Email Encryption Software Relies on One Guy, Who Is Going Broke

2088 points by r0h1n over 10 years ago

94 comments

agwa over 10 years ago
Calling GnuPG "email encryption software" really understates its importance. It's also used in countless applications to encrypt data at rest, and GPG signatures are used to secure the distribution of software. For instance, GPG is an essential part of the package managers of Debian, Ubuntu, and RedHat.

Here is a link to the donation page: https://gnupg.org/donate/index.html

seizethecheese over 10 years ago
Apparently Stripe and Facebook just stepped in to pledge $50K/year each.

https://twitter.com/stripe/status/563449352635432960

teamhappy over 10 years ago
I've been complaining about this on HN before; lots of startups built chat apps on top of GPG during the whole Snowden thing and Werner can't raise $120,000.

I'm really glad Pro Publica picked it up, but I also think *we* need to change the way *we* think about critical software like GPG. The GPG Tools team (GPG for Apple Mail) recently stated they need to charge for the tool in the future because they simply can't handle the amount of work anymore (it's still GPL) — the response from *us* was nothing but outrage.

// I just realized all of this is mentioned in the article. My bad.

smcl over 10 years ago
I had no idea this project (and others) had so few contributors. I'd love to be involved in some Open Source project but I always feel like "yeh there's probably millions of people far more talented than me wanting to contribute" and I've no idea how to start. Some people suggest taking a look at the open bug lists for software you use frequently, but on the few occasions I've tried that (python, gcc, and a couple of others) I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.

I did manage to do some isolated contributions to Open Corporates (http://turbot.opencorporates.com) where the community are super-welcoming and very patient, but I've felt a little isolated and like I'm not exactly giving much back. Apologies for the mildly-OT rambling.

lawl over 10 years ago
I think the biggest problem is visibility for these projects. They need to be louder. In the case of openssl, I had no idea that they were severely underfunded (until heartbleed).

Same for GPG until now. I didn't hear they asked for donations.

And I doubt I'm the only one. So I quickly checked if maybe this was big on HN at a point and I just missed it.

https://hn.algolia.com/?query=GPG%20donation&sort=byPopularity&prefix&page=0&dateRange=all&type=story
https://hn.algolia.com/?query=GPG%20fund&sort=byPopularity&prefix&page=0&dateRange=all&type=story
https://hn.algolia.com/?query=GPG%20money&sort=byPopularity&prefix=false&page=0&dateRange=all&type=story

Nope. It's not just me.

If not even the most technical people (that actually know what GPG and openssl are without looking it up) don't hear about this, how are regular people going to find out where to throw their donations at?

I think people would donate if they knew about it. I'm going to send this guy $100 and consider it a license fee, because he deserves it.

ChuckMcM over 10 years ago
I wonder sometimes if this is the legacy that RMS was thinking about. Sometimes, in my more cynical moments, it seems like we have somehow managed to trick a whole generation of programmers into giving "free stuff" to the world, enabling the creation of the very successful mega corporations which have then kept the value for themselves.

Would it be impossible to create some sort of stipend program at FSF? After all the creation and maintenance of software is allowed to cost money under the GPL.

yegg over 10 years ago
We are collecting nominations for our DuckDuckGo yearly FOSS donations at https://duck.co/forum/thread/11753/foss-donation-nominations-2015-edition. The theme this year is mainstream privacy. This seems to fit well and we'd welcome others. Donations will go out soon.

minopret over 10 years ago
Can someone explain why GPG in the person of Werner Koch isn't substantially funded under FSFE?

My first thought was the Software Freedom Conservancy. The only reasons I see for them not to take GPG under their wing are lack of will (but why?), sense of funding priorities (but why?), or the possibility that some GPG constituents would be concerned about associating GPG strongly with a US-based organization.

mseebach over 10 years ago
Given the general scarcity of talent in the business, it should really be trivial for a high end IT security consultancy to pay Werner a €3000/month (ie. enough to live on, if not extravagantly) retainer to be available ~10 hours a month to consult on encryption matters (or something like that).

I wonder if it all really comes down to "Really I am better at programming than this business stuff." or if there is some unstated dogmatism that gets in the way.

