I agree more would be better, but aren't there several now, such as the Free Software Foundation, the Software Freedom Conservancy, and the Apache Software Foundation?
The problem with such organizations is their donations only go to affiliated projects. Mozilla donates to mozilla projecs, apache donates to apache projects, fsf donates to fsf projects and so on.
Relying donations from occasional news cannot be healthy for the project. I imagine that during the next week the project will be able to amass a significant amount of donations but whenever this article is forgotten, the cash inflow will trickle.
I kinda wish that such organizations could make patreon accounts. Or maybe a non-profit service with the same idea. The point is, it's hard to keep track of all the projects that need money and to manage such donations without blowing your budget.
I can think of a few projects that I rely on a daily basis: firefox, xfce, fsf, freedesktop, python, debian, openbsd, transmission torrent, the gnome foundation, vlc, and there is probably a lot more that I can't remember right now.
I'm really dismayed that the Core Infrastructure Initiative, which was created in the aftermath of Heartbleed to fund OpenSSL and other critical software, has chosen to prioritize NTP, and not GnuPG[1]. Most of the companies that rely on OpenSSL are probably using a distro that uses GPG to securely distribute the OpenSSL package.
NTP is important as well. If I remember correctly, that decision was made around the time that NTPD was found to have multiple exploits allowing amplification attacks. Given that there are so many publicly available NTP servers, that makes it a pretty important project.
The fact is that all of these projects need better funding. Frankly it surprises me that large multinational corporations that care about security don't just fund these people. The downside risk for them is terrible.
Back when, there were one time acts of funding such as the red hat and va linux ipos that gave shares to authors of the software they were distributing.
... maybe the problem is people working for free and giving software away for free? The open source culture is a vehicle for entrepreneurs and investors to profit from others' work without compensation. It's that simple.
Hoping for donations to reasonably compensate developers is beyond naive.
I was thinking the same thing. It would be nice if there was some donations hub for open source projects with some sort of mixed Patreon/Humble-Bundle mechanic were you could donate N bucks to X open source software projects, one time or in a monthly basis.
The difficulties I see with this approach is 1) getting a trustworthy intermediate and 2) how to select the projects to allow the donations for. But 2) shouldn't be that hard because the users could, in the end, pick who they want to donate to.
Can someone explain why GPG in the person of Werner Koch isn't substantially funded under FSFE?
My first thought was the Software Freedom Conservancy. The only reasons I see for them not to take GPG under their wing are lack of will (but why?), sense of funding priorities (but why?), or the possibility that some GPG constituents would be concerned about associating GPG strongly with a US-based organization.
Because this article is misleading. Apparantly, Koch has been subsidized by the german government thus felt no need to be used the FSFE. Secondly, gpg isn't really used for enterprise email, SMIME is or commercial php.
There's a history of Koch that is pretty ugly. He tried to start a consulting company with said government money and seems to have a "pay me to fix bugs" attitude. This breathless "omg must donate now" sentiment dominant here is highly questionable.
gpg should be under and funded by FSFE not via begdonations and german government funding.
I have that "pay me to fix bugs" attitude, too. After all, my chosen profession is software developer and one of the things my employer pays me to do is fix bugs.
There's nothing wrong with that attitude. There's no reason why he should be doing work without pay.
If people send him bug fixes and he refuses to merge them, that's something else. But he doesn't have to work for nothing. I assume that whatever money he may be receiving from the German government may be used for other kinds of developments, not bugs that don't affect him.
Why wouldn't you be concerned if it fell under a US-based organisation? A country that has admittedly no qualms in doing anything, from torture to murder, to get their own way? Long live the petrodollar.
Calling GnuPG "email encryption software" really understates its importance. It's also used in countless applications to encrypt data at rest, and GPG signatures are used to secure the distribution of software. For instance, GPG is an essential part of the package managers of Debian, Ubuntu, and RedHat.
GPG is an integral part of the Open and Free internet.
Imagine all the workflows that depend on verified encryption signatures like Debian, Ubuntu, etc and that's just software distribution, not counting privacy issues like journalists, political dissidents, whistle blowers, etc using it for secure communications.
It was pretty easy to donate, took me less than 2 minutes. I encourage everybody that is able to make a donation, however small, every euro counts.
Me too. This software is too important to not have someone dedicated to it full time.
I left a note that he (like the EFF and the ACLU) should have a recurring donation option, or at least an option to receive a once yearly email asking for a donation. There are many people that would happily go with a recurring donation if that option were available.
Ditto. Was just talking with one of my employees this week about setting up encrypted email. Right now we use OTR chat for any sensitive stuff, but that's not always the most convenient channel. Like most others I had no idea this project was so under-funded.
Watching the bar on the GnuPG homepage is pretty encouraging. Since the article was written, we've donated nearly €30k more. It looks like the problem was that people hadn't heard about it, not that we're all too selfish to donate.
I just chipped in $25.
Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way to the funding target.
This was posted on HN 2 months before I donated £50 at that time so i wouldn't say it didn't get enough exposure.
It's just that it takes a lot of media attention to get you to your goal plus a lot of the donations a coming from regular developer who understand the importance of this instead of the big companies profiting from this software.
Really happy to see that this post on HN has traction, and delighted to watch the counter go up. GPG and other security projects need a way better tech PR push.
What is the simplest program out there right now, open-source, that will let me sign binaries with a key?
I'm experimenting to do a dead-simple licensing system using SSL certs and signing--rough idea is, cert is from me, and when it expires, software says "lol no get new cert".
I'm sure this has been done before, but the amount of custom license management code I've seen in the wild makes me wonder...
By all means. Ed25519 (which underlies signify) is a pretty decent modern signature scheme. (tweetnacl.c also implements it, in less code.)
It also seems you want to expire things, so I do feel I have to warn you that signatures are a totally separate thing to a secure time source, which is a whole different bag of marbles.
However, since what you're designing sounds like a logic bomb/copy protection/DRM system, I must say what I've been saying for the last quarter-century or so: please do not design your software to deliberately fail. That is a bad call: trust me on this one. Any crypto that you do to support it, even if the crypto itself is sound, is just tapdancing around a failure state.
Software is shareware, gets a little naggy within 30 days of license expiration, send money to get a new license file, which makes the nagging go away. No cessation of service.
I'm not worried about clock spoofing--I assume basically good-faith customers.
Signing would help people from just copy-pasting certificates around. If they want to go into the executable and rewrite the routines, well, there's only so much one can do, yes?
If you assume basically good-faith users: why nag them? After they registered? Aren't they assuming basically good-faith authors? Why do you think people who you'd nag after they registered would copy-paste keys but not download a crack?
(Your registrations are time-limited? That's very unusual for self-described "shareware". That's pretty much "commercial, but your demo nags".)
