SoylentNews is people

posted by janrinok on Friday February 06 2015, @05:20PM
from the dedication-is-not-enough dept.

ProPublica has an article on Werner Koch, author of GnuPG, and his difficulties in getting funding.

The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.

Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.

Although Werner appears to have resolved his issues, with a grant from the Linux Foundation and various donations, this article does provide a history of GnuPG and raise the issues around the funding of some key software infrastructure.

Also covered at Hackernews and LWN.

This discussion has been archived. No new comments can be posted.
  • (Score: 3, Disagree) by ikanreed on Friday February 06 2015, @05:30PM

    Working on open source is a kind of charity that instead gets treated like any other nerd hobby, often with more sanctimony than things that add no value, like pop culture fascinations.

    If it's of no value to big corporations, then it's not going to see a dime of funding.

    • (Score: 1, Funny) by Anonymous Coward on Friday February 06 2015, @10:17PM

      Well yeah! Nobody respects stuff that doesn't make money. And nobody but nobody respects stuff that nobody understands. Only the most worthless losers make free techie crap for computers. GPG is the worst of the worthless loser projects. Encryption is for terrorists! GPG is free techie crap that absolutely should not be made. And that's why Koch deserves to die in prison. Take away his money and give it to winners. Winners deserve money because they're winners.

  • (Score: 3, Interesting) by Anonymous Coward on Friday February 06 2015, @05:36PM

    It's hard to make a living if you're giving your source-code and time away for free.
    How's this all supposed to work?
    Donations, sponsorships?
    Services (training, belly-dancing)?
    Paid feature development?
    Books, mugs, t-shirts?

    What are the viable ways that "self-employed" open-source developers can feed and house themselves?

    • (Score: 5, Interesting) by urza9814 on Friday February 06 2015, @07:37PM

      > What are the viable ways that "self-employed" open-source developers can feed and house themselves?

      Perhaps we ought to fund public software the same way we fund public scientific research?

      • (Score: 0) by Anonymous Coward on Friday February 06 2015, @09:48PM

        > Perhaps we ought to fund public software the same way we fund public scientific research?

        so nerds submit their proposals to some government committee and the government under-funds them instead?

        chances are it would be politically driven and unless you had your own team of lobbyists or donated to political campaigns you're screwed

        government-funded scientific research always has either a political motive or is driven by industry lobbying (look at how hard it is for established universities to get funding)

        forming and growing organizations seems like the best approach (for both resources and credibility), like the linux foundation, apache foundation, debian project, etc. when you're big enough and your software is widely used, start lobbying big users that depend on your software (like governments and corporations)

        • (Score: 1, Informative) by Anonymous Coward on Saturday February 07 2015, @12:07AM

          > government-funded scientific research always has either a political motive or is driven by industry lobbying

          Wow, you don't know shit about what you're talking about! Spend YOUR fucking weekend, on YOUR fucking free time, sequestered in a hotel doing an NSF proposal review sometime dipshit. Oh my holy fucking shit Batman, you are an ignorant ass.

    • (Score: 2) by Aiwendil on Friday February 06 2015, @08:26PM

      Would be kinda nice if something akin to patreon existed but for open source and/or research

      • (Score: 3, Informative) by Zanothis on Friday February 06 2015, @09:58PM

        A cursory glance indicates that one could use Patreon to fund open source software. Is there some restriction that I'm missing that would exclude FOSS?

        Section 1 of the Patreon TOS [patreon.com] includes (emphasis added):

        > [T]he Service makes accessible various content, including, but not limited to, videos, photographs, images, artwork, graphics, audio clips, comments, data, text, software, scripts, projects, other material and information, and associated trademarks and copyrightable works (collectively, "Content").

        • (Score: 2) by Aiwendil on Friday February 06 2015, @10:21PM

          In part I was unaware of that, and in part I haven't really looked at patreon since it was new (it is admittedly time to do so again).

