I donated £50. I use GPG to encrypt every unencrypted incoming email in my inbox (I'm self hosted) so that nothing is stored unencrypted. I had one server breach a year ago (due to me not updating...), but thanks to gpg I knew my mails were secure from prying eyes.
I store the mails unencrypted locally though. Being able to search them is too useful to give up.
Disk encryption only protects against physical theft of the drive, which is not the primary concern with most servers. If a server is up 24/7 and I hack into it, it doesn't matter that the drive is encrypted since I have access to the decrypted files anyway. Encrypting incoming emails works because the mail server doesn't really care what the content of the email is, so decryption keys don't have to be stored on the server.
Here's my over engineered setup:
https://github.com/jakeogh/gpgmda
It attempts to also store the metadata encrypted. Admittedly, I got a bit carried away trying to hide mtimes.
Just use a procmail rule to call gpg on every incoming email before it's stored using your public key, then your client (configured with your private key) can decrypt every email as normal.
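As an added example (not code from the thread, nor from gpgmda), here is a minimal delivery-time filter that a procmail rule can pipe mail through, in the spirit of the two comments above: mail that is already PGP-encrypted is stored unchanged, everything else is wrapped as PGP/MIME with only the public key present on the server. The recipient key id, the script path and the procmail recipe are assumed placeholders.

```python
#!/usr/bin/env python3
# Assumed procmail recipe (not from the thread):  ":0 fw" then
# "| /usr/local/bin/encrypt_incoming.py".  Only the PUBLIC key is on the
# server; the private key exists only on the reading client.
import subprocess
import sys
from email import message_from_bytes, policy
from email.encoders import encode_noop
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

RECIPIENT_KEY = "PLACEHOLDER-KEY-ID"  # assumed: your own public key id
ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"

def is_already_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or inline-armored mail: skip those."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    return any(part.get_content_maintype() == "text"
               and ARMOR_HEADER in part.get_content() for part in msg.walk())

def wrap_pgp_mime(original, armored):
    """Build the multipart/encrypted container: routing headers are copied
    so mail can still be filed; the whole original is in the ciphertext."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for hdr in ("From", "To", "Date", "Subject", "Message-ID"):
        if original[hdr] is not None:
            outer[hdr] = str(original[hdr])
    outer.attach(MIMEApplication("Version: 1\n", "pgp-encrypted", encode_noop))
    outer.attach(MIMEApplication(armored, "octet-stream", encode_noop))
    return outer

def gpg_encrypt(data, recipient):
    """Encrypt bytes to the recipient's public key with the gpg binary."""
    proc = subprocess.run(["gpg", "--batch", "--armor", "--trust-model",
                           "always", "--encrypt", "--recipient", recipient],
                          input=data, capture_output=True, check=True)
    return proc.stdout.decode()

def process(raw, recipient=RECIPIENT_KEY, encrypt=gpg_encrypt):
    """Return the bytes to store; `encrypt` is injectable for offline tests."""
    msg = message_from_bytes(raw, policy=policy.default)
    if is_already_encrypted(msg):
        return raw
    return wrap_pgp_mime(msg, encrypt(raw, recipient)).as_bytes()

if __name__ == "__main__":
    sys.stdout.buffer.write(process(sys.stdin.buffer.read()))
```

Note that copied headers (From, Subject, ...) stay in the clear so the client can file the mail; gpgmda's point about metadata is exactly that this residue is still visible on the server.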
This is the part that scares me the most when it comes to security related open source systems, tools and software. What if there is suddenly no maintainer for a project? If the project is too complex to fork and there is no one willing to invest in development - would it not leave the door open for a project to be overtaken/maintained by surveillance authorities themselves?
Also, I get the feeling that most people take projects like these for granted, shouldn't security companies that rely on these projects at least want to try and keep them alive by donations?
I am surprised that the developers don't just seek sponsorship from corporate entities, especially with distributions which can get given priority support.
Asking the populace to donate seems like a short term fix.
It doesn't really make sense for a corporation to fund development outside of its organization.
First, how would you bill it? Tax-deductible gifts to a charity? To an individual, at the rate of a salary, to develop and maintain a product you want to use? Sounds an awful lot like employment. Somebody would need to pay taxes on it, and then there are the laws in whatever countries you're working in to consider.
Second, there's the immediate lack of benefits to funding someone outside your company. If you want a particular feature or fix done, you can't demand this person do it as they don't work for you. And if they quit, you'll have to hire someone to maintain it anyway, right? And if you need some domain-specific expertise or customization down the road, you'll again need to hire an expert for your company. It just makes a whole lot more sense to hire and keep an expert in-house that maintains the code, rather than gift to some rando some large chunk of money to work on something without addressing your company-specific needs.
Third, if you wanted funding, you'd probably have to show you have a board made up of the companies that fund you and some industry peers, have a roadmap, processes for discovering, addressing and solving issues, etc... basically your own little organization to manage everything. Just one guy doing code isn't necessarily enough for sponsors to take you seriously.
The problem here is that there's just one developer. Open source projects usually only work if there's many developers working on it a little at a time; then you don't need to pay full salaries and it won't go into disrepair. But for whatever reason (stagnation, disrepair, difficulty working with the community, obsolescence, etc) nobody is interested in working on it or with them. To me, that's a recipe for disaster: it means there's a 'smell' with this project, and maybe someone should fork it and do what they want with it now.
(I actually work and have worked in companies where this has happened... nobody is going to get funding approved to give money to someone outside their company for something that would be better served in-house)
It looks like an organization called "g10code GmbH" is in charge of funding development, not "some rando", and indeed it seems like they're willing to enter into contracts with companies for development of specific features that a company might need[1].
I don't know how the tax situation for donations works out for a GmbH, but they seem to be in a similar position as several other open source projects.
Various parties fund Tor development by giving money to "The Tor Project, Inc.", a 501(c)(3) corporation[2].
The same is true of Freenet, "The Freenet Project Inc", another 501(c)(3) is in charge of funding development, and Google itself has been among the entities that have donated[3].
What makes you think that forking it will suddenly bring more developers?
Why wouldn't that developer try and contribute patches first to the existing project?
If you look at the git summary output you will see that one person, Werner Koch, was responsible for 82.4% of the work, NIIBE Yutaka was the next closest at 5.4%, and it goes straight off the cliff from there.
And it can get even worse with a proprietary system, if the company goes bankrupt, then there's no system or code left at all... or they may open source it. Although, the companies that open source their code after going bankrupt are extremely rare.
But then there's the question, what will the clients do with that code? If it is a large system, it would take months to continue development on it - and who would pay for it? The most likely outcome is that the clients will go to the nearest competitor.
I always want to donate to such causes, and always the only options are credit card or PayPal. I don't have a credit card and I refuse to use PayPal.
Last time Wikipedia asked for donations, they had a nice iDEAL (the online payment system in the Netherlands) option right there on the first page. I entered €50,-, pressed a button and presto. Done.
Moral of the story: if you want donations, invest some time into making it super easy to get donations. I can't imagine there isn't some online service that'll let people pay in just about every possible payment method there is.
Not saying they shouldn't do that, but virtual prepaid CCs are available in many countries, including in the Netherlands, from what I can gather, like https://www.3vcard.nl/
Are they usable in different countries? I know that, unfortunately, some prepaid CCs issued in the US can't be used in other countries, for instance. But maybe that's less likely to be the case in Europe, or, really, just about anywhere else.
I made a credit card donation through Stripe, but it was declined and flagged as potential fraud by my credit card company (Amex). I was able to donate successfully after logging into my credit card web site, verifying that I had attempted the transaction, and then resubmitting the donation on the GPG site.
So if you get an error message during the donation process, check for messages from your credit card account.
If your company pays Symantec for PGP Desktop, think about switching to GnuPG related projects. I think a license for a single PGP Desktop copy is $100 USD. Ask your boss if you can send $100 to GnuPG instead of giving it to Symantec (because honestly, Symantec PGP Desktop is terrible and buggy software).
I saw that as well and couldn't help but wonder what fraction of their costs are development and what fraction are hosting. After all, there are free hosting alternatives for open source projects, e.g., GitHub, so if hosting is a significant cost, why not simply eliminate it?
This is a complicated story. The BND's priorities have changed (they are now migrating to Windows internally instead of GNU/Linux). FOSS is also a lower priority. See this video from the German Bundestag about funding GPG and related projects: http://vimeo.com/111715711 . (TLDR: We already gave them some money. Others should step in and cover the bill.)
>they are now migrating to Windows internally instead of GNU/Linux
Do you know why? Is it because it just makes it more convenient for everyone if the BND just gives the NSA access to their machines directly? I'm not even completely joking. What could possibly be the rationale for doing that?
Politics, internal power struggles, all the usual things in an administration. I also heard this is not yet set in stone and may change again with their next president. BTW, he meant the BSI (Federal IT security agency) and not the BND (foreign secret service, aka the CIA's German stable lads).
Maybe they should do a crowd funding campaign, if anything those requests seem to get more media attention and hence momentum. Lots of people use Gnupg indirectly ("infrastructurally" if that's a word...) and might simply not think of donating because of the project's low visibility as a tool in or component of a larger system.
You mean another one? Wouldn't be such a bad idea, they have done that in the past according to this[1] blog post, and it seems to have been incredibly successful: "36.741 EUR raised out of 24.000 target".
You may donate to Wau Holland, who take bitcoins for gnupg.
Stripe announced a long time ago that they will support bitcoins and they seem to have a closed Beta for this. However it has still not gone live. I try to avoid working with yet another payment provider just for converting bitcoins to Euros. For bookkeeping it is much easier not to take care of assets with large fluctuation.
[wk@gnupg.org]
I can't do anything about GnuPG not accepting Bitcoin, but can fix your lack of Bitcoins. Check your wallet, the one with the address you posted on your site, I left a small tip for your open source work.
APT is secured using GnuPG https://wiki.debian.org/SecureApt and that is enough contribution to my peace of mind for me to donate.