You're welcome to choose whatever business model works for you, of course, but take it from me, this one's straight from the early '90s. I hope it works for your users too.
We're our own worst enemies. Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it. Because then you're just "greedy" and not pure enough.
But that'll never change unless all of a sudden we say "Ok, on the count of 3, everybody stop giving away their hard-earned expertise for free. 1... 2... 3..." We're like musicians nowadays. We love it, so we do it without insisting on compensation.
A few months ago, I Show HN'd an open source project, but reserved the copyright to the code. The commenters immediately took note of this and I felt compelled to switch it to an MIT license. (It was open source for security reasons, if you're wondering.) I'm glad I did, but the point remains: there was pressure to conform.
Why in the world would this be downvoted? There is nothing inflammatory about this post at all. He's bringing up a widely debated point in our industry.
> nobody would trust closed source encryption software.
ORLY? Have you read much source for BitLocker or FileVault, recently? WhatsApp? Skype? And those are just the most popular ones off the top of my head...
No, and I wouldn't trust myself to read it either. But, there's a fair chance that someone I trust eventually will and that they'll point it out when they see something fishy.
> Software developers have this sort of circular firing squad where nobody wants to be the first to keep their source closed and try to charge for it.
Er, the first to keep their source closed and try to charge for it happened a long time ago, and there are huge numbers of developers at firms from one-man shops to massive megacorps still doing it today.
The idea that closed-source for-profit development is a novel idea that violates norms in the software development community and that everyone is afraid to try is cute, but, you know, completely contrary to the actual facts of both the current state and history of software development.
> where nobody wants to be the first to keep their source closed and try to charge for it
Seems like there's another option -- open source your project and also charge for a license to use it. By open sourcing people will trust it more which will cause its value to go up. And then more people would be willing to pay for it.
As I understand it, that's what he did. He open sourced it and kept copyright on it. That would mean that everybody would be free to read it as posted but wouldn't be able to use it or distribute it without permission.
Releasing something under an open source license usually involves retaining copyright but is, itself, giving permission to use, distribute, modify, and distribute modifications. Pretty much every open source project either retains copyright of the work or is composed of the work of developers who each retain copyright of their portion of the work.
> Seems like there's another option -- open source your project and also charge for a license to use it.
If you open source your project, unless you're using an unusual definition of open source, you've provided a free-of-charge, sublicensable license to use, modify, and distribute it. (Or, at least, a license that the licensee is free to sublicense without charging the sublicensee or paying an additional fee to you, so even if you are charging for the direct licenses, the more you sell the greater the probability that it will be available at no charge.)
You could open source it and charge a fee for professional support, however, which is a fairly common model.
I see the encouragement to switch to an open source model a lot too. When a closed-source or close-licensed project is posted, you get a few commenters saying how great it'd be if the project was open source because then the community would benefit. Call me a cynic but in reality, this likely means "please make the source and licence more open so that I can use it without paying you".
I say this because I know that when I am looking for libraries to use at work in commercial software, I have to look for BSD-style code and now actively steer clear from GPL and LGPL code (static builds for me please).
It isn't to be malicious but it's mainly because I would like to continue living. Giving away things I have spent years working on doesn't pay my mortgage or put food on the table.
If it's a registered non profit you can donate and 'write it off' too. The idea that a 'big company' should do the donating is short sighted. That big company is made up of individuals. If everyone reading this donated $100, the problem posed by the article would disappear.
My point is that it's probably easier to get a company that is turning a profit off of something to donate a single large sum, than to convince a million people to donate $1.
If your effort is half as good, you still get half million people to donate $1.
On the company case, one million is not pocket change, so this will be a serious decision that has to be approved by several independent branches within the organization, each with veto power. Screw one of those and it's a deal breaker.
Furthermore, I'd say that this decision is one that is particularly difficult to frame for the company. While corporations do understand direct costs very very well, they are practically hardwired to ignore/exploit the gift economy. So the discussion will be stirred towards what indirect benefits will the company receive from donating to a worthy cause (public relations, tax exceptions, etc) and away from the consequences of letting a (unacknowledged) strategic partner to go under.
Not to say that a corporation cannot assume stewardship of a distressed project, but it almost always requires executive fiat to get over the bureaucracy.
It's easier still for a business to pay for a support contract, contributing to Canonical's revenue. Perhaps they could send a small fraction of that money to projects like GPG.
Ubuntu is not making money, and Mark Shuttleworth keeps infusing the company with his own pocketbook whenever it goes in the red. They might be doing something on the server / corporate support contracts end nowadays, that has really taken off in the last few years, but you might as well just ask Mark to hire Werner Koch.
The problem is that in practice most people in almost any free software project do not have the funds personally to afford donating all the time.
I mean, I feel the burn when I give money to Debian, Arch, KDE, etc - but I do it because I know I have to, because the software is so important to me. The $500 or so I donate each year is a lot of money to me, and I'm in the US - I cannot imagine how much donating to these projects would hurt the international users who make significantly less than the 15-25k or so I make annually.
I don't know how KDE managed it, but Blue Systems (http://en.wikipedia.org/wiki/Blue_Systems) is a Germany company founded by one Clemens Tönnies, Jr. Don't know anything about the guy, but he is somehow paying 10+ KDE devs without a business model. I've donated a lot to Kubuntu, but I cannot imagine in a million years they get enough donor money to fund all the devs they employ.
But those kinds of philanthropies, the way Mark Shuttleworth keeps Canonical afloat, seems to me to be the only practical way to keep free software afloat. You cannot ask a million destitute people to donate money they need to eat or sleep comfortably, but we as a community don't have the charisma or ears to get fat cat donors to foot the bills. Probably because software freedom does not matter as much when you are wealthy - you can just pay to get the software you want made anyway, and you might even be able to bribe companies to give you the source if you care enough.
And I recognize a huge portion of the donor pool for most free software projects isn't either end of this spectrum, but people like me making something above the poverty line and below extravagance that donate what they can where they can, but that is consistently shown to not be enough. And I imagine it is more because it takes millions of average joes paying dollars to match what one millionaire can do in an instant.
Red hat pays people to write open source software. The skinflints are the companies publishing closed source stuff and the consumers using free software.
Red Hat is among the largest funders of OSS development in the world. We need more companies acting like Red Hat.
I don't know how we get there when companies like Apple eat such a huge portion of the consumer OS and application dollar and companies like Microsoft and Oracle eat such a huge portion of the corporate dollar.
Seems odd that the MANY projects dependent on GPG don't donate enough to GPG to employ one guy.
Do Free Software project with funding 'pay it forward' to the volunteers on other projects they heavily depend on? (I don't really know) If not, they deserve to suffer the consequences.
