm I control,
allocates "pieces of the pie" to each package I install and use. Then I
determine how big the pie should be, and how it should be funded. E.g. if I'm
working for a company, I'd request as part of my contract that I get a $200/mo
software budget. Or I could just fund it myself.

If even a small fraction of us did something like this, the open-source world
would blossom, and injustices like this one would be eliminated.

------
madhudj
Where can I see the list of all such software (the essential and free) and
the people behind them?

Is there a single place where the following details can be found?

Program Name, Company / Group Name, Description of the software, Link to their
website, Yearly Budget (Required), Funded so far (out of the total yearly
budget), How many people in the team?, Options to donate

I feel that the real problem is that the folks behind these amazing pieces of
software are either too busy / too nice / too shy (for philosophical reasons)
to promote, organize, gather funds? And in the busy world, their very
existence is forgotten by the rest of us.

If there are none like this, why don't we build one? I would like to start it
so others can join in later. To help these guys around the year and not just
when we get to see a blog post like this one.

Any thoughts / comments ?

------
0xdeadbeefbabe
So, it wasn't a donation, but Snowden that kept this developer going? I'm
freaking out a little thinking this implies you can't buy dedication or even
good software. Donating is a good thing of course, but it doesn't solve this
really disturbing meta-problem.

------
anigbrowl
This is a clear example of market failure. When I've been grumpy over the last
year over how torrent piracy affects indie cinema (the sector where I work)
it's for similar reasons; putting work out there and depending on the goodwill
of the public is simply not a viable economic strategy. It's a basic fact of
human psychology that people gauge the value of something by what they paid
for it, or even what other people would have paid for it and what they
therefore feel they're 'getting away with' if they managed to obtain it
without paying.

 _In December, he launched a fundraising campaign that has garnered about
$43,000 to date — far short of his goal of $137,000 — which would allow him to
pay himself a decent salary and hire a full-time developer._

Think of what Koch might be able to achieve if he were in a position to direct
other people in addition to writing code, or even to write code without the
distractions of a precarious financial life.

Innovators, whether in arts, technology, or whatever sector, do not like
relying on donations or shaking a hat in front of people. It's a shitty,
degrading way to work. Nobody becomes better at what they do through constant
negative reinforcement of their economic inferiority; and yet the notion of
even the most minimal royalty obligation or assertion of a private economic
interest is enough to bring out glibertarians* in droves ranting about the
selfishness and futility of trying to put a price on something that has zero
marginal cost of distribution. Digital assets _do_ have zero marginal cost of
distribution, but they have significant fixed costs of creation, and the
failure to acknowledge that by disavowing the notion of _any_ property
interest in digital goods __are undermining the entire market concept in favor
of a new variation of serfdom. Saying that society should change and institute
a basic income guarantee is all very well, but that's not going to put food
on the table for anyone in the near term (except possibly a few enterprising
economic raconteurs who are willing to take up the role of court jester).

One possible option for Koch would be to crank out the next version of GPG;
post a changelog of all the desirable new features/bug fixes etc., and then
run a Kickstarter to raise the funds that would persuade him to release it -
in other words, to withhold the new version until people put their money where
their mouths are. But I'm pretty sure he doesn't want to do that, for 3
reasons: first, many people would just carry on with whatever they currently
have, regardless of security liability etc., because what's already available
is 'good enough'; two, he'd become the target of the internet hate machine,
albeit on a smallish scale; and three, a bunch of indignant people would fork
the existing code on GitHub and offer their innovations for free, a hundred
flowers would bloom, and 3 months later 99 of them would have shriveled up and
died, while the codebase would have irreparably fragmented.

What we need is some sort of new economic model that does not force innovators
to sacrifice their comparative economic advantage (i.e. their primary technical
or artistic skill, on which they should be concentrating their efforts) on
guilt marketing, public beggary, or drafting of grant applications. The
copyright system could provide such a mechanism, but focusing only on the
cases where it's broken or unfair to consumers has led many hackers and
digiterati to throw the baby out with the bathwater, making things _much_
harder on small-scale producers whose interests the system was instituted to
protect in the first place.

* people who identify as libertarians but who have little experience of structural economic disadvantage

 __in the economic sense of things that are literally good to have

------
colindean
If your company uses the fruits of this project's labor, your company should
probably be reserving at least a little honorarium for the people behind it.

Give directly, or encourage them to use something like Gratipay or Patreon or
whatnot.

