> Fortunately, and this is still not common with free software, we have now established a way of financing the development while keeping all our software free and freely available for everyone.
> Our model is similar to the way RedHat manages RHEL and Fedora:
I looked around the website for a bit and didn't find a blog post or anything indicating what they've replaced the donation revenue stream with. Have they been employed? Are they doing consulting?
"GnuPG VS-Desktop" has been approved by the BSI for encrypting secret files/messages in the German government (VS=Verschlusssache) so I'm guessing that's where most of the money is coming from.
“ GnuPG.com, Düsseldorf, Germany
Offers commercial grade support, customized development, porting to new platforms, help with integrating GnuPG into customer projects, code audits, and more. GnuPG.com is a brand of g10code GmbH; owned and run by GnuPG´s and Gpg4win´s principal authors.”
I'm confused as well, it's not clear from that post what the new structure is, or how sustainable, or if there are back-up plans. It just says, that there is a new structure essentially.
I'd appreciate it if someone helped me understand, or get more context.
1. a lack of good support via an API/libraries (the standard way to communicate with it seemed to be shelling out to the binary and trying to parse its output
for a long time)
2. terrible UX, especially around the trust model - web of trust is great in theory and for geeks but doesn't work well in practice, and the terms used to explain it invited dangerous misinterpretations (to mark a key as trusted in the sense of "I verified that this fingerprint belongs to that person", you're expected to sign it, NOT mark it as "trusted" - the latter actually causes all keys signed by that key to be trusted, making it a "CA").
These may be addressed by now, but I think this is too little too late.
I dont think those are addressed now. I needed gpg for the first time recently. After fiddling with documentation and weird terms, approaches etc I decided it is not worth whatever it does. My time would be better spent if I learned how to knit or something.
Very confusing post. It doesn’t explain how they are now making money--which is probably relevant for some folks to trust them to protect online privacy.
I think they did explain it, although I had to read it a few times to find it. If I understand correctly, they're charging for "the actual binary of the MSI installer for Windows and client specific configuration files." It sounds like they're doing so under the name "GnuPG VS-Desktop." I think it's related to selling services through https://gnupg.com/gnupg-desktop.de.html, but I'm not entirely sure.
> Those with SEPA donations, please cancel them and redirect your funds to other projects which are more in need of financial support. The donations done via Stripe or PayPal have already been canceled.
> Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
Recall that this was in the wake of Heartbleed, a vulnerability that exposed our dependence on OpenSSL, another critical, and chronically underfunded project.
The project got a nice boost after that article, leading to this Ars Technica story about the windfall:
> Given the ramshackle state of massive GnuPG code base, it's not clear what's the best path forward.
Comparing the list of CVEs for major cryptographic software OpenSSL, OpenVPN, OpenSSH and GnuPG implementation of OpenPGP, GnuPG has stood up pretty well for three decades:
The main shortcoming of OpenPGP standard is lack of modern authentication. It has MDC, which works in most cases, but isn’t best practice nowadays. There is an update to RFC4880 in progress, RFC4880bis draft, which is presumably considered by sequoia-gpg. The file format is also apparently disliked by some people, but end users care about results. If RFC4880bis is standardized, the gap between OpenPGP and alternatives is closed. Then, using a heavily audited standard and code is preferred.
I read GnuPG is used by organizations requiring high security, eg, intelligence agencies, NSA, state-level actors (presumably shadow brokers etc), banks etc.
It’s still good to have competing options. But let’s focus on facts.
This does not look like an especially reassuring track record! People should keep in mind that GnuPG is a legacy C codebase. Nobody would implement a tool like GnuPG in 2021 the way GnuPG is implemented; we accept its implementation because of path dependency, not because it's especially sound.
I don't think your supposition that GnuPG is beloved of "NSA and state-level actors" really qualifies as "facts". The industry standard "secure email" system for banks is simply a TLS web interface that you post your emails to; banks don't use PGP for secure communications. I haven't, of course, worked for all the banks, so if you've got a counterexample, please provide those facts for us to evaluate.
Obviously, the documentation of a proposed design for AEAD support in an RFC doesn't close the gap --- users care about results, as you say, and so what matters, to the exclusion of all else --- is what the installed base of GnuPG clients supports. Which is why Sequoia's years of support of (I think?) EAX mode AEAD encryption hasn't moved the needle for the moribund PGP ecosystem.