I freely confess to being flabbergasted by these displays
of less-than-rigorous thought processes.
How would a free software project 'pay it forward'?
They are in a very similar position, aren't they?
Edit: For some reason, I can't reply to child comments (probably a cool-off time-out at work?).
Just a short note here, then: $1.25e6 for the FSF translates
to 10 developers like Koch being paid (the donation page quotes "120000 EUR").
That's ten. For the whole FSF. As an example of a well-funded project.
I'm not going to comment on that. HN would rightly give me months of cool-off time.
There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year. These projects are usually end user facing, in a way that their dependencies aren't.
It seems reasonable that these projects should consider adding items to their budget to redistribute funds to projects that they depend on.
Some probably do this, however I think the GP was suggesting that something like this become more common.
In addition, some projects that are not well-funded as a project are "funded" in the sense that companies pay people to work on them, for example Microsoft paying Simon Peyton Jones to work on GHC.
Debian... seems to mostly get by on volunteer labor and be ok with it, or it did when I was involved with them. Has that changed? I suspect that in some ways Debian is underfunded given the amount of work they do. Perhaps money would make some things happen faster there.
The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.
Firefox/Mozilla make most of their money with deals: Google and Yahoo, last I remember.
I don't know about OpenSSH.
It's possible, but mostly donations don't seem to work unless it's big chunks of money from companies.
The significant losses due to Ubuntu development and related expenses are why Canonical as-of-late has been turning focus away from Ubuntu towards other markets such as Mobile and especially Enterprise (a la Red Hat's turf).
I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.
Circa 2008, before the Unity and Pulseaudio switches, it was considered by pretty much everyone the premiere Linux distro. I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
Even today Dell is still doing Sputnik and in European countries you can buy HP hardware with Linux. Why is Canonical not taking advantage of the fact that they could be making money off support for their desktop OS through all the hardware vendors?
The people who would buy computers with Linux probably wouldn't pay for tech support. Enterprises might, but not individuals. Plus I suspect that Microsoft is pretty keen to defend Windows on the consumer front - I've heard stories of deep OEM discounts on the condition that they don't offer alternative OSes.
I mean in the same way you buy a Dell notebook and get two years of phone support, you would get the same with a Dell Ubuntu notebook but Canonical would provide it and Dell would pay them for it.
I mean that the people who would buy a Dell Ubuntu notebook mostly wouldn't use phone support. If Dell thinks the same, they wouldn't pay Canonical very much to provide that support. They do now sell the XPS 'Developer edition' with Ubuntu; I have no idea whether they pay Canonical for support, or how much that makes.
> I wonder what happened behind the scenes that basically killed Ubuntu in its tracks.
Ubuntu has never been profitable for Canonical. Shuttleworth's game-plan was always long-term minded regarding Ubuntu -- but as we've seen as-of-late, Canonical is shifting focus to other markets they view as potentially profitable. Shuttleworth has committed to keeping Ubuntu alive, but it's no longer Canonical's sole hope for income.
> I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
This isn't just a problem for Ubuntu, but for most end-user linux distros. People always joke with Linus when the "year of the Linux desktop" will finally arrive... The people who use Linux as their daily driver generally don't need the support, and for the ones who do, well it's a lot less marketshare than Windows.
> Even today Dell is still doing Sputnik
Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.
It's weird too, because Sputnik is $50 more expensive than the windows version of the same hardware. (probably some Microsoft deal going on here).
Linux comes pre-installed on majority of server hardware (server hardware than comes with any OS at all that is), and Linux dominates this field. But the "year of the linux desktop" hasn't quite arrived yet. I do hope it comes soon.
> Canonical is shifting focus to other markets they view as potentially profitable.
Is it about profits, or - I'm going to be kind of cynical here - chasing taillights? The way they seem to bounce around from one thing to another (mobile phones! embedded!) makes it feel like the latter.
> The way they seem to bounce around from one thing to another
I tend to agree... modern Canonical feels like a company that lacks focus (probably because they aren't quite sure what the focus ought to be after realizing Ubuntu might not ever turn a profit for them).
> Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.
I've used System76 and Zareason. System76 are Ubuntu-only (and the hardware may have issue with other distros); Zareason will support any Linux.
You know, I actually didn't know about Zareason. Their website seems to have pretty reasonable price for the hardware you are getting, and I love having a choice of my preferred distro to run (I'm a Fedora guy).
I run full-time linux on my laptop and my goto hardware has typically been a Thinkpad T series.
Ubuntu itself is a central part of their cloud business, so Ubuntu is indeed profitable for them. What's not profitable is their desktop and end users' market.
That's not quite how it gets expensed (nor how it works).
Canonical's cloud business might be profitable (even though Canonical as a whole is very-mush-so-not), however their cloud business is not coupled to Ubuntu, ie. they could use any Linux Distro, or any OS for the matter.
Ubuntu is a total loss center for Canonical. It's surprising to a lot of people given it's popularity... but popularity doesn't equal profitability... especially when most users don't pay anything for the software (not even support fees).
Not sure what "of course" means here... it's very possible to be profitable off your OS Development division... look at Red Hat, SUSE, etc. They pay for the development from support payments... they collect support payments because enterprise wants their OS... it's a positive feedback loop. The better the OS, the more enterprise pays, the more funding RH can put into the OS dev team, the better the OS gets, the more support fees they collect, etc etc etc...
Canonical has not been able to successfully charge for support like RH and SUSE have figured out.
> But it is a net gain for the company, and in fact without it the rest wouldn't exist.
It's not a net gain unless the company can be profitable as a whole and subsidize (and justify the enormous expense) off-put by tertiary services, etc.
... right now Ubuntu project is responsible for Canonical being perpetually in the red... every quarter, since their foundation. Canonical could very well just run enterprise support contracts, or push their cloud services. They don't have to use Ubuntu... any OS would suffice. They aren't somehow coupled to Ubuntu to the point if Ubuntu didn't exist, Canonical wouldn't either.
> The Apache Software Foundation does a decent job at
> fundraising, and even employs a few people to do stuff
> like administration. Most of the projects get by with
> companies that pay people to work on them, which seems
> to work out pretty well.
The ASF budget is roughly 1.2 million a year, the bulk of
which goes to maintaining infrastructure for 200+ projects.
Firefox is kinda special because they get a lot money from whoever pays them to be the default search engine, doesn't matter if it's Google or Microsoft or Yahoo. There's only so much software that can get away with that, GPG certainly can't.
All of the Debian developers are volunteers, am I wrong? Slackware can barely support one employee, the founder. OpenSSH falls under OpenBSD, which also supports just the founder, everyone else volunteers, and they DO volunteer some serious time and do important things. They also had problems raising funds, there were discussions on HN about that here, and I'm sure there will be more in a year or two.
