Hacker News new | comments | show | ask | jobs | submit login
Email Encryption Software Relies on One Guy, Who Is Going Broke (propublica.org)
2088 points by r0h1n on Feb 5, 2015 | hide | past | web | favorite | 453 comments



Calling GnuPG "email encryption software" really understates its importance. It's also used in countless applications to encrypt data at rest, and GPG signatures are used to secure the distribution of software. For instance, GPG is an essential part of the package managers of Debian, Ubuntu, and RedHat.

Here is a link to the donation page: https://gnupg.org/donate/index.html


Seems odd that the MANY projects dependent on GPG don't donate enough to GPG to employ one guy.

Do Free Software project with funding 'pay it forward' to the volunteers on other projects they heavily depend on? (I don't really know) If not, they deserve to suffer the consequences.


I freely confess to being flabbergasted by these displays of less-than-rigorous thought processes.

How would a free software project 'pay it forward'?

They are in a very similar position, aren't they?

Edit: For some reason, I can't reply to child comments (probably a cool-off time-out at work?).

Just a short note here, then: $1.25e6 for the FSF translates to 10 developers like Koch being paid (the donation page quotes "120000 EUR").

That's ten. For the whole FSF. As an example of a well-funded project. I'm not going to comment on that. HN would rightly give me months of cool-off time.


There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year. These projects are usually end user facing, in a way that their dependencies aren't.

It seems reasonable that these projects should consider adding items to their budget to redistribute funds to projects that they depend on.

Some probably do this, however I think the GP was suggesting that something like this become more common.


> There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year.

Too bad OpenSSL wasn't one of them until after the big "heartbleed" incident.

The core infrastructure projects don't seem to get as much funding as they ought to, especially given almost everyone relies on them (even if they don't realize it).

Prior to Heartbleed and the industry rallying to fund critical projects, OpenSSL only received an average of $2,000 USD a year[1]... that's pathetic.

[1] http://arstechnica.com/information-technology/2014/04/tech-g...


Arguably, OpenBSD deserves that funding more for the ongoing process of fixing the OpenSSL codebase than OpenSSL does for making it as awful as it is.


Over the next three years, the Linux Foundation will receive a combined total of $3.9 million from Google, Intel, Amazon and others to fund core infrastructure projects such as OpenSSL. Sounds good until you take a step back...

> Intel will invest "$300 million to help improve the pipeline for women and minorities, actively support the hiring and retention of diverse candidates, and fund programs that support the positive representation of women and minorities in technology and gaming industries."

http://www.wired.com/2015/01/intel-diversity/

> "Google Gives $775,000 to Nonprofit for Tech Diversity CODE2040 said Monday it received $775,000 in grants from the tech giant to support the launch of free training programs for more than 5,000 black and Latino college engineering students over the next two years."

http://blogs.wsj.com/digits/2015/02/02/google-gives-775000-t...


I bet they also spent crazy money on non-diversity related things like employee perks or lobbying.


It's interesting with the Outreach programme in GNOME (I think that's what it's called), because if you periodically look at planet.gnome.org, there are interesting things going on with developers within that outreach programme.

But there are also justified backlashes to the programme, given that there is a perceived priority given to the programme in some areas instead of writing software. The argument is that not everyone and their dog needs to be involved with writing software, so why should we encourage them to? You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".

Strangely we do in IT though, where it is the belief that we should make EVERYONE code!

The "I will fight you and I will win" response from Emmanuelle Bassi is a particularly horrible/strange/passionate reaction from one of the guys involved with the programme: see http://blogs.gnome.org/tvb/2014/09/12/im-looking-at-you/comm...


> You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".

Yes you do. Every single fucking time this comes up someone says "you don't see this in construction". It's rebutted every time it comes up and it's really fucking easy to do a simple web search to find examples of programmes to get men into teaching or nursing or to get women or minorities into construction.

Example links have been posted to HN many times.


I wiped your profanity and spittle off my screen.

I haven't seen anything like this here in the UK. Is it a US thing?

BTW, I wasn't advocating for or against in this GNOME argument. I am entirely an observer and was highlighting the arguments made by both.


Replying to myself to mention that I am neither for or against the GNOME outreach programme!! - I am entirely an observer! I haven't used GNOME since GNOME2 due to disliking the new interface; I periodically check on there to see what's going on GNOME world and it is quite interesting, both for developments and also for what's going on internally with disagreements and discussions between people.

I thought I ought to add that because I suspect people are thinking that I dislike the programme? Either that or people like down voting with no reply.

With regard to the encouragement for everyone and their dog to take up coding, I see it a lot but in truth I do not see the same things in other professions - I have never seen a push to make youngsters take an interest in banking or journalism yet over here in the UK there is a push to make programming/coding a part of the national curriculum for youngsters, hence the introduction of the Raspberry Pi to encourage that.


Didn't GNOME almost go bust last year and hold an emergency donation drive, due entirely to granting too many paid internships (or similar) to people who aren't established GNOME developers, or even programmers?


No. The GNOME foundation is managing the funds of the outreach program (which doesn't have anything to do with GNOME, really, except it started there), so when some of the sponsors (think big corps) of the outreach programme didn't pay their agreed upon share on time, the foundation ended up in trouble. It was simply a liquidity problem which was solved when they received the sponsorship money.

That's at least how I think it went, you can go look it up, the details are online.


> There are many free software projects that are decently or well funded.

Which ones are those?


Debian, Ubuntu, OpenSSH, Firefox, Apache, etc.

In addition, some projects that are not well-funded as a project are "funded" in the sense that companies pay people to work on them, for example Microsoft paying Simon Peyton Jones to work on GHC.


Firefox is kinda special because they get a lot money from whoever pays them to be the default search engine, doesn't matter if it's Google or Microsoft or Yahoo. There's only so much software that can get away with that, GPG certainly can't.

All of the Debian developers are volunteers, am I wrong? Slackware can barely support one employee, the founder. OpenSSH falls under OpenBSD, which also supports just the founder, everyone else volunteers, and they DO volunteer some serious time and do important things. They also had problems raising funds, there were discussions on HN about that here, and I'm sure there will be more in a year or two.

From: http://www.openbsdfoundation.org/campaign2014.html : * If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal. * If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal. * If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.

This is kinda depressing.

Is there someone from the Debian project here? I'm wondering if they could afford to run their own mirrors around the world if they had to. Could they cover hardware, colo and bandwidth costs, if they had to? I'm just curious.


> There's only so much software that can get away with that, GPG certainly can't.

That's the point -- the ones that can should support the ones that can't, which are often foundational components of the reason the ones that can, can get money in the first place.


Perhaps GPG should annually auction off which nation-state security service or online advertising company's public key gets automatically added to the recipients list for each encrypted message? </cynical>


It's a complex topic, so I think it's best to look at different funding models differently.

Ubuntu is funded by Canonical. http://en.wikipedia.org/wiki/Mark_Shuttleworth in other words. So one big donor.

Debian... seems to mostly get by on volunteer labor and be ok with it, or it did when I was involved with them. Has that changed? I suspect that in some ways Debian is underfunded given the amount of work they do. Perhaps money would make some things happen faster there.

The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.

Firefox/Mozilla make most of their money with deals: Google and Yahoo, last I remember.

I don't know about OpenSSH.

It's possible, but mostly donations don't seem to work unless it's big chunks of money from companies.


    > The Apache Software Foundation does a decent job at
    > fundraising, and even employs a few people to do stuff
    > like administration. Most of the projects get by with
    > companies that pay people to work on them, which seems
    > to work out pretty well.
The ASF budget is roughly 1.2 million a year, the bulk of which goes to maintaining infrastructure for 200+ projects.

https://www.apache.org/foundation/records/minutes/2014/board...

As a 501c(3) non-profit, it is constrained as to what it can do with donations.


AFAIK Ubuntu is profitable for Canonical, so I wouldn't call that a donation.


> AFAIK Ubuntu is profitable for Canonical, so I wouldn't call that a donation.

Unfortunately, that is very far from true.

Ubuntu was negative $21 million USD in 2013[1]. Canonical would literally make money by just not doing Ubuntu anymore.[2]

(Every time Canonical is on the verge of bankruptcy, Shuttleworth re-seeds back into the company from his personal checkbook)

[1] http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...

(the numbers are represented in thousands, so 21,343 is 21,343,000)

[2] http://www.wired.co.uk/news/archive/2013-08/13/mark-shuttlew...

The significant losses due to Ubuntu development and related expenses are why Canonical as-of-late has been turning focus away from Ubuntu towards other markets such as Mobile and especially Enterprise (a la Red Hat's turf).