          However I was thinking broader, iirc patreon was intended to pay "per produced unit" - the drawback with that when it comes to research and more complex projects is that a "unit" can take months or years. So a slightly different model would be needed.

      • (Score: 0) by Anonymous Coward on Friday February 06 2015, @11:36PM

        Folks need to watch e.g. "Amadeus" again and imagine, instead of 1 patron, a group of patrons who are actually peers.
        The 'Net really has changed the world.

        There was a recent story about a factory worker in the Detroit area whose car crapped out and he can't afford to repair/register/insure it.
        He has a 23 mile round trip to work each day.
        The local public transit system has been gutted, so he walks most of that distance.
        (It wasn't specified why he didn't buy a used bicycle.)
        Anyway, the story made the news (like Werner Koch's did) and now he's awash in donations to get another car.
        The squeaky wheel gets the grease and a writer who works for a periodical is always looking for a good human interest story to flog.

        My question about the encryption app is:
        Is the maintenance of that 1 app a fulltime job?

        I remember that Warren (the chief at MEPIS) couldn't keep things going based on what he was getting in donations and he had to get a fulltime job working for someone else.
        He's still the top guy there and MEPIS is still alive and is still a solid distro.

        -- gewg_

    • (Score: 2) by Jeremiah Cornelius on Saturday February 07 2015, @02:00AM

      You'd think RedHat and Canonical - who rely on GPG to secure their code submissions and dev communications - would fund some of this. They subsidized crap like PulseAudio, and scheme-based window managers.

      --
      You're betting on the pantomime horse...
  • (Score: 4, Informative) by looorg on Friday February 06 2015, @05:40PM

    I'm not arguing that he doesn't deserve every buck he gets etc but how is he going broke? If you look at the bottom of his donation page there is a summary of donations. There might be something wrong with it, such as the year in question. In 2015 and "this year" should be the same year in this case should it not? Anyway ...

    "In 2015 we received 4304 donations of 140409 € .
    In this year we received 4595 donations of 150364 € ."

    The last sum there would be about $170k. If he makes approximately that amount in donations per year I don't see how he could be going broke from working on this project. Even if this was his fulltime gig and he didn't do anything else but work on this project.

    • (Score: 5, Informative) by isostatic on Friday February 06 2015, @05:52PM

      Like most "can't afford it" things that get press coverage, the problem is fixed

      The article says

      > He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.
      > ...
      >
      > But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.

      However it's all fixed now:

      > Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

    • (Score: 0) by Anonymous Coward on Friday February 06 2015, @05:53PM

      RTFS: he's getting support from the Linux foundation... now.

      Also, if you dig a little deeper, he probably has expenses related to hosting, etc. that mean the donations aren't 100% going toward food, clothing and shelter for him and his family.

      • (Score: 1, Insightful) by Anonymous Coward on Friday February 06 2015, @06:56PM

        Still even WITH hosting... It's not like he needs 24/7 1hr SLA level hosting... He is pulling in 160-170k a year. Something does not add up. There is either a large missing ongoing expense going on. Or he is not very good with money. Most people are very bad with money. So playing the odds here...

        I work with some very smart people. But over the years I have found being smart does not mean they know jack about investing and managing money. I try to help them out with advice and systems but they usually do not get it. I usually recommend something like 'mint', 'quicken', or 'you need a budget' to start with. Then track for awhile. Then find out what your real goals are. Perhaps you are spending 2400 dollars a year on cable TV yet you only watch 1 show. You would be better off buying/renting seasons of shows. Perhaps you swing by that local coffee shop 2 times a day and drop 5 bucks each time. You would be better off grinding and making your own (or a Keurig or similar system). Small lifestyle changes, like my examples, that can get you equivalent or better yet you end up with more money.

        Something is missing here. We do not have enough information to make judgments. It looks like he got the funding he was looking for. But is that the whole picture? That amount of cash and that small of a business. Sounds like poor money management... But like I said not enough info.