It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.

andrewla over 10 years ago
For bitcoin donations, you can go to [1], which gives the address as 12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq [2]. The address is not generated per user, and is dedicated to GnuPG.

[1] https://www.wauland.de/en/donation.nojs.html

[2] https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq

cs702 over 10 years ago
"Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project."

The problem, in other words, was that lots of people like me, who depend everyday on gpg and are thankful for it, would have supported it over all these years *if only we had known that its maintainer was barely scraping by on $25K a year.*

Kudos to Pro Publica for bringing this to everyone's attention.

_wmd over 10 years ago
GnuPG sounds like a prime candidate for Linux Foundation's core infrastructure initiative. http://www.linuxfoundation.org/programs/core-infrastructure-initiative

If they're willing to fund a new NTP implementation then they should be able to drop a few coins in the GnuPG bucket too

moreati over 10 years ago
In the last hour or so (I think since this hit the front page) there have been approximately €2000 of donations added to the drive at https://gnupg.org/, nudging it over €40000.

Please do your part, and keep that bar moving.

a3n over 10 years ago
He's been voluntarily cheated. He should take a job, take care of himself (no one else will), and give gpg whatever time he has left, if he has the energy.

dredmorbius over 10 years ago
The problem of reward for innovation is one that goes back a *long* ways under the market / capitalist system.

The tale of the unrewarded genius is legion, one set of substantiation is presented in Gregory Clark's *A Farewell to Alms* looking at key inventors of the early Industrial Revolution: John Kay (flying shuttle), James Hargreaves (spinning jenny), Richard Arkwright (spinning frame), Samuel Crompton (spinning mule), Reverend Edmund Cartwright (power loom), Eli Whitney (cotton gin), and Richard Roberts (power loom, machine tools).

Of the list, Kay, Hargreaves, and Roberts died in poverty. Crompton and Cartwright were granted substantial payments by acts of Parliament (£5,000 and £10,000 respectively), Whitney made money through arms sales to the U.S. government, and of the lot, only Arkwright earned significant wealth, half a million pounds, *after* his patents stopped being honored by other manufacturers.

Invention and information goods fare poorly in economic systems.

Most of us are coloured by the experience of Microsoft from 1980 - 2000 or so, but what is generally *not* recognized is that *Microsoft as a seller of "shrink-wrap" software was exceptionally anomalous*. Most other pure-play software firms were nowhere *near* as profitable as Microsoft. Some *technology* companies had large revenues, but they were often based on hardware (Sun, HP), professional services (Oracle, Price Waterhouse), or both (IBM). Hardware does well, but has a small fraction of the profit margin of software, and professional services -- brains by the bucketful -- is *very* difficult to scale. Companies which do well at the latter almost always have a distinctly mafia-like reputation (IBM, EDS, Oracle, PWC, Accenture, etc.).

Werner's situation is unfortunate, and I really do hope he finds a way to survive. He's hardly alone, and frankly, the proprietary commercial model has proven highly problematic as well.

gommm over 10 years ago
I've just donated. It's an important project and Werner Koch needs to be rewarded.

I feel that we, as a community, are really bad at supporting some of the opensource projects that power our infrastructure. I'm not sure what can be done to improve this. Maybe we need a foundation that raises money for those projects and does the marketing needed to remind us to donate.

I for one wouldn't mind giving say 30 euros/month to be redistributed between projects like GPG, openssh, varnish, nginx, openssl...

tw04 over 10 years ago
It's a sad day when Farmville can become a billion dollar business and Werner can't feed his kids. I'm curious if he's truly living on ~$20k/year. That seems ridiculously low for life in Germany. Or if he's got other sources of income to bolster that.

Either way, what really needs to happen is companies that build programs off his work need to make a concerted effort to donate to the project. Heck, set aside a small percentage of revenue and consider it a cost of business.

peterwwillis over 10 years ago
And this is the weird conflict with open source software. OSS is primarily written because somebody needed it and didn't have it. If they have it, and it works, they have no need to write it or support it. Eventually somebody stops supporting it, and then we all realize we're in trouble, somebody forks it and support is taken up by somebody who needs it.