Ubuntu itself is a central part of their cloud business, so Ubuntu is indeed profitable for them. What's not profitable is their desktop and end users' market.


That's not quite how it gets expensed (nor how it works).

Canonical's cloud business might be profitable (even though Canonical as a whole is very-mush-so-not), however their cloud business is not coupled to Ubuntu, ie. they could use any Linux Distro, or any OS for the matter.

Ubuntu is a total loss center for Canonical. It's surprising to a lot of people given it's popularity... but popularity doesn't equal profitability... especially when most users don't pay anything for the software (not even support fees).


"Ubuntu is a total loss center for Canonical"

Typical beancounter mentality.

Probably comes with a suggestion of closing this division and going with something else

OF COURSE this department loses money. But it is a net gain for the company, and in fact without it the rest wouldn't exist.


> OF COURSE this department loses money.

Not sure what "of course" means here... it's very possible to be profitable off your OS Development division... look at Red Hat, SUSE, etc. They pay for the development from support payments... they collect support payments because enterprise wants their OS... it's a positive feedback loop. The better the OS, the more enterprise pays, the more funding RH can put into the OS dev team, the better the OS gets, the more support fees they collect, etc etc etc...

Canonical has not been able to successfully charge for support like RH and SUSE have figured out.

> But it is a net gain for the company, and in fact without it the rest wouldn't exist.

It's not a net gain unless the company can be profitable as a whole and subsidize (and justify the enormous expense) off-put by tertiary services, etc.

... right now Ubuntu project is responsible for Canonical being perpetually in the red... every quarter, since their foundation. Canonical could very well just run enterprise support contracts, or push their cloud services. They don't have to use Ubuntu... any OS would suffice. They aren't somehow coupled to Ubuntu to the point if Ubuntu didn't exist, Canonical wouldn't either.


I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.

Circa 2008, before the Unity and Pulseaudio switches, it was considered by pretty much everyone the premiere Linux distro. I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.

Even today Dell is still doing Sputnik and in European countries you can buy HP hardware with Linux. Why is Canonical not taking advantage of the fact that they could be making money off support for their desktop OS through all the hardware vendors?


> I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.

Ubuntu has never been profitable for Canonical. Shuttleworth's game-plan was always long-term minded regarding Ubuntu -- but as we've seen as-of-late, Canonical is shifting focus to other markets they view as potentially profitable. Shuttleworth has committed to keeping Ubuntu alive, but it's no longer Canonical's sole hope for income.

> I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.

This isn't just a problem for Ubuntu, but for most end-user linux distros. People always joke with Linus when the "year of the Linux desktop" will finally arrive... The people who use Linux as their daily driver generally don't need the support, and for the ones who do, well it's a lot less marketshare than Windows.

> Even today Dell is still doing Sputnik

Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.

It's weird too, because Sputnik is $50 more expensive than the windows version of the same hardware. (probably some Microsoft deal going on here).

Linux comes pre-installed on majority of server hardware (server hardware than comes with any OS at all that is), and Linux dominates this field. But the "year of the linux desktop" hasn't quite arrived yet. I do hope it comes soon.


> Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.

I've used System76 and Zareason. System76 are Ubuntu-only (and the hardware may have issue with other distros); Zareason will support any Linux.


You know, I actually didn't know about Zareason. Their website seems to have pretty reasonable price for the hardware you are getting, and I love having a choice of my preferred distro to run (I'm a Fedora guy).

I run full-time linux on my laptop and my goto hardware has typically been a Thinkpad T series.


> Canonical is shifting focus to other markets they view as potentially profitable.

Is it about profits, or - I'm going to be kind of cynical here - chasing taillights? The way they seem to bounce around from one thing to another (mobile phones! embedded!) makes it feel like the latter.


> The way they seem to bounce around from one thing to another

I tend to agree... modern Canonical feels like a company that lacks focus (probably because they aren't quite sure what the focus ought to be after realizing Ubuntu might not ever turn a profit for them).


The people who would buy computers with Linux probably wouldn't pay for tech support. Enterprises might, but not individuals. Plus I suspect that Microsoft is pretty keen to defend Windows on the consumer front - I've heard stories of deep OEM discounts on the condition that they don't offer alternative OSes.


I mean in the same way you buy a Dell notebook and get two years of phone support, you would get the same with a Dell Ubuntu notebook but Canonical would provide it and Dell would pay them for it.


I mean that the people who would buy a Dell Ubuntu notebook mostly wouldn't use phone support. If Dell thinks the same, they wouldn't pay Canonical very much to provide that support. They do now sell the XPS 'Developer edition' with Ubuntu; I have no idea whether they pay Canonical for support, or how much that makes.


I've never heard one way or the other whether it is or not; I'd be curious to see some data.


Name a few. I know very very few and the funding goals are very very modest most of the time (they don't really convey the idea of full time devs)


https://www.fsf.org/about/financial

The FSF had revenue of 1.25 million in 2013. I'm not trying to comment on where it came from or where it went to. I'm only pointing out that they are not in a very similar position.


Those are some rather interesting documents, thanks!

In 2013 FSF paid $ 689,239 in salaries and, astoundingly!, $ 48,995 in credit card fees.


FIY: That's 3.8% assuming everybody donated by credit card.

Anybody got an idea why they pay so much?


Typical credit card fees are 2.9% + 30c. Assuming that they have regular fees at not non-profit rates(which tend to be lower), it would make their average donation amount to be around $7.14

Source: 48995/689239 = (x*.029+.30)/x


With that many transactions they should be able to negotiate a lower fee than that. My company did a bit over 4 million in CC transactions last year and our rate is 1.9% and I believe the flat rate per transaction is 25 cents.


That's in the ballpark for monthly membership fees. ~$10/month.


As someone else pointed out 2.75%-2.9% is common, often thre is a charge per transaction too (on the order of 25cents after it's all said and done). The fee can change based on the card type (the merchant pays a higher fee on rewards cards normally...someone has to pay for rewards!) and international purchases can have additional fees. Charges backs can also bump up fees, ditto for outsourced fraud protection.


2.9% is fairly standard with Stripe et. al., but fees from things like chargebacks could probably add up to another 1%.


Maybe it includes unfavorable (normal for credit card xactions) exchange rate conversions?


My understanding is that credit cards give you the best exchange rates available at retail.

Some banks do tack on a foreign transaction fee though, but that goes on the payer.


Aren't these generally dumped on the person paying?


This is partly why I stopped donating to the FSF. They're dumping some amount of that money into misguided PR campaigns rather than helping out the developers trying to make free software better.


1.25 million USD is really not a lot of money at all... especially given all of the projects the FSF supports under the GNU umbrella.

If they had zero expenses other than staffers, at a very modest 65,000 USD a year that would not even cover 20 people.

The EFF, FSF are the only real "good guys" out there fighting for your techie rights every day... They could really use your donations and support (even if you don't agree 100% with all of their message).


So… enough pay for about 20 developers?


In India? Do you know how expensive developers are? (Especially fully loaded, ie with all the overhead that a company has to pay.)


More like 8 or 10. There are costs beside that: hardware, hosting, office, internet, etc. etc. The math doesn't work that way ;)


> How would a free software project 'pay it forward'?

As mentioned by the grandparent comment, GPG is in use by Debian, Ubuntu and RedHat package managers. Whether or not you count those three as free software they have plenty of money to pay forward to a piece of software that underpins their entire stacks.


Unless I've missed something big in the past 2 years even the Debian Project Leader is still a volunteer[0]. If most/all money's going to operating costs it's hard to make the case they're holding out on somebody. They also have a record of treating their upstream quite well so I'd need some evidence to believe they're dropping the ball.

[0] - https://lists.debian.org/debian-vote/2013/03/msg00095.html


The point isn't easily settled, it seems:

I am having a hard time to find financial statements from Debian.

Ubuntu, or rather Canonical, being a private company, doesn't seem to release financial information. The Ubuntu main page doesn't even provide a 'donate' link anymore.

Which leaves RedHat, at last. A public company, of course[0]:

   Operating profit 2014: $ 1.3e9
   Net total income 2014: $ 178.3e6
[0] http://investors.redhat.com/financials-statements.cfm


Software in Public Interest handles debian's donations. The latest treasurer report from SPI can be found here: http://lists.spi-inc.org/pipermail/spi-general/2014-November...

For some reason SPI has not put out an annual report since 2012: http://www.spi-inc.org/corporate/annual-reports/2012.pdf


This article claims that $222k was the budget for 2012 for Debian, down at the bottom. It also claims the budget should be $19B, if paid at market rates.

http://www.pc-freak.net/blog/what-is-the-development-costs-o...