From: http://www.openbsdfoundation.org/campaign2014.html :
* If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal.
* If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.
This is kinda depressing.
Is there someone from the Debian project here? I'm wondering if they could afford to run their own mirrors around the world if they had to. Could they cover hardware, colo and bandwidth costs, if they had to? I'm just curious.
Perhaps GPG should annually auction off which nation-state security service or online advertising company's public key gets automatically added to the recipients list for each encrypted message? </cynical>
> There's only so much software that can get away with that, GPG certainly can't.
That's the point -- the ones that can should support the ones that can't, which are often foundational components of the reason the ones that can, can get money in the first place.
> There are many free software projects that are decently or well funded. They have no problem meeting their donation requests, and having a good budget year over year.
Too bad OpenSSL wasn't one of them until after the big "heartbleed" incident.
The core infrastructure projects don't seem to get as much funding as they ought to, especially given almost everyone relies on them (even if they don't realize it).
Prior to Heartbleed and the industry rallying to fund critical projects, OpenSSL only received an average of $2,000 USD a year[1]... that's pathetic.
Over the next three years, the Linux Foundation will receive a combined total of $3.9 million from Google, Intel, Amazon and others to fund core infrastructure projects such as OpenSSL. Sounds good until you take a step back...
> Intel will invest "$300 million to help improve the pipeline for women and minorities, actively support the hiring and retention of diverse candidates, and fund programs that support the positive representation of women and minorities in technology and gaming industries."
> "Google Gives $775,000 to Nonprofit for Tech Diversity
CODE2040 said Monday it received $775,000 in grants from the tech giant to support the launch of free training programs for more than 5,000 black and Latino college engineering students over the next two years."
It's interesting with the Outreach programme in GNOME (I think that's what it's called), because if you periodically look at planet.gnome.org, there are interesting things going on with developers within that outreach programme.
But there are also justified backlashes to the programme, given that there is a perceived priority given to the programme in some areas instead of writing software. The argument is that not everyone and their dog needs to be involved with writing software, so why should we encourage them to? You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".
Strangely we do in IT though, where it is the belief that we should make EVERYONE code!
> You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".
Yes you do. Every single fucking time this comes up someone says "you don't see this in construction". It's rebutted every time it comes up and it's really fucking easy to do a simple web search to find examples of programmes to get men into teaching or nursing or to get women or minorities into construction.
Didn't GNOME almost go bust last year and hold an emergency donation drive, due entirely to granting too many paid internships (or similar) to people who aren't established GNOME developers, or even programmers?
No. The GNOME foundation is managing the funds of the outreach program (which doesn't have anything to do with GNOME, really, except it started there), so when some of the sponsors (think big corps) of the outreach programme didn't pay their agreed upon share on time, the foundation ended up in trouble. It was simply a liquidity problem which was solved when they received the sponsorship money.
That's at least how I think it went, you can go look it up, the details are online.
Replying to myself to mention that I am neither for or against the GNOME outreach programme!! - I am entirely an observer! I haven't used GNOME since GNOME2 due to disliking the new interface; I periodically check on there to see what's going on GNOME world and it is quite interesting, both for developments and also for what's going on internally with disagreements and discussions between people.
I thought I ought to add that because I suspect people are thinking that I dislike the programme? Either that or people like down voting with no reply.
With regard to the encouragement for everyone and their dog to take up coding, I see it a lot but in truth I do not see the same things in other professions - I have never seen a push to make youngsters take an interest in banking or journalism yet over here in the UK there is a push to make programming/coding a part of the national curriculum for youngsters, hence the introduction of the Raspberry Pi to encourage that.
The FSF had revenue of 1.25 million in 2013. I'm not trying to comment on where it came from or where it went to. I'm only pointing out that they are not in a very similar position.
Typical credit card fees are 2.9% + 30c. Assuming that they have regular fees at not non-profit rates(which tend to be lower), it would make their average donation amount to be around $7.14
With that many transactions they should be able to negotiate a lower fee than that. My company did a bit over 4 million in CC transactions last year and our rate is 1.9% and I believe the flat rate per transaction is 25 cents.
As someone else pointed out 2.75%-2.9% is common, often thre is a charge per transaction too (on the order of 25cents after it's all said and done). The fee can change based on the card type (the merchant pays a higher fee on rewards cards normally...someone has to pay for rewards!) and international purchases can have additional fees. Charges backs can also bump up fees, ditto for outsourced fraud protection.
This is partly why I stopped donating to the FSF. They're dumping some amount of that money into misguided PR campaigns rather than helping out the developers trying to make free software better.
1.25 million USD is really not a lot of money at all... especially given all of the projects the FSF supports under the GNU umbrella.
If they had zero expenses other than staffers, at a very modest 65,000 USD a year that would not even cover 20 people.
The EFF, FSF are the only real "good guys" out there fighting for your techie rights every day... They could really use your donations and support (even if you don't agree 100% with all of their message).
> How would a free software project 'pay it forward'?
As mentioned by the grandparent comment, GPG is in use by Debian, Ubuntu and RedHat package managers. Whether or not you count those three as free software they have plenty of money to pay forward to a piece of software that underpins their entire stacks.
I am having a hard time to find financial statements from Debian.
Ubuntu, or rather Canonical, being a private company, doesn't seem to release financial information.
The Ubuntu main page doesn't even provide a 'donate' link anymore.
Which leaves RedHat, at last. A public company, of course[0]:
Operating profit 2014: $ 1.3e9
Net total income 2014: $ 178.3e6
This article claims that $222k was the budget for 2012 for Debian, down at the bottom. It also claims the budget should be $19B, if paid at market rates.
Unless I've missed something big in the past 2 years even the Debian Project Leader is still a volunteer[0]. If most/all money's going to operating costs it's hard to make the case they're holding out on somebody. They also have a record of treating their upstream quite well so I'd need some evidence to believe they're dropping the ball.
The thing is, the underfunded dependencies that are the most vital are those that are widely used by many projects. If it was normal to chuck a small percentage of available funds to dependencies, the money would start to add up.
You're off on your numbers. The 120k are for him plus one developer. By that estimate that's 20 people for the FSF.
However, a lot of commercial entities use pgp as core of their business: all software packaged for the linux world is signed with gpg one way or another. All commercial distributions depend on it at their very core. I'm amazed that they don't fund gpg at least partially.
A cultural and structural change is needed when things like GPG get nothing, while viral, superficial and gimmicky work gets snapped up for millions or billions, when end users choose free products that threaten privacy and flood our world with advertising rather than pay the price of a cup of coffee for quality trustworthy products.