        • (Score: 3, Informative) by VitalMoss on Friday February 06 2015, @07:08PM

          It never stated that he is pulling in 167k a year. I think you may have misread the article.
          Also, after the article broke, a flood of donations came in, including funding by the linux foundation and a pledge from two companies to pay 50k each towards Koch's Project.

          • (Score: 0) by Anonymous Coward on Friday February 06 2015, @07:51PM

            A few responses up. He got that off the dude's website of what he was getting per year.

      • (Score: 0) by Anonymous Coward on Friday February 06 2015, @10:06PM

        One word.
        Taxes!

    • (Score: 1) by nishi.b on Saturday February 07 2015, @01:18AM

      From his page (end of https://gnupg.org/donate/kudos.html [gnupg.org]): He got only 4145€ in 2013, 4963€ in 2012 and 465€ in 2011. So very far from $170k yearly! Since he launched a campaign to get more donors in 2014, he got much more (30 000 € approx. without VAT) and a lot more in 2015 following media coverage.
  • (Score: 3, Flamebait) by PizzaRollPlinkett on Friday February 06 2015, @05:48PM

    The flaw in "open source" - remember, we can't call it free software any longer - is that corporations like Google and Apple exploit it to make billions, but rarely give much back. Why can't some of these companies fund "open source" projects they depend on out of their huge stockpiles of cash that they made by exploiting "open source"? So the case for giving away your labor is hard to make. This is an end that free software advocates don't really seem to have ever considered (from what I've seen, other than selling tapes of Emacs and GCC to pay for computers), and the vacuum was entered by "open source" spin doctors who turned free software based on principle into "open source" that corporations like to exploit.

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2, Insightful) by zugedneb on Friday February 06 2015, @06:38PM

      without mentioning sources and channels, the reason is this:
      They have to wall it in politics, rules and regulations to actually get the marketshare and eventually the billions...
      If they would just "put it online", everyone would benefit, and the billions would not be rolling, or would be rolling to others as well...

      And so is it for many companies using free/open software: they do not publish the modifications, bugs because they do not want to let anyone glimpse or suspect how efficient the staff is, what edge they will have in the next product... and so on...

      --
      old saying: "a troll is a window into the soul of humanity" + also: https://en.wikipedia.org/wiki/Operation_Ajax
    • (Score: 2) by tangomargarine on Friday February 06 2015, @07:01PM

      > The flaw in "open source" - remember, we can't call it free software any longer -

      RMS disagrees rather strongly with that assertion. What's your logic?

      https://www.gnu.org/philosophy/words-to-avoid.html [gnu.org]
      https://www.gnu.org/philosophy/open-source-misses-the-point.html [gnu.org]

      If both OSS and FS are under the GPL I don't understand what makes OSS more exploitable.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by PizzaRollPlinkett on Saturday February 07 2015, @09:34PM

        I meant spin doctors (O'Reilly and others) have co-opted what used to be "free software" (RMS, GNU, etc) and rebranded/spun/Orwelled it into "open source" which is free-to-exploit for big companies. Sometimes they give back, sometimes they don't. But the "open source" spin is what gave rise to walled gardens and closed platforms built on "open source" technology - corporations exploit the "open source" software for their own gain, and a lot of them make billions, but they don't support the ideals or aims of free software in any way. So we get iOS, Google Play, Chromecast, and other platforms. Sure, they have every right to do that under the license terms, but ... you know ... they make billions. Why would I work for free to create technology that some corporation will exploit to make billions? Kind of self-defeating, and I don't think the original free software movement ever anticipated what is happening now with walled gardens.

        --
        (E-mail me if you want a pizza roll!)
    • (Score: 3, Insightful) by Ken_g6 on Friday February 06 2015, @09:25PM

      Apparently open source can't get corporate support unless you can guilt the corporations into it.

    • (Score: 2) by hash14 on Saturday February 07 2015, @12:09AM

      Too lazy to look up references right now, but my recollection is that Google (and maybe a few other companies) decided to donate more back to OpenSSL and maybe some other projects in the wake of the heartbleed bug. Or something like that.