------
frevd
The whole commercial industry is relying on open-source components,
arbitraging what should cost money in the first place to build a business,
then assuming that people do it for the fun primarily (which is not completely
untrue), maintenance though costs money, but to give edits back should be the
role of the earning community, not the original founder. Licensing might help
here, just too many people are offering their works for free (read there will
always be somebody with a free alternative). It's kinda weird to expect
something else and proclaim free software..

------
MysticFear
Don't forget to donate to ProPublica for covering an unsexy story as well.

~~~
rtconner
ProPublica is the pinnacle of journalism right now.

------
GolfyMcG
Facebook and Stripe are stepping up:
[https://twitter.com/stripe/status/563449352635432960](https://twitter.com/stripe/status/563449352635432960)

------
dataminer
Just donated, GPG is quite a critical part of open source ecosystem.

Please donate

------
beaknit
Just donate, for christ's sake

------
pcthrowaway
> Like many people who build security software, Koch believes that offering
> the underlying software code for free is the best way to demonstrate that
> there are no hidden backdoors in it giving access to spy agencies or others.

I'm guessing this is a problem with the journalist misunderstanding the
subject, who probably said publishing it as free software (which is not the
same as giving it away for free) is the best way to demonstrate that it is
secure.

------
D4AHNGM
I noticed the rather pitifully empty donation bar last week, and made a mental
note to chip in a little bit as soon as I could. Donated €5 today, and visited
the website again just now and the donation bar is more than full, which is
just incredible.

Werner's engagement on the mailing lists is awesome enough, let alone the
software he writes. Genuinely glad for the guy that he's getting some of the
financial support he needs.

------
jakemcgraw
Just donated, and you should too!

[https://gnupg.org/cgi-bin/procdonate.cgi](https://gnupg.org/cgi-bin/procdonate.cgi)

------
sandGorgon
This is precisely the question I asked here -
[https://news.ycombinator.com/item?id=8863782](https://news.ycombinator.com/item?id=8863782)

This is frustrating - a lot of these projects don't get funded just because of
one reason: discoverability. People don't know that these projects need
funding. OpenSSH was another. No telling how many others.

------
olla
I think we need a change in the way we look at open source software. It must
not necessarily be free of charge. The real benefits of open source are often
something other than being free of charge, like in this case. Maybe we need a
new licence allowing charge for commercial use and giving benefits or
discounts on the amount of contribution made to the project?

------
harkyns_castle
Hopefully a sign of things to come. Way prefer to give my cash to someone that
diligently works away out of the public eye, but also gets some reward when
it's recognized. My cynical side says someone will pop out soon and say it's
compromised and he's had an NSL, but that part of me is killing me so I choose
to hope not.

------
whatsgood
GNU is awesome in the way that 'Citizen Kane' is awesome. It is awesome
because of what it accomplished given the context in which it was created. The
context has changed but GNU, by and large, has not. "Free Software" gave us
BSD and Linux, but it is also partially responsible for the privacy issues of
Google and Facebook (neither of which would be as competitive if they had to
pay licensing fees to Microsoft and Oracle, and they give their services away
in exchange for monetizing user data), Heartbleed and similar bugs (these
projects are not properly funded for security audits and/or maintenance), and
the expectation that one should work for free (if you don't have a job the
first thing you do is start working on open source projects to show what you
can do). Richard Stallman is arguing for the freedom of software, not people.
Unless we change society such that its citizens will be provided for
regardless of how they spend their afternoons open source needs a new business
model. As software becomes more pervasive finding alternative models will
become more urgent. And, it's already very urgent.

~~~
walterbell
Thought experiment: if there was no GPLv2, only GPLv3, would the same concerns
apply?

Have you come across promising alternative models? These would need to exhibit
some properties of GNU-style free software and some properties of cash-cow
commercial software. Thus, technical run-time mechanisms for software
composition will play a key role in the new legal framework, just as _linking_
(e.g. GPL vs LGPL) did in the GNU ecosystem.