What this and all other software projects need is marketing. There is just too much noise out there. We landed on a comet last year and we still needed marketing to let the people know about it. If we invented free energy tomorrow, we'd all hear about it via some sort of marketing. Marketing is much, much easier to implement than cultural and structural change.
"Pay it forward" means to grant a favor or gift on a random person, in remembrance of one who did a favor for you before. The idea is to initiate a chain of favors and gifts to brighten the world in general.
It's a play on words though, by analogy with "Pay it back" which is returning a favor to one who did a favor for you first (like paying back a debt). In the case of large distros being heavily reliant on GPG and other upstream projects, I think the applicable term here is "pay it back".
Upstream developers helped out Debian, et al, and now Debian needs to pay those developers back. Arguably, by gifting their distros to the world at large, they're already "paying it forward".
...which indicates to me that GnuPG wasn't sold properly. It's not just a "privacy tool" -- it's one of the ways that software (including OpenSSL) is securely distributed. I would guess that quite a few of the CII's members benefit from GnuPG and don't even realize it.
GPG's goal is about privacy, while OpenSSL is more of a toolbox with most of the tools you need for anything crypto-related.
I imagine those people need to control integrity of the software, to make sure it is deployed correctly on their servers and distributed securely to their clients and users, and OpenSSL has all they need for that. Privacy, OTOH, is unneeded because they are not (or rather much less) after their own or their users' privacy.
My name isn't even on the list of recent donors anymore, that's going fast! Maybe he'll wake up tomorrow and hit refresh a couple times to be sure there's nothing wrong with the counter, hehe.
Thanks for the donation link, I just used it. It seems odd to me that an article bemoaning the fact that GnuPG's author is going broke gives no information at all on how to help rectify that condition.
> It's also used in countless applications to encrypt data at rest
exactly. Given the number of corporate laptops encrypted by the corporate IT with that software , and thus definitely some "license" style good money were paid by the corporations to some entities ... i never believed in the magical concept of trickle down and sounds like it doesn't work here too.
I've been complaining about this on HN before; lot's of startups built chat apps on top of GPG during the whole Snowden thing and Werner can't raise $120,000.
I'm really glad Pro Publica picked it up, but I also think we need to change to way we think about critical software like GPG. The GPG Tools team (GPG for Apple Mail) recently stated they need to charge for the tool in the future because they simply can't handle to amount of work anymore (it's still GPL) — the response from us was nothing but outrage.
// I just realized all of this is mentioned in the article. My bad.
>I also think we need to change to way we think about critical software like GPG
Maybe the lesson here is not to license important software under such permissive licenses. Make it open source and free for non-commercial, require a donation if it is used in a commercial product. I don't really see how you can give something away for free and then expect companies to volunteer to pay for it.
> open source and free for non-commercial, require a donation if it is used in a commercial product
Every serious definition of 'open source' or 'free software' says that you can't discriminate by field of endeavour - if you have one set of rules for commercial use and one for non-commercial use, it's not really open source. And the nature of donations is that you can't require them.
That's not to say that you can't build a business model around open source software. You can charge for pre-built binaries, you can charge for exceptions to the GPL license to build proprietary software with it (this is what Qt used to do), or you can charge for services associated with the code (e.g. running a hosted service). You can even technically charge for the code itself, though since anyone who buys it can resell it or give it away, that sounds precarious.
We call it Free and Open Source Software for a reason. Open Source means the code is open (i.e., you can study it), Free means it's licensed under a Free Software license (it doesn't necessarily mean free of charge).
People usually omit the "Free and" part when they talk about FOSS.
> The kind of "open source" I was talking about is source code that is released under a non-free software license. What do we call that?
"obnoxious".
More seriously, typically something like "look but don't touch", or "proprietary with source available", or "source available under a restrictive license". Microsoft used to call it "shared source", and that term still has those connotations too.
Definitely not "open source", though; that means more than just "has source available".
It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.
The Unreal Engine is an example for this kind of business model on a large scale. KoboldTouch (used to be?) an example for the same on a very, very small scale (less than 5 people). I really don't see anything "obnoxious" about it.
> It's common practice in the game industry to license/pay for access to the source code. Whether you end up changing it or not is up to you, but at least you have a choice. This might not be true for Microsoft's "public" source code. I don't know. It looks like we're talking about two very different domains.
Yeah, that's a very different case. It's indeed moderately common for proprietary software frameworks/engines to include source, so that their paying customers can modify and redistribute, but cannot redistribute in source form (modified or otherwise). That's not any more obnoxious than any other kind of proprietary software distribution, and I wouldn't call it "look but don't touch", though it certainly isn't open source or free software.
The case I'm talking about is software with publically available source, but under a restrictive license that doesn't satisfy the OSI or FSF or DFSG definitions. For instance, many random projects on github that don't bother applying a license, or rar (the archive format implementation), or tarsnap, or the extremely obnoxious JSON license.
There's nothing wrong with doing that. Feel free to do whatever you want. But what you are talking about is not "Open Source". That term has a (different) meaning. If use "open source" for that, you will confused and trick people.
"open source" has been in use as a term in tech for a long time. It means (essentially) the same thing as "free software". Licences that disallow derivations (or commerical derivations) would not fall under the defintion of "open source" that nearly everyone uses.
You are free to come up with your own defintion of popular, agreed up terms. But this will lead to problems when you're using a different definition from everyone else.
You are about the open source part: http://opensource.org/osd. The 'Naming' section of your link references the osd.
Calling it just one or the other is enough though. Being "under a Free Software license" by definition means "the code is open (i.e. you can study it), so no need to say "and Open Source".
I do however prefer calling it free software over open source as I find the free software definition simpler and than the osd. And also because the term open source seems to place importance on the code being 'open' instead of 'libre', which you'll here rms talking about everytime someone says open source.
"Free software" has issues as well as a term, since free can obviously mean two things, gratis or libre. However, once the reader/listener has understood the difference between free of charge software and software that preserves your freedom to study, modify and redistribute it, I think open source is the more problematic term as it can more easily cause confusion as demonstrated by your comment (where you think open source means that the code just has to be 'open').
I think parent was badly worded/thought out, but points to a real strategy. He said "charge for commercial use", which is definitely illegal, but what a lot of projects do is dual-license open source and proprietary. If you're a non-commercial project, you'll usually just use the open source version; if you're commercial, you'll want to be able to both link the project into a proprietary codebase and get support guarantees, so you pay for the proprietary license.
It is not "definitely illegal" to set license terms to whatever one wishes including restricting commercial use. The GPL hinges upon copyright to enforce it's provisions. Copying privileges are revoked for people who violate the license. This is a legal "hack" to get around the need to establish a contract or exchange funds. The same sort of rules can be applied for any other criteria such as the type of user. If I want to prohibit blue-eyed people from using my software I am free to do so. Dual licensing isn't a requirement to do this.