I think this works. It's sad that it depends on exploiting the virtually unpaid work of a few committed die-hards. But basically, it's the only way we can have good gratis software without something stupid like bundling ads, lack of source code or 'services-based' models. It's clear from all the other unfunded OSS projects that corporate sponsorship isn't going to happen unless they're getting something in return.

unreal37 over 10 years ago
There does seem to be a need for an "Internet fund". Pick 100 of the core free technologies that everyone relies on and pay people to maintain them.

dchichkov over 10 years ago
"Stallman urged the crowd to write their own version of PGP. 'We can't export it, but if you write it, we can import it,' he said."

"Inspired, Koch decided to try. 'I figured I can do it,' he recalled."

"Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions."

Brilliant :)

florianfunke over 10 years ago
Here are Felix ("fefe") von Leitner's comments http://translate.google.com/translate?js=n&sl=de&tl=en&u=http://blog.fefe.de/?q=gnupg Not that I would share his views, but he is a relatively well known German security expert and free software activist (dietlibc). He knows GnuPG pretty well and basically says: Werner, you don't deserve our donations, stop crying, get a day job and maintain GnuPG in your spare time.

nathan-muir over 10 years ago
This feels like "WorldVision" for programmers. The wealthy pouring support on the forgotten, decrying the unjust conditions, only to forget about them and return to their normal lives.

Unlike the poor children of the world - Koch's decisions are wholly responsible for his current predicament.

The "market" doesn't care about individuals like Koch, and he chose to continue despite his efforts not being reciprocated/acknowledged.

I'd like to say that Koch should have abandoned the project, and if the market saw that maintenance/development of GPG was important, it would have happened.

However, it's not a perfect world - and there are probably plenty of pieces of critical software installed on our systems that are no longer maintained.

Would GPG have become one of these unmaintained codebases had Koch acted in his own self interest?

Or, would have another organisation/individual funded someone else to maintain and develop it?

redthrow over 10 years ago
"He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry"

The developer of git-annex assistant was happy when he received $20,000 on Kickstarter and he said with this money he could dedicate his time on this project for a full year. [1]

Maybe he could also start a Kickstarter/Indiegogo etc campaign so that he could hire another full-time developer? If enough people find this additional workforce on this project worthwhile, it will be funded.

[1] https://www.kickstarter.com/projects/joeyh/git-annex-assistant-like-dropbox-but-with-your-own

jackreichert over 10 years ago
It would be really great if you could run an apt-get/yum filter on your server and retrieve a list of donate links for the open source services you rely on.

Ideally, a GPL+donate-what-you-can would really help maintain these projects.

BjoernKW over 10 years ago
The problem boils down to "Really I am better at programming than this business stuff.".

Someone with his talent and expertise should have no problem with getting highly paid consulting gigs. Then he could continue working on GPG in his free time and even use the consulting income for hiring additional programmers to work on GPG. There are quite a few product-based businesses that could be built upon GPG as well (secure email, corporate communication tools, some kind of public-key-based social network come to mind ...). These could be used to support the continued development of GPG itself.

It's of course not as easy as it sounds. Not everybody wants to deal with 'all that business stuff' and that's fine but then by all means find someone who can help you with that part. If you want to change the world sometimes idealism alone just isn't enough. You also have to proactively deal with the everyday stuff like where the cashflow for paying the bills will come from next month.

There's also a problem with the purism put forth by some of the 'free as in freedom' enthusiasts, most notably Richard Stallman, who seem to gloss over the fact that coders have to make a living, too or who even frown upon making money with software altogether. Software eats the world but even RMS can't eat software.

How many successful larger companies come to mind whose business model is based upon open source? Red Hat, Ubuntu and that's about it. If we truly want to avoid dilemmas like this one we also need to think about how to successfully implement sustainable open source business models.

duckingtest over 10 years ago
I think he should start a US nonprofit, or even better start cooperating with an international one, as that would allow people to deduct donations from their income. It's a lot easier to donate if you know that otherwise 30%-50% of that would go to the ever hungry state...

edit: It turns out every EU citizen can deduct a donation to GnuPG from their incomes!

https://www.wauland.de/en/donation.html#61

rdl over 10 years ago
Wow, they have done a pretty bad job of promoting their donation campaign. I use GPG, I love GPG, and I hadn't heard about it.