      Here's a link: http://time.com/75440/google-amazon-microsoft-openssl-heartbleed/ [time.com]

      Of course, they also forked it which probably isn't a huge help. I think tech companies also have a history of donating to projects like wikipedia as well.

  • (Score: 3, Insightful) by wonkey_monkey on Friday February 06 2015, @05:51PM

    > The World’s Email Encryption Software

    Really? This is all there is? There's no other email encryption software? At all?

    --
    systemd is Roko's Basilisk
    • (Score: 2) by tibman on Friday February 06 2015, @05:57PM

      Sounds like there is a couple more out there but i didn't check to see if they were just rebranded versions of GPG: http://en.wikipedia.org/wiki/Email_encryption#Setting_up_and_Using_Email_Encryption [wikipedia.org]

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 5, Informative) by magamo on Friday February 06 2015, @06:04PM

        Most of the software linked by the Wikipedia article you cite are wrappers around either PGP or GPG.

      • (Score: 1) by tftp on Friday February 06 2015, @11:36PM

        Of course, every MS Office install on the planet contains encryption for Outlook, written by Microsoft - and it works fine if you set it up.

        • (Score: 2) by tibman on Friday February 06 2015, @11:56PM

          I'll try to get it set up at work on Monday. I took a look and i couldn't just generate a key pair. It sent me to a list of sites to purchase a "digital ID" from. Found a tutorial online about how to create a digital cert for vba projects. It is self-signed, of course. I'll send it to a co-worker and see what the warning looks like to accept/verify the email.

          --
          SN won't survive on lurkers alone. Write comments.
          • (Score: 2, Informative) by tftp on Saturday February 07 2015, @12:50AM

            It uses the Certificate Authority model simply because the WoT is simply unworkable - even among geeks. I have never seen how self-signed certificates work in Outlook. However I have seen many times that properly signed certificates work fine. Comodo offers free certificates [instantssl.com], so I don't see much point in fiddling with self-signed ones.

            • (Score: 2) by tibman on Saturday February 07 2015, @01:10AM

              I guess i'm silly when it comes to certs. It looks like Comodo will generate one for you (which means they see the private key) but you can't have them sign a public key that you generated. Going to do it anyways though : ) But i wouldn't do it for my personal email, too paranoid! Thanks for the link.

              --
              SN won't survive on lurkers alone. Write comments.
    • (Score: 0) by Anonymous Coward on Friday February 06 2015, @06:47PM

      > Really? This is all there is? There's no other email encryption software? At all?

      s/mime is the only other standard on the radar and even then s/mime is pretty rare, more likely to be embedded in corporate email systems than found in the wild.

    • (Score: 5, Interesting) by jmorris on Friday February 06 2015, @06:47PM

      Of course there is more. If Phil Zimmermann had gone a slightly different direction his PGP would be the standard. The first versions were open source, heck they printed it in a book to legally get it out of the U.S. and OCRed it back. The source was Free.

    • (Score: 2, Insightful) by Bill, Shooter Of Bul on Friday February 06 2015, @08:28PM

      Yeah, that's a terrible headline. As if public key was the only encryption method, as if email was the only use for public key encryption. But headline writers need to write headlines that a common person can understand. So I totally understand why it ended up the way it did.

  • (Score: 1) by GeorgeScuttles on Saturday February 07 2015, @08:06PM

    I've been using PGP in various forms for the better part of two decades, fondly remembering buying it on a 5 1/4" floppy back when the software was export controlled. I definitely gave him a donation, because I think programmers need to be paid.

    That being said, I think the idea of PGP in email is hopeless, because it requires both sides to download the software, share keys (even on a server). For email encryption/protection, instead I rely on https://burner.link/ [burner.link] That sucker only requires me to follow the API. The other side gets a dumb link, such that the attachment isn't sent unencrypted from email server to server. A couple of years back, I asked my tax prep people if they had pgp, so I could email them my documents--and their eyes glazed over. This year, they get an email with a link to the file download.