> The Ubuntu main page doesn't even provide a 'donate' link anymore

Try to download it: http://www.ubuntu.com/download/desktop/contribute/?version=1...


Here's Canonical's 2013 numbers:

http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...

21 million USD negative, largely due to Ubuntu development and related expenses.

Canonical has never been profitable, which is why Shuttleworth constantly re-invests his own personal capital in the company.


You're off on your numbers. The 120k are for him plus one developer. By that estimate that's 20 people for the FSF.

However, a lot of commercial entities use pgp as core of their business: all software packaged for the linux world is signed with gpg one way or another. All commercial distributions depend on it at their very core. I'm amazed that they don't fund gpg at least partially.


I'm not surprised. For the same reason OpenSSH should be very well founded, and if I recall correctly it's not the case.

One of the points of open source is that software becomes a commodity, and that will always hurt OSS founding.


The thing is, the underfunded dependencies that are the most vital are those that are widely used by many projects. If it was normal to chuck a small percentage of available funds to dependencies, the money would start to add up.


A cultural and structural change is needed when things like GPG get nothing, while viral, superficial and gimmicky work gets snapped up for millions or billions, when end users choose free products that threaten privacy and flood our world with advertising rather than pay the price of a cup of coffee for quality trustworthy products.

Even sadder is the fact that these "free" things actually cost us much, much more. https://news.ycombinator.com/item?id=8585237


What this and all other software projects need is marketing. There is just too much noise out there. We landed on a comet last year and we still needed marketing to let the people know about it. If we invented free energy tomorrow, we'd all hear about it via some sort of marketing. Marketing is much, much easier to implement than cultural and structural change.


"Pay it forward" means to grant a favor or gift on a random person, in remembrance of one who did a favor for you before. The idea is to initiate a chain of favors and gifts to brighten the world in general.

It's a play on words though, by analogy with "Pay it back" which is returning a favor to one who did a favor for you first (like paying back a debt). In the case of large distros being heavily reliant on GPG and other upstream projects, I think the applicable term here is "pay it back".

Upstream developers helped out Debian, et al, and now Debian needs to pay those developers back. Arguably, by gifting their distros to the world at large, they're already "paying it forward".


Open Source = The kindness of strangers.


Is GPG complex?


Thanks for the link, just donated!


Me too. This software is too important to not have someone dedicated to it full time.

I left a note that he (like the EFF and the ACLU) should have a recurring donation option, or at least an option to receive a once yearly email asking for a donation. There are many people that would happily go with a recurring donation if that option were available.


A patreon would be a good option. I would happily give $1 a month


Yep, but on the other hand it is probably better to give $20 every two years. Less transaction cost.


Watching the bar on the GnuPG homepage is pretty encouraging. Since the article was written, we've donated nearly €30k more. It looks like the problem was that people hadn't heard about it, not that we're all too selfish to donate.

I just chipped in $25.

Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way to the funding target.


This was posted on HN 2 months before I donated £50 at that time so i wouldn't say it didn't get enough exposure.

It's just that it takes a lot of media attention to get you to your goal plus a lot of the donations a coming from regular developer who understand the importance of this instead of the big companies profiting from this software.


It still progresses, now (21:47 UTC) only 12% left to the target.


Target exceeded, and I don't think this even includes the EUR 100k from Stripe & Facebook.


GPG is an integral part of the Open and Free internet.

Imagine all the workflows that depend on verified encryption signatures like Debian, Ubuntu, etc and that's just software distribution, not counting privacy issues like journalists, political dissidents, whistle blowers, etc using it for secure communications.

It was pretty easy to donate, took me less than 2 minutes. I encourage everybody that is able to make a donation, however small, every euro counts.


Ditto. Was just talking with one of my employees this week about setting up encrypted email. Right now we use OTR chat for any sensitive stuff, but that's not always the most convenient channel. Like most others I had no idea this project was so under-funded.


This might be one of a few places where I will upvote "me too"-comments.

And, as others have pointed out it is easy and you can choose between cc and PayPal.


This is one of the few instances that I've heard about something for the first time and immediately pulled out my credit card to donate.


I donated last year, and just donated again.

Really happy to see that this post on HN has traction, and delighted to watch the counter go up. GPG and other security projects need a way better tech PR push.


(me too)

Interesting to see more people have donated so far in 2015 than the whole of 2014.


Me too.


Me too! 25EUR. Many thanks for bringing this to my attention


Me too!


Of course on the other hand, it is overstated here too.

Email Encryption Software Relies on One Guy

Err... did PGP recently go bankrupt?

Edit: Crap, it's worse, they seem to have been acquired by Symantec. Is it still any good?


What is the simplest program out there right now, open-source, that will let me sign binaries with a key?

I'm experimenting to do a dead-simple licensing system using SSL certs and signing--rough idea is, cert is from me, and when it expires, software says "lol no get new cert".

I'm sure this has been done before, but the amount of custom license management code I've seen in the wild makes me wonder...


Probably OpenBSD's signify.

You are of course aware signatures don't solve the licensing problem however, which is a Trusted Client problem (i.e. unsolvable).


I'll check that out. Thank you!


By all means. Ed25519 (which underlies signify) is a pretty decent modern signature scheme. (tweetnacl.c also implements it, in less code.)

It also seems you want to expire things, so I do feel I have to warn you that signatures are a totally separate thing to a secure time source, which is a whole different bag of marbles.

However, since what you're designing sounds like a logic bomb/copy protection/DRM system, I must say what I've been saying for the last quarter-century or so: please do not design your software to deliberately fail. That is a bad call: trust me on this one. Any crypto that you do to support it, even if the crypto itself is sound, is just tapdancing around a failure state.


So, use case would be something like:

Software is shareware, gets a little naggy within 30 days of license expiration, send money to get a new license file, which makes the nagging go away. No cessation of service.

I'm not worried about clock spoofing--I assume basically good-faith customers.

Signing would help people from just copy-pasting certificates around. If they want to go into the executable and rewrite the routines, well, there's only so much one can do, yes?


If you assume basically good-faith users: why nag them? After they registered? Aren't they assuming basically good-faith authors? Why do you think people who you'd nag after they registered would copy-paste keys but not download a crack?

(Your registrations are time-limited? That's very unusual for self-described "shareware". That's pretty much "commercial, but your demo nags".)

You're welcome to choose whatever business model works for you, of course, but take it from me, this one's straight from the early '90s. I hope it works for your users too.


It's a non-trivial task to design software that will deliberately fail and cannot be easily by-passed with a debugger.


A massive understatement, for any software that is itself non-trivial.

And unfortunately, the harder someone tries to reach that goal, the more fragile their software becomes. A lose/lose situation.

It really is better to engineer software to work, not to fail.


Yes it has, there are a variety of licensing solutions for Mac OS X that do this (the openssl verify signed cert for licensing).

For example: https://github.com/glebd/cocoafob or https://github.com/bdrister/AquaticPrime


Why aren't those organisations paying him money?


You are using Ubuntu, I see from your profile. How much have you paid them?

This is how the stories goes: we haven't figured out how to make good work worthwhile.

Perhaps we can learn something from our vast experience in profitably peddling shit?


We're our own worst enemies. Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it. Because then you're just "greedy" and not pure enough.

But that'll never change unless all of a sudden we say "Ok, on the count of 3, everybody stop giving away their hard-earned expertise for free. 1... 2... 3..." We're like musicians nowadays. We love it, so we do it without insisting on compensation.

A few months ago, I Show HN'd an open source project, but reserved the copyright to the code. The commenters immediately took note of this and I felt compelled to switch it to an MIT license. (It was open source for security reasons, if you're wondering.) I'm glad I did, but the point remains: there was pressure to conform.


> Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it.

Er, the first to keep their source closed and try to charge for it happened a long time ago, and there are huge numbers of developers at firms from one-man shops to massive megacorps still doing it today.

The idea that closed-source for-profit development is a novel idea that violates norms in the software development community and that everyone is afraid to try is cute, but, you know, completely contrary to the actual facts of both the current state and history of software development.


Why in the world would this be downvoted? There is nothing inflammatory about this post at all. He's bringing up a widely debated point in our industry.


Probably because we're talking about encryption software ITT, and nobody would trust closed source encryption software.


> nobody would trust closed source encryption software.

ORLY? Have you read much source for BitLocker or FileVault, recently? WhatsApp? Skype? And those are just the most popular ones off the top of my head...


