Calling GnuPG "email encryption software" really understates its importance. It's also used in countless applications to encrypt data at rest, and GPG signatures are used to secure the distribution of software. For instance, GPG is an essential part of the package managers of Debian, Ubuntu, and RedHat.
Seems odd that the MANY projects dependent on GPG don't donate enough to GPG to employ one guy.
Do Free Software projects with funding 'pay it forward' to the volunteers on other projects they heavily depend on? (I don't really know) If not, they deserve to suffer the consequences.
I freely confess to being flabbergasted by these displays of less-than-rigorous thought processes.
How would a free software project 'pay it forward'?
They are in a very similar position, aren't they?
Edit: For some reason, I can't reply to child comments (probably a cool-off time-out at work?).
Just a short note here, then: $1.25e6 for the FSF translates to 10 developers like Koch being paid (the donation page quotes "120000 EUR").
That's ten. For the whole FSF. As an example of a well-funded project.
I'm not going to comment on that. HN would rightly give me months of cool-off time.
There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year. These projects are usually end user facing, in a way that their dependencies aren't.
It seems reasonable that these projects should consider adding items to their budget to redistribute funds to projects that they depend on.
Some probably do this, however I think the GP was suggesting that something like this become more common.
> There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year.
Too bad OpenSSL wasn't one of them until after the big "heartbleed" incident.
The core infrastructure projects don't seem to get as much funding as they ought to, especially given almost everyone relies on them (even if they don't realize it).
Prior to Heartbleed and the industry rallying to fund critical projects, OpenSSL only received an average of $2,000 USD a year[1]... that's pathetic.
Over the next three years, the Linux Foundation will receive a combined total of $3.9 million from Google, Intel, Amazon and others to fund core infrastructure projects such as OpenSSL. Sounds good until you take a step back...
> Intel will invest "$300 million to help improve the pipeline for women and minorities, actively support the hiring and retention of diverse candidates, and fund programs that support the positive representation of women and minorities in technology and gaming industries."
> "Google Gives $775,000 to Nonprofit for Tech Diversity
CODE2040 said Monday it received $775,000 in grants from the tech giant to support the launch of free training programs for more than 5,000 black and Latino college engineering students over the next two years."
It's interesting with the Outreach programme in GNOME (I think that's what it's called), because if you periodically look at planet.gnome.org, there are interesting things going on with developers within that outreach programme.
But there are also justified backlashes to the programme, given that there is a perceived priority given to the programme in some areas instead of writing software. The argument is that not everyone and their dog needs to be involved with writing software, so why should we encourage them to? You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".
Strangely we do in IT though, where it is the belief that we should make EVERYONE code!
> You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".
Yes you do. Every single fucking time this comes up someone says "you don't see this in construction". It's rebutted every time it comes up and it's really fucking easy to do a simple web search to find examples of programmes to get men into teaching or nursing or to get women or minorities into construction.
Replying to myself to mention that I am neither for nor against the GNOME outreach programme!! - I am entirely an observer! I haven't used GNOME since GNOME2 due to disliking the new interface; I periodically check on there to see what's going on in the GNOME world and it is quite interesting, both for developments and also for what's going on internally with disagreements and discussions between people.
I thought I ought to add that because I suspect people are thinking that I dislike the programme? Either that or people like down voting with no reply.
With regard to the encouragement for everyone and their dog to take up coding, I see it a lot but in truth I do not see the same things in other professions - I have never seen a push to make youngsters take an interest in banking or journalism yet over here in the UK there is a push to make programming/coding a part of the national curriculum for youngsters, hence the introduction of the Raspberry Pi to encourage that.
Didn't GNOME almost go bust last year and hold an emergency donation drive, due entirely to granting too many paid internships (or similar) to people who aren't established GNOME developers, or even programmers?
No. The GNOME foundation is managing the funds of the outreach program (which doesn't have anything to do with GNOME, really, except it started there), so when some of the sponsors (think big corps) of the outreach programme didn't pay their agreed upon share on time, the foundation ended up in trouble. It was simply a liquidity problem which was solved when they received the sponsorship money.
That's at least how I think it went, you can go look it up, the details are online.
In addition, some projects that are not well-funded as a project are "funded" in the sense that companies pay people to work on them, for example Microsoft paying Simon Peyton Jones to work on GHC.
Firefox is kinda special because they get a lot of money from whoever pays them to be the default search engine, doesn't matter if it's Google or Microsoft or Yahoo. There's only so much software that can get away with that, GPG certainly can't.
All of the Debian developers are volunteers, am I wrong? Slackware can barely support one employee, the founder. OpenSSH falls under OpenBSD, which also supports just the founder, everyone else volunteers, and they DO volunteer some serious time and do important things. They also had problems raising funds, there were discussions on HN about that here, and I'm sure there will be more in a year or two.
From: http://www.openbsdfoundation.org/campaign2014.html :
* If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.
This is kinda depressing.
Is there someone from the Debian project here? I'm wondering if they could afford to run their own mirrors around the world if they had to. Could they cover hardware, colo and bandwidth costs, if they had to? I'm just curious.
> There's only so much software that can get away with that, GPG certainly can't.
That's the point -- the ones that can should support the ones that can't, which are often foundational components of the reason the ones that can, can get money in the first place.
Perhaps GPG should annually auction off which nation-state security service or online advertising company's public key gets automatically added to the recipients list for each encrypted message? </cynical>
Debian... seems to mostly get by on volunteer labor and be ok with it, or it did when I was involved with them. Has that changed? I suspect that in some ways Debian is underfunded given the amount of work they do. Perhaps money would make some things happen faster there.
The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.
Firefox/Mozilla make most of their money with deals: Google and Yahoo, last I remember.
I don't know about OpenSSH.
It's possible, but mostly donations don't seem to work unless it's big chunks of money from companies.
> The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.
The ASF budget is roughly 1.2 million a year, the bulk of which goes to maintaining infrastructure for 200+ projects.
The significant losses due to Ubuntu development and related expenses are why Canonical as-of-late has been turning focus away from Ubuntu towards other markets such as Mobile and especially Enterprise (a la Red Hat's turf).
Ubuntu itself is a central part of their cloud business, so Ubuntu is indeed profitable for them. What's not profitable is their desktop and end users' market.
That's not quite how it gets expensed (nor how it works).
Canonical's cloud business might be profitable (even though Canonical as a whole is very-much-so-not), however their cloud business is not coupled to Ubuntu, i.e. they could use any Linux distro, or any OS for that matter.
Ubuntu is a total loss center for Canonical. It's surprising to a lot of people given its popularity... but popularity doesn't equal profitability... especially when most users don't pay anything for the software (not even support fees).
Not sure what "of course" means here... it's very possible to be profitable off your OS Development division... look at Red Hat, SUSE, etc. They pay for the development from support payments... they collect support payments because enterprise wants their OS... it's a positive feedback loop. The better the OS, the more enterprise pays, the more funding RH can put into the OS dev team, the better the OS gets, the more support fees they collect, etc etc etc...
Canonical has not been able to successfully charge for support like RH and SUSE have figured out.
> But it is a net gain for the company, and in fact without it the rest wouldn't exist.
It's not a net gain unless the company can be profitable as a whole and subsidize (and justify the enormous expense) off-put by tertiary services, etc.
... right now Ubuntu project is responsible for Canonical being perpetually in the red... every quarter, since their foundation. Canonical could very well just run enterprise support contracts, or push their cloud services. They don't have to use Ubuntu... any OS would suffice. They aren't somehow coupled to Ubuntu to the point if Ubuntu didn't exist, Canonical wouldn't either.
I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.
Circa 2008, before the Unity and Pulseaudio switches, it was considered by pretty much everyone the premiere Linux distro. I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
Even today Dell is still doing Sputnik and in European countries you can buy HP hardware with Linux. Why is Canonical not taking advantage of the fact that they could be making money off support for their desktop OS through all the hardware vendors?
> I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.
Ubuntu has never been profitable for Canonical. Shuttleworth's game-plan was always long-term minded regarding Ubuntu -- but as we've seen as-of-late, Canonical is shifting focus to other markets they view as potentially profitable. Shuttleworth has committed to keeping Ubuntu alive, but it's no longer Canonical's sole hope for income.
> I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
This isn't just a problem for Ubuntu, but for most end-user Linux distros. People always joke with Linus about when the "year of the Linux desktop" will finally arrive... The people who use Linux as their daily driver generally don't need the support, and for the ones who do, well it's a lot less marketshare than Windows.
> Even today Dell is still doing Sputnik
Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.
It's weird too, because Sputnik is $50 more expensive than the Windows version of the same hardware. (probably some Microsoft deal going on here).
Linux comes pre-installed on the majority of server hardware (server hardware that comes with any OS at all, that is), and Linux dominates this field. But the "year of the Linux desktop" hasn't quite arrived yet. I do hope it comes soon.
> Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.
I've used System76 and Zareason. System76 are Ubuntu-only (and the hardware may have issues with other distros); Zareason will support any Linux.
You know, I actually didn't know about Zareason. Their website seems to have pretty reasonable prices for the hardware you are getting, and I love having a choice of my preferred distro to run (I'm a Fedora guy).
I run full-time linux on my laptop and my goto hardware has typically been a Thinkpad T series.
> Canonical is shifting focus to other markets they view as potentially profitable.
Is it about profits, or - I'm going to be kind of cynical here - chasing taillights? The way they seem to bounce around from one thing to another (mobile phones! embedded!) makes it feel like the latter.
> The way they seem to bounce around from one thing to another
I tend to agree... modern Canonical feels like a company that lacks focus (probably because they aren't quite sure what the focus ought to be after realizing Ubuntu might not ever turn a profit for them).
The people who would buy computers with Linux probably wouldn't pay for tech support. Enterprises might, but not individuals. Plus I suspect that Microsoft is pretty keen to defend Windows on the consumer front - I've heard stories of deep OEM discounts on the condition that they don't offer alternative OSes.
I mean in the same way you buy a Dell notebook and get two years of phone support, you would get the same with a Dell Ubuntu notebook but Canonical would provide it and Dell would pay them for it.
I mean that the people who would buy a Dell Ubuntu notebook mostly wouldn't use phone support. If Dell thinks the same, they wouldn't pay Canonical very much to provide that support. They do now sell the XPS 'Developer edition' with Ubuntu; I have no idea whether they pay Canonical for support, or how much that makes.
The FSF had revenue of 1.25 million in 2013. I'm not trying to comment on where it came from or where it went to. I'm only pointing out that they are not in a very similar position.
Typical credit card fees are 2.9% + 30c. Assuming that they pay regular fees and not non-profit rates (which tend to be lower), their average donation amount would be around $7.14.
With that many transactions they should be able to negotiate a lower fee than that. My company did a bit over 4 million in CC transactions last year and our rate is 1.9% and I believe the flat rate per transaction is 25 cents.
As someone else pointed out 2.75%-2.9% is common, often there is a charge per transaction too (on the order of 25 cents after it's all said and done). The fee can change based on the card type (the merchant pays a higher fee on rewards cards normally... someone has to pay for rewards!) and international purchases can have additional fees. Chargebacks can also bump up fees, ditto for outsourced fraud protection.
This is partly why I stopped donating to the FSF. They're dumping some amount of that money into misguided PR campaigns rather than helping out the developers trying to make free software better.
1.25 million USD is really not a lot of money at all... especially given all of the projects the FSF supports under the GNU umbrella.
If they had zero expenses other than staffers, at a very modest 65,000 USD a year that would not even cover 20 people.
The EFF and FSF are the only real "good guys" out there fighting for your techie rights every day... They could really use your donations and support (even if you don't agree 100% with all of their message).
> How would a free software project 'pay it forward'?
As mentioned by the grandparent comment, GPG is in use by Debian, Ubuntu and RedHat package managers. Whether or not you count those three as free software they have plenty of money to pay forward to a piece of software that underpins their entire stacks.
Unless I've missed something big in the past 2 years even the Debian Project Leader is still a volunteer[0]. If most/all money's going to operating costs it's hard to make the case they're holding out on somebody. They also have a record of treating their upstream quite well so I'd need some evidence to believe they're dropping the ball.
I am having a hard time finding financial statements from Debian.
Ubuntu, or rather Canonical, being a private company, doesn't seem to release financial information.
The Ubuntu main page doesn't even provide a 'donate' link anymore.
Which leaves RedHat, at last. A public company, of course[0]:
Operating profit 2014: $ 1.3e9
Net total income 2014: $ 178.3e6
This article claims that $222k was the budget for 2012 for Debian, down at the bottom. It also claims the budget should be $19B, if paid at market rates.
You're off on your numbers. The 120k are for him plus one developer. By that estimate that's 20 people for the FSF.
However, a lot of commercial entities use pgp as the core of their business: all software packaged for the Linux world is signed with gpg one way or another. All commercial distributions depend on it at their very core. I'm amazed that they don't fund gpg at least partially.
The thing is, the underfunded dependencies that are the most vital are those that are widely used by many projects. If it was normal to chuck a small percentage of available funds to dependencies, the money would start to add up.
A cultural and structural change is needed when things like GPG get nothing, while viral, superficial and gimmicky work gets snapped up for millions or billions, when end users choose free products that threaten privacy and flood our world with advertising rather than pay the price of a cup of coffee for quality trustworthy products.
What this and all other software projects need is marketing. There is just too much noise out there. We landed on a comet last year and we still needed marketing to let the people know about it. If we invented free energy tomorrow, we'd all hear about it via some sort of marketing. Marketing is much, much easier to implement than cultural and structural change.
"Pay it forward" means to grant a favor or gift to a random person, in remembrance of one who did a favor for you before. The idea is to initiate a chain of favors and gifts to brighten the world in general.
It's a play on words though, by analogy with "Pay it back" which is returning a favor to one who did a favor for you first (like paying back a debt). In the case of large distros being heavily reliant on GPG and other upstream projects, I think the applicable term here is "pay it back".
Upstream developers helped out Debian, et al, and now Debian needs to pay those developers back. Arguably, by gifting their distros to the world at large, they're already "paying it forward".
Me too. This software is too important to not have someone dedicated to it full time.
I left a note that he (like the EFF and the ACLU) should have a recurring donation option, or at least an option to receive a once yearly email asking for a donation. There are many people that would happily go with a recurring donation if that option were available.
Watching the bar on the GnuPG homepage is pretty encouraging. Since the article was written, we've donated nearly €30k more. It looks like the problem was that people hadn't heard about it, not that we're all too selfish to donate.
I just chipped in $25.
Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way to the funding target.
This was posted on HN 2 months before I donated £50 at that time so I wouldn't say it didn't get enough exposure.
It's just that it takes a lot of media attention to get you to your goal, plus a lot of the donations are coming from regular developers who understand the importance of this instead of the big companies profiting from this software.
GPG is an integral part of the Open and Free internet.
Imagine all the workflows that depend on verified encryption signatures like Debian, Ubuntu, etc and that's just software distribution, not counting privacy issues like journalists, political dissidents, whistle blowers, etc using it for secure communications.
It was pretty easy to donate, took me less than 2 minutes. I encourage everybody that is able to make a donation, however small, every euro counts.
Ditto. Was just talking with one of my employees this week about setting up encrypted email. Right now we use OTR chat for any sensitive stuff, but that's not always the most convenient channel. Like most others I had no idea this project was so under-funded.
Really happy to see that this post on HN has traction, and delighted to watch the counter go up. GPG and other security projects need a way better tech PR push.
We're our own worst enemies. Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it. Because then you're just "greedy" and not pure enough.
But that'll never change unless all of a sudden we say "Ok, on the count of 3, everybody stop giving away their hard-earned expertise for free. 1... 2... 3..." We're like musicians nowadays. We love it, so we do it without insisting on compensation.
A few months ago, I Show HN'd an open source project, but reserved the copyright to the code. The commenters immediately took note of this and I felt compelled to switch it to an MIT license. (It was open source for security reasons, if you're wondering.) I'm glad I did, but the point remains: there was pressure to conform.
> Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it.
Er, the first to keep their source closed and try to charge for it happened a long time ago, and there are huge numbers of developers at firms from one-man shops to massive megacorps still doing it today.
The idea that closed-source for-profit development is a novel idea that violates norms in the software development community and that everyone is afraid to try is cute, but, you know, completely contrary to the actual facts of both the current state and history of software development.
Why in the world would this be downvoted? There is nothing inflammatory about this post at all. He's bringing up a widely debated point in our industry.
> nobody would trust closed source encryption software.
ORLY? Have you read much source for BitLocker or FileVault, recently? WhatsApp? Skype? And those are just the most popular ones off the top of my head...
No, and I wouldn't trust myself to read it either. But, there's a fair chance that someone I trust eventually will and that they'll point it out when they see something fishy.
I see the encouragement to switch to an open source model a lot too. When a closed-source or close-licensed project is posted, you get a few commenters saying how great it'd be if the project was open source because then the community would benefit. Call me a cynic but in reality, this likely means "please make the source and licence more open so that I can use it without paying you".
I say this because I know that when I am looking for libraries to use at work in commercial software, I have to look for BSD-style code and now actively steer clear from GPL and LGPL code (static builds for me please).
It isn't to be malicious but it's mainly because I would like to continue living. Giving away things I have spent years working on doesn't pay my mortgage or put food on the table.
> where nobody wants to be the first to keep their source closed and try to charge for it
Seems like there's another option -- open source your project and also charge for a license to use it. By open sourcing people will trust it more which will cause its value to go up. And then more people would be willing to pay for it.
> Seems like there's another option -- open source your project and also charge for a license to use it.
If you open source your project, unless you're using an unusual definition of open source, you've provided a free-of-charge, sublicensable license to use, modify, and distribute it. (Or, at least, a license that the licensee is free to sublicense without charging the sublicensee or paying an additional fee to you, so even if you are charging for the direct licenses, the more you sell the greater the probability that it will be available at no charge.)
You could open source it and charge a fee for professional support, however, which is a fairly common model.
As I understand it, that's what he did. He open sourced it and kept copyright on it. That would mean that everybody would be free to read it as posted but wouldn't be able to use it or distribute it without permission.
Releasing something under an open source license usually involves retaining copyright but is, itself, giving permission to use, distribute, modify, and distribute modifications. Pretty much every open source project either retains copyright of the work or is composed of the work of developers who each retain copyright of their portion of the work.
The problem is that in practice most people in almost any free software project do not have the funds personally to afford donating all the time.
I mean, I feel the burn when I give money to Debian, Arch, KDE, etc - but I do it because I know I have to, because the software is so important to me. The $500 or so I donate each year is a lot of money to me, and I'm in the US - I cannot imagine how much donating to these projects would hurt the international users who make significantly less than the 15-25k or so I make annually.
I don't know how KDE managed it, but Blue Systems (http://en.wikipedia.org/wiki/Blue_Systems) is a German company founded by one Clemens Tönnies, Jr. Don't know anything about the guy, but he is somehow paying 10+ KDE devs without a business model. I've donated a lot to Kubuntu, but I cannot imagine in a million years they get enough donor money to fund all the devs they employ.
But those kinds of philanthropies, the way Mark Shuttleworth keeps Canonical afloat, seems to me to be the only practical way to keep free software afloat. You cannot ask a million destitute people to donate money they need to eat or sleep comfortably, but we as a community don't have the charisma or ears to get fat cat donors to foot the bills. Probably because software freedom does not matter as much when you are wealthy - you can just pay to get the software you want made anyway, and you might even be able to bribe companies to give you the source if you care enough.
And I recognize a huge portion of the donor pool for most free software projects isn't either end of this spectrum, but people like me making something above the poverty line and below extravagance that donate what they can where they can, but that is consistently shown to not be enough. And I imagine it is more because it takes millions of average joes paying dollars to match what one millionaire can do in an instant.
If it's a registered non profit you can donate and 'write it off' too. The idea that a 'big company' should do the donating is short sighted. That big company is made up of individuals. If everyone reading this donated $100, the problem posed by the article would disappear.
My point is that it's probably easier to get a company that is turning a profit off of something to donate a single large sum, than to convince a million people to donate $1.
If your effort is half as good, you still get half a million people to donate $1.
On the company case, one million is not pocket change, so this will be a serious decision that has to be approved by several independent branches within the organization, each with veto power. Screw one of those and it's a deal breaker.
Furthermore, I'd say that this decision is one that is particularly difficult to frame for the company. While corporations do understand direct costs very very well, they are practically hardwired to ignore/exploit the gift economy. So the discussion will be steered towards what indirect benefits the company will receive from donating to a worthy cause (public relations, tax exemptions, etc) and away from the consequences of letting an (unacknowledged) strategic partner go under.
Not to say that a corporation cannot assume stewardship of a distressed project, but it almost always requires executive fiat to get over the bureaucracy.
It's easier still for a business to pay for a support contract, contributing to Canonical's revenue. Perhaps they could send a small fraction of that money to projects like GPG.
Ubuntu is not making money, and Mark Shuttleworth keeps infusing the company with his own pocketbook whenever it goes in the red. They might be doing something on the server / corporate support contracts end nowadays, that has really taken off in the last few years, but you might as well just ask Mark to hire Werner Koch.
Red Hat is among the largest funders of OSS development in the world. We need more companies acting like Red Hat.
I don't know how we get there when companies like Apple eat such a huge portion of the consumer OS and application dollar and companies like Microsoft and Oracle eat such a huge portion of the corporate dollar.
Red hat pays people to write open source software. The skinflints are the companies publishing closed source stuff and the consumers using free software.
My name isn't even on the list of recent donors anymore, that's going fast! Maybe he'll wake up tomorrow and hit refresh a couple times to be sure there's nothing wrong with the counter, hehe.
...which indicates to me that GnuPG wasn't sold properly. It's not just a "privacy tool" -- it's one of the ways that software (including OpenSSL) is securely distributed. I would guess that quite a few of the CII's members benefit from GnuPG and don't even realize it.
GPG's goal is about privacy, while OpenSSL is more of a toolbox with most of the tools you need for anything crypto-related.
I imagine those people need to control integrity of the software, to make sure it is deployed correctly on their servers and distributed securely to their clients and users, and OpenSSL has all they need for that. Privacy, OTOH, is unneeded because they are not (or rather much less) after their own or their users' privacy.
Thanks for the donation link, I just used it. It seems odd to me that an article bemoaning the fact that GnuPG's author is going broke gives no information at all on how to help rectify that condition.
> It's also used in countless applications to encrypt data at rest
Exactly. Given the number of corporate laptops encrypted by corporate IT with that software, and thus definitely some "license" style good money paid by the corporations to some entities... I never believed in the magical concept of trickle down and it sounds like it doesn't work here either.
What is the simplest program out there right now, open-source, that will let me sign binaries with a key?
I'm experimenting with a dead-simple licensing system using SSL certs and signing--rough idea is, cert is from me, and when it expires, software says "lol no get new cert".
I'm sure this has been done before, but the amount of custom license management code I've seen in the wild makes me wonder...
By all means. Ed25519 (which underlies signify) is a pretty decent modern signature scheme. (tweetnacl.c also implements it, in less code.)
It also seems you want to expire things, so I do feel I have to warn you that signatures are a totally separate thing to a secure time source, which is a whole different bag of marbles.
However, since what you're designing sounds like a logic bomb/copy protection/DRM system, I must say what I've been saying for the last quarter-century or so: please do not design your software to deliberately fail. That is a bad call: trust me on this one. Any crypto that you do to support it, even if the crypto itself is sound, is just tapdancing around a failure state.
Software is shareware, gets a little naggy within 30 days of license expiration, send money to get a new license file, which makes the nagging go away. No cessation of service.
I'm not worried about clock spoofing--I assume basically good-faith customers.
Signing would keep people from just copy-pasting certificates around. If they want to go into the executable and rewrite the routines, well, there's only so much one can do, yes?
If you assume basically good-faith users: why nag them? After they registered? Aren't they assuming basically good-faith authors? Why do you think people who you'd nag after they registered would copy-paste keys but not download a crack?
(Your registrations are time-limited? That's very unusual for self-described "shareware". That's pretty much "commercial, but your demo nags".)
You're welcome to choose whatever business model works for you, of course, but take it from me, this one's straight from the early '90s. I hope it works for your users too.
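As an added example (not code from any commenter), the signed-expiry check the thread above discusses, done with Go's standard-library Ed25519 (the scheme signify uses): the customer id and expiry are signed together, the verifier checks the signature before trusting either field, and the expiry is compared against a clock the caller supplies, because, as noted above, a signature says nothing about what time it is now. The payload layout and the Issue/Verify names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed license layout for this example (not a real format):
//   payload = 8-byte big-endian Unix expiry || customer id (UTF-8)
//   license = payload || 64-byte Ed25519 signature over payload
// Everything the verifier acts on (expiry, customer) sits inside the signed payload.

var (
	ErrBadSignature = errors.New("license: signature does not verify")
	ErrExpired      = errors.New("license: past expiry")
)

// Issue builds and signs a license for customer that is valid until expiry.
// Only the holder of the private key (the vendor) can produce one.
func Issue(priv ed25519.PrivateKey, customer string, expiry time.Time) []byte {
	payload := make([]byte, 8, 8+len(customer)+ed25519.SignatureSize)
	binary.BigEndian.PutUint64(payload, uint64(expiry.Unix()))
	payload = append(payload, customer...)
	return append(payload, ed25519.Sign(priv, payload)...)
}

// Verify checks the signature first and only then reads the fields. The caller
// supplies now: the local clock is not a secure time source, so the expiry check
// is a good-faith check, not a security boundary. On ErrExpired the parsed customer
// and expiry are still returned so the application can nag rather than stop working.
func Verify(pub ed25519.PublicKey, lic []byte, now time.Time) (customer string, expiry time.Time, err error) {
	if len(lic) < 8+ed25519.SignatureSize {
		return "", time.Time{}, ErrBadSignature
	}
	payload := lic[:len(lic)-ed25519.SignatureSize]
	sig := lic[len(lic)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, payload, sig) {
		// Tampered payload, truncated file, or a license signed by a different key.
		return "", time.Time{}, ErrBadSignature
	}
	expiry = time.Unix(int64(binary.BigEndian.Uint64(payload[:8])), 0).UTC()
	customer = string(payload[8:])
	if !now.Before(expiry) {
		return customer, expiry, ErrExpired
	}
	return customer, expiry, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	expiry := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	lic := Issue(priv, "acme-corp", expiry) // constructed sample customer id

	// Valid license checked before its expiry.
	c, e, err := Verify(pub, lic, time.Date(2029, 6, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("valid:", c, e, err)

	// The same license checked after expiry: still parses, but reports ErrExpired.
	c, e, err = Verify(pub, lic, time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("expired:", c, e, errors.Is(err, ErrExpired))

	// Editing the expiry field of a valid license invalidates the signature.
	forged := append([]byte(nil), lic...)
	binary.BigEndian.PutUint64(forged, uint64(time.Date(2099, 1, 1, 0, 0, 0, 0, time.UTC).Unix()))
	_, _, err = Verify(pub, forged, time.Now())
	fmt.Println("forged expiry rejected:", errors.Is(err, ErrBadSignature))
}
```

Note that the signature binds the expiry to the customer id but does nothing to stop a customer handing the whole file to someone else; that is the copy-paste limit the thread already acknowledges.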
That's awesome, but it's weird to me that Facebook, etc. will happily pay a senior engineer a total compensation of $200k+ yet only pledge $50k for the maintainer of a critical tool. Not trying to look a gift horse in the mouth here, just odd perception of the priorities here.
Facebook gets all of the value produced by their own developers, but the benefits of GPG are shared. If every big tech company matched Facebook's $50k, the total sponsorship would be equivalent to several engineer salaries.
I'd guess that whoever downvoted you thought this was a troll meant to start a flamewar with C++ vs. PHP and whether one or the other is more difficult (read "better" or "a real language").
It's interesting to note though, that Facebook does use PHP and C++ extensively. And Facebook maintains a large number of open source PHP and C++ projects. So I suppose that some Facebook engineers are more involved with PHP and some more involved with C++.
But more importantly, I don't think Facebook engineers are bound to a technology. They think about how to solve problems. If PHP is the best tool to solve a problem, they'll use that. If it's C++, they'll use that instead.
Ah I hadn't thought of that about the flamewar. I use both languages (now mainly C++ as I don't need to use PHP for the stuff I am writing anymore).
You're right about them using the right tool for the job - their entire HipHop etc. (whatever it is called now) creations to convert PHP to C++ and run a C++ web server are a good indication of this. Good point!
I've been complaining about this on HN before; lots of startups built chat apps on top of GPG during the whole Snowden thing and Werner can't raise $120,000.
I'm really glad Pro Publica picked it up, but I also think we need to change the way we think about critical software like GPG. The GPG Tools team (GPG for Apple Mail) recently stated they need to charge for the tool in the future because they simply can't handle the amount of work anymore (it's still GPL) — the response from us was nothing but outrage.
// I just realized all of this is mentioned in the article. My bad.
> I also think we need to change the way we think about critical software like GPG
Maybe the lesson here is not to license important software under such permissive licenses. Make it open source and free for non-commercial, require a donation if it is used in a commercial product. I don't really see how you can give something away for free and then expect companies to volunteer to pay for it.
> open source and free for non-commercial, require a donation if it is used in a commercial product
Every serious definition of 'open source' or 'free software' says that you can't discriminate by field of endeavour - if you have one set of rules for commercial use and one for non-commercial use, it's not really open source. And the nature of donations is that you can't require them.
That's not to say that you can't build a business model around open source software. You can charge for pre-built binaries, you can charge for exceptions to the GPL license to build proprietary software with it (this is what Qt used to do), or you can charge for services associated with the code (e.g. running a hosted service). You can even technically charge for the code itself, though since anyone who buys it can resell it or give it away, that sounds precarious.
We call it Free and Open Source Software for a reason. Open Source means the code is open (i.e., you can study it), Free means it's licensed under a Free Software license (it doesn't necessarily mean free of charge).
People usually omit the "Free and" part when they talk about FOSS.
You are right about the open source part: http://opensource.org/osd. The 'Naming' section of your link references the OSD.
Calling it just one or the other is enough though. Being "under a Free Software license" by definition means "the code is open (i.e. you can study it)", so no need to say "and Open Source".
I do however prefer calling it free software over open source as I find the free software definition simpler than the OSD. And also because the term open source seems to place importance on the code being 'open' instead of 'libre', which you'll hear RMS talking about every time someone says open source.
"Free software" has issues as well as a term, since free can obviously mean two things, gratis or libre. However, once the reader/listener has understood the difference between free of charge software and software that preserves your freedom to study, modify and redistribute it, I think open source is the more problematic term as it can more easily cause confusion as demonstrated by your comment (where you think open source means that the code just has to be 'open').
> The kind of "open source" I was talking about is source code that is released under a non-free software license. What do we call that?
"obnoxious".
More seriously, typically something like "look but don't touch", or "proprietary with source available", or "source available under a restrictive license". Microsoft used to call it "shared source", and that term still has those connotations too.
Definitely not "open source", though; that means more than just "has source available".
It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.
The Unreal Engine is an example for this kind of business model on a large scale. KoboldTouch (used to be?) an example for the same on a very, very small scale (less than 5 people). I really don't see anything "obnoxious" about it.
> It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.
Yeah, that's a very different case. It's indeed moderately common for proprietary software frameworks/engines to include source, so that their paying customers can modify and redistribute, but cannot redistribute in source form (modified or otherwise). That's not any more obnoxious than any other kind of proprietary software distribution, and I wouldn't call it "look but don't touch", though it certainly isn't open source or free software.
The case I'm talking about is software with publicly available source, but under a restrictive license that doesn't satisfy the OSI or FSF or DFSG definitions. For instance, many random projects on github that don't bother applying a license, or rar (the archive format implementation), or tarsnap, or the extremely obnoxious JSON license.
There's nothing wrong with doing that. Feel free to do whatever you want. But what you are talking about is not "Open Source". That term has a (different) meaning. If you use "open source" for that, you will confuse and trick people.
"open source" has been in use as a term in tech for a long time. It means (essentially) the same thing as "free software". Licences that disallow derivations (or commercial derivations) would not fall under the definition of "open source" that nearly everyone uses.
You are free to come up with your own definition of popular, agreed-upon terms. But this will lead to problems when you're using a different definition from everyone else.
It might be a little tricky in the case of GPG since it is really a GPL port of the commercial PGP software. So a major reason for its original existence is that it is GPL code.
Gpg is not a port of some PGP version but an implementation of rfc4880 and earlier open standards. I actually took great care not to look at any "open source" PGP code. The reason why dual-licensing does not work is that I assigned the copyright to the FSF in 1998 and when I terminated that contract 2 years ago too many other hackers had code in it or had assigned it to the FSF. Thus there is no way for anyone to switch to a dual-license.
I think parent was badly worded/thought out, but points to a real strategy. He said "charge for commercial use", which is definitely illegal, but what a lot of projects do is dual-license open source and proprietary. If you're a non-commercial project, you'll usually just use the open source version; if you're commercial, you'll want to be able to both link the project into a proprietary codebase and get support guarantees, so you pay for the proprietary license.
It is not "definitely illegal" to set license terms to whatever one wishes, including restricting commercial use. The GPL hinges upon copyright to enforce its provisions. Copying privileges are revoked for people who violate the license. This is a legal "hack" to get around the need to establish a contract or exchange funds. The same sort of rules can be applied for any other criteria such as the type of user. If I want to prohibit blue-eyed people from using my software I am free to do so. Dual licensing isn't a requirement to do this.
This is exactly what we ( http://linphone.org ) do: we have a GPLv2 license that's used in many many open source projects, and we have a specific license for commercial projects, for which we provide support and the ability to not disclose the sources that our clients might modify.
This way of functioning gives enough money to employ 10 people, and has also secured a lot of new developments (encryption, video, etc.). Disclaimer: I'm just an employee, not the founder.
I would advise him to switch to that kind of licensing, if he wishes to. There's no reason he shouldn't be able to live through his work.
One problem with that strategy is it forces you to use a licence with some sort of restriction (like copyleft) to make dual-licensing useful. You can of course dual-license a BSD or MIT licensed project but no one would use the "dual" part of the dual-license since the copyfree license allows them to do everything they need.
If you do this, the problem with dual-licensing a copyleft project is as follows:
- The copyleft license allows use in other projects with the same copyleft license
- The "dual" part allows use in proprietary licensed projects (the stated enemy of the copyleft license)
- The ones left out are projects that use other copyleft licenses and copyfree licenses.
In my opinion dual-licensing copyleft licensed projects is a mockery of the purpose of copyleft.
All this is however irrelevant to the discussion about funding core FLOSS software. It doesn't matter the license, the challenges to funding such a project are the same.
Don't forget that permissive licenses are one of the main reasons people widely adopt these tools in the first place.
I hear you though. Free of charge and open source need to be two separate things (not all the time, of course). Cutting costs in FOSS development usually means spending less time on websites, documentation/support and UIs, which hurts the projects in the long term. It's a vicious cycle.
It's nice in theory, but then the definition of "commercial" can mess it up, and can be subject to how judges (anywhere in the world) interpret it. A German court ruled that "non-commercial" (in a CC licence) meant only for personal use, and non-personal entities had to pay. https://www.techdirt.com/articles/20140326/11405526695/germa...
I had no idea this project (and others) had so few contributors. I'd love to be involved in some Open Source project but I always feel like "yeh there's probably millions of people far more talented than me wanting to contribute" and I've no idea how to start. Some people suggest taking a look at the open bug lists for software you use frequently, but on the few occasions I've tried that (python, gcc, and a couple of others) I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.
I did manage to do some isolated contributions to Open Corporates (http://turbot.opencorporates.com) where the community are super-welcoming and very patient, but I've felt a little isolated and like I'm not exactly giving much back. Apologies for the mildly-OT rambling.
I'd suggest looking for smaller repos to contribute to. Much less daunting, much more opportunity. My small OS contributions have been where a small repo, owned by one guy, does mostly what I'm looking for but I want some feature or notice some bug. Then it is easy to work on it/fix and do a pull request. They're usually happy for the activity.
> I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.
Sometimes it's small things, like documentation. For example:
I've sometimes wondered whether it'd be worth mid-to-large open source projects doing more triage for bugs. Because I'm in a similar position: I'm happy to make small fixes to stuff I use, but I'm not familiar enough with many codebases to fix big bugs. If I could pull up a list of bugs sorted by "expected ease of fix", I think I'd contribute a lot more.
I think the biggest problem is visibility for these projects.
They need to be louder.
In the case of openssl, I had no idea that they were severely underfunded (until heartbleed).
Same for GPG until now. I didn't hear they asked for donations.
And I doubt I'm the only one. So I quickly checked if maybe this was big on HN at a point and I just missed it.
If even the most technical people (who actually know what GPG and openssl are without looking it up) don't hear about this, how are regular people going to find out where to throw their donations at?
I think people would donate if they knew about it. I'm going to send this guy $100 and consider it a license fee, because he deserves it.
EDIT: An example of development that is slow-coming: library support. Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.
Wrapping the command line should be a little bit safer from a security perspective, since a memory exfiltration bug won't transfer across processes. Just don't use the shell between the wrapper and the command.
Is this really the case? I recall that proper library support is slow-coming, not because of security model concerns, but because "doing it right" takes more time / money that there is in GPG development at the moment.
EDIT: For example, I believe that it would require rewriting a lot of code, and that means said code would need to be audited to make sure no security bugs were introduced. It's "easier" to just wrap the current command-line tools because they are a known quantity.
> Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.
IIUC this is intentional design of GPG 1.x vs GPG 2.x: the former is statically linked binaries for "security reasons" while the latter is a shared lib (libgcrypt) + binaries with exactly the same features.
I'm wondering if there is a meta-donation page that lists a bunch of the most important open source projects, how you can donate to them and their yearly funding goals (and how many developers are being supported).
Gratipay (gittip) comes to mind, but that's a donation mechanism, rather than the information collection you're describing. Sounds like a good idea for a project. IMO, the hardest part of that will be accurately prioritizing which projects are critical, very important, moderately important, etc.
That could be an interesting project for someone. I suspect the hardest bit would be how you determine which projects are most important or most deserving of donations. As soon as money is involved, people will try to game it and spam it.
I think the package managers should add links to donate to projects. So I open up Synaptic to install GPG and in the description see that I can donate and they're only at 25% of their funding goal.
Another key would be to add a real commercial justification to pay for projects instead of just donating. Often for tax and regulatory purposes businesses can't just spend money on fun, frivolous things unless they want to make a mess of their accounting. Maybe something like for each $50 you spend you get to ask one question on a mailing list or message board.
>I think people would donate if they knew about it.
Oh certainly, I use GPG on a daily basis, yet it never even occurred to me that such a ubiquitous project would have trouble gathering funds!
I tossed in a donation as soon as I saw the link in the article.
---
I remember jOOQ (a Java SQL DSL) had similar troubles raising donations. They ended up moving to a commercial licensing model for 3.2+ that provides connectors for "enterprise" databases as well as professional support.
Had I seen a banner asking for donations, I would've gladly donated what they're now charging for licenses. -- It is an excellent library.
However I feel like the tooling does them a disservice. When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?
> When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?
That's a good point.
Not sure how this can be technically addressed though.
This issue has been bugging me lately, given that I would like to start a product-oriented business, but I'm only one guy, who has to freelance to pay the bills.
The problem, I think, lies in the lack of balance between different types of "users", their ability to absorb risk, and their ability to advertise.
For an individual developer, new product development is a chicken-or-egg issue: you need money to live, but you can't make money off of an infant project. On the other hand, a corporation can siphon funds off of profitable projects into R&D, and the larger the company, the longer they can do it. There is a certain level of financial security that removes emotional burdens that can be real impediments to development progress. There is a singular focus that can be achieved by the developers in such a situation: one 100% focused developer is more than twice as productive as one 50% focused developer, all else being equal.
It's also extremely difficult for an individual developer to get the word out on their project. But if Google even breathes a hint that they are doing something, a subreddit will be made for it overnight and TechCrunch will assign a team of reporters to cover breaking news.
So from the start, the individual is behind the 8-ball in terms of being able to maintain a certain pace of development and gain mindshare for it. If you're entering an existing market, a lot of times the only way to gain traction for your project, to get any attention and get anything out of it, is to open source it just to meet other developers' expectations.
But I suspect the vast majority of people who want "open source" really only want it as a security blanket and aren't actually going to look at it. I completely admit that I'm included in that group.
For a corporation, what's the worst that can happen? In other words, who is going to fork their source? Another individual? They won't be able to keep up. Another corporation? They have to compete in both code and marketing, which isn't so attractive. It might be--all things considered--an equivalent effort to just start a competing product. Maybe even a little less effort, because you don't have to dance around collaboration and contribution issues.
But for an individual, it's a significantly higher-impact problem. If I make a tool, release it open source, and--say--Google decides that it's great and they want to use it, even if I license under the GPLv3, they can very easily strong-arm me out of the driver's seat. They could be in complete compliance with the license and contribute all of their changes back, but their marketing machine could easily put themselves at the forefront of developers' minds as the source of that project.
Is "closed now, open later" the solution? I don't know, that's always sounded to me like "closed now, closed later". See Android. What good is Android being open source if, by the time the source for the latest version is released, they've abandoned it for a new version?
Correct me if I'm wrong. I'd like to be wrong, so I know in which direction to take my own business development. But it just seems like there are several types of power, and individual, independent developers have few that large corps do not, whereas large corps have several that indies do not.
There's no general answer to your question. It's like game theory, depends on the players and context (technical, legal, financial, market maturity).
Juce and PyQt were created by single developers, so it's not impossible. Staking out and defending a niche would be a prerequisite, open-source or proprietary.
Is there a list of specific answers? I don't even know of all the ways one could organize a project. I suspect that might generally be the case for a lot of people, too. Publishing and promoting a project is a completely different skill set from developing it. It feels like the majority of developers default to thinking of "release open source" or even just "release" as meaning "publish on Github with the MIT license" plus maybe "post one link on Hacker News". That is a way, but is it actually the way that is in their best interests?
I have a library project right now that I provide dual-licensed under GPLv3 and a paid, proprietary license. It's not typical to release libraries under the GPL rather than, say, the LGPL or MIT. My reasoning is "code or coin, you gotta give something." I have no idea if it will actually work (and I'm not banking on it working, I wrote the thing for my own use first and foremost), but I am starting to think that I would rather nobody use my code than everyone if it meant I didn't get anything out of it past an 'attaboy'.
Put another way, if I were Ryan Dahl, having gotten Node.js started off on my own, and I still had to work for a living, I'd be pretty freaking pissed. (https://groups.google.com/forum/#!topic/nodejs/hfajgpvGTLY) Maybe the actual Ryan Dahl doesn't care (and maybe he chooses to work, I don't know the exact details), but it would seriously bother me.
The basic recipe for software biz success is the same whether proprietary or libre. ~80% of revenue comes from ~20% of customers and features. Ship something into the market somehow anyhow so you can identify the critical 20%. Then you can commoditize (open) the remaining 80% of features to reduce costs and help the long tail to become self-supporting. Pricing and defending and growing the revenue features is then like any other business, i.e. strategic conflict with other mice who will come after your cheese.
"Open" is as much a state of mind and development practices as it is a license. JIRA shipped with full source code while remaining proprietary. This removed customer concerns about JIRA going out of business, no need for source escrow. Customers ended up making modifications to the source, which then influenced the Atlassian roadmap. Conversely, one can have an open-source license, but a dev culture that rejects external input, e.g. Calibre. If a vendor focuses on business goals first, then creates a culture to support those goals, license choices will become clearer.
There are useful history lessons among these links:
7) Any good book on organized crime / unregulated business. Boundary conditions inform risk management, i.e. early recognition of failure scenarios to be avoided.
I wonder sometimes if this is the legacy that RMS was thinking about. Sometimes, in my more cynical moments, it seems like we have somehow managed to trick a whole generation of programmers into giving "free stuff" to the world, enabling the creation of the very successful mega corporations which have then kept the value for themselves.
Would it be impossible to create some sort of stipend program at FSF? After all the creation and maintenance of software is allowed to cost money under the GPL.
As jordigh points out, RMS has always been quite happy to charge money for software. For example, the FSF sells a $5,000 "Deluxe Distribution" compiled for a platform of your choice: http://gnu.ist.utl.pt/order/order.html I've spoken to various people at the FSF, and they're generally quite enthusiastic about charging money for GPLed software.
But to make a larger point, if you try to model RMS's behavior using cynicism, you'll tend to make inaccurate predictions. To use a metaphor, his brain is running slightly non-standard software: His social skills are not quite compatible with standard protocols, but he will go to far greater than ordinary lengths to uphold his personal moral principles. I've dealt with RMS and/or the FSF a couple of times, and once I decided to assume that RMS wants exactly what he claims he wants, dealing with the FSF was actually rather pleasant.
Thus, if Stallman thought that programmers should live ascetic lives, he would have written long essays justifying why this was correct. But instead, he wrote long essays about why sharing and hacking on software was a Good Thing, and added (almost as an aside) that you are welcome to charge as much as the market will bear, and that doing so may often be a good decision.
FWIW, RMS does live mostly as a nomadic ascetic (sort of like a Buddhist monk surviving on alms), which suggests that he believes that is an acceptable lifestyle for a hacker.
> I wonder sometimes if this is the legacy that RMS was thinking about.
No.
Free software was never about no money being involved. In fact, RMS himself used to get a lot of money by selling free software. Back in the day when Emacs was too big for the internet, RMS used to sell Emacs tapes at 100 USD each (with documentation and source code, of course).
In fact, he still thinks that you should be charging money for distributing free software:
> Distributing free software is an opportunity to raise funds for development. Don't waste it!
He also thinks selling exceptions to the GPL is another good way to support yourself. FFTW and Qt are two prominent projects I can think of that did this.
The GPL itself is anti-freeloading. We give you the code, you can do whatever you want with it, but if you want to build on top of ours, you have to give back. It's all about levelling the playing field for everyone.
I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.
Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
> but if you want to build on top of ours, you have to give back
No! Nowhere does the GPL say you have to give back to developers, you just have to give everything to the users (and more specifically to your users), because they are the ones with the product and the modifications. If they happen to be upstream developers, then sure, they will get the changes too, but that is not the primary goal of the license. It's all about the user being Libre.
Thanks for the links. So I wonder if you could charge for cloning a repo on GitHub. You know, put your code there, but git clone (or fork) doesn't work unless you feed it a one-time key, so you go to GitHub, "buy" your key, then pass it into your git command line
git clone --token=0x1515151 <repospec>
and git allows the clone to happen and tags it with the clone token. No token and you don't get to get a copy of the source.
If that would work it would be an interesting way of selling your software.
Well, that would require github making some changes server-side, but it seems like an entirely reasonable thing to do. You can browse the source, but you can't really download it until you pay.
There's no reason why free software should just be given away. The point is to make sure users have the source code and the permission to modify it and redistribute it. It was never to make sure they don't have to pay in order to acquire the software.
Sure, if they can redistribute it, perhaps they could undercut you, but if we believe that piracy doesn't really hurt sales that badly, it seems likely that this secondary moneyless distribution might not substantially hurt the primary one.
> We give you the code, you can do whatever you want with it, but if you want to build on top of ours
The problem here is determining where the divide between "using the software" and "building on top of ours" is. The line becomes blurry when the software is (e.g.) a library where the basic use of the library is to base other software off of it (as opposed to a desktop app -- e.g. GnuCash -- where "usage" has a more straight-forward meaning).
Which is why there's an explicit form of the GPL for libraries; the LGPL.
There still exists uncertainty and ways around it (You can execute GPL programs or write shell scripts so that GPL programs execute your code) such that you don't have to distribute the major parts of your codebase, but the GPL has an explicitly different version for libraries that are supposed to be linked in to non-free software vs libraries that are cores of GPL software.
My biggest objective criticism of the GPL licenses (i.e., not tied to whether it conforms to some ideology or other, but sticking to "mere" quality issues) is that they are all excessively tightly tied to the C runtime in how they are specified. It's reasonably clear to me what GPL and the LGPL mean in the world of C, but the more your runtime deviates from that, the more the license becomes a matter of interpretation. Arguably, nothing that isn't in C or C++ ought to be GPL'ed or LGPL'ed; even if you want to copyleft your code you arguably ought to use a different license that makes sense with regard to your code.
The FSF's interpretation of the GPL and LGPL has never made a distinction between static and dynamic linking. A lot of other armchair internet lawyers make this distinction, though. ;-)
Eben Moglen seems to think, as I understand it, that it depends on how you distribute the thing. If you link dynamically but distribute the whole thing together as if it were a whole, it's a single work and all should be under the GPL. Other situations seem less clear.
This is the rub though. If you are (e.g.) distributing a desktop app that uses a LGPL library, you may not be able to assume that the library is installed on your target platform. For example, you may use libxml2 for XML parsing, but not be able to assume that it's installed on Windows (assuming for the sake of argument that libxml2 was LGPL instead of MIT licensed).
It's one thing to "cash in" on a GPL/LGPL project (e.g. writing a nice GUI around GnuPG, but not giving back to the project) where you are just wrapping the functionality of the GPL/LGPL project. It's another thing entirely to just use a support library (like an xml parser) where the library itself is not the main functionality of the program and have someone saying that your project has to be GPL.
That line of thinking goes both ways. A game designer might need a supporting graphics library, but graphics itself is not the main function of the game. The developer just wants to wrap the functionality of the library, yet the license of the game is now dictated by the graphics library. Releasing the whole work under an open license would be piracy.
The same problem exists with complete overhaul mods to games. Counter-Strike simply wrapped around Half-Life. Half-Life was not the main function of CS, yet if they had been giving out CS with Half-Life under an open license it would again be piracy.
Thus it is hard to see a world where copyright would allow someone to ignore the license as long as the "library" is not the main functionality. It would be a nice world, a world with remixing and an explosion of creativity, but a very different world from the one that we have now.
> I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.
> Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
As an indie app developer, I already struggle with people ripping off my apps and publishing them in various app marketplaces under similar or identical names, or taking my web app, wrapping it and charging money for it.
I have to imagine that if I used a free software licence, this would happen a lot more, and I wouldn't be able to issue takedown requests. Someone searching for the name of my app might find five or ten similar or identical looking results and have no idea which is mine. These other results might serve ads, track user behavior, gather personal information or perform other anti-user operations, leveraging the popular reputation my apps have built to do so.
I think issuing trademark infringement notices is fine as far as handling this problem for free software.
If people want to bundle "my" GNU Octave and modify it to randomly delete the user's hard drive, that's OK. Free software allows this. Just don't call it GNU Octave, call it GNU DiskDestroyer or something.
You can still retain trademark rights and copyright to art assets, which for most apps should be as effective as copyright to prevent ripoffs. (Which isn't saying much. Copyright doesn't seem to be very effective to prevent ripoffs, unfortunately.)
There is a considerable portion of the open source community which views capitalizing on software as inherently immoral. As soon as Werner Koch started charging money for it, most people would switch to a free fork or distribute it on the black market to spite him.
I don't see this happening with FFTW or Qt. Apparently selling exceptions is fine? I can imagine a market for selling GPG exceptions.
Also, I know some free games are sold on app stores. Wesnoth comes to mind. Have people come to spite the Wesnoth developers and put the same game on the app store without a fee?
You only have to look at any thread here about copyright or piracy to see indignation at the very idea of charging money. People believe that software being free (for every definition of free) is a fundamental human right, and part of the justification made for piracy is that no one has the right to profit from software, and the for-profit distribution models need to be disrupted and undermined.
You can list a couple of exceptions, sure. But I'll see you that and raise you all of The Pirate Bay.
You're arguing against a straw man. The free software community has stood by using free licenses and selling exceptions and dual licensing. The FSF explicitly sells its code and gives you the source along with it. The community holds that software should be free as-in libre, not free as-in beer. This is a distinction that has been made time and time again.
That is, you are always free to charge money, but you are not free to withhold source or prevent modifications/redistribution of those modifications, because this restricts the rights of other human beings. Or said another way, your freedom stops where my nose begins.
Assuming I'm reading this [1] right, the FSF seem to believe that Apple App Store (where the majority of mobile app profits are being made) isn't compatible with the GPL.
You don't, but as I pointed out this seems to be where the majority of app revenue still comes from. Cutting that out as an option makes it much more difficult to make much money from app development.
App stores are profitable for a small number of UX experts. It's very hard for me to imagine many open source apps having good enough UX to survive the app store hunger games.
It doesn't seem to be happening this way because FSF fundamentalists like RMS want the whole hog to be 'Free Software' not just 'Open Source'. Any compromise is unacceptable even if it means cutting off their nose to spite their face.
Open source and free software are synonyms. They refer to the same category of software. RMS doesn't have anything against open source software. He's got something against people de-emphasising the freedom parts of free software by calling it open source, but he doesn't think non-copyleft licenses are doing any harm.
You're really mischaracterizing the VLC case. It wasn't "a single open source contributor with an ideological conflict," but one of the lead contributors pointing out the incompatibility between the GPL and Apple Store ToS.[0]
By the way, VLC has been relicensed as MPL and is now available for iOS again.[1]
Somewhat ironically, the GPL is much more amenable to getting money from software than the Apache, BSD, and other more permissive licenses. Most profitable companies built around Open Source software use the GPL (Apache being the notable exception).
There's simply very little reason for someone to pay for BSD licensed software, but there is reason to pay for GPLed software (even if only to get a different license for it).
I don't think a generation has been tricked into giving "free" (as in beer) software; I think the generation brought it on themselves, and continues to do so. We've always been free (as in speech) to charge money for our free (as in speech) software.
People are very eager to work for free on free (as in speech) software just for the pats-on-the-back from "the community", it seems to me, at least as often as people do it because they're truly passionate about their craft.
With the rise of "have a github profile/opensource contributions" in job posting descriptions, it's only going to get worse. "Open source" is very rapidly becoming the "unpaid internship" model of hiring and distributing work in the software industry, and it breeds a sort of contempt for the notion of receiving compensation for one's efforts. I'm not sure that's a good thing with all the very-much-for-profit activity around software development.
It's a big problem with the culture of (a lot of) the software development community. Having a culture of demanding access to the source of your software is a good thing, but having a culture of demanding all software for no cost is a bad thing.
We are collecting nominations for our DuckDuckGo yearly FOSS donations at https://duck.co/forum/thread/11753/foss-donation-nominations.... The theme this year is mainstream privacy. This seems to fit well and we'd welcome others. Donations will go out soon.
Can someone explain why GPG in the person of Werner Koch isn't substantially funded under FSFE?
My first thought was the Software Freedom Conservancy. The only reasons I see for them not to take GPG under their wing are lack of will (but why?), sense of funding priorities (but why?), or the possibility that some GPG constituents would be concerned about associating GPG strongly with a US-based organization.
Because this article is misleading. Apparently, Koch has been subsidized by the German government and thus felt no need to use the FSFE. Secondly, GPG isn't really used for enterprise email; S/MIME is, or commercial PGP.
There's a history of Koch that is pretty ugly. He tried to start a consulting company with said government money and seems to have a "pay me to fix bugs" attitude. This breathless "omg must donate now" sentiment dominant here is highly questionable.
GPG should be under and funded by the FSFE, not via begging for donations and German government funding.
I have that "pay me to fix bugs" attitude, too. After all, my chosen profession is software developer and one of the things my employer pays me to do is fix bugs.
There's nothing wrong with that attitude. There's no reason why he should be doing work without pay.
If people send him bug fixes and he refuses to merge them, that's something else. But he doesn't have to work for nothing. I assume that whatever money he may be receiving from the German government may be used for other kinds of developments, not bugs that don't affect him.
Why wouldn't you be concerned if it fell under a US-based organisation? A country that has admittedly no qualms in doing anything, from torture to murder, to get their own way? Long live the petrodollar.
Given the general scarcity of talent in the business, it should really be trivial for a high end IT security consultancy to pay Werner a €3000/month (i.e. enough to live on, if not extravagantly) retainer to be available ~10 hours a month to consult on encryption matters (or something like that).
I wonder if it all really comes down to "Really I am better at programming than this business stuff." or if there is some unstated dogmatism that gets in the way.
It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.
The task of maintaining GPG isn't principally cryptographic. GPG is one of those classic un-fun projects that the open source community is notorious for neglecting. So the problem isn't finding and funding cryptographic experts to work on it; the problem is finding Werner Koches who are willing to take on the slog of making sure GPG continues to work.
Look at how many crappy, trivially broken crypto messaging systems are posted to HN every year. Some of them even get funded! Nobody wants to work on GPG, which makes what Koch is doing even more important.
Whether the work is "principally cryptographic" or not means fantastically little for its business value; what matters is that the fraction of the value Werner is capturing is almost unmeasurably small. What Werner needs isn't donations, it's a vehicle for capturing some of the value he's creating.
The idea I suggested (a consultancy retainer) is a way of converting his name into cash. At 10 hours a month, his function would mostly be limited to the company being able to say that he works for them, maybe have him join some high-level meetings, more than actually doing programming for clients.
You're in the general security business, you seem to be pretty good at business in general: don't you know someone who could turn hiring Werner and two devs to work on GPG into cash?
And the reason OpenSSL and OpenSSH and, I don't know, every other open source project that has spare-time developers have developers committing code for free would be...
>It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.
Moxie Marlinspike was doing well for himself when he was squatting in pgh and train-hopping, too. Some people are just better at coercing life into doing what they want to do. I think it helps that Moxie is probably a few standard deviations more intelligent than most humans, but that's just a bonus.
For bitcoin donations, you can go to [1], which gives the address as 12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq [2]. The address is not generated per user, and is dedicated to GnuPG.
Can someone signal boost this on bitcointalk or other bitcoin communities? They are huge users of PGP. I don't have accounts on any of those sites or I'd do it myself.
The Wau Holland Stiftung takes the BTC and pays it out to the GnuPG project. It's a foundation that has its roots in the CCC and supports all kinds of open source and/or hacktivist projects.
"Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project."
The problem, in other words, was that lots of people like me, who depend every day on gpg and are thankful for it, would have supported it over all these years if only we had known that its maintainer was barely scraping by on $25K a year.
Kudos to Pro Publica for bringing this to everyone's attention.
In the last hour or so (I think since this hit the front page) there have been approximately €2000 of donations added to the drive at https://gnupg.org/, nudging it over €40000.
He's been voluntarily cheated. He should take a job, take care of himself (no one else will), and give gpg whatever time he has left, if he has the energy.
Whether he's been cheated or not depends on your values. Many people cheerfully give up revenue maximization in order to perform some service they perceive to be of great value. You can't really have a meaningful political movement without such people.
At 53 years old and $25,000/year, he almost certainly has not prepared for any reasonably comfortable or safe/secure retirement (not knowing anything else about his personal life). There will come a point where he simply cannot work. He must take care of himself first. Or, to put it another way, if he doesn't take care of himself, then he'll reach a point where he can no longer take care of GPG, much less any dependents.
He lives in Germany, I imagine they have some form of a state retirement program.
I'm actually curious now of how many first world countries are as backwards as the US where if you retire without any personal savings you are extremely screwed.
You are not that much better off in Germany or generally North Europe, because pensions are earned through payments during career (three pillars: tax-like mandatory contribution, voluntary contribution, and thirdly a private insurance), and if you are not able to accumulate that kind of savings (which in some cases are more like "years worked for system" than actual money saved) then your old-age pension is going to be not entirely unlike the old-age social security in the U.S.
It's not normally in me, but I'd like to be a little forgiving toward users of GPG and similar infrastructure, particularly money-making BigCos. Open source, particularly reliance on open source by said MM BigCos, is relatively new.
It may not be financial ingratitude. It may be that we just haven't reached a sensible equilibrium between the two symbiotic ecosystems. At some point in the future, "due diligence" might commonly include identifying these sorts of tools, and their developers, and deciding either to not use the tool or to fund the tool's health.
By the time he searches for a new job, interviews, successfully gets a new job, stops contributing, and people finally NOTICE that he's abandoned the project: it's already too late.
You can offer him all the $5 donations in the world, but he has a full-time job now and has no reason to return to this life of "financial ingratitude".
I'm pretty sure we all would miss him working on it, either directly or indirectly. I think, as developers, we do a horrible job of assessing our blind spots when it comes to infrastructure.
I'm not saying that GPG is exactly where it needs to be, but is it lost? The code is out there and it is in use by many around the world. Just to play devil's advocate, what's wrong with stopping development on it?
I think it is cruel, heartless and selfish to expect a poor man to work for the benefit of the world without benefit to himself. If it's done by free will it is awesome, but is astoundingly arrogant to expect someone to do it by default.
That is absolutely not what would happen. Some organization that relies on it would fork it and maintain the fork. It would be highly likely they would even ask him to consult.
The problem of reward for innovation is one that goes back a long ways under the market / capitalist system.
The tale of the unrewarded genius is legion; one set of substantiation is presented in Gregory Clark's A Farewell to Alms looking at key inventors of the early Industrial Revolution: John Kay (flying shuttle), James Hargreaves (spinning jenny), Richard Arkwright (spinning frame), Samuel Crompton (spinning mule), Reverend Edmund Cartwright (power loom), Eli Whitney (cotton gin), and Richard Roberts (power loom, machine tools).
Of the list, Kay, Hargreaves, and Roberts died in poverty. Crompton and Cartwright were granted substantial payments by acts of Parliament (£5,000 and £10,000 respectively), Whitney made money through arms sales to the U.S. government, and of the lot, only Arkwright earned significant wealth, half a million pounds, after his patents stopped being honored by other manufacturers.
Invention and information goods fare poorly in economic systems.
Most of us are coloured by the experience of Microsoft from 1980 - 2000 or so, but what is generally not recognized is that Microsoft as a seller of "shrink-wrap" software was exceptionally anomalous. Most other pure-play software firms were nowhere near as profitable as Microsoft. Some technology companies had large revenues, but they were often based on hardware (Sun, HP), professional services (Oracle, Price Waterhouse), or both (IBM). Hardware does well, but has a small fraction of the profit margin of software, and professional services -- brains by the bucketful -- is very difficult to scale. Companies which do well at the latter almost always have a distinctly mafia-like reputation (IBM, EDS, Oracle, PWC, Accenture, etc.).
Werner's situation is unfortunate, and I really do hope he finds a way to survive. He's hardly alone, and frankly, the proprietary commercial model has proven highly problematic as well.
I've just donated. It's an important project and Werner Koch needs to be rewarded.
I feel that we, as a community, are really bad at supporting some of the open source projects that power our infrastructure. I'm not sure what can be done to improve this. Maybe we need a foundation that raises money for those projects and does the marketing needed to remind us to donate.
I for one wouldn't mind giving say 30 euros/month to be redistributed between projects like GPG, openssh, varnish, nginx, openssl...
You are right that we, as a community, are really bad at supporting key open source infrastructure. But I also think that relying on donations from individuals like us is a fundamentally wrong model. I don't benefit directly from GPG, but I benefit from many services that make use of GPG and make lots of money off of me.
I completely agree that the services and companies that rely on those technologies should also contribute.
But as a software developer, I use openssh daily in my job. I use tmux, I use nginx, I use openssl and a lot more opensource projects and they allow me to make a living. So, it makes sense for me to contribute.
I don't disagree at all, but as you say, you do those things in your job. It's likely that you also use them outside your job for personal purposes, which is why I agree that it makes sense for you to contribute. But most employees don't (and shouldn't) feel like it's their duty to pay for the tools they use to do their jobs.
After the big openssl bug, wasn't there some intent among some of the existing foundations to try to identify open source keystone projects and get them additional attention & support? It seems like the privacy advocacy groups might route some spending to GPG just as a pragmatic matter.
It's a sad day when Farmville can become a billion dollar business and Werner can't feed his kids. I'm curious if he's truly living on ~$20k/year. That seems ridiculously low for life in Germany. Or if he's got other sources of income to bolster that.
Either way, what really needs to happen is companies that build programs off his work need to make a concerted effort to donate to the project. Heck, set aside a small percentage of revenue and consider it a cost of business.
And this is the weird conflict with open source software. OSS is primarily written because somebody needed it and didn't have it. If they have it, and it works, they have no need to write it or support it. Eventually somebody stops supporting it, and then we all realize we're in trouble, somebody forks it and support is taken up by somebody who needs it.
I think this works. It's sad that it depends on exploiting the virtually unpaid work of a few committed die-hards. But basically, it's the only way we can have good gratis software without something stupid like bundling ads, lack of source code or 'services-based' models. It's clear from all the other unfunded OSS projects that corporate sponsorship isn't going to happen unless they're getting something in return.
I'm really dismayed that the Core Infrastructure Initiative, which was created in the aftermath of Heartbleed to fund OpenSSL and other critical software, has chosen to prioritize NTP, and not GnuPG[1]. Most of the companies that rely on OpenSSL are probably using a distro that uses GPG to securely distribute the OpenSSL package.
NTP is important as well. If I remember correctly, that decision was made around the time that NTPD was found to have multiple exploits allowing amplification attacks. Given that there are so many publicly available NTP servers, that makes it a pretty important project.
The fact is that all of these projects need better funding. Frankly it surprises me that large multinational corporations that care about security don't just fund these people. The downside risk for them is terrible.
I agree more would be better, but aren't there several now, such as the Free Software Foundation, the Software Freedom Conservancy, and the Apache Software Foundation?
The problem with such organizations is their donations only go to affiliated projects. Mozilla donates to Mozilla projects, Apache donates to Apache projects, the FSF donates to FSF projects and so on.
Relying on donations from occasional news cannot be healthy for the project. I imagine that during the next week the project will be able to amass a significant amount of donations, but whenever this article is forgotten, the cash inflow will trickle.
I kinda wish that such organizations could make patreon accounts. Or maybe a non-profit service with the same idea. The point is, it's hard to keep track of all the projects that need money and to manage such donations without blowing your budget.
I can think of a few projects that I rely on daily: firefox, xfce, fsf, freedesktop, python, debian, openbsd, transmission torrent, the gnome foundation, vlc, and there are probably a lot more that I can't remember right now.
I was thinking the same thing. It would be nice if there was some donations hub for open source projects with some sort of mixed Patreon/Humble-Bundle mechanic where you could donate N bucks to X open source software projects, one time or on a monthly basis.
The difficulties I see with this approach is 1) getting a trustworthy intermediate and 2) how to select the projects to allow the donations for. But 2) shouldn't be that hard because the users could, in the end, pick who they want to donate to.
... maybe the problem is people working for free and giving software away for free? The open source culture is a vehicle for entrepreneurs and investors to profit from others' work without compensation. It's that simple.
Hoping for donations to reasonably compensate developers is beyond naive.
Back when, there were one-time acts of funding such as the Red Hat and VA Linux IPOs that gave shares to authors of the software they were distributing.
"Stallman urged the crowd to write their own version of PGP. 'We can't export it, but if you write it, we can import it,' he said."
"Inspired, Koch decided to try. 'I figured I can do it,' he recalled."
"Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions."
Here are Felix ("fefe") von Leitner's comments http://translate.google.com/translate?js=n&sl=de&tl=en&u=htt...
Not that I would share his views, but he is a relatively well known German security expert and free software activist (dietlibc). He knows GnuPG pretty well and basically says: Werner, you don't deserve our donations, stop crying, get a day job and maintain GnuPG in your spare time.
This feels like "WorldVision" for programmers. The wealthy pouring support on the forgotten, decrying the unjust conditions, only to forget about them and return to their normal lives.
Unlike the poor children of the world - Koch's decisions are wholly responsible for his current predicament.
The "market" doesn't care about individuals like Koch, and he chose to continue despite his efforts not being reciprocated/acknowledged.
I'd like to say that Koch should have abandoned the project, and if the market saw that maintenance/development of GPG was important, it would have happened.
However, it's not a perfect world - and there are probably plenty of pieces of critical software installed on our systems that are no longer maintained.
Would GPG have become one of these unmaintained codebases had Koch acted in his own self interest?
Or, would have another organisation/individual funded someone else to maintain and develop it?
"He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry"
The developer of git-annex assistant was happy when he received $20,000 on Kickstarter and he said with this money he could dedicate his time on this project for a full year. [1]
Maybe he could also start a Kickstarter/Indiegogo etc campaign so that he could hire another full-time developer? If enough people find this additional workforce on this project worthwhile, it will be funded.
Cost of living varies widely. Having no dependents and living in an inexpensive place is great. Obviously, it's better for us to fund people who use the funds as efficiently as possible, but we can't demand that everyone's life circumstances be identical.
It would be really great if you could run an apt-get/yum filter on your server and retrieve a list of donate links for the open source services you rely on.
Ideally, a GPL+donate-what-you-can would really help maintain these projects.
The problem boils down to "Really I am better at programming than this business stuff.".
Someone with his talent and expertise should have no problem with getting highly paid consulting gigs. Then he could continue working on GPG in his free time and even use the consulting income for hiring additional programmers to work on GPG. There are quite a few product-based businesses that could be built upon GPG as well (secure email, corporate communication tools, some kind of public-key-based social network come to mind ...). These could be used to support the continued development of GPG itself.
It's of course not as easy as it sounds. Not everybody wants to deal with 'all that business stuff' and that's fine but then by all means find someone who can help you with that part. If you want to change the world sometimes idealism alone just isn't enough. You also have to proactively deal with the everyday stuff like where the cashflow for paying the bills will come from next month.
There's also a problem with the purism put forth by some of the 'free as in freedom' enthusiasts, most notably Richard Stallman, who seem to gloss over the fact that coders have to make a living, too, or who even frown upon making money with software altogether. Software eats the world but even RMS can't eat software.
How many successful larger companies come to mind whose business model is based upon open source? Red Hat, Ubuntu and that's about it. If we truly want to avoid dilemmas like this one we also need to think about how to successfully implement sustainable open source business models.
Stallman doesn't and has never glossed over that programmers need to make a living. He has no qualms about charging for software and has happily done it himself. He says it's wrong to use licenses to force people into depending on you.
Good point. It's not that clear and easy in all cases though. Besides, Stallman once disparaged SaaS business models as unfree and essentially a problem to be dealt with. While that in a way makes sense from his point of view, it's problematic for developers who try to make a living by providing a useful service.
I very much agree for all system software and especially cryptographic and security-related software.
What about a developer or a company though that's put several years worth of work into developing a particularly useful novel solution to a specific business problem? If they use a proprietary license they'll at first force others into depending on them once they start using the software but is that really wrong in every case? If on the other hand they immediately release their code under an open source license they might effectively commoditize their novel solution. Sure, they might be able to recoup some of their up-front investment but in most cases this won't be a sustainable business model.
Releasing the source code only to paying customers might seem like an obvious solution, but depending on the nature of the software and the industry the customers might decide to just pay once and afterwards sideline the developer. Continued innovation can serve as an incentive to pay for updates, but again this doesn't apply to all fields and industries. Licenses such as AGPL might be a remedy, too, but from experience I can see that software licensed under these or similar terms is mostly avoided in business contexts. I'm not sure if there's any company that's built a viable long-term business on a dual-licensing model.
Not every closed source (or only partially open source) software product is created with malicious "Let's blackmail the customer into using our software forever." intent. Sometimes, it just makes good sense. However, in those cases I think companies should at least make provisions for releasing the code if they go out of business.
>There's also a problem with the purism put forth by some of the 'free as in freedom' enthusiasts, most notably Richard Stallman, who seem to gloss over the fact that coders have to make a living, too or who even frown upon making money with software altogether. Software eats the world but even RMS can't eat software.
Here you are saying "free as in freedom", while obviously referring to "free as in beer." Your earnings shouldn't be a function of the number of lawyers you employ (to make air-tight licenses.) That doesn't imply you are not allowed to make money if you have too few lawyers. It implies the opposite, actually.
You're right. The problem is though that it's not always that easy to distinguish between beer and freedom in this context. Depending on the software and the industry those two might be intrinsically connected.
Besides, you might need a large number of lawyers anyway, for example if a company decides to simply disregard your carefully crafted open source license.
I think he should start a US nonprofit, or even better start cooperating with an international one, as that would allow people to deduct donations from their income. It's a lot easier to donate if you know that otherwise 30%-50% of that would go to the ever hungry state...
edit: It turns out every EU citizen can deduct a donation to GnuPG from their incomes!
Wow, they have done a pretty bad job of promoting their donation campaign. I use GPG, I love GPG, and I hadn't heard about it.
If they'd done it before 12-31, they could have easily gotten a lot more donations (due to tax year), especially from companies (who IIRC don't need it to be a 501c3).
Helping GPG market itself, especially for fundraising, would be a great way for a non-technical privacy advocate type to contribute meaningfully. I think a lot of those people exist.
This is sad but not super surprising. Historically, if you had money and wanted a reasonable UI and cleaner integrations, you bought PGP (now from Symantec). GPG was always for people unwilling to pay.
For the record I donated. I'm just pointing out that writing something that's bundled and distributed as part of something else means nobody thinks about your project, or in many cases even realizes they're using it.
Parts of its source code are viewable and reviewable, associated with key cryptographic functions. Much of what PGP builds is structure around that, and most of that isn't open in any sense of the word.
Phil Zimmermann (who's long since left the building) does understand the value of source review, and the team who supported PGP continued that legacy. But it was quite limited in scope.
That said, PGP also did work with other implementations, including GPG, to resolve compatibility issues -- I'm aware of a few of those personally myself.
His point stands though. GPG never caught on as a commercial product or something that people would pay for. Both are Open Source, that's not the issue.
This is why "free as in beer" is a problem for "free as in freedom." Just to maintain things costs money because people take money to live, not to mention how much it costs to field things that are competitive on UI/UX and other metrics with big closed ecosystems.
Here's something I think should get more love and is pretty relevant: a service that will automatically pay a percentage of Bitcoin donations for every submission to a GitHub repository: https://github.com/WhisperSystems/BitHub
So if you donate to Open Whisper Systems, you can see that your donations are going directly to those that are contributing to the project, and you get paid more if you're contributing more. I've sent in a few PR's to their iOS repo, and it'd be awesome to see it implemented in other privacy OSS projects. It's obviously not a perfect system, but I think it's a pretty cool way of funding OSS.
I'm part of the SymPy project and we opted out of a similar program tip4commit. It's a bit easy to game. If you do it per commit, someone could just break up their work in smaller commits. The same thing with pull requests.
I can see bounties for issues fixed, but a per commit system is fundamentally flawed.
Hopefully this article leads to a call-to-arms in the dev community to come up with best marketing/fundraising practices. I know that the idea of meritocracy is very powerful (and not altogether wrong)...but it's a tragedy when great software doesn't get the minimal exposure because of relatively easy friction problems that can be fixed.
I think of all the random, stupid things I've backed on Kickstarter, simply because I saw it on a friend's Twitter feed...things like GnuPG may not get as much consumer reaction as most Kickstarter widgets, but there are enough developers with disposable income who would happily donate to open-source-in-need if such causes were just slightly more visible.
This is amazing news. Glad to see companies that benefit so much from free software helping to pay it forward.
Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.
Meta-question, ideally aimed at Daniel if you're reading this, but not interesting enough to email you plus wondering what community members think:
Normally I'd be against comments like "donated" that add nothing else, and would downvote them for that. But in this case, does seeing lots of other people say they've donated make other readers more likely to donate themselves? If so, does that outweigh the negative of the page filling up with otherwise-pointless comments?
I've not downvoted any, but would be interested in any opinions as to whether or not you have/would downvote them and why.
I upvoted each person who said they donated or had something else that contributes to the thread.
I reason that saying that you donated and perhaps how much, is in fact a good thread contribution. At least this time, I'll take this on a case by case basis. Generally, however - I guess I'm against it since it clutters threads.
I wonder if a patreon-like (or even patreon itself) would be more effective at raising donations than just one-time donations. I know enough people that swear by gpg, so it doesn't strike me as hard to find a base.
Gratipay. Unfortunately their execution has been a bit poor, and it's under-delivering. There's too high a barrier to start donating and there's no clear option for one-time donations.
Would it help if some highly visible figure like Snowden or Poitras weighed in in some interview? I mean, they probably have a lot on their shoulders already but I cannot see anyone else who would be more motivated and more efficient at this task.
I am probably missing something though. They must be somehow aware of the situation already and not consider it a top priority for some reason.
The need here is characterized as 'money'. And yes, at a reductionist level, that's the issue.
But perhaps what GPG and Koch really need is management and marketing, to build sustaining, recurring support for the project.
That would involve getting this sort of attention on a regular basis, and asking for financial support in ever-improving ways. Also, having enough structure that key people aren't tripped up by local tax and legal issues, and the project is well-prepared to survive the surprises and tragedies that eventually challenge every longstanding effort.
Sometimes, a precocious developer or development team, or even volunteer advocates in the community, can do this themselves. But also some people have no talent or appetite for self-promotion and support work. The proclivity for these tasks may even be negatively-correlated with the particular technical abilities required in some domains.
GPG doesn't just need a fish today. It needs a fisherman... or fisherwoman.
Lack of funds doesn't even sound like the biggest problem here. If the project relies on one guy, what happens when he's gone? Seems like something this important should have a higher bus factor.
This is a terrible injustice, and points to a larger systematic problem, that we software practitioners benefit greatly from the efforts of others to whom we barely offer anything back.
And while the media can help (as in this case) what we should be looking for are systems to help with the situation. My ideal would be a system that monitors my package manager activity, and then using an algorithm I control, allocates "pieces of the pie" to each package I install and use. Then I determine how big the pie should be, and how it should be funded. E.g. if I'm working for a company, I'd request as part of my contract that I get a $200/mo software budget. Or I could just fund it myself.
If even a small fraction of us did something like this, the open-source world would blossom, and injustices like this one would be eliminated.
Where can I see the list of all such software (the essential and free) and the people behind it?
Is there a single place where the following details can be found?
Program Name,
Company / Group Name,
Description of the software,
Link to their website,
Yearly Budget (Required),
Funded so far (out of the total yearly budget),
How many people in the team?,
Options to donate
I feel that the real problem is that the folks behind these amazing pieces of software are either too busy / too nice / too shy (for philosophical reasons) to promote, organize, gather funds? And in the busy world, their very existence is forgotten by the rest of us.
If there are none like this, why don't we build one? I would like to start it so others can join in later. To help these guys around the year and not just when we get to see a blog post like this one.
So, it wasn't a donation, but Snowden that kept this developer going? I'm freaking out a little thinking this implies you can't buy dedication or even good software. Donating is a good thing of course, but it doesn't solve this really disturbing meta-problem.
This is a clear example of market failure. When I've been grumpy over the last year over how torrent piracy affects indie cinema (the sector where I work) it's for similar reasons; putting work out there and depending on the goodwill of the public is simply not a viable economic strategy. It's a basic fact of human psychology that people gauge the value of something by what they paid for it, or even what other people would have paid for it and what they therefore feel they're 'getting away with' if they managed to obtain it without paying.
In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.
Think of what Koch might be able to achieve if he were in a position to direct other people in addition to writing code, or even to write code without the distractions of a precarious financial life.
Innovators, whether in arts, technology, or whatever sector, do not like relying on donations or shaking a hat in front of people. It's a shitty, degrading way to work. Nobody becomes better at what they do through constant negative reinforcement of their economic inferiority; and yet the notion of even the most minimal royalty obligation or assertion of a private economic interest is enough to bring out glibertarians* in droves ranting about the selfishness and futility of trying to put a price on something that has zero marginal cost of distribution. Digital assets do have zero marginal cost of distribution, but they have significant fixed costs of creation, and the failure to acknowledge that by disavowing the notion of any property interest in digital goods is undermining the entire market concept in favor of a new variation of serfdom. Saying that society should change and institute a basic income guarantee is all very well, but that's not going to put food on the table for anyone in the near term (except possibly a few enterprising economic raconteurs who are willing to take up the role of court jester).
One possible option for Koch would be to crank out the next version of GPG; post a changelog of all the desirable new features/bug fixes etc., and then run a Kickstarter to raise the funds that would persuade him to release it - in other words, to withhold the new version until people put their money where their mouths are. But I'm pretty sure he doesn't want to do that, for 3 reasons: first, many people would just carry on with whatever they currently have, regardless of security liability etc., because what's already available is 'good enough'; two, he'd become the target of the internet hate machine, albeit on a smallish scale; and three, a bunch of indignant people would fork the existing code on Github and offer their innovations for free, a hundred flowers would bloom, and 3 months later 99 of them would have shriveled up and died, while the codebase would have irreparably fragmented.
What we need is some sort of new economic model that does not force innovators to sacrifice their comparative economic advantage (ie their primary technical or artistic skill, on which they should be concentrating their efforts) on guilt marketing, public beggary, or drafting of grant applications. The copyright system could provide such a mechanism, but focusing only on the cases where it's broken or unfair to consumers has led many hackers and digiterati to throw the baby out with the bathwater, making things much harder on small-scale producers whose interests the system was instituted to protect in the first place.
* people who identify as libertarians but who have little experience of structural economic disadvantage
in the economic sense of things that are literally good to have
If your company uses the fruits of this project's labor, your company should probably be reserving at least a little honorarium for the people behind it.
Give directly, or encourage them to use something like Gratipay or Patreon or whatnot.
The whole commercial industry is relying on open-source components, arbitraging what should cost money in the first place to build a business, then assuming that people do it for the fun primarily (which is not completely untrue), maintenance though costs money, but to give edits back should be the role of the earning community, not the original founder. Licensing might help here, just too many people are offering their works for free (read there will always be somebody with a free alternative). It's kinda weird to expect something else and proclaim free software..
> Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others.
I'm guessing this is a problem with the journalist misunderstanding the subject, who probably said publishing it as free software (which is not the same as giving it away for free) is the best way to demonstrate that it is secure.
I noticed the rather pitifully empty donation bar last week, and made a mental note to chip in a little bit as soon as I could. Donated €5 today, and visited the website again just now and the donation bar is more than full, which is just incredible.
Werner's engagement on the mailing lists is awesome enough, let alone the software he writes. Genuinely glad for the guy that he's getting some of the financial support he needs.
This is frustrating - a lot of these projects don't get funded just because of one reason: discoverability. People don't know that these projects need funding. OpenSSH was another. No telling how many others.
I think we need a change in the way we look at open source software. It must not necessarily be free of charge. The real benefits of open source are often something other than being free of charge, like in this case. Maybe we need a new licence allowing charge for commercial use and giving benefits or discounts on the amount of contribution made to the project?
Hopefully a sign of things to come. Way prefer to give my cash to someone that diligently works away out of the public eye, but also gets some reward when it's recognized. My cynical side says someone will pop out soon and say it's compromised and he's had an NSL, but that part of me is killing me so I choose to hope not.
GNU is awesome in the way that 'Citizen Kane' is awesome. It is awesome because of what it accomplished given the context in which it was created. The context has changed but GNU, by and large, has not. "Free Software" gave us BSD and Linux, but it is also partially responsible for the privacy issues of Google and Facebook (neither of which would be as competitive if they had to pay licensing fees to Microsoft and Oracle, and they give their services away in exchange for monetizing user data), Heartbleed and similar bugs (these projects are not properly funded for security audits and/or maintenance), and the expectation that one should work for free (if you don't have a job the first thing you do is start working on open source projects to show what you can do). Richard Stallman is arguing for the freedom of software, not people. Unless we change society such that its citizens will be provided for regardless of how they spend their afternoons open source needs a new business model. As software becomes more pervasive finding alternative models will become more urgent. And, it's already very urgent.
Thought experiment: if there was no GPLv2, only GPLv3, would the same concerns apply?
Have you come across promising alternative models? These would need to exhibit some properties of GNU-style free software and some properties of cash-cow commercial software. Thus, technical run-time mechanisms for software composition will play a key role in the new legal framework, just as linking (e.g. GPL vs LGPL) did in the GNU ecosystem.
Today we have microservices, containers, etc - which allow composition of software with different licenses, T&C and biz models.
Could he not just change the license to require commercial usage by companies with more than $x annual revenue to pay $y in license fees?
Could still remain open source and free for majority of applications if x was high enough. Also, creates a system where those reaping the most also pay the most.
All that means is that you are transferring trust to the owner of the site, rather than a CA, to properly deal with his own secure key, and that browsers hate it; but who cares about that part.
I trust the GnuPG set of tools, and I have for quite some time. On the opposite side of things I have witnessed a ton of CA hacks in recent years...
I would like to repost a comment from reddit[1] that makes some good points:
"That title is pretty laughable.
Enterprise E-Mail Encryption solutions do NOT use gnupg, and most enterprise customers do not even use openpgp, they use X.509/SMIME.
I know the world top 10 server side enterprise e-mail encryption solutions and the majority uses java with either bouncycastle or ajak encryption, for PGP or openssl/bouncycastle for SMIME. There are some solutions that use gnupg but those are very small and again - most people do not use openpgp in the business world. Mostly automotive uses it like Porsche, VW etc. for encrypting e-mail traffic.
Gnupg is mostly used for e-mail by your skilled engineers in private or while communicating with kernel developers etc. Either by using enigmail/mutt/command line whatever.
Nothing based on e-mail would "break" if gnupg went missing.
Now let's get back to Mr. Koch - gnupg was sponsored by the German Government - in all these years - Mr. Koch tried to build a consulting company/enterprise solution out of it - but he failed because there were already existing solutions that were far better than anything he could come up with. Moreover asking Mr. Koch to fix specific bugs in gnupg which was as I said sponsored resulted in simply "pay me XXX amount or I won't do it" - that's how Mr. Koch worked.
Ask any code auditor/reviewer worth his salt and he will tell you gnupg is a mess, it is worse than openssl in most cases - why? Ask Mr. Koch.
I just want to remind everyone to judge carefully, before thinking about donating to Mr. Koch or his company. I already noticed he received well over 50k today just because of this false article.
This guy got funding multiple times from the German government for implementing and maintaining gnupg. This was never a fulltime job - adding patches and a few features is what any open source developer does in his free time. Mr. Koch tried to build a business upon this government funded software, and it failed. He already had multiple fundraisers in his career to keep his company going. Does he deserve your money? It is not like gnupg would be dead without him - he is not the only one doing anything - there are many developers in the community who are doing their share too.
Aren't there other things more deserving of funding than the failed economical existence of one guy? An open source developer that wants to contribute free software does not need your money to survive! Did Mr. Richard Stallman or Linus Torvalds ever beg people for money because they can't buy their next meal? Did the BSD Foundation plea to you they can't make days end? No - they never did - and they still were able to produce free open source software.
Mr. Koch does not deserve your money, if anything successors of him should receive funding if they need to - but not to survive - because they most likely got a real job already and are doing this in their free time.
"
I tried to submit a patch for GnuPG that would enable it to use "proprietary" PKCS#11 smart-cards instead of "open" OpenPGP smart-cards. Line of thought being, users may already have S/MIME generated keys on their smart-cards, so why not use the same keys with PGP too? In the end, a key is just a number.
The request was refused [1] with ridiculous arguments [1] about PKCS#11 not being "needed in free software world".
After that, I started playing with S/MIME and found out it was much more user-friendly than GPG. (After the initial setup.)
It was not about proprietary smartcards but about the proprietary driver software required to use those smartcards.
If the vendors would open the specs of their smartcards it would be easy to write a driver. Some did and we support them in GnuPG. Most of them don't and we may even assume they want to hide their little secrets in their drivers. It is all the same as with all the proprietary hardware drivers. Look at decades of LKML for similar discussions.
Sorry, I don't buy this. PKCS#11 is a standard, wide-spread, user-space API for accessing cryptographic tokens, just like POSIX is a standard API to access operating system services. I guess it's about the time to write a "driver" for each supported OS instead of relying on libc, because the user's installation cannot be trusted?
So why not hire the guy to work on this as a full time employee? Stripe / Facebook / Google or even Mozilla should have the money to hire him as full time and only work on GnuPG.
I wonder if his software would be more well known if it were more usable? I've tried using it on a few occasions over the past 10-20 years and have had a very hard time doing so.
No one pointing to the fact that GPG has major issues like no perfect forward secrecy? Are we celebrating that big-brother money is funding a (out)dated technology??
When I first saw this post on HN, the donation was around 60% of the goal. Just now I see it exceeded 120000 € of the goal. I bet HN readers donated a good amount today after reading the top-trending news. Great activism!
By itself, Google could pay that guy's salary and even hire another dev to help him. Red Hat could do the same. In fact there are any number of companies that can step in and do the right thing.
This shouldn't be odd to anyone who's spent a large amount of time releasing open source. You just end up being used and uncompensated. At best you get a job offer from it.
It's really sad to me how many companies benefit from open source (including my own software) without the author ever being compensated.
It's hard for me to get motivated to do anything open source anymore because of the feeling that I'm just a gullible idiot in the end.
The feeling when I fix issues opened by people at VC-backed companies with millions of dollars is really really nasty. I always feel like such an idiot.
The question is, have you asked for compensation? And, there are plenty of devs at those evil VC-backed companies that give a lot in terms of open source contributions. Those millions of dollars aren't being used to buy private jets; they're paying salaries to devs just like you.
Are you talking about job offers or are you saying that companies cut checks to open source devs at the behest of requests for some money? Who does this?
If you're talking about job offers, you can get jobs without spending off time doing open source. I look over at my co-workers who probably make similar salary as me and they don't do much open source.
No worries, I'm sure everyone contributes more to their respective governments to break encryption than they'll ever send to anyone seeking to protect it. Send more money to this guy if you want to feel better about your shitty (respective) country or self. Better yet, just donate to the EFF like a uselessly trendy dweeb. Being a decent citizen isn't about standing up for what's right or wrong (that makes you a terrorist), instead it's about sending money to your respective, government-approved cause.
That, and there's unlikely to be a compelling story for VCs here. There are many many projects that are great and valuable to humanity and yet are not VC fundable.
But wait, I thought fame and accomplishment and helping lots of people were supposed to be enough for software authors, that somehow making people pay for software was evil, that it's OK if everyone just copies your source code and uses it, that an Open And Free Internet would be self-sustaining?
Making people pay for software might still be evil, but supporting software with teaching how to use it, documenting it, publishing books about it, making conferences, supporting it is what I think is a reasonable way for oss spirited souls to make money.
SQLite comes as an example - while completely free, public-domain, what might (I don't know for sure) be making money for the three people behind it is the extensive test suite, various other extensions (compression, security) and possibly support/integration/customizations for specific needs (less memory/cpu usage, or who knows what..)
When you buy a dinner at a restaurant, the chef ought to be compelled to share the recipe? No one forces you to eat at restaurants or use software. You are free to make your own.
Free until Apple decides to stop offering it. Or if they stop allowing users to install the software you develop. Or if future versions are released with onerous, unacceptable licensing terms.
When you use proprietary software, you are at the mercy of the company who distributes software to you.
Just one of many obvious examples that plenty of tools are available "allowing them the freedom to improve their lot." Nobody is stopping them, nobody is "keeping your users under your thumb". Improve your lot? do it yourself, or pay the engineers accordingly.
Oh, sure, Apple et al can change their minds and charge outrageous fees and demand outrageous licensing terms. Nonetheless, lots of affordable tools are available.
And before you take the opposing view any farther: I come from an era & mindset of building advanced computers from scratch. I reject the argument you offer of "by not giving them the source code you are [oppressing them]", because I'm trained in building computers starting from sand, and writing software starting with toggling in op codes with manual switches. I've written format converters (with no guiding documentation) to overcome the bounds you imply.
If you want someone to put in the effort to create complex software, maybe you should understand that they should be paid for that effort - one price to use it, and a higher price to get the detailed source code. If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
Rhetorical question: If nobody is stopping them, there is no harm in giving them the source code, right? So why don’t you?
> I've written format converters (with no guiding documentation) to overcome the bounds you imply.
Please do not assume that everybody should be like yourself.
> If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
There’s an easy way to rectify this – just don’t call it selling. Call it renting, which is what it practically is. The thing which I get when I buy software today is by no practical definition my property: its utility is deliberately limited by the manufacturer, and I am both legally and practically prohibited to extend that limit or repair it.
Here is a link to the donation page: https://gnupg.org/donate/index.html