This is exactly what we ( http://linphone.org ) do: we have a GPLV2 license that's used in many many open source projects, and we have a specific license for commercial projects, for which we provide support and ability to not disclose the sources that our clients might modify.
This kind of way to function give enough money to employ 10 people, and also secured a lot of new developments (encryption, video, etc.). Disclaimer: I'm just an employee, not the founder.
I would advise him to switch to that kind of licensing, if he wishes to. There's no reason he shouldn't be able to live through his work.
One problem with that strategy is it forces you to use a licence with some sort of restriction (like copyleft) to make dual-licensing useful. You can of course dual-license a BSD or MIT licensed project but no one would use the "dual" part of the dual-license since the copyfree license allows them to do everything they need.
If you do this, the problem with dual-licensing a copyleft project is as follows:
-The copyleft license allows use in other projects with the same copyleft license
-The "dual" part allows use in proprietary licensed project (the stated enemy of the copyleft license)
-The ones left out are projects that use other copyleft licenses and copyfree licenses.
In my opinion dual-licensing copyleft licensed projects is a mockery of the purpose of copyleft.
All this is however irrelevant to the discussion about funding core FLOSS software. It doesn't matter the license, the challenges to funding such a project are the same.
It might be a little tricky in the case of GPG since it is really a GPL port of the commercial PGP software. So a major reason for it's original existence is that it is GPL code.
Gpg is not a port of some PGP version but an implementation of rfc4880 and earlier open standards. I actually took great care not to look at any "open source" PGP code. The reasons why dual-licensing does not work is that I assigned the copyright to the FSF in 1998 and when I terminated that contract 2 years ago too many other other hackers have code in it or assigned it to the FSF. Thus there is no way for anyone to switch to a dual-license.
Don't forget that permissive licenses are one of the main reasons people widely adopt these tools in the first place.
I hear you though. Free of charge and open source need to be two separate things (not all the time, of course). Cutting costs in FOSS development usually means spending less time on websites, documentation/support and UIs, which hurts the projects in the long term. It's a vicious cycle.
It's nice in theory, but then the defintiion of "commerical" can mess it up, and can be subject to how judges (anywhere in the world interpret it). A german court ruled that "non-commerical" (in a CC licence) meant only for personal use, and non-personal entities had to pay. https://www.techdirt.com/articles/20140326/11405526695/germa...
This is sad but not super surprising. Historically, if you had money and wanted a reasonable UI and cleaner integrations, you bought PGP (now from Symantec). GPG was always for people unwilling to pay.
For the record I donated. I'm just pointing out that writing something that's bundled and distributed as part of something else means nobody thinks about your project, or in many cases even realizes they're using it.
His point stands though. GPG never caught on as a commercial product or something that people would pay for. Both are Open Source, that's not the issue.
Parts of its source code are viewable and reviewable, associated with key cryptographic functions. Much of what PGP builds is structure around that, and most of that isn't open in any sense of the word.
Phil Zimmerman (who's long since left the building) does understand the value of source review, and the team who supported PGP continued that legacy. But it was quite limited in scope.
That said, PGP also did work with other implementations, including GPG, to resolve compatibility issues -- I'm aware of a few of those personally myself.
I think the biggest problem is visibility for these projects.
They need to be louder.
In the case of openssl, I had no idea that they were severly underfunded (until heartbleed).
Same for GPG until now. I didn't hear they asked for donations.
And I doubt I'm the only one. So I quickly checked if maybe this was big on HN at a point and I just missed it.
If not even the most technical people (that actually know what GPG and openssl are without looking it up) don't hear about this, how are regular people going to find out where to throw their donations at?
I think people would donate if they knew about it. I'm going to send this guy $100 and consider it a license fee, because he deserves it.
EDIT: An example of development that is slow-coming: library support. Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.
Wrapping the command line should be a little bit safer from a security perspective, since a memory exfiltration bug won't transfer across processes. Just don't use the shell between the wrapper and the command.
Is this really the case? I recall that proper library support is slow-coming, not because of security model concerns, but because "doing it right" takes more time / money that there is in GPG development at the moment.
EDIT: For example, I believe that it would require rewriting a lot of code, and that means said code would need to be audited to make sure no security bugs were introduced. It's "easier" to just wrap the current command-line tools because they are a known quantity.
> Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.
IIUC this is intentional design of GPG 1.x vs GPG 2.x: the former is statically linked binaires for "security reasons" while the latter is a shared lib (libgcrypt) + binaries with exactly the same features.
I'm wondering if there is a meta-donation page that lists a bunch of the most important open source projects, how you can donate to them and their yearly funding goals (and how many developers are being supported).
That could be an interesting project for someone. I suspect the hardest bit would be how you determine which projects are most important or most deserving of donations. As soon as money is involved, people will try to game it and spam it.
I think the package managers should add links to donate to projects. So I open up Synaptic to install GPG and in the description see that I can donate and they're only at 25% of their funding goal.
Another key would be to add a real commercial justification to pay for projects instead of just donating. Often for tax and regulatory purposes businesses can't just spend money on fun, frivolous things unless they want to make a mess of their accounting. Maybe something like for each $50 you spend you get to ask one question on a mailing list or message board.
Gratipay (gittip) comes to mind, but that's a donation mechanism, rather than the information collection you're describing. Sounds like a good idea for a project. IMO, the hardest part of that will be accurately prioritizing which projects are critical, very important, moderately important, etc.
>I think people would donate if they knew about it.
Oh certainly, I use GPG on a daily basis, yet it never even occurred to me that such an ubiquitous project would have trouble gathering funds!
I tossed in a donation as soon as I saw the link in the article.
---
I remember jOOq (a Java SQL DSL) had similar troubles raising donations. They ended up moving to a commercial licensing model for 3.2+ that provides connectors for "enterprise" databases as well as professional support.
Had I seen a banner asking for donations, I would've gladly donated what they're now charging for licenses. -- It is an excellent library.
However I feel like the tooling does them a disservice. When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?
> When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?
That's a good point.
Not sure how this can be technically addressed though
This issue has been bugging me lately, given that I would like to start a product-oriented business, but I'm only one guy, who has to freelance to pay the bills.
The problem, I think, lies in the lack of balance between different types of "users", their ability to absorb risk, and their ability to advertise.
For an individual developer, new product development is a chicken-or-egg issue: you need money to live, but you can't make money off of an infant project. On the other hand, a corporation can siphon funds off of profitable projects into R&D, and the larger the company, the longer they can do it. There is a certain level of financial security that removes emotional burdens that can be real impediments to development progress. There is a singular focus that can be achieved by the developers in such a situation: one 100% focused developer is more than twice as productive as one 50% focused developer, all else being equal.