No, and I wouldn't trust myself to read it either. But, there's a fair chance that someone I trust eventually will and that they'll point it out when they see something fishy.


Nobody wants to pay for infrastructure. Devs expect it all for free, even if it puts you in a Turing tar pit of plugins.


If anyone suggests it's not ok to make a living out of your chosen profession it's pretty okay to ignore their advice.

Some source is better to be open for all stakeholders, others... it's more or less irrelevant, unless you believe the entire world is out to get you.


I see the encouragement to switch to an open source model a lot too. When a closed-source or close-licensed project is posted, you get a few commenters saying how great it'd be if the project was open source because then the community would benefit. Call me a cynic but in reality, this likely means "please make the source and licence more open so that I can use it without paying you".

I say this because I know that when I am looking for libraries to use at work in commercial software, I have to look for BSD-style code and now actively steer clear from GPL and LGPL code (static builds for me please).

It isn't to be malicious but it's mainly because I would like to continue living. Giving away things I have spent years working on doesn't pay my mortgage or put food on the table.


> where nobody wants to be the first to keep their source closed and try to charge for it

Seems like there's another option -- open source your project and also charge for a license to use it. By open sourcing people will trust it more which will cause its value to go up. And then more people would be willing to pay for it.


> Seems like there's another option -- open source your project and also charge for a license to use it.

If you open source your project, unless you're using an unusual definition of open source, you've provided a free-of-charge, sublicensable license to use, modify, and distribute it. (Or, at least, a license that the licensee is free to sublicense without charging the sublicensee or paying an additional fee to you, so even if you are charging for the direct licenses, the more you sell the greater the probability that it will be available at no charge.)

You could open source it and charge a fee for professional support, however, which is a fairly common model.


As I understand it, that's what he did. He open sourced it and kept copyright on it. That would mean that everybody would be free to read it as posted but wouldn't be able to use it or distribute it without permission.


Releasing something under an open source license usually involves retaining copyright but is, itself, giving permission to use, distribute, modify, and distribute modifications. Pretty much every open source project either retains copyright of the work or is composed of the work of developers who each retain copyright of their portion of the work.


The anti-GPL , pro-BSD/MIT consumers are a selfish minority.

But there are library authors who publish BSD (governnent funding) who can't partner with GPL. It's unfortunate.


The problem is that in practice most people in almost any free software project do not have the funds personally to afford donating all the time.

I mean, I feel the burn when I give money to Debian, Arch, KDE, etc - but I do it because I know I have to, because the software is so important to me. The $500 or so I donate each year is a lot of money to me, and I'm in the US - I cannot imagine how much donating to these projects would hurt the international users who make significantly less than the 15-25k or so I make annually.

I don't know how KDE managed it, but Blue Systems (http://en.wikipedia.org/wiki/Blue_Systems) is a Germany company founded by one Clemens Tönnies, Jr. Don't know anything about the guy, but he is somehow paying 10+ KDE devs without a business model. I've donated a lot to Kubuntu, but I cannot imagine in a million years they get enough donor money to fund all the devs they employ.

But those kinds of philanthropies, the way Mark Shuttleworth keeps Canonical afloat, seems to me to be the only practical way to keep free software afloat. You cannot ask a million destitute people to donate money they need to eat or sleep comfortably, but we as a community don't have the charisma or ears to get fat cat donors to foot the bills. Probably because software freedom does not matter as much when you are wealthy - you can just pay to get the software you want made anyway, and you might even be able to bribe companies to give you the source if you care enough.

And I recognize a huge portion of the donor pool for most free software projects isn't either end of this spectrum, but people like me making something above the poverty line and below extravagance that donate what they can where they can, but that is consistently shown to not be enough. And I imagine it is more because it takes millions of average joes paying dollars to match what one millionaire can do in an instant.


> You are using Ubuntu, I see from your profile. How much have you paid them?

It's easier for businesses to write off these type donations (and make them for significant amounts) than for private individuals to do so.


If it's a registered non profit you can donate and 'write it off' too. The idea that a 'big company' should do the donating is short sighted. That big company is made up of individuals. If everyone reading this donated $100, the problem posed by the article would disappear.


The numbers are a bit harder to meet than that, as gpg isn't the only project that needs funding. Heartbleed was caused by a similar issue.


My point is that it's probably easier to get a company that is turning a profit off of something to donate a single large sum, than to convince a million people to donate $1.


Beg to disagree.

If your effort is half as good, you still get half million people to donate $1.

On the company case, one million is not pocket change, so this will be a serious decision that has to be approved by several independent branches within the organization, each with veto power. Screw one of those and it's a deal breaker.

Furthermore, I'd say that this decision is one that is particularly difficult to frame for the company. While corporations do understand direct costs very very well, they are practically hardwired to ignore/exploit the gift economy. So the discussion will be stirred towards what indirect benefits will the company receive from donating to a worthy cause (public relations, tax exceptions, etc) and away from the consequences of letting a (unacknowledged) strategic partner to go under.

Not to say that a corporation cannot assume stewardship of a distressed project, but it almost always requires executive fiat to get over the bureaucracy.


>It's easier for businesses

Far simpler not to even bother at all.


It's easier still for a business to pay for a support contract, contributing to Canonical's revenue. Perhaps they could send a small fraction of that money to projects like GPG.


Tu quoque?


Ubuntu used to (and do sometimes) send banners and CDs. That costs money. Ubuntu/Canonical have money. Why haven't they given some for GPG?


Ubuntu is not making money, and Mark Shuttleworth keeps infusing the company with his own pocketbook whenever it goes in the red. They might be doing something on the server / corporate support contracts end nowadays, that has really taken off in the last few years, but you might as well just ask Mark to hire Werner Koch.


For the most part, they're open source and have no significant revenue.

Or they're small for-profit companies and they can't spare the revenue.

Or they're large companies and no one with a budget and decision power is even aware they use the product.

Or they're Red Hat... With limited budget for this and unlimited needs to cover.


Red Hat is among the largest funders of OSS development in the world. We need more companies acting like Red Hat.

I don't know how we get there when companies like Apple eat such a huge portion of the consumer OS and application dollar and companies like Microsoft and Oracle eat such a huge portion of the corporate dollar.


Red hat pays people to write open source software. The skinflints are the companies publishing closed source stuff and the consumers using free software.


The counter on the kindly linked donation page went from EUR 49.470 to EUR 65.126 in the last 60 minutes (precisely).


That's really cool. When people unite...

My name isn't even on the list of recent donors anymore, that's going fast! Maybe he'll wake up tomorrow and hit refresh a couple times to be sure there's nothing wrong with the counter, hehe.


Was unware about funding issues. Just donated 20 EUR.


I dont see a way to contact anyone there. Can they please add bitcoin?


"If you like to donate Bitcoins you may use the Wau Holland Stiftung account too."

Link: https://www.wauland.de/en/donation.html#61


Looks like quite a few donations are coming through!

https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzk...


So, over 10383.30 USD if he manages to cash it out.


Shouldn't it be part of that Core Infrastructure Initiative project then?


The Linux Foundation's Core Infrastructure Initiative agreed to fund Werner $60,000 several weeks ago for his critical GnuPG work.

https://twitter.com/gnupg/status/563456662024228865


Matthew Green, who sits on the CII's advisory board, tweeted:

"CII does what's beneficial to its members. Privacy tools aren't" [https://twitter.com/matthew_d_green/status/56338899320386764...]

...which indicates to me that GnuPG wasn't sold properly. It's not just a "privacy tool" -- it's one of the ways that software (including OpenSSL) is securely distributed. I would guess that quite a few of the CII's members benefit from GnuPG and don't even realize it.


In what world are privacy tools not beneficial to the CII? And how does OpenSSL not fall under "privacy tool"??


GPG's goal is about privacy, while OpenSSL is more of a toolbox with most of the tools you need for anything crypto-related.

I imagine those people need to control integrity of the software, to make sure it is deployed correctly on their servers and distributed securely to their clients and users, and OpenSSL has all they need for that. Privacy, OTOH, is unneeded because they are not (or rather much less) after their own or their users' privacy.


CII is a consortium of consumers of free software, not publishers. If openSSL meds gpg, openssl should spend its funding on gpg.

Perhaps via a "Free Core Infrastructure Initiative"


Thanks for the donation link, I just used it. It seems odd to me that an article bemoaning the fact that GnuPG's author is going broke gives no information at all on how to help rectify that condition.


> It's also used in countless applications to encrypt data at rest

exactly. Given the number of corporate laptops encrypted by the corporate IT with that software , and thus definitely some "license" style good money were paid by the corporations to some entities ... i never believed in the magical concept of trickle down and sounds like it doesn't work here too.