Since OpenPGP is normally used in offline and stateless applications like encrypted email and encrypted files there is no need for some sort of session oriented authentication. The content itself is signed and thus authenticated. So the MDC is not normally needed either, it is just an integrity check for the edge case of unauthenticated encryption. The only time the alleged deficiencies of the MDC come into play is when doing symmetrical encryption.
This is good; donating to GnuPG was not an especially effective way of protecting at-risk users, and it's better that the project be supported by the niche userbase (apparently: the German government) that actually uses PGP in 2021, rather than trying to make a social cause out of a (pretty controversial) file format.
I think there are multiple reasons it's good. It's good for security as you've articulated.
It's also good as an example of sustainable open source development via the consulting model. We've seen a lot of hand-wringing about FOSS funding lately. It may not be as flashy or high-profile as VC-funded open core projects with all their ubiquitous marketing, beautiful websites, and submarine PR. But it's a way to make a living by exchanging useful value in exchange for moderate fees, rather than asking for charity or signing up for an unsustainable investment deal.
I've always found it annoying that there isn't a properly supported python package for gnupg. There were like two or three forks that were maintained properly but each one had its "time". It's very confusing for people to begin with using PGP since you have to understand which one to use and the history and why they all exists. A lot of fuss if you ask me.
There's a package called PGPy. It's a python implementation of PGP. BSD-3-Clause licensed. https://github.com/SecurityInnovation/PGPy When testing it out GnuPG compatibility, I just had to add the --rfc4880 when encrypting with GnuPG. Then PGPy could decrypt it using the private key generated by GnuPG. PGPy supports key generation and encryption too.
> Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses.
They’re paying for a Windows installer. Building Windows code from source is not something most Windows users are capable of.
well then, redirect your funds to sequoia-pgp.org then. they make a good alternative, which is more secure than gpg. several former gnupg developers work on that as werner did not want to work on citrical issues back then.
Age can't authenticate when encrypting to a public key because it doesn't support signatures. So don't use it in this mode unless you know what you are doing.
Most people should just use GPG for stuff like this.
Has it been independently audited at all? I looked around and didn't find anything about it.
It's probably maybe fine, and of course code can change at any time, but with software focused on security, it would seem more necessary than, say, an audio player (excluding improbable situations).
Either way, It's nice to see a GPG alt written in Go.
The only thing PGP did correctly, and very well, is the concept of persistent identity. Keybase recognized this and uses PGP as the toehold, then from there, created a secure auditable chain of NACL keys. The PGP 'web of trust' and non-repudiability nature of PGP messages each failed for good reason.
[+] [-] rectang|4 years ago|reply
> Our model is similar to the way RedHat manages RHEL and Fedora:
I looked around the website for a bit and didn't find a blog post or anything indicating what they've replaced the donation revenue stream with. Have they been employed? Are they doing consulting?
[+] [-] formerly_proven|4 years ago|reply
[+] [-] moondev|4 years ago|reply
[+] [-] kerneis|4 years ago|reply
https://gnupg.org/blog/20220102-a-new-future-for-gnupg.html
[+] [-] colechristensen|4 years ago|reply
[+] [-] slashfoo|4 years ago|reply
I'd appreciate it if someone helped me understand, or get more context.
[+] [-] zikduruqe|4 years ago|reply
[+] [-] vmception|4 years ago|reply
[+] [-] tgsovlerkhgsel|4 years ago|reply
1. a lack of good support via an API/libraries (the standard way to communicate with it seemed to be shelling out to the binary and trying to parse its output for a long time)
2. terrible UX, especially around the trust model - web of trust is great in theory and for geeks but doesn't work well in practice, and the terms used to explain it invited dangerous misinterpretations (to mark a key as trusted in the sense of "I verified that this fingerprint belongs to that person", you're expected to sign it, NOT mark it as "trusted" - the latter actually causes all keys signed by that key to be trusted, making it a "CA").
These may be addressed by now, but I think this is too little too late.