If they'd done it before 12-31, they could have easily gotten a lot more donations (due to tax year), especially from companies (who IIRC don't need it to be a 501c3).

Helping GPG market itself, especially for fundraising, would be a great way for a non-technical privacy advocate type to contribute meaningfully. I think a lot of those people exist.

kogir over 10 years ago
This is sad but not super surprising. Historically, if you had money and wanted a reasonable UI and cleaner integrations, you bought PGP (now from Symantec). GPG was always for people unwilling to pay.

For the record I donated. I'm just pointing out that writing something that's bundled and distributed as part of something else means nobody thinks about your project, or in many cases even realizes they're using it.

excel2flow over 10 years ago
For that matter, I don't know what I would do without BouncyCastle: https://www.bouncycastle.org/donate/index.cgi

This article made me think about donating.

Dowwie over 10 years ago
In the meanwhile, a very funny card game about exploding kittens has raised more than 5 Million USD on kickstarter

api over 10 years ago
This is why "free as in beer" is a problem for "free as in freedom." Just to maintain things costs money because people take money to live, not to mention how much it costs to field things that are competitive on UI/UX and other metrics with big closed ecosystems.

joycey over 10 years ago
Here's something I think should get more love and is pretty relevant: a service that will automatically pay a percentage of Bitcoin donations for every submission to a GitHub repository: https://github.com/WhisperSystems/BitHub

So if you donate to Open Whisper Systems, you can see that your donations are going directly to those that are contributing to the project, and you get paid more if you're contributing more. I've sent in a few PR's to their iOS repo, and it'd be awesome to see it implemented in other privacy OSS projects. It's obviously not a perfect system, but I think it's a pretty cool way of funding OSS.

danso over 10 years ago
Hopefully this article leads to a call-to-arms in the dev community to come up with best marketing/fundraising practices. I know that the idea of meritocracy is very powerful (and not altogether *wrong*)...but it's a tragedy when great software doesn't get the minimal exposure because of relatively easy friction problems that can be fixed.

I think of all the random, stupid things I've backed on Kickstarter, simply because I saw it on a friend's Twitter feed...things like GnuPG may not get as much consumer reaction as most Kickstarter widgets, but there are enough developers with disposable income who would happily donate to open-source-in-need if such causes were just slightly more visible.

guiambros over 10 years ago
This is amazing news. Glad to see companies that benefit so much from free software helping to pay it forward.

*Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.*

corin_ over 10 years ago
Meta-question, ideally aimed at Daniel if you're reading this, but not interesting enough to email you plus wondering what community members think:

Normally I'd be against comments like "donated" that add nothing else, and would downvote them for that. But in this case, does seeing lots of other people say they've donated make other readers more likely to donate themselves? If so, does that outweigh the negative of the page filling up with otherwise-pointless comments?

I've not downvoted any, but would be interested in any opinions as to whether or not you have/would downvote them and why.

droque over 10 years ago
I wonder if a patreon-like (or even patreon itself) would be more effective raising donations than just one-time donations. I know enough people that swear by gpg, so it doesn't strike me as hard finding a base.

liveoneggs over 10 years ago
http://en.wikipedia.org/wiki/Netpgp

csl over 10 years ago
So I just donated €20 and I invite others to do it as well.

(And they use Stripe for payments, which of course is relevant here on HN. And as a first time user, it was a breeze to donate.)

kylec over 10 years ago
I wish there was a sort of "Patreon for open source" nonprofit service where I can support projects like GnuPG, OpenBSD, etc all in one place.

Samumu over 10 years ago
Would it help if some highly visible figure like Snowden or Poitras weighed in in some interview? I mean, they probably have a lot on their shoulders already but I cannot see anyone else who would be more motivated and more efficient at this task.

I am probably missing something though. They must be somehow aware of the situation already and not consider it a top priority for some reason.

gojomo over 10 years ago
The need here is characterized as 'money'. And yes, at a reductionist level, that's the issue.