Alright. Donated.


something like this is just too important to not donate money to.


Apparently Stripe and Facebook just stepped in to pledge $50K/year each.

https://twitter.com/stripe/status/563449352635432960


And the Linux Foundation kicked in $60K!



Werner Koch will have a very pleasant surprise when he wakes up in a couple of hours. Looking forward to an updated GnuPG splash page and blog post.


And please note that the Linux Foundation's Core Infrastructure Initiative funded him prior to the article.


I think we're talking about the same donation. It's recent.


That's awesome, but it's weird to me that Facebook, etc. will happily pay a senior engineer a total compensation of $200k+ yet only pledge $50k for the maintainer of a critical tool. Not trying to look a gift horse in the mouth here, just odd perception of the priorities here.


Facebook gets all of the value produced by their own developers, but the benefits of GPG are shared. If every big tech company matched Facebook's $50k, the total sponsorship would be equivalent to several engineer salaries.


They have to pay the engineer $200k, or he walks. They didn't have to pay the $50k.


Out of interest, what does this senior engineer have to do? Is it C++ or PHP?

EDIT: Someone downvoted me, not sure why, but I am genuinely curious what the senior engineer does?


I'd guess that whoever downvoted you thought this was a troll meant to start a flamewar with C++ vs. PHP and whether one or the other is more difficult (read "better" or "a real language").

It's interesting to note though, that Facebook does uses PHP and C++ extensively. And Facebook maintains a large a number of open source PHP and C++ projects. So I suppose that some Facebook engineers are more involved with PHP and some more involved with C++.

But more importantly, I don't think Facebook engineers are bound to a technology. They think about how to solve problems. If PHP is the best tool to solve a problem, they'll use that. If it's C++, they'll use that instead.


Ah I hadn't thought of that about the flamewar. I use both languages (now mainly C++ as I don't need to use PHP for the stuff I am writing anymore).

You're right about them using the right tool for the job - their entire HipHop etc. (whatever it is called now) creations to convert PHP to C++ and run a C++ web server are a good indication of this. Good point!



Never forget that you made that happen.


Who?


Possibly everyone who upvoted this post or shared it one way or another.


Slacktivism?


But if it gets results....


Hmm, from the sounds of the article, enigmail could use some love as well. A thousand a year? Now I feel bad about complaining about the interface.


I've been complaining about this on HN before; lot's of startups built chat apps on top of GPG during the whole Snowden thing and Werner can't raise $120,000.

I'm really glad Pro Publica picked it up, but I also think we need to change to way we think about critical software like GPG. The GPG Tools team (GPG for Apple Mail) recently stated they need to charge for the tool in the future because they simply can't handle to amount of work anymore (it's still GPL) — the response from us was nothing but outrage.

// I just realized all of this is mentioned in the article. My bad.


>I also think we need to change to way we think about critical software like GPG

Maybe the lesson here is not to license important software under such permissive licenses. Make it open source and free for non-commercial, require a donation if it is used in a commercial product. I don't really see how you can give something away for free and then expect companies to volunteer to pay for it.


> open source and free for non-commercial, require a donation if it is used in a commercial product

Every serious definition of 'open source' or 'free software' says that you can't discriminate by field of endeavour - if you have one set of rules for commercial use and one for non-commercial use, it's not really open source. And the nature of donations is that you can't require them.

That's not to say that you can't build a business model around open source software. You can charge for pre-built binaries, you can charge for exceptions to the GPL license to build proprietary software with it (this is what Qt used to do), or you can charge for services associated with the code (e.g. running a hosted service). You can even technically charge for the code itself, though since anyone who buys it can resell it or give it away, that sounds precarious.


Nope.

We call it Free and Open Source Software for a reason. Open Source means the code is open (i.e., you can study it), Free means it's licensed under a Free Software license (it doesn't necessarily mean free of charge).

People usually omit the "Free and" part when they talk about FOSS.

https://en.wikipedia.org/wiki/Free_and_open-source_software

// Anybody want to tell me why you vote me down? Am I wrong?


You are about the open source part: http://opensource.org/osd. The 'Naming' section of your link references the osd.

Calling it just one or the other is enough though. Being "under a Free Software license" by definition means "the code is open (i.e. you can study it), so no need to say "and Open Source".

I do however prefer calling it free software over open source as I find the free software definition simpler and than the osd. And also because the term open source seems to place importance on the code being 'open' instead of 'libre', which you'll here rms talking about everytime someone says open source.

"Free software" has issues as well as a term, since free can obviously mean two things, gratis or libre. However, once the reader/listener has understood the difference between free of charge software and software that preserves your freedom to study, modify and redistribute it, I think open source is the more problematic term as it can more easily cause confusion as demonstrated by your comment (where you think open source means that the code just has to be 'open').


Almost nobody would call merely viewable source "open source". Certainly not the OSI.


I see. I call that free software, because "having access to the source code" is part of free software licenses.

The kind of "open source" I was talking about is source code that is released under a non-free software license. What do we call that?

---

@alexvoda "it's not really open source" is the part I tried to contradict. I may have been wrong though.


> The kind of "open source" I was talking about is source code that is released under a non-free software license. What do we call that?

"obnoxious".

More seriously, typically something like "look but don't touch", or "proprietary with source available", or "source available under a restrictive license". Microsoft used to call it "shared source", and that term still has those connotations too.

Definitely not "open source", though; that means more than just "has source available".


It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.

The Unreal Engine is an example for this kind of business model on a large scale. KoboldTouch (used to be?) an example for the same on a very, very small scale (less than 5 people). I really don't see anything "obnoxious" about it.


> It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.

Yeah, that's a very different case. It's indeed moderately common for proprietary software frameworks/engines to include source, so that their paying customers can modify and redistribute, but cannot redistribute in source form (modified or otherwise). That's not any more obnoxious than any other kind of proprietary software distribution, and I wouldn't call it "look but don't touch", though it certainly isn't open source or free software.

The case I'm talking about is software with publically available source, but under a restrictive license that doesn't satisfy the OSI or FSF or DFSG definitions. For instance, many random projects on github that don't bother applying a license, or rar (the archive format implementation), or tarsnap, or the extremely obnoxious JSON license.


There's nothing wrong with doing that. Feel free to do whatever you want. But what you are talking about is not "Open Source". That term has a (different) meaning. If use "open source" for that, you will confused and trick people.


"open source" has been in use as a term in tech for a long time. It means (essentially) the same thing as "free software". Licences that disallow derivations (or commerical derivations) would not fall under the defintion of "open source" that nearly everyone uses.

You are free to come up with your own defintion of popular, agreed up terms. But this will lead to problems when you're using a different definition from everyone else.


For practical purposes, free and open source software are the same things with the same licenses. They're just different philosophies and goals.


Does Open Source guarantee the right to publish derivative source?


Yes, look up the definition:

http://opensource.org/osd-annotated


Nope what? You didn't actually contradict anything he said.


Your mention of exceptions to the GPL is probably what the OP was talking about http://en.wikipedia.org/wiki/Multi-licensing

It might be a little tricky in the case of GPG since it is really a GPL port of the commercial PGP software. So a major reason for it's original existence is that it is GPL code.


Gpg is not a port of some PGP version but an implementation of rfc4880 and earlier open standards. I actually took great care not to look at any "open source" PGP code. The reasons why dual-licensing does not work is that I assigned the copyright to the FSF in 1998 and when I terminated that contract 2 years ago too many other other hackers have code in it or assigned it to the FSF. Thus there is no way for anyone to switch to a dual-license.


I think parent was badly worded/thought out, but points to a real strategy. He said "charge for commercial use", which is definitely illegal, but what a lot of projects do is dual-license open source and proprietary. If you're a non-commercial project, you'll usually just use the open source version; if you're commercial, you'll want to be able to both link the project into a proprietary codebase and get support guarantees, so you pay for the proprietary license.


It is not "definitely illegal" to set license terms to whatever one wishes including restricting commercial use. The GPL hinges upon copyright to enforce it's provisions. Copying privileges are revoked for people who violate the license. This is a legal "hack" to get around the need to establish a contract or exchange funds. The same sort of rules can be applied for any other criteria such as the type of user. If I want to prohibit blue-eyed people from using my software I am free to do so. Dual licensing isn't a requirement to do this.


This is exactly what we ( http://linphone.org ) do: we have a GPLV2 license that's used in many many open source projects, and we have a specific license for commercial projects, for which we provide support and ability to not disclose the sources that our clients might modify.