Today we have microservices, containers, etc - which allow composition of
software with different licenses, T&C and biz models.

~~~
whatsgood
Just saying, I don't think this guy is going broke for lack of trying.

------
conductr
Could he not just change the license to require commercial usage by companies
with more than $x annual revenue to pay $y in license fees?

Could still remain open source and free for majority of applications if x was
high enough. Also, creates a system where those reaping the most also pay the
most.

------
whyleym
Just announced - "Stripe and Facebook are going to sponsor @gnupg development
with $50k/year each." -
[https://twitter.com/stripe/status/563449352635432960](https://twitter.com/stripe/status/563449352635432960)

------
microcolonel
I've donated to the project in the past, I wasn't aware of just how far in the
hole he was until today.

Also, I just cloned the repository and it's a bit of a mess, if anything I'm
ashamed that I haven't been doing anything about it directly.

------
carrotleads
Never tell people / managers that you love your job. That's one foolproof way
for people to expect you to do it for free or close to it.

Your payment comes in the form of praise.

I think that was the mistake made here. A mistake made by many artists.

------
viccuad
Donated 20 euros. It's amazing, in a few hours it has gone from 40.000 to 58.000!

------
slowpoison
It's a bit disappointing that G10code[1] https identity verification fails.
Maybe it makes sense given that he's short on $$$$.

[1] [https://g10code.com/](https://g10code.com/)

~~~
serf
it's just self-signed.

All that means is that you are transferring trust to the owner of the site,
rather than a CA, to properly deal with his own secure key, and that browsers
hate it; but who cares about that part.

I trust the GnuPG set of tools, and I have for quite some time. On the
opposite side of things I have witnessed a _ton_ of CA hacks in recent
years...

------
bndr
I would like to repost a comment from reddit[1] that makes some good points:

"That title is pretty laughable.

Enterprise E-Mail Encryption solutions do NOT use gnupg, and most enterprise
customers do not even use openpgp, they use X.509/SMIME. I know the world top
10 server side enterprise e-mail encryption solutions and the majority uses
java with either bouncycastle or ajak encryption, for PGP or
openssl/bouncycastle for SMIME. There are some solutions that use gnupg but
those are very small and again - most people do not use openpgp in the
business world. Mostly automotive uses it like Porsche, VW etc. for encrypting
e-mail traffic. Gnupg is mostly used for e-mail by your skilled engineers in
private or while communicating with kernel developers etc. Either by using
enigmail/mutt/command line whatever.

Nothing based on e-mail would "break" if gnupg went missing.

Now let's get back to Mr. Koch - gnupg was sponsored by the German Government -
in all these years - Mr. Koch tried to build a consulting company/enterprise
solution out of it - but he failed because there were already existing
solutions that were far better than anything he could come up with. Moreover
asking Mr. Koch to fix specific bugs in gnupg which was as I said sponsored
resulted in simply "pay me XXX amount or I won't do it" - that's how Mr. Koch
worked.

Ask any code auditor/reviewer worth his salt and he will tell you gnupg is a
mess, it is worse than openssl in most cases - why? Ask Mr. Koch.

I just want to remind everyone to carefully judge, before thinking about donating
to Mr. Koch or his company. I already noticed he received well over 50k today
just because of this false article.

This guy got funding multiple times from the German government for
implementing and maintaining gnupg. This was never a full-time job - adding
patches and a few features is what any open source developer does in his free
time. Mr. Koch tried to build a business upon this government funded software,
and it failed. He already had multiple fundraisers in his career to keep his
company going. Does he deserve your money? It is not like gnupg would be dead
without him - he is not the only one doing anything - there are many
developers in the community who are doing their share too.

Aren't there other things more deserving of funding than the failed economical
existence of one guy? An open source developer that wants to contribute free
software does not need your money to survive! Did Mr. Richard Stallman or
Linus Torvalds ever beg people for money because they can't buy their next
meal? Did the BSD Foundation plea to you they can't make days end? No - they
never did - and they still were able to produce free open source software.

Mr. Koch does not deserve your money, if anything successors of him should
receive funding if they need to - but not to survive - because they most
likely got a real job already and doing this in their free time."

[1] [http://www.reddit.com/r/programming/comments/2uw2gt/the_worl...](http://www.reddit.com/r/programming/comments/2uw2gt/the_worlds_email_encryption_software_relies_on/coc9qxv)

~~~
zvrba
I tried to submit a patch for GnuPG that would enable it to use "proprietary"
PKCS#11 smart-cards instead of "open" OpenPGP smart-cards. Line of thought
being, users may already have S/MIME generated keys on their smart-cards, so
why not use the same keys with PGP too? In the end, a key is just a number.

The request was refused with ridiculous arguments [1] about PKCS#11 not
being "needed in free software world".

After that, I started playing with S/MIME and found out it was much more
user-friendly than GPG. (After the initial setup.)

[1] Here you can find links to relevant threads:
[http://zvrba.net/software/gpg_pkcs11.html](http://zvrba.net/software/gpg_pkcs11.html)

~~~
dd9jn
It was not about proprietary smartcards but about the proprietary driver
software required to use those smartcards.