But perhaps what GPG and Koch really need is management and marketing, to build sustaining, recurring support for the project.

That would involve getting this sort of attention on a regular basis, and asking for financial support in ever-improving ways. Also, having enough structure that key people aren't tripped up by local tax and legal issues, and the project is well-prepared to survive the surprises and tragedies that eventually challenge every longstanding effort.

Sometimes, a precocious developer or development team, or even volunteer advocates in the community, can do this themselves. But also some people have no talent or appetite for self-promotion and support work. The proclivity for these tasks may even be negatively-correlated with the particular technical abilities required in some domains.

GPG doesn't just need a fish today. It needs a fisherman... or fisherwoman.

hughes over 10 years ago
Lack of funds doesn't even sound like the biggest problem here. If the project relies on one guy, what happens when he's gone? Seems like something this important should have a higher bus factor.

http://en.wikipedia.org/wiki/Bus_factor

fellowshipofone over 10 years ago
Just like many here, I had no idea, and this is so important. I hope HN community will blow up this donation page!

javajosh over 10 years ago
This is a terrible injustice, and points to a larger systematic problem, that we software practitioners benefit greatly from the efforts of others to whom we barely offer anything back.

And while the media can help (as in this case) what we should be looking for are systems to help with the situation. My ideal would be a system that monitors my package manager activity, and then using an algorithm I control, allocates "pieces of the pie" to each package I install and use. Then I determine how big the pie should be, and how it should be funded. E.g. if I'm working for a company, I'd request as part of my contract that I get a $200/mo software budget. Or I could just fund it myself.

If even a small fraction of us did something like this, the open-source world would blossom, and injustices like this one would be eliminated.

madhudj over 10 years ago
Where can I see the list of all such Softwares (the essential and free) and the people behind them?

Is there a single place where the following details can be found?

Program Name, Company / Group Name, Description of the software, Link to their website, Yearly Budget (Required), Funded so far (out of the total yearly budget), How many people in the team?, Options to donate

I feel that the real problem is that the folks behind these amazing softwares are either too busy / too nice / too shy (for philosophical reasons) to promote, organize, gather funds? And in the busy world, their very existence is forgotten by the rest of us.

If there are none like this, why not we build one and I would like to start it so others can join in later. To help these guys around the year and not just when we get to see a blog post like this one.

Any thoughts / comments ?

0xdeadbeefbabe over 10 years ago
So, it wasn't a donation, but Snowden that kept this developer going? I'm freaking out a little thinking this implies you can't buy dedication or even good software. Donating is a good thing of course, but it doesn't solve this really disturbing meta-problem.

anigbrowl over 10 years ago
This is a clear example of market failure. When I've been grumpy over the last year over how torrent piracy affects indie cinema (the sector where I work) it's for similar reasons; putting work out there and depending on the goodwill of the public is simply not a viable economic strategy. It's a basic fact of human psychology that people gauge the value of something by what they paid for it, or even what other people would have paid with it and what they therefore feel they're 'getting away with' if they managed to obtain it without paying.

*In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.*

Think of what Koch might be able to achieve if he were in a position to direct other people in addition to writing code, or even to write code without the distractions of a precarious financial life.

Innovators, whether in arts, technology, or whatever sector, do not like relying on donations or shaking a hat in front of people. It's a shitty, degrading way to work. Nobody becomes better at what they do through constant negative reinforcement of their economic inferiority; and yet the notion of even the most minimal royalty obligation or assertion of a private economic interest is enough to bring out glibertarians* in droves ranting about the selfishness and futility of trying to put a price on something that has zero marginal cost of distribution. Digital assets *do* have zero marginal cost of distribution, but they have significant fixed costs of creation, and the failure to acknowledge that by disavowing the notion of *any* property interest in digital goods** are undermining the entire market concept in favor of a new variation of serfdom. Saying that society should change and institute a basic income guarantee is all very well, but that's not going to put food on the table for anyone in the near term (except possibly a few enterprising economic raconteurs who are willing to take up the role of court jester).