It's also extremely difficult for an individual developer to get the word out on their project. But if Google even breaths a hint that they are doing something, a subreddit will be made for it overnight and TechCrunch will assign a team of reporters to cover breaking news.
So from the start, the individual is behind the 8-ball in terms of being able to maintain a certain pace of development and gain mindshare for it. If you're entering an existing market, a lot of times the only way to gain traction for your project, to get any attention and get anything out of it, is to have to open source it just to meet other developer's expectations.
But I suspect the vast majority of people who want "open source" really only want it as a security blanket and aren't actually going to look at it. I completely admit that I'm included in that group.
For a corporation, what's the worst that can happen? In other words, who is going to fork their source? Another individual? They won't be able to keep up. Another corporation? They have to compete in both code and marketing, which isn't so attractive. It might be--all things considered--an equivalent effort to just start a competing product. Maybe even a little less effort, because you don't have to dance around collaboration and contribution issues.
But for an individual, it's a significantly higher impact of a problem. If I make a tool, release it open source, and--say--Google decides that it's great and they want to use it, even if I license under the GPLv3, they can very easily strong-arm me out of the driver seat. They could be in complete compliance with the license and contribute all of their changes back, but their marketing machine could easily put themselves at the forefront of developers' minds as the source of that project.
Is "closed now, open later" the solution? I don't know, that's always sounded to me like "closed now, closed later". See Android. What good is Android being open source if, by the time the source for the latest version is released, they've abandoned it for a new version?
Correct me if I'm wrong. I'd like to be wrong, so I know in which direction to take my own business development. But it just seems like there are several types of power, and individual, independent developers have few that large corps do not, whereas large corps have several that indies do not.
There's no general answer to your question. It's like game theory, depends on the players and context (technical, legal, financial, market maturity).
Juce and PyQt were created by single developers, so it's not impossible. Staking out and defending a niche would be a prerequisite, open-source or proprietary.
Is there a list of specific answers? I don't even know of all the ways one could organize a project. I suspect that might generally be the case for a lot of people, too. Publishing and promoting a project is a completely different skill set from developing it. It feels like the majority of developers default to thinking of "release open source" or even just "release" as meaning "publish on Github with the MIT license" plus maybe "post one link on Hacker News". That is a way, but is it actually the way that is in their best interests?
I have a library project right now that I provide dual-licensed under GPLv3 and a paid, proprietary license. It's not typical to release libraries under the GPL rather than, say, the LGPL or MIT. My reasoning is "code or coin, you gotta give something." I have no idea if it will actually work (and I'm not banking on it working, I wrote the thing for my own use first and foremost), but I am starting to think that I would rather nobody use my code than everyone if it meant I didn't get anything out of it past an 'at-a-boy.
Put another way, if I were Ryan Dahl, having gotten Node.js started off on my own, and I still had to work for a living, I'd be pretty freaking pissed. (https://groups.google.com/forum/#!topic/nodejs/hfajgpvGTLY) Maybe the actual Ryan Dahl doesn't care (and maybe he chooses to work, I don't know the exact details), but it would seriously bother me.
The basic recipe for software biz success is the same whether proprietary or libre. ~80% of revenue comes from ~20% of customers and features. Ship something into the market somehow anyhow so you can identify the critical 20%. Then you can commoditize (open) the remaining 80% of features to reduce costs and help the long tail to become self-supporting. Pricing and defending and growing the revenue features is then like any other business, i.e. strategic conflict with other mice who will come after your cheese.
"Open" is as much a state of mind and development practices as it is a license. JIRA shipped with full source code while remaining proprietary. This removed customer concerns about JIRA going out of business, no need for source escrow. Customers ended up making modifications to the source, which then influenced the Atlassian roadmap. Conversely, one can have an open-source license, but a dev culture that rejects external input, e.g. Calibre. If a vendor focuses on business goals first, then creates a culture to support those goals, license choices will become clearer.
There are useful history lessons among these links:
7) Any good book on organized crime / unregulated business. Boundary conditions inform risk management, i.e. early recognition of failure scenarios to be avoided.
It's a sad day when Farmville can become a billion dollar business and Werner can't feed his kids. I'm curious if he's truly living on ~$20k/year. That seems ridiculously low for life in Germany. Or if he's got other sources of income to bolster that.
Either way, what really needs to happen is companies that build programs off his work need to make a concerted effort to donate to the project. Heck, set aside a small percentage of revenue and consider it a cost of business.
I had no idea this project (and others) had so few contributors. I'd love to be involved in some Open Source project but I always feel like "yeh there's probably millions of people far more talented than me wanting to contribute" and I've no idea how to start. Some people suggest taking a look at the open bug lists for software you use frequently, but on the few occasions I've tried that (python, gcc, and a couple of others) I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.
I did manage to do some isolated contributions to Open Corporates (http://turbot.opencorporates.com) where the community are super-welcoming and very patient, but I've felt a little isolated and like I'm not exactly giving much back. Apologies for the mildly-OT rambling.
> I've ended up digging through lists of tough bugs each with fairly impressive sounding discussions by people who are way more familiar with the whole ecosystem than I am and it's sort of intimidating.
Sometimes it's small things, like documentation. For example:
I'd suggest looking for smaller repos to contribute to. Much less daunting, much more opportunity. My small OS contributions have been where a small repo, owned by one guy, does mostly what I'm looking for but I want some feature or notice some bug. Then it is easy to work on it/fix and do a pull request. They're usually happy for the activity.
I've sometimes wondered whether it'd be worth mid-to-large open source projects doing more triage for bugs. Because I'm in a similar position: I'm happy to make small fixes to stuff I use, but I'm not familiar enough with many codebases to fix big bugs. If I could pull up a list of bugs sorted by "expected ease of fix", I think I'd contribute a lot more.
He's been voluntarily cheated. He should take a job, take care of himself (no one else will), and give gpg whatever time he has left, if he has the energy.
By the time he searches for a new job, interviews, successfully gets a new job, stops contributing, and people finally NOTICE that he's abandoned the project: it's already too late.
You can offer him all the $5 donations in the world, but he has a full-time job now and has no reason to return to this life of "financial ingratitude".
I'm pretty sure we all would miss him working on it, either directly or indirectly, I think, as developers, we do a horrible job of assessing our blind spots when it comes to infrastructure.
It's not normally in me, but I'd like to be a little forgiving toward users of GPG and similar infrastructure, particularly money-making BigCos. Open source, particularly reliance on open source by said MM BigCos, is relatively new.
It may not be financial ingratitude. It may be that we just haven't reached a sensible equilibrium between the two symbiotic ecosystems. At some point in the future, "due diligence" might commonly include identifying these sorts of tools, and their developers, and deciding either to not use the tool or to fund the tool's health.