This kind of way to function give enough money to employ 10 people, and also secured a lot of new developments (encryption, video, etc.). Disclaimer: I'm just an employee, not the founder.

I would advise him to switch to that kind of licensing, if he wishes to. There's no reason he shouldn't be able to live through his work.


One problem with that strategy is it forces you to use a licence with some sort of restriction (like copyleft) to make dual-licensing useful. You can of course dual-license a BSD or MIT licensed project but no one would use the "dual" part of the dual-license since the copyfree license allows them to do everything they need.

If you do this, the problem with dual-licensing a copyleft project is as follows:

-The copyleft license allows use in other projects with the same copyleft license

-The "dual" part allows use in proprietary licensed project (the stated enemy of the copyleft license)

-The ones left out are projects that use other copyleft licenses and copyfree licenses.

In my opinion dual-licensing copyleft licensed projects is a mockery of the purpose of copyleft.

All this is however irrelevant to the discussion about funding core FLOSS software. It doesn't matter the license, the challenges to funding such a project are the same.


Don't forget that permissive licenses are one of the main reasons people widely adopt these tools in the first place.

I hear you though. Free of charge and open source need to be two separate things (not all the time, of course). Cutting costs in FOSS development usually means spending less time on websites, documentation/support and UIs, which hurts the projects in the long term. It's a vicious cycle.


It's nice in theory, but then the defintiion of "commerical" can mess it up, and can be subject to how judges (anywhere in the world interpret it). A german court ruled that "non-commerical" (in a CC licence) meant only for personal use, and non-personal entities had to pay. https://www.techdirt.com/articles/20140326/11405526695/germa...


Affero GPL would be a much better choice.

GPL lets anyone running a webapp pretty much ignore everything in the GPL license.


I had no idea this project (and others) had so few contributors. I'd love to be involved in some Open Source project but I always feel like "yeh there's probably millions of people far more talented than me wanting to contribute" and I've no idea how to start. Some people suggest taking a look at the open bug lists for software you use frequently, but on the few occasions I've tried that (python, gcc, and a couple of others) I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.

I did manage to do some isolated contributions to Open Corporates (http://turbot.opencorporates.com) where the community are super-welcoming and very patient, but I've felt a little isolated and like I'm not exactly giving much back. Apologies for the mildly-OT rambling.


I'd suggest looking for smaller repos to contribute to. Much less daunting, much more opportunity. My small OS contributions have been where a small repo, owned by one guy, does mostly what I'm looking for but I want some feature or notice some bug. Then it is easy to work on it/fix and do a pull request. They're usually happy for the activity.


> I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.

Sometimes it's small things, like documentation. For example:

http://bugs.python.org/issue17701


Good point, but you have to admit that the site does not look inviting at all and that a novice has no idea where to start.


https://www.mozilla.org/en-US/contribute/

Mozilla is quite friendly and makes it easy to contribute. I've had quite a pleasant experience whenever I tried to make a contribution.


KDE actually marks easy jobs as junior jobs for new contributors:

https://bugs.kde.org/buglist.cgi?bug_status=UNCONFIRMED&bug_...

And their bug tracker is fairly pretty too.


I've sometimes wondered whether it'd be worth mid-to-large open source projects doing more triage for bugs. Because I'm in a similar position: I'm happy to make small fixes to stuff I use, but I'm not familiar enough with many codebases to fix big bugs. If I could pull up a list of bugs sorted by "expected ease of fix", I think I'd contribute a lot more.


Many people do, e.g. bugs tagged E-easy in rust bug DB

https://github.com/rust-lang/rust/labels/E-easy


I stand corrected! Never seen that before. Pretty awesome.


I would suggest you to look also at high-priority free software projects: https://www.fsf.org/campaigns/priority-projects.


I think the biggest problem is visibility for these projects. They need to be louder. In the case of openssl, I had no idea that they were severly underfunded (until heartbleed).

Same for GPG until now. I didn't hear they asked for donations.

And I doubt I'm the only one. So I quickly checked if maybe this was big on HN at a point and I just missed it.

https://hn.algolia.com/?query=GPG%20donation&sort=byPopulari... https://hn.algolia.com/?query=GPG%20fund&sort=byPopularity&p... https://hn.algolia.com/?query=GPG%20money&sort=byPopularity&...

Nope. It's not just me.

If not even the most technical people (that actually know what GPG and openssl are without looking it up) don't hear about this, how are regular people going to find out where to throw their donations at?

I think people would donate if they knew about it. I'm going to send this guy $100 and consider it a license fee, because he deserves it.


I knew that the developer pool for GPG was pretty small, and that this is a big reason why development isn't always fast.

On the other hand, I had no idea that he was working full-time on it, and having money trouble.

Also: If you search for "GPG Koch" you can come across this comment:

https://news.ycombinator.com/item?id=6942254

EDIT: An example of development that is slow-coming: library support. Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.


Wrapping the command line should be a little bit safer from a security perspective, since a memory exfiltration bug won't transfer across processes. Just don't use the shell between the wrapper and the command.


Is this really the case? I recall that proper library support is slow-coming, not because of security model concerns, but because "doing it right" takes more time / money that there is in GPG development at the moment.

EDIT: For example, I believe that it would require rewriting a lot of code, and that means said code would need to be audited to make sure no security bugs were introduced. It's "easier" to just wrap the current command-line tools because they are a known quantity.


I'm sure you're right, but because of this "laziness" we get a slight security boost at the cost of a slight performance loss.


> Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.

IIUC this is intentional design of GPG 1.x vs GPG 2.x: the former is statically linked binaires for "security reasons" while the latter is a shared lib (libgcrypt) + binaries with exactly the same features.


is gpgme not a proper library?

https://www.gnupg.org/%28it%29/related_software/gpgme/index....

I haven't used it, so I really don't know.


It's a library that talks through the shell. I was kinda disappointed when I learned that. But it may be on purpose, as someone else mentioned.

I've used it while making bindings for it for my Scheme project: https://github.com/cslarsen/mickey-scheme/tree/master/lib/op...


I'm wondering if there is a meta-donation page that lists a bunch of the most important open source projects, how you can donate to them and their yearly funding goals (and how many developers are being supported).


Gratipay (gittip) comes to mind, but that's a donation mechanism, rather than the information collection you're describing. Sounds like a good idea for a project. IMO, the hardest part of that will be accurately prioritizing which projects are critical, very important, moderately important, etc.


Freedom of the Press Foundation does this although they target projects and organizations that focus on issues related to the press and journalism.

Example: https://freedom.press/bundle/encryption-tools-journalists


Here it is: https://www.fsf.org/campaigns/priority-projects. It seems not all of them have clear 'donate' buttons, but donating to fsf with a comment might work.


That could be an interesting project for someone. I suspect the hardest bit would be how you determine which projects are most important or most deserving of donations. As soon as money is involved, people will try to game it and spam it.


I think the package managers should add links to donate to projects. So I open up Synaptic to install GPG and in the description see that I can donate and they're only at 25% of their funding goal.

Another key would be to add a real commercial justification to pay for projects instead of just donating. Often for tax and regulatory purposes businesses can't just spend money on fun, frivolous things unless they want to make a mess of their accounting. Maybe something like for each $50 you spend you get to ask one question on a mailing list or message board.


I think the simplest method would be to consider total amount of donated money.


As in projects that are attracting lots of donations are probably important? Or as in projects that aren't getting many donations probably need more?


You should have tried searching for GnuPG: https://hn.algolia.com/?query=GnuPG&sort=byPopularity&prefix...

I remember it made the front page (but that might have been during business hours here in europe).


>I think people would donate if they knew about it.

Oh certainly, I use GPG on a daily basis, yet it never even occurred to me that such an ubiquitous project would have trouble gathering funds!

I tossed in a donation as soon as I saw the link in the article.

---

I remember jOOq (a Java SQL DSL) had similar troubles raising donations. They ended up moving to a commercial licensing model for 3.2+ that provides connectors for "enterprise" databases as well as professional support.

Had I seen a banner asking for donations, I would've gladly donated what they're now charging for licenses. -- It is an excellent library.

However I feel like the tooling does them a disservice. When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?


> When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?

That's a good point.

Not sure how this can be technically addressed though


This issue has been bugging me lately, given that I would like to start a product-oriented business, but I'm only one guy, who has to freelance to pay the bills.

The problem, I think, lies in the lack of balance between different types of "users", their ability to absorb risk, and their ability to advertise.