One possible option for Koch would be to crank out the next version of GPG; post a changelog of all the desirable new features/bug fixes etc., and then run a Kickstarter to raise the funds that would persuade him to release it - in other words, to withhold the new version until people put their money where their mouths are. But I'm pretty sure he doesn't want to do that, for 3 reasons: first, many people would just carry on with whatever they currently have, regardless of security liability etc., because what's already available is 'good enough'; two, he'd become the target of the internet hate machine, albeit on a smallish scale; and three, a bunch of indignant people would fork the existing code on Github and offer their innovations for free, a hundred flowers would bloom, and 3 months later 99 of them would have shriveled up and died, while the codebase would have irreparably fragmented.

What we need is some sort of new economic model that does not force innovators to sacrifice their comparative economic advantage (ie their primary technical or artistic skill, on which they should be concentrating their efforts) on guilt marketing, public beggary, or drafting of grant applications. The copyright system could provide such a mechanism, but focusing only on the cases where it's broken or unfair to consumers has led many hackers and digiterati to throw the baby out with the bathwater, making things *much* harder on small-scale producers whose interests the system was instituted to protect in the first place.

* people who identify as libertarians but who have little experience of structural economic disadvantage

** in the economic sense of things that are literally good to have
colindeanover 10 years ago
If your company uses the fruits of this project's labor, your company should probably be reserving at least a little honorarium to the people behind it.

Give directly, or encourage them to use something like Gratipay or Patreon or whatnot.
frevdover 10 years ago
The whole commercial industry is relying on open-source components, arbitraging what should cost money in the first place to build a business, then assuming that people do it for the fun primarily (which is not completely untrue), maintenance though costs money, but to give edits back should be the role of the earning community, not the original founder. Licensing might help here, just too many people are offering their works for free (read there will always be somebody with a free alternative). It's kinda weird to expect something else and proclaim free software..
MysticFearover 10 years ago
Don't forget to donate to ProPublica for covering an unsexy story as well.
GolfyMcGover 10 years ago
Facebook and Stripe are stepping up: https://twitter.com/stripe/status/563449352635432960
dataminerover 10 years ago
Just donated, GPG is quite a critical part of the open source ecosystem.

Please donate
beaknitover 10 years ago
Just donate, for christ's sake
pcthrowawayover 10 years ago
> Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others.

I'm guessing this is a problem with the journalist misunderstanding the subject, who probably said publishing it as free software (which is not the same as giving it away for free) is the best way to demonstrate that it is secure.
D4AHNGMover 10 years ago
I noticed the rather pitifully empty donation bar last week, and made a mental note to chip in a little bit as soon as I could. Donated €5 today, and visited the website again just now and the donation bar is more than full, which is just incredible.

Werner's engagement on the mailing lists is awesome enough, let alone the software he writes. Genuinely glad for the guy that he's getting some of the financial support he needs.
jakemcgrawover 10 years ago
Just donated, and you should too!

https://gnupg.org/cgi-bin/procdonate.cgi
sandGorgonover 10 years ago
This is precisely the question I asked here - https://news.ycombinator.com/item?id=8863782

This is frustrating - a lot of these projects don't get funded just because of one reason: discoverability. People don't know that these projects need funding. OpenSSH was another. No telling how many others.
ollaover 10 years ago
I think we need a change in the way we look at open source software. It must not necessarily be free of charge. The real benefits of open source are often something other than being free of charge, like in this case. Maybe we need a new licence allowing charge for commercial use and giving benefits or discounts on the amount of contribution made to the project?
harkyns_castleover 10 years ago
Hopefully a sign of things to come. Way prefer to give my cash to someone that diligently works away out of the public eye, but also gets some reward when it's recognized. My cynical side says someone will pop out soon and say it's compromised and he's had an NSL, but that part of me is killing me so I choose to hope not.
whatsgoodover 10 years ago
GNU is awesome in the way that 'Citizen Kane' is awesome. It is awesome because of what it accomplished given the context in which it was created. The context has changed but GNU, by and large, has not. "Free Software" gave us BSD and Linux, but it is also partially responsible for the privacy issues of Google and Facebook (neither of which would be as competitive if they had to pay licensing fees to Microsoft and Oracle, and they give their services away in exchange for monetizing user data), Heartbleed and similar bugs (these projects are not properly funded for security audits and/or maintenance), and the expectation that one should work for free (if you don't have a job the first thing you do is start working on open source projects to show what you can do). Richard Stallman is arguing for the freedom of software, not people. Unless we change society such that its citizens will be provided for regardless of how they spend their afternoons, open source needs a new business model. As software becomes more pervasive finding alternative models will become more urgent. And, it's already very urgent.
conductrover 10 years ago
Could he not just change the license to require commercial usage by companies with more than $x annual revenue to pay $y in license fees?