I'm not saying that GPG is exactly where it needs to be, but is it lost? The code is out there and it is in use by many around the world. Just to play devil's advocate, what's wrong with stopping development on it?
I think it is cruel, heartless and selfish to expect a poor man to work for the benefit of the world without benefit to himself. If it's done by free will it is awesome, but is astoundingly arrogant to expect someone to do it by default.
That is absolutely not what would happen. Some organization that relies on it would fork it and maintain the fork. It would be highly likely they would even ask him to consult.
Whether he's been cheated or not depends on your values. Many people cheerfully give up revenue maximization in order to perform some service they perceive to be of great value. You can't really have a meaningful political movement without such people.
At 53 years old and $25,000/year, he almost certainly has not prepared for any reasonably comfortable or safe/secure retirement (not knowing anything else about his personal life). There will come a point where he simply cannot work. He must take care of himself first. Or, to put it another way, if he doesn't take care of himself, then he'll reach a point where he can no longer take care of GPG, much less any dependents.
He lives in Germany, I imagine they have some form of a state retirement program.
I'm actually curious now of how many first world countries are as backwards as the US where if you retire without any personal savings you are extremely screwed.
You are not that much better off in Germany or generally North Europe, because pensions are earned through payments during career (three pillars: tax-like mandatory contribution, voluntary contribution, and thirdly a private insurance), and if you are not able to accumulate that kind of savings (which in some cases are more like "years worked for system" than actual money saved) then your old-age pension is going to be not entirely unlike the old-age social security in the U.S.
This is why "free as in beer" is a problem for "free as in freedom." Just to maintain things costs money because people take money to live, not to mention how much it costs to field things that are competitive on UI/UX and other metrics with big closed ecosystems.
In the last hour or so (I think since this hit the front page) there have been approximately €2000 of donations added to the drive at https://gnupg.org/, nudging it over €40000.
For bitcoin donations, you can go to [1], which gives the address as 12LKeo24XCzgz6ASSxcUa8BvUfzkEyCpGq [2]. The address is not generated per user, and is dedicated to GnuPG.
The Wau Holland Stiftung takes the BTC and pays it out to the GnuPG project. Its a foundation that has its roots in the CCC and supports all kind of open source and/or hactivists projects.
Can someone signal boost this on bitcointalk or other bitcoin communities? They are huge users of PGP. I don't have accounts on any of those sites or I'd do it myself.
Given the general scarcity of talent in the business, it should really be trivial for a high end IT security consultancy to pay Werner a €3000/month (ie. enough to live on, if not extravagantly) retainer to be available ~10 hours a month to consult on encryption matters (or something like that).
I wonder if it all really comes down to "Really I am better at programming than this business stuff." or if there is some unstated dogmatism that gets in the way.
It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.
The task of maintaining GPG isn't principally cryptographic. GPG is one of those classic un-fun projects that the open source community is notorious for neglecting. So the problem isn't finding and funding cryptographic experts to work on it; the problem is finding Werner Koches who are willing to take on the slog of making sure GPG continues to work.
Look at how many crappy, trivially broken crypto messaging systems are posted to HN every year. Some of them even get funded! Nobody wants to work on GPG, which makes what Koch is doing even more important.
Whether the work is "principally cryptographic" or not means fantastically little for it's business value, what matters is that the fraction of the value Werner is capturing is almost unmeasurably small. What Werner needs isn't donations, it's a vehicle for capturing some of the value he's creating.
The idea I suggested (a consultancy retainer) is a way of converting his name into cash. At 10 hours a month, his function would mostly be limited to the company being able to say that he works for them, maybe have him join some high-level meetings, more than actually doing programming for clients.
You're in the general security business, you seem to be pretty good at business in general: don't you know someone who could turn hiring Werner and two devs to work on GPG into cash?
And the reason OpenSSL and OpenSSH and, I don't know, every other open source project that has spare-time developers have developers committing code for free would be...
>It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.
Moxie Marlinspike was doing well for himself when he was squatting in pgh and train-hopping, too. Some people are just better at coercing life into doing what they want to do. I think it helps that Moxie is probably a few standard deviations more intelligent than most humans, but that's just a bonus.
And this is the weird conflict with open source software. OSS is primarily written because somebody needed it and didn't have it. If they have it, and it works, they have no need to write it or support it. Eventually somebody stops supporting it, and then we all realize we're in trouble, somebody forks it and support is taken up by somebody who needs it.
I think this works. It's sad that it depends on exploiting the virtually unpaid work of a few committed die-hards. But basically, it's the only way we can have good gratis software without something stupid like bundling ads, lack of source code or 'services-based' models. It's clear from all the other unfunded OSS projects that corporate sponsorship isn't going to happen unless they're getting something in return.
I wonder sometimes if this is the legacy that RMS was thinking about. Sometimes, in my more cynical moments, it seems like we have somehow managed to trick a whole generation of programmers into giving "free stuff" to the world, enabling the creation of the very successful mega corporations which have then kept the value for themselves.
Would it be impossible to create some sort of stipend program at FSF? After all the creation and maintenance of software is allowed to cost money under the GPL.
> I wonder sometimes if this is the legacy that RMS was thinking about.
No.
Free software was never about no money being involved. In fact, RMS himself used to get a lot of money by selling free software. Back in the day when Emacs was too big for the internet, RMS used to sell Emacs tapes at 100 USD each (with documentation and source code, of course).
In fact, he still thinks that you should be charging money for distributing free software:
Distributing free software is an opportunity to raise funds for
development. Don't waste it!
He also thinks selling exceptions to the GPL is another good way to support yourself. FFTW and Qt are two prominent projects I can think of that did this.
The GPL itself is anti-freeloading. We give you the code, you can do whatever you want with it, but if you want to build on top of ours, you have to give back. It's all about levelling the playing field for everyone.
I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.
Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
You're really mischaracterizing the VLC case. It wasn't "a single open source contributor with an ideological conflict," but one of the lead contributors pointing out the incompatibility between the GPL and Apple Store ToS.[0]
By the way, VLC has been relicensed as MPL and is now available for iOS again.[1]
It doesn't seem to be happening this way because FSF fundamentalists like RMS want the whole hog to be 'Free Software' not just 'Open Source'. Any compromise is unacceptable even if it means cutting off their nose to spite their face.
Open source and free software are synonyms. They refer to the same category of software. RMS doesn't have anything against open source software. He's got something against people de-emphasising the freedom parts of free software by calling it open source, but he doesn't think non-copyleft licenses are doing any harm.
There is a considerable portion of the open source community which views capitalizing on software as inherently immoral. As