GnuPG Fundraising Rally (gnupg.org)
218 points by teythoon on June 6, 2017 | hide | past | favorite | 27 comments



I'll happily fund however much it will take to get them to religiously follow SemVer. Because there are soooo many breaking changes in patch releases that it's nearly impossible to keep our automation pipeline around gpg2 working consistently.


Out of curiosity: what kind of automation? Signing artifacts?


Creating keys, certifying keys, signing artifacts, publishing keys, etc.


I just set up a recurring donation for what I think is fair given my (very small) use of GPG.

I can't help but cynically wonder how much funding GPG would get just from the various journalists in this donation video making a decent salary who claim that GPG is indispensable for their work.

Another case of free software tragedy of the commons.


I understand the need to fund things, but could someone illuminate for an end consumer of the software what requires 15k euros a month of development for GnuPG? Yes, new ciphers/PRNGs/hashes come online, but it doesn't seem to be moving as quickly as other internet infrastructure (GnuTLS, X.org, SSL, NTPD) products.

It seems like things that were sponsored by major organizations because they saw the good in having their name associated with a product or service in favor of getting the "internet at large" to pay for things that have become ingrained as "But it's free so why should we pay for it?"


Useful spending of that money would be UX issues, making the horror that is using this stuff bearable.

Usability is atrocious and if you do not use it all the time you have to google the simplest things (for which the results are mostly outdated or wrong or bad practice so you have to be careful with which explanation you follow) which the software itself could explain to you.


"Useful spending of that money would be UX issues, making the horror that is using this stuff bearable."

100%. Freeze all work on crypto except for fixes for new problems that show up. All the rest of the money goes to hiring a UX expert for a design that anyone can pick up for the common case and then implementing it.


An alternative might just be to expose more of the underlying functionality via non-interactive interfaces, to encourage third-party/FOSS simplified interfaces for specific tasks.

Even trying to use a bash script to automate things is tricky because of gpg2's interactivity. I'm sure it was put there to improve usability, of course :) (which it does, in the interactive case).
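Driving GnuPG 2 from a script without its interactive prompts, as an added example that is not from the thread or the GnuPG project: it assumes `gpg` and `gpgconf` are on PATH, works in a throwaway GNUPGHOME, and shows unattended key generation, detached signing, and verification that pins the expected fingerprint by parsing the machine-readable status output rather than the human text.

```shell
#!/bin/sh
# Added example, not the project's code. Assumes gpg/gpgconf (GnuPG 2.x) on PATH.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated keyring; the user's own is untouched
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended key generation: --batch reads a parameter file from stdin and
# %no-protection skips the passphrase prompt (a CI key kept in a vault).
make_signing_key() {
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Bot (constructed example)
Name-Email: release-bot@example.invalid
Expire-Date: 1y
%commit
EOF
}

# Fingerprint of the first secret key from --with-colons output
# (field 10 of an "fpr" record), which is stable across releases.
signing_fingerprint() {
  gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature; --yes answers the overwrite prompt.
sign_artifact() {  # $1 = fingerprint, $2 = file
  gpg --batch --yes --quiet --local-user "$1" --detach-sign --armor \
      --output "$2.asc" "$2"
}

# Match the VALIDSIG status line against the expected fingerprint so a
# "good" signature from some other key in the keyring is still rejected.
verify_artifact() {  # $1 = file, $2 = expected fingerprint; prints ok or fail
  if gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
       | grep -q "^\[GNUPG:\] VALIDSIG $2 "; then echo ok; else echo fail; fi
}

ARTIFACT="$GNUPGHOME/release.tar"               # constructed sample artifact
printf 'constructed release payload\n' > "$ARTIFACT"
make_signing_key
FPR="$(signing_fingerprint)"
sign_artifact "$FPR" "$ARTIFACT"
echo "verify untouched artifact: $(verify_artifact "$ARTIFACT" "$FPR")"
```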


I'd generally agree. Although I think this is rather something the people behind Enigmail should figure out. The vast majority of gpg users will never interact with it over the terminal, probably.


You're right. Not only GnuPG but everything around it (mostly email clients) is in dire need of a UX overhaul.

Presenting such a complicated technical topic only in its purely technical form is not enough imho. Clear and concise explanations for each and every action and item that gets displayed (and the whys!) would do wonders.


The page gives some information about where the money will go:

> This money will firstly allow us to continue our maintenance of GnuPG. We also intend to use it to fund our work on the Gnuk security token. And, one new project that it will support is a book called "An Advanced Introduction to GnuPG." A book for developers who want to integrate GnuPG into their programs, and need to understand the various concepts, the important security tradeoffs, and common pitfalls; for digital security trainers who need to understand GnuPG to be able to make sound recommendations to users; and, of course, for enthusiasts.

I agree with waldfee that it would probably be a very good idea to invest a chunk of that money into UI improvements. GnuPG is not exactly the friendliest program out there, even for those of us who are very comfortable doing everything from the command line.


Exactly my thoughts. Also, many people have given up signing emails with PGP as most recipients use cloud-based services like Gmail, making it almost useless. This leaves a small niche community where both ends are outside the cloud-based email network, like the journalist use case maybe.


Signing emails is by far not the only use case for gpg. The entire package signing infrastructure of all Linux distributions is underpinned by gpg. Even if they spend all of the 15K each month on having a single developer audit and improve the codebase, I'd be fine with that.



I hope they spend some of that money on the keyservers, they seem to be down every time I want to grab some gpg keys.


Keyservers are hosted by volunteers as part of a distributed pool of hosts:

https://sks-keyservers.net/

And the pool's automated management infrastructure prunes misbehaving hosts pretty quickly (e.g. not responding, out of sync, etc). See "servers in the pool" and "servers currently not in the pool" here:

https://sks-keyservers.net/status/


Well I'm just reporting the reality that the keyservers are down when I want to use them, almost without fail.

I suspect that gpg isn't trying multiple servers in the pool but only trying the first A record it finds. I've had to edit hosts to select a functioning key server in the pool many times.


Before I learned about the SKS Keyservers pool, I had my "keyserver hkp://pgp.mit.edu" in my ~/.gnupg/dirmngr.conf, and that never failed for me unless I was in a strangely firewalled environment. Maybe try that?


I run one of the many keyservers. I have various checks running regularly to make sure everything's fine, both on my own server, some selected other servers, and the pool in general. It's rare to have an issue, and bad servers get taken out of the pool within an hour thanks to the pool's automated checks (which are completely separate from my own).

What sort of issues are you seeing? What server are you querying? Where in the world are you located?

There's a bunch of servers out there -- https://sks-keyservers.net/status/ -- but most tend to be in North America and Europe. That might be an issue, depending on where you are.


I was wondering, how do they sustain such an effort? I mean, working on GnuPG is not exactly a simple task (I guess), so how do they fund themselves? I understand the donation campaigns, but what about when that money dries up? I read that the main dev had to work on other things not related to GnuPG. Does it mean that we do have somebody working on GnuPG with a sheer level of pragmatic altruism (i.e. working for close to nothing as long as he can feed his family)? I'd like to know what it feels like to work on GnuPG from the inside...


The project was on the brink of collapsing a few years back; there was a ProPublica article back then that shed some light on what you're asking.

https://www.propublica.org/article/the-worlds-email-encrypti...


I wonder if they've reached out to news organisations like The Guardian and NYT. Also, perhaps human rights charities could make reasonable contributions once someone explains the importance of the project?


Should I fund improvements to Signal instead?


Both GnuPG and Signal are great projects, but GnuPG has a different use case from Signal.

You should, ideally, try to fund improvements to both projects.


> [...] Signal are great projects

If I may derail this thread even further: I find XMPP+OMEMO even better. The security concept is basically identical to Signal, but users don't have to rely on particular servers, and widespread adoption would end the problem that people who use different servers/clients can't talk to each other.

Also, there are great apps for XMPP. For desktop users there is Gajim[0], for Android there is Conversations[1] and the Apple folks have ChatSecure[2].

[0] https://gajim.org/
[1] https://conversations.im/
[2] https://chatsecure.org/


> You should, ideally, try to fund improvements to both projects.

And a thousand more. The question is where to channel scarce resources.


No. Signal identities are connected to phone numbers (which is fine for most people, but not fine for the very people who actually need end-to-end encryption) and Signal is not fully open-source like GPG is.