Could still remain open source and free for majority of applications if x was high enough. Also, creates a system where those reaping the most also pay the most.
whyleymover 10 years ago
Just announced - "Stripe and Facebook are going to sponsor @gnupg development with $50k/year each." - https://twitter.com/stripe/status/563449352635432960
carrotleadsover 10 years ago
Never tell people / managers that you love your job. That's one foolproof way for people to expect you to do it for free or close to it.

Your payment comes in the form of praise.

I think that was the mistake made here. A mistake made by many artists.
viccuadover 10 years ago
Donated 20 euros. It's amazing, in some hours it has gone from 40.000 to 58.000!
slowpoisonover 10 years ago
It's a bit disappointing that G10code[1] https identity verification fails. Maybe it makes sense given that he's short on $$$$.

[1] https://g10code.com/
bndrover 10 years ago
I would like to repost a comment from reddit[1] that makes some good points:

"That title is pretty laughable.

Enterprise E-Mail Encryption solutions do NOT use gnupg, and most enterprise customers do not even use openpgp, they use X.509/SMIME. I know the world top 10 server side enterprise e-mail encryption solutions and the majority uses java with either bouncycastle or ajak encryption, for PGP or openssl/bouncycastle for SMIME. There are some solutions that use gnupg but those are very small and again - most people do not use openpgp in the business world. Mostly automotive uses it like Porsche, VW etc. for encrypting e-mail traffic. Gnupg is mostly used for e-mail by your skilled engineers in private or while communicating with kernel developers etc. Either by using enigmail/mutt/command line whatever.

Nothing based on e-mail would "break" if gnupg went missing.

Now let's get back to Mr. Koch - gnupg was sponsored by the German Government - in all these years - Mr. Koch tried to build a consulting company/enterprise solution out of it - but he failed because there were already existing solutions that were far better than anything he could come up with. Moreover asking Mr. Koch to fix specific bugs in gnupg which was as I said sponsored resulted in simply "pay me XXX amount or I won't do it" - that's how Mr. Koch worked.

Ask any code auditor/reviewer worth his salt and he will tell you gnupg is a mess, it is worse than openssl in most cases - why? Ask Mr. Koch.

I just want to remind everyone carefully judge, before thinking about donating to Mr. Koch or his company. I already noticed he received well over 50k today just because of this false article.

This guy got funding multiple times from the German government for implementing and maintaining gnupg. This was never a fulltime job - adding patches and a few features is what any open source developer does in his free time. Mr. Koch tried to build a business upon this government funded software, and it failed. He already had multiple fundraisers in his careers to keep his company going. Does he deserve your money? It is not like gnupg would be dead without him - he is not the only one doing anything - there are many developers in the community who are doing their share too.

Aren't there other things more deserving of funding than the failed economical existence of one guy? An open source developer that wants to contribute free software does not need your money to survive! Did Mr. Richard Stallman or Linus Torvalds ever beg people for money because they can't buy their next meal? Did the BSD Foundation plea to you they can't make days end? No - they never did - and they still were able to produce free open source software.

Mr. Koch does not deserve your money, if anything successors of him should receive funding if they need to - but not to survive - because they most likely got a real job already and doing this in their free time."