[+] [-] eknkc|4 years ago|reply
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] BMorearty|4 years ago|reply
[+] [-] fishtoaster|4 years ago|reply
[+] [-] flatiron|4 years ago|reply
[+] [-] repomies69|4 years ago|reply
[+] [-] DarylZero|4 years ago|reply
[+] [-] SloopJon|4 years ago|reply
> Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
https://www.propublica.org/article/the-worlds-email-encrypti...
https://news.ycombinator.com/item?id=9003791
Recall that this was in the wake of Heartbleed, a vulnerability that exposed our dependence on OpenSSL, another critical, and chronically underfunded project.
The project got a nice boost after that article, leading to this Ars Technica story about the windfall:
> Given the ramshackle state of massive GnuPG code base, it's not clear what's the best path forward.
http://arstechnica.com/security/2015/02/once-starving-gnupg-...
https://news.ycombinator.com/item?id=9011138
Nonetheless, a fundraising campaign followed just two years later. It turns out that $150K isn't actually that much of a windfall.
[+] [-] aborsy|4 years ago|reply
https://www.cvedetails.com/vendor/4711/Gnupg.html
The main shortcoming of OpenPGP standard is lack of modern authentication. It has MDC, which works in most cases, but isn’t best practice nowadays. There is an update to RFC4880 in progress, RFC4880bis draft, which is presumably considered by sequoia-gpg. The file format is also apparently disliked by some people, but end users care about results. If RFC4880bis is standardized, the gap between OpenPGP and alternatives is closed. Then, using a heavily audited standard and code is preferred.
I read GnuPG is used by organizations requiring high security, eg, intelligence agencies, NSA, state-level actors (presumably shadow brokers etc), banks etc.
It’s still good to have competing options. But let’s focus on facts.
[+] [-] tptacek|4 years ago|reply
I don't think your supposition that GnuPG is beloved of "NSA and state-level actors" really qualifies as "facts". The industry standard "secure email" system for banks is simply a TLS web interface that you post your emails to; banks don't use PGP for secure communications. I haven't, of course, worked for all the banks, so if you've got a counterexample, please provide those facts for us to evaluate.
Obviously, the documentation of a proposed design for AEAD support in an RFC doesn't close the gap --- users care about results, as you say, and so what matters, to the exclusion of all else --- is what the installed base of GnuPG clients supports. Which is why Sequoia's years of support of (I think?) EAX mode AEAD encryption hasn't moved the needle for the moribund PGP ecosystem.
[+] [-] CiPHPerCoder|4 years ago|reply
Make sure you also look for libgcrypt, which had a lot of cryptographic weaknesses in the 2010s.
https://www.cvedetails.com/vulnerability-list/vendor_id-4711...
[+] [-] upofadown|4 years ago|reply
This article covers this in more detail:
* https://articles.59.ca/doku.php?id=pgpfan:authenticated
So if OpenPGP never gets upgraded authenticated encryption no one will care much.
[+] [-] tptacek|4 years ago|reply
[+] [-] rectang|4 years ago|reply
It's also good as an example of sustainable open source development via the consulting model. We've seen a lot of hand-wringing about FOSS funding lately. It may not be as flashy or high-profile as VC-funded open core projects with all their ubiquitous marketing, beautiful websites, and submarine PR. But it's a way to make a living by exchanging useful value in exchange for moderate fees, rather than asking for charity or signing up for an unsustainable investment deal.
[+] [-] zikohh|4 years ago|reply
[+] [-] jarrell_mark|4 years ago|reply
[+] [-] ArchOversight|4 years ago|reply
[+] [-] einpoklum|4 years ago|reply
[+] [-] ralph84|4 years ago|reply
They’re paying for a Windows installer. Building Windows code from source is not something most Windows users are capable of.
[+] [-] deknos|4 years ago|reply
[+] [-] seanieb|4 years ago|reply
(For everything you think you should use PGP for please use Age - https://github.com/FiloSottile/age)
[+] [-] upofadown|4 years ago|reply
Most people should just use GPG for stuff like this.
[+] [-] nitrogen|4 years ago|reply
[+] [-] toastedwedge|4 years ago|reply
It's probably maybe fine, and of course code can change at any time, but with software focused on security, it would seem more necessary than, say, an audio player (excluding improbable situations).
Either way, It's nice to see a GPG alt written in Go.
[+] [-] exabrial|4 years ago|reply
[+] [-] Zamicol|4 years ago|reply
[+] [-] loeg|4 years ago|reply
[+] [-] deknos|4 years ago|reply