
GnuPG Fundraising Rally - teythoon
https://gnupg.org/donate
======
im_down_w_otp
I'll happily fund however much it will take to get them to religiously follow
SemVer. Because there are soooo many breaking changes in patch releases that
it's nearly impossible to keep our automation pipeline around gpg2 working
consistently.

~~~
hdhzy
Out of curiosity: what kind of automation? Signing artifacts?

~~~
im_down_w_otp
Creating keys, certifying keys, signing artifacts, publishing keys, etc.

------
avar
I just set up a recurring donation for what I think is fair given my (very
small) use of GPG.

I can't help but cynically wonder how much funding GPG would get just from the
various journalists in this donation video making a decent salary who claim
that GPG is indispensable for their work.

Another case of free software tragedy of the commons.

------
hasteur
I understand the need to fund things, but could someone illuminate for an end
consumer of the software what requires 15k euros a month development for
GnuPG? Yes new cyphers/PRNGs/hashes come online, but it doesn't seem to be
moving as quickly as other internet infrastructure (GnuTLS, X.org, SSL, NTPD)
products.

It seems like things that were sponsored by major organizations because they
saw the good in having their name associated with a product or service in
favor of getting the "internet at large" to pay for things that have become
ingrained as "But it's free so why should we pay for it?"

~~~
waldfee
Useful spending of that money would be UX issues, making the horror that is
using this stuff bearable.

Usability is atrocious and if you do not use it all the time you have to
google the simplest things (for which the results are mostly outdated or wrong
or bad practice so you have to be careful with which explanation you follow)
which the software itself could explain to you.

~~~
cJ0th
I'd generally agree. Although I think this is rather something the people
behind Enigmail should figure out. The vast majority of gpg users will never
interact with it over the terminal, probably.

~~~
waldfee
You're right. Not only GnuPG but everything around it (mostly email clients)
are in dire need of a UX overhaul.

Presenting such a complicated technical topic only in its purely technical
form is not enough imho. Clear and concise explanation for each and every
action and item that gets displayed (and the whys!) would do wonders.

------
dd9jn
There are also translations to German, French and Japanese:

[https://gnupg.org/donate/index.ja.html](https://gnupg.org/donate/index.ja.html)
[https://gnupg.org/donate/index.fr.html](https://gnupg.org/donate/index.fr.html)
[https://gnupg.org/donate/index.de.html](https://gnupg.org/donate/index.de.html)

------
RX14
I hope they spend some of that money on the keyservers, they seem to be down
every time I want to grab some gpg keys.

~~~
AbacusAvenger
Keyservers are hosted by volunteers as part of a distributed pool of hosts:

[https://sks-keyservers.net/](https://sks-keyservers.net/)

And the pool's automated management infrastructure prunes misbehaving hosts
pretty quickly (e.g. not responding, out of sync, etc). See "servers in the
pool" and "servers currently not in the pool" here:

[https://sks-keyservers.net/status/](https://sks-keyservers.net/status/)

~~~
RX14
Well I'm just reporting the reality that the keyservers are down when I want
to use them, almost without fail.

I suspect that gpg isn't trying multiple servers in the pool but only trying
the first A record it finds. I've had to edit hosts to select a functioning
key server in the pool many times.

~~~
AbacusAvenger
Before I learned about the SKS Keyservers pool, I had my "keyserver
hkp://pgp.mit.edu" in my ~/.gnupg/dirmngr.conf, and that never failed for me
unless I was in a strangely firewalled environment. Maybe try that?

------
wiz21c
I was wondering, how do they sustain such an effort? I mean, working on GnuPG
is not exactly a simple task (I guess), so how do they fund themselves? I
understand the donations campaigns, but when that money dries off? I read
that the main dev had to work on other things not related to GnuPG. Does it
mean that we do have somebody working on GnuPG with a sheer level of pragmatic
altruism (i.e. working for close to nothing as long as he can feed his family)?
I'd like to know what it feels like to work on GnuPG from the inside...

~~~
rainwolf
The project was on the brink of collapsing a few years back, there was a
ProPublica article back then that shed some light on what you're asking.

[https://www.propublica.org/article/the-worlds-email-encrypti...](https://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke)

------
philjackson
I wonder if they've reached out to news organisations like The Guardian and
NYT. Also, perhaps human rights charities could make reasonable contributions
once someone explains the importance of the project?

------
VMG
Should I fund improvements to Signal instead?

~~~
102030485868
Both GnuPG and Signal are great projects, but GnuPG has a different use case
from Signal.

You should, ideally, try to fund improvements to both projects.

~~~
cJ0th
> [...] Signal are great projects

If I may derail this thread even further: I find XMPP+OMEMO even better. The
security concept is basically identical to Signal but users don't have to rely
on particular servers and a widespread adoption would end the problem that
people who use different servers/clients can't talk to each other.

Also, there are great apps for XMPP. For desktop users there is Gajim[0], for
Android there is Conversations[1] and the Apple folks have ChatSecure[2].

[0] [https://gajim.org/](https://gajim.org/)
[1] [https://conversations.im/](https://conversations.im/)
[2] [https://chatsecure.org/](https://chatsecure.org/)

