back to article Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash

Werner Koch is looking at a big payday after pulling in over $150,000 to fund the continuing development of his crucial open-source GNU Privacy Guard encryption tools. Koch, 53, is a leading light in the free software movement: in 1999, he released GPG, which uses the OpenPGP standard to safeguard the communications of …

  1. streaky

    Rely On

    I don't know that rely on is quite the right word, it's not like there aren't other options if GPG didn't exist; it'd probably help if companies that *directly* profit from selling stuff that uses chipped in a bit though..

    1. Voland's right hand Silver badge

      Re: Rely On

      Actually - for PGP compatible key formats and PGP compatible options there is not. The old PGP 2.x series which is available as software is obsolete by all standards. As far as using it all - ALL Linux distros and nearly all other free software uses distribution mechanisms based on PGP formats for signing implemented via GPG.

      While it is theoretically possible to move them to x509, doing so will require a considerable amount of effort. Additionally, x509 is centralized trust anchor, while PGP is a trust mesh. So you completely change the trust model. IMHO the mesh is more appropriate for free software development as there is no center and even Ubuntu or RHAT do not have the means to maintain a CA with all the associated security and trust procedures.

      1. streaky

        Re: Rely On

        It's fairly easy to argue that 509 is a better model for what PGP is used for in the linux environment - the only difference is the stack and an authority can revoke keys on behalf of people they certify keys for; which actually if you're say debian isn't necessarily a bad thing. If you're signing packages with a key signed signed by the debian project's trust anchor and that key goes awol and the dev themselves are awol debian can revoke the key on behalf of that developer - this isn't actually a bad thing. With PGP packages are signed by a central package key which if compromised in some way (more likely because more people have access) the key for the entire repo needs replacing on everybody's system rather than a revoke->reissue->re-sign process for the affected packages.

        Also I wasn't arguing it wouldn't be a major task, I was simply stating that we could probably live without it.

  2. vagabondo

    How to donate

    Apologies if my reader missed it (I have found the new layout considerably less "accessible" than the old one.), but I would have appreciated donation details (or links to} in the article.

    Credit card:


    Bank transfer, tax certificate, etc:

    1. dogged

      Re: How to donate


      Werner is a hero.

      1. Trevor_Pott Gold badge

        Re: How to donate

        Agreed. I don't have much, but I have, I'll donate.

  3. gnufrontier

    Scooge McCorps

    This isn't the first time that we have been treated to stories of free software being used by corporations who could easily support a project. No corporation deserves any kind of fealty. That includes the "Scientology of Tech", Apple.

    1. Trevor_Pott Gold badge

      Re: Scooge McCorps

      The point of free software is that others are free to use it.

      1. Mark 65

        Re: Scooge McCorps

        Strictly speaking that's true but I've always viewed it a bit more like shareware - if you really get genuine utility out of it you should really help out the person who wrote it such that the project can continue to thrive. After all, you'll benefit from any future improvements and you've been able to fully kick the tyres on it. I'll be perfectly honest in that I don't apply this to every little script and utility I've found/used but more-so those where I'd be pissed if they were discontinued.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like