[1] http://www.reddit.com/r/programming/comments/2uw2gt/the_worlds_email_encryption_software_relies_on/coc9qxv
simonvcover 10 years ago
Donated.
yeukhonover 10 years ago
So why not hire the guy to work on this as a full time employee? Stripe / Facebook / Google or even Mozilla should have the money to hire him as full time and only work on GnuPG.
vitdover 10 years ago
I wonder if his software would be more well known if it were more useable? I've tried using it on a few occasions over the past 10-20 years and have had a very hard time doing so.
pinjizover 10 years ago
Just donated 50€, hopefully the goal of 120.000€ will be exceeded!
lajarreover 10 years ago
No one pointing to the fact that GPG has major issues like no perfect forward secrecy? Are we celebrating that big-brother money is funding a (out)dated technology??
dhfromkoreaover 10 years ago
This is an epitome that corresponds to Peter Thiel's thesis statement: contribution to a society and (financial) reward are independent variables.
mavsmanover 10 years ago
Unbelievable that this article gets this guy a paycheck. He deserves it but it's still amazing. We live in the future.
go1979over 10 years ago
I like his office setup. Dual monitors, raised base for monitors, plexo? lamp, white board, real keyboard.
ixtliover 10 years ago
I donate to the EFF regularly and would really like to see them put some of their money towards this.
coldcodeover 10 years ago
Why is there no Kickstarter equivalent for ongoing open source projects instead of just new things?
the-tesla-809over 10 years ago
Is there some hacker group online that specializes on Crypto that can donate time and or money?
gordon_freemanover 10 years ago
When I first saw this post on HN, the donation was around 60% of the goal. Just now I see it exceeded 120000 € of the goal. I bet HN readers donated a good amount today after reading the top-trending news. Great activism!
drodgersover 10 years ago
"Mihai'); DROP TABLE Donors" (from the donors page) is an asshole.
JeremySover 10 years ago
Donated...
theklubover 10 years ago
It's ok, he got like 200k in 24 hours so he's good now.
finidover 10 years ago
By itself, Google could pay that guy's salary and even hire another dev to help him. Red Hat could do the same. In fact there are any number of companies that can step in and do the right thing.
cha_osover 10 years ago
Just donated and you should too... ;) Great project!
jtwebmanover 10 years ago
I am sure if he quit someone would pick it up.
jprinceover 10 years ago
Gave him 5$. Thanks HN for showing this.
keyleover 10 years ago
big shout to the journalist that actually reported the issue instead of vaporware shenanigans. @JuliaAngwin
JoachimSover 10 years ago
The funding target has now been met!
dreamdu5tover 10 years ago
This shouldn't be odd to anyone who's spent a large amount of time releasing open source. You just end up being used and uncompensated. At best you get a job offer from it.

It's really sad to me how many companies benefit from open source (including my own software) without the author ever being compensated.

It's hard for me to get motivated to do anything open source anymore because of the feeling that I'm just a gullible idiot in the end.

The feeling when I fix issues opened by people at VC-backed companies with millions of dollars is really really nasty. I always feel like such an idiot.
microcolonelover 10 years ago
I've donated to the project in the past, I wasn't aware of just how far in the hole he was until today.

Also, I just cloned the repository and it's a bit of a mess, if anything I'm ashamed that I haven't been doing anything about it directly.
patronagezeroover 10 years ago
No worries, I'm sure everyone contributes more to their respective governments to break encryption than they'll ever send to anyone seeking to protect it. Send more money to this guy if you want to feel better about your shitty (respective) country or self. Better yet, just donate to the EFF like a uselessly trendy dweeb. Being a decent citizen isn't about standing up for what's right or wrong (that makes you a terrorist), instead it's about sending money to your respective, government-approved cause.
mwshermanover 10 years ago
The question is the wrong one. The better question is: why does so much software choose to depend on an underfunded library?
snissnover 10 years ago
Why doesn't he watch some youtube videos on lean startups, write a business plan and raise some VC money?
ctdonathover 10 years ago
But wait, I thought fame and accomplishment and helping lots of people were supposed to be enough for software authors, that somehow making people pay for software was evil, that it's OK if everyone just copies your source code and uses it, that an Open And Free Internet would be self-sustaining?

/sarc
kentfover 10 years ago
Let's send him some money directly: https://www.tilt.com/campaigns/werner-koch-deserves-to-get-paid