If the vendors would open the specs of their smartcards it would be easy to
write a driver. Some did and we support them in GnuPG. Most of them don't and
we may even assume they want to hide their little secrets in their drivers. It
is all the same as with all the proprietary hardware drivers. Look at decades
of LKML for similar discussions.

~~~
zvrba
Sorry, I don't buy this. PKCS#11 is a standard, wide-spread, user-space API
for accessing cryptographic tokens, just like POSIX is a standard API to
access operating system services. I guess it's about time to write a
"driver" for each supported OS instead of relying on libc, because the user's
installation cannot be trusted?

------
simonvc
Donated.

------
yeukhon
So why not hire the guy to work on this as a full time employee? Stripe /
Facebook / Google or even Mozilla should have the money to hire him as full
time and only work on GnuPG.

------
vitd
I wonder if his software would be more well known if it were more usable?
I've tried using it on a few occasions over the past 10-20 years and have had
a very hard time doing so.

------
pinjiz
Just donated 50€, hopefully the goal of 120.000€ will be exceeded!

~~~
rnhmjoj
The goal is now exceeded! The progress bar is even overflowing the box.

------
lajarre
No one pointing to the fact that GPG has major issues like no perfect forward
secrecy? Are we celebrating that big-brother money is funding an (out)dated
technology??

------
dhfromkorea
This is an epitome that corresponds to Peter Thiel's thesis statement:
contribution to a society and (financial) reward are independent variables.

------
mavsman
Unbelievable that this article gets this guy a paycheck. He deserves it but
it's still amazing. We live in the future.

------
go1979
I like his office setup. Dual monitors, raised base for monitors, plexo? lamp,
white board, real keyboard.

~~~
daveloyall
IBM Model 30. One of the few keyboards that doubles as a melee weapon. :)

------
ixtli
I donate to the EFF regularly and would really like to see them put some of
their money towards this.

------
coldcode
Why is there no Kickstarter equivalent for ongoing open source projects
instead of just new things?

------
the-tesla-809
Is there some hacker group online that specializes on Crypto that can donate
time and or money?

------
gordon_freeman
When I first saw this post on HN, the donation was around 60% of the goal.
Just now I see it exceeded 120000 € of the goal. I bet HN readers donated a
good amount today after reading the top-trending news. Great activism!

------
drodgers
"Mihai'); DROP TABLE Donors" (from the donors page) is an asshole.

------
JeremyS
Donated...

------
theklub
It's OK, he got like 200k in 24 hours so he's good now.

------
finid
By itself, Google could pay that guy's salary and even hire another dev to
help him. Red Hat could do the same. In fact there are any number of companies
that can step in and do the right thing.

------
cha_os
Just donated and you should too... ;) Great project!

------
jtwebman
I am sure if he quit someone would pick it up.

------
jprince
Gave him $5. Thanks HN for showing this.

------
keyle
Big shout to the journalist that actually reported the issue instead of
vaporware shenanigans. @JuliaAngwin

------
JoachimS
The funding target has now been met!

------
dreamdu5t
This shouldn't be odd to anyone who's spent a large amount of time releasing
open source. You just end up being used and uncompensated. At best you get a
job offer from it.

It's really sad to me how many companies benefit from open source (including
my own software) without the author ever being compensated.

It's hard for me to get motivated to do anything open source anymore because
of the feeling that I'm just a gullible idiot in the end.

The feeling when I fix issues opened by people at VC-backed companies with
millions of dollars is really really nasty. I always feel like such an idiot.

~~~
briandear
The question is, have you asked for compensation? And, there are plenty of
devs at those evil VC-backed companies that give a lot in terms of open source
contributions. Those millions of dollars aren't being used to buy private
jets; they're paying salaries to devs just like you.

~~~
dreamdu5t
Are you talking about job offers or are you saying that companies cut checks
to open source devs at the behest of requests for some money? Who does this?

If you're talking about job offers, you can get jobs _without_ spending off
time doing open source. I look over at my co-workers who probably make similar
salary as me and they don't do much open source.

------
patronagezero
No worries, I'm sure everyone contributes more to their respective governments
to break encryption than they'll ever send to anyone seeking to protect it.
Send more money to this guy if you want to feel better about your shitty
(respective) country or self. Better yet, just donate to the EFF like a
uselessly trendy dweeb. Being a decent citizen isn't about standing up for
what's right or wrong (that makes you a terrorist), instead it's about sending
money to your respective, government-approved cause.

------
mwsherman
The question is the wrong one. The better question is: why does so much
software choose to depend on an underfunded library?

~~~
72deluxe
Because they can get the source and not have to pay a penny for it? For
businesses, that's a good selling point.

------
snissn
Why doesn't he watch some youtube videos on lean startups, write a business
plan and raise some VC money?

~~~
vbezhenar
Probably because he's good at writing code, not writing business plans and
raising money.

~~~
itistoday2
That, and there's unlikely to be a compelling story for VCs here. There are
many _many_ projects that are great and valuable to humanity and yet are not
VC fundable.

------
ctdonath
But wait, I thought fame and accomplishment and helping lots of people were
supposed to be enough for software authors, that somehow making people pay for
software was evil, that it's OK if everyone just copies your source code and
uses it, that an Open And Free Internet would be self-sustaining?

/sarc

~~~
malkia
Making people pay for software might still be evil, but supporting software
with teaching how to use it, documenting it, publishing books about it, making
conferences, supporting it is what I think is a reasonable way for oss
spirited souls to make money.

SQLite comes as an example - while completely free, public-domain, what might
(I don't know for sure) be making money for the three people behind it is the
extensive test suite, various other extensions (compression, security) and
possibly support/integration/customizations for specific needs (less
memory/cpu usage, or who knows what..)

I'm also amazed at Mike Pall's luajit's effort, and he keeps his sponsors page
here: [http://luajit.org/sponsors.html](http://luajit.org/sponsors.html)

I've never used GPG directly, but since I'm a debian/ubuntu user I've donated
money after reading one of the posts here.

~~~
teddyh
Making people pay for software is _not_ evil. It is _not giving those same
people the source code_ that is evil.

This is because by not giving them the source code you are keeping your users
under your thumb and not allowing them the freedom to improve their lot.

~~~
ctdonath
[https://developer.apple.com/xcode/downloads/](https://developer.apple.com/xcode/downloads/)

Free. Improve your lot however you like.

~~~
teddyh
How does Apple figure into this? I did not mention Apple, I was countering the
parent’s FUD, which also did not mention Apple.

~~~
ctdonath
Just one of many obvious examples that plenty of tools are available "allowing
them the freedom to improve their lot." Nobody is stopping them, nobody is
"keeping your users under your thumb". Improve your lot? do it yourself, or
pay the engineers accordingly.

Oh, sure, Apple et al can change their minds and charge outrageous fees and
demand outrageous licensing terms. Nonetheless, lots of affordable tools are
available.

And before you take the opposing view any farther: I come from an era &
mindset of building advanced computers from scratch. I reject the argument you
offer of "by not giving them the source code you are [oppressing them]",
because I'm trained in building computers starting from _sand_, and writing
software starting with toggling in op codes with manual switches. I've written
format converters (with no guiding documentation) to overcome the bounds you
imply.

If you want someone to put in the effort to create complex software, maybe you
should understand that they should be paid for that effort - one price to use
it, and a higher price to get the detailed source code. If you're paying the
price of a few cups of coffee to use it, heck yeah you're not getting the
complete body of work a team spent years creating.

~~~
teddyh
Rhetorical question: If nobody is stopping them, there is no harm in giving
them the source code, right? So why don’t you?

> _I've written format converters (with no guiding documentation) to overcome
> the bounds you imply._

Please do not assume that everybody should be like yourself.

> _If you're paying the price of a few cups of coffee to use it, heck yeah
> you're not getting the complete body of work a team spent years creating._

There’s an easy way to rectify this – just don’t call it _selling_. Call it
_renting_, which is what it practically is. The thing which I get when I buy
software today is by no practical definition my property: its utility is
deliberately limited by the manufacturer, and I am both legally and
practically prohibited to extend that limit or repair it.

------
kentf
Let's send him some money directly:
[https://www.tilt.com/campaigns/werner-koch-deserves-to-get-p...](https://www.tilt.com/campaigns/werner-koch-deserves-to-get-paid)

~~~
k2enemy
Why is that better than the GnuPG donate page:
[https://www.gnupg.org/donate/index.html](https://www.gnupg.org/donate/index.html)?

~~~
AstroJetson
It worked well for me when I donated.

Looks like this is working, the number is way up. A little advertising goes a
long way.