For an individual developer, new product development is a chicken-or-egg issue: you need money to live, but you can't make money off of an infant project. On the other hand, a corporation can siphon funds off of profitable projects into R&D, and the larger the company, the longer they can do it. There is a certain level of financial security that removes emotional burdens that can be real impediments to development progress. There is a singular focus that can be achieved by the developers in such a situation: one 100% focused developer is more than twice as productive as one 50% focused developer, all else being equal.

It's also extremely difficult for an individual developer to get the word out on their project. But if Google even breaths a hint that they are doing something, a subreddit will be made for it overnight and TechCrunch will assign a team of reporters to cover breaking news.

So from the start, the individual is behind the 8-ball in terms of being able to maintain a certain pace of development and gain mindshare for it. If you're entering an existing market, a lot of times the only way to gain traction for your project, to get any attention and get anything out of it, is to have to open source it just to meet other developer's expectations.

But I suspect the vast majority of people who want "open source" really only want it as a security blanket and aren't actually going to look at it. I completely admit that I'm included in that group.

For a corporation, what's the worst that can happen? In other words, who is going to fork their source? Another individual? They won't be able to keep up. Another corporation? They have to compete in both code and marketing, which isn't so attractive. It might be--all things considered--an equivalent effort to just start a competing product. Maybe even a little less effort, because you don't have to dance around collaboration and contribution issues.

But for an individual, it's a significantly higher impact of a problem. If I make a tool, release it open source, and--say--Google decides that it's great and they want to use it, even if I license under the GPLv3, they can very easily strong-arm me out of the driver seat. They could be in complete compliance with the license and contribute all of their changes back, but their marketing machine could easily put themselves at the forefront of developers' minds as the source of that project.

Is "closed now, open later" the solution? I don't know, that's always sounded to me like "closed now, closed later". See Android. What good is Android being open source if, by the time the source for the latest version is released, they've abandoned it for a new version?

Correct me if I'm wrong. I'd like to be wrong, so I know in which direction to take my own business development. But it just seems like there are several types of power, and individual, independent developers have few that large corps do not, whereas large corps have several that indies do not.


There's no general answer to your question. It's like game theory, depends on the players and context (technical, legal, financial, market maturity).

Juce and PyQt were created by single developers, so it's not impossible. Staking out and defending a niche would be a prerequisite, open-source or proprietary.


Is there a list of specific answers? I don't even know of all the ways one could organize a project. I suspect that might generally be the case for a lot of people, too. Publishing and promoting a project is a completely different skill set from developing it. It feels like the majority of developers default to thinking of "release open source" or even just "release" as meaning "publish on Github with the MIT license" plus maybe "post one link on Hacker News". That is a way, but is it actually the way that is in their best interests?

I have a library project right now that I provide dual-licensed under GPLv3 and a paid, proprietary license. It's not typical to release libraries under the GPL rather than, say, the LGPL or MIT. My reasoning is "code or coin, you gotta give something." I have no idea if it will actually work (and I'm not banking on it working, I wrote the thing for my own use first and foremost), but I am starting to think that I would rather nobody use my code than everyone if it meant I didn't get anything out of it past an 'at-a-boy.

Put another way, if I were Ryan Dahl, having gotten Node.js started off on my own, and I still had to work for a living, I'd be pretty freaking pissed. (https://groups.google.com/forum/#!topic/nodejs/hfajgpvGTLY) Maybe the actual Ryan Dahl doesn't care (and maybe he chooses to work, I don't know the exact details), but it would seriously bother me.


The basic recipe for software biz success is the same whether proprietary or libre. ~80% of revenue comes from ~20% of customers and features. Ship something into the market somehow anyhow so you can identify the critical 20%. Then you can commoditize (open) the remaining 80% of features to reduce costs and help the long tail to become self-supporting. Pricing and defending and growing the revenue features is then like any other business, i.e. strategic conflict with other mice who will come after your cheese.

"Open" is as much a state of mind and development practices as it is a license. JIRA shipped with full source code while remaining proprietary. This removed customer concerns about JIRA going out of business, no need for source escrow. Customers ended up making modifications to the source, which then influenced the Atlassian roadmap. Conversely, one can have an open-source license, but a dev culture that rejects external input, e.g. Calibre. If a vendor focuses on business goals first, then creates a culture to support those goals, license choices will become clearer.

There are useful history lessons among these links:

1) Free Software Business mailing list archives (1993 to early 2000s), http://www.crynwr.com/cgi-bin/ezmlm-cgi?iis:0:201311#b

2) Self-publishing docs+screencasts with 90% royalties, earned railstutorial over six figures in a market where most technical books are lucky to earn $10K. Relevant to OSS biz models: https://news.ycombinator.com/item?id=7350265 & screencast toolchain: https://news.ycombinator.com/item?id=8932387

3) Bootstrapping 101, http://discuss.bootstrapped.fm/ & http://www.startupsfortherestofus.com/

4) ISV (Stardock) 2014 report, http://www.stardock.com/press/CustomerReports/Stardock2014.p...

Resources on business models:

5) The Business Model: Theoretical Roots, Recent Developments, Future Research, 2010, https://noppa.aalto.fi/noppa/kurssi/23e21090/luennot/23E2109...

6) Free Software and OSS Business Models, 2008, http://www.springer.com/cda/content/document/cda_downloaddoc...

7) Any good book on organized crime / unregulated business. Boundary conditions inform risk management, i.e. early recognition of failure scenarios to be avoided.


I wonder sometimes if this is the legacy that RMS was thinking about. Sometimes, in my more cynical moments, it seems like we have somehow managed to trick a whole generation of programmers into giving "free stuff" to the world, enabling the creation of the very successful mega corporations which have then kept the value for themselves.

Would it be impossible to create some sort of stipend program at FSF? After all the creation and maintenance of software is allowed to cost money under the GPL.


As jordigh points out, RMS has always been quite happy to charge money for software. For example, the FSF sells a $5,000 "Deluxe Distribution" compiled for a platform of your choice: http://gnu.ist.utl.pt/order/order.html I've spoken to various people at the FSF, and they're generally quite enthusiastic about charging money for GPLed software.

But to make a larger point, if you try to model RMS's behavior using cynicism, you'll tend to make inaccurate predictions. To use a metaphor, his brain is running slightly non-standard software: His social skills are not quite compatible with standard protocols, but he will go to far greater than ordinary lengths to uphold his personal moral principles. I've dealt with RMS and/or the FSF a couple of times, and once I decided to assume that RMS wants exactly what he claims he wants, dealing with the FSF was actually rather pleasant.

Thus, if Stallman thought that programmers should live ascetic lives, he would have written long essays justifying why this was correct. But instead, he wrote long essays about why sharing and hacking on software was a Good Thing, and added (almost as an aside) that you are welcome to charge as much as the market will bear, and that doing so may often be a good decision.


FWIW, RMS does live mostly as a nomadic ascetic (sort of like a Buddhist monk surviving on alms), which suggests that he believes that is an acceptable lifestyle for a hacker.


One can choose to adopt a certain lifestyle without believing that everyone else should also adopt it.


> I wonder sometimes if this is the legacy that RMS was thinking about.

No.

Free software was never about no money being involved. In fact, RMS himself used to get a lot of money by selling free software. Back in the day when Emacs was too big for the internet, RMS used to sell Emacs tapes at 100 USD each (with documentation and source code, of course).

In fact, he still thinks that you should be charging money for distributing free software:

    Distributing free software is an opportunity to raise funds for
    development. Don't waste it!
https://www.gnu.org/philosophy/selling.html

He also thinks selling exceptions to the GPL is another good way to support yourself. FFTW and Qt are two prominent projects I can think of that did this.

https://www.fsf.org/blogs/rms/selling-exceptions

The GPL itself is anti-freeloading. We give you the code, you can do whatever you want with it, but if you want to build on top of ours, you have to give back. It's all about levelling the playing field for everyone.

I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.

Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.


> but if you want to build on top of ours, you have to give back

No! Nowhere does the GPL says you have to give back to developers, you just have to give everything to the users (and more specifically to your users), because they are the one with the product and the modifications. If they happen to be upstream developers, then sure, they will get the changes too, but that is not the primary goal of the license. It's all about the user being Libre.


Thanks for the links. So I wonder if you could charge for cloning a repo in Github. You know put your code there, but git clone (or fork) doesn't work unless you feed it a onetime key, so you goto Github, "buy" your key, then pass it into your git command line

   git clone --token=0x1515151 <repospec>
and git allows the clone to happen and tags it with the clone token. No token and you don't get to get a copy of the source.

If that would work it would be an interesting way of selling your software.


Well, that would require github making some changes server-side, but it seems like an entirely reasonable thing to do. You can browse the source, but you can't really download it until you pay.

There's no reason why free software should just be given away. The point is to make sure users have the source code and the permission to modify it and redistribute it. It was never to make sure they don't have to pay in order to acquire the software.

Sure, if they can redistribute it, perhaps they could undercut you, but if we believe that piracy doesn't really hurt sales that badly, it seems likely that this secondary moneyless distribution might not substantially hurt the primary one.


> We give you the code, you can do whatever you want with it, but if you want to build on top of ours

The problem here is determining where the divide between "using the software" and "building on top of ours" is. The line becomes blurry when the software is (e.g.) a library where the basic use of the library is to base other software off of it (as opposed to a desktop app -- e.g. GnuCash -- where "usage" has a more straight-forward meaning).


Which is why there's an explicit form of the GPL for libraries; the LGPL.

There still exists uncertainty and ways around it (You can execute GPL programs or write shell scripts so that GPL programs execute your code) such that you don't have to distribute the major parts of your codebase, but the GPL has an explicitly different version for libraries that are supposed to be linked in to non-free software vs libraries that are cores of GPL software.


I was under the impression that there were issues, even with the LGPL. E.g. static vs. dynamic linking.


My biggest objective criticism of the GPL licenses (i.e., not tied to whether it conforms to some ideology or other, but sticking to "mere" quality issues) is that they are all excessively tightly tied to the C runtime in how they are specified. It's reasonably clear to me what GPL and the LGPL mean in the world of C, but the more your runtime deviates from that, the more the license becomes a matter of interpretation. Arguably, nothing that isn't in C or C++ ought to be GPL'ed or LGPL'ed; even if you want to copyleft your code you arguably ought to use a different license that makes sense with regard to your code.


The FSF's interpretation of the GPL and LGPL has never made a distinction between static and dynamic linking. A lot of other armchair internet lawyers, make this distinction, though. ;-)

Eben Moglen seems to think, as I understand it, that it depends on how you distribute the thing. If you link dynamically but distribute the whole thing together as if it were a whole, it's a single work and all should be under the GPL. Other situations seem less clear.


This is the rub though. If you are (e.g.) distributing a desktop app that uses a LGPL library, you may not be able to assume that the library is installed on your target platform. For example, you may use libxml2 for XML parsing, but not be able to assume that it's installed on Windows (assuming for the sake of argument that libxml2 was LGPL instead of MIT licensed).

It's one thing to "cash in" on a GPL/LGPL project (e.g. writing a nice GUI around GnuPG, but not giving back to the project) where you are just wrapping the functionality of the GPL/LGPL project. It's another thing entirely to just use a support library (like an xml parser) where the library itself is not the main functionality of the program and have someone saying that your project has to be GPL.


That line of thinking goes both way. A game designer might need a supporting graphic library, but graphic itself is no the main function of the game. The developer just want to wrap the functionality of the library, yet the license of the game is now dictated by the graphic library. Releasing the whole work under a open license would be piracy.

Same problem exist with complete overhaul mods to game. Counter strike simply wrapped around half-life. Half-life was not the main function of CS, yet if they had been giving out CS with half-life under a open license it would again be piracy.

Thus it is hard to see a world where copyright would allow someone to ignore the license as long the "library" is not the main functionality. It would be a nice world, a world with remixing and a explosion of creativity, but a very different world from one that we got now.


> I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.

> Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.

As an indie app developer, I already struggle with people ripping off my apps and publishing them in various app marketplaces under similar or identical names, or taking my web app, wrapping it and charging money for it.

I have to imagine that if I used a free software licence, this would happen a lot more, and I wouldn't be able to issue takedown requests. Someone searching for the name of my app might find five or ten similar or identical looking results and have no idea which is mine. These other results might serve ads, track user behavior, gather personal information or perform other anti-user operations, leveraging the popular reputation my apps have built to do so.


I think issuing trademark infringements notices is fine as far as handling this problem for free software.

If people want to bundle "my" GNU Octave and modify it randomly delete the users hard drive, that's ok. Free software allows this. Just don't call it GNU Octave, call it GNU DiskDestroyer or something.


You can still retain trademark rights and copyright to art assets, which for most apps should be as effective as copyright to prevent ripoffs. (Which isn't saying much. Copyright doesn't seem to be very effective to prevent ripoffs, unfortunately.)


There is a considerable portion of the open source community which views capitalizing on software as inherently immoral. As soon as Werner Koch started charging money for it, most people would switch to a free fork or distribute it on the black market to spite him.


I don't see this happening with FFTW or Qt. Apparently selling exceptions is fine? I can imagine a market for selling GPG exceptions.

Also, I know some free games are sold on app stores. Wesnoth comes to mind. Have people come to spite the Wesnoth developers and put the same game on the app store without a fee?


You only have to look at any thread here about copyright or piracy to see indignation at the very idea of charging money. People believe that software being free (for every definition of free) is a fundamental human right, and part of the justification made for piracy is that no one has the right to profit from software, and the for-profit distribution models need to be disrupted and undermined.

You can list a couple of exceptions, sure. But I'll see you that and raise you all of The Pirate Bay.


You're arguing against a straw man. The free software community has stood by using free licenses and selling exceptions and dual licensing. The FSF explicitly sells its code and gives you the source along with it. The community holds that software should be free as-in libre, not free as-in beer. This is a distinction that has been made time and time again.

That is, you are always free to charge money, but you are not free to withhold source or prevent modifications/redistribution of those modifications, because this restricts the rights of other human beings. Or said another way, your freedom stops where my nose begins.


That was when distribution was via physical media. People don't value bits on the wire the same way nor view "distribution" as a valuable function.


Then is selling apps on app stores not profitable anymore? I was under the impression that it was.


Assuming I'm reading this [1] right, the FSF seem to believe that Apple App Store (where the majority of mobile app profits are being made) isn't compatible with the GPL.

[1] https://www.fsf.org/blogs/licensing/more-about-the-app-store...


You don't have to have the Apple store to have an app store. I believe Apple even lost in court the exclusive trademark rights to "app store".


You don't, but as I pointed out this seems to be where the majority of app revenue still comes from. Cutting that out as an option makes it much more difficult to make much money from app development.


App stores are profitable for a small number of UX experts. It's very hard for me to imagine many open source apps having good enough UX to survive the app store hunger games.


It doesn't seem to be happening this way because FSF fundamentalists like RMS want the whole hog to be 'Free Software' not just 'Open Source'. Any compromise is unacceptable even if it means cutting off their nose to spite their face.

See what happened to VLC as an example.


Open source and free software are synonyms. They refer to the same category of software. RMS doesn't have anything against open source software. He's got something against people de-emphasising the freedom parts of free software by calling it open source, but he doesn't think non-copyleft licenses are doing any harm.



> Sadly, it doesn't seem to be happening this way. I don't understand why not.

In at least one case it's because a single open source contributor with an ideological conflict with App Stores was able to get an app removed:

http://www.tuaw.com/2011/01/08/vlc-app-removed-from-app-stor...


You're really mischaracterizing the VLC case. It wasn't "a single open source contributor with an ideological conflict," but one of the lead contributors pointing out the incompatibility between the GPL and Apple Store ToS.[0]

By the way, VLC has been relicensed as MPL and is now available for iOS again.[1]

[0]https://www.fsf.org/news/2010-05-app-store-compliance/ [1]http://www.videolan.org/vlc/download-ios.html


Somewhat ironically, the GPL is much more amenable to getting money from software than the Apache, BSD, and other more permissive licenses. Most profitable companies built around Open Source software use the GPL (Apache being the notable exception).

There's simply very little reason for someone to pay for BSD licensed software, but there is reason to pay for GPLed software (even if only to get a different license for it).


I don't think a generation has been tricked into giving "free" (as in beer) software; I think the generation brought it on themselves, and continues to do so. We've always been free (as in speech) to charge money for our free (as in speech) software.

People are very eager to work for free on free (as in speech) software just for the pats-on-the-back from "the community", it seems to me, at least as often as people do it because they're truly passionate about their craft.

With the rise of "have a github profile/opensource contributions" in job posting descriptions, it's only going to get worse. "Open source" is very rapidly becoming the "unpaid internship" model of hiring and distributing work in the software industry, and it breeds a sort of contempt for the notion of receiving compensation for one's efforts. I'm not sure that's a good thing with all the very-much-for-profit activity around software development.


It's a big problem with the culture of (a lot of) the software development community. Having a culture of demanding access to the source of your software is a good thing, but having a culture of demanding all software for no cost is a bad thing.


Free software means "free as in speech" not "free as in beer".

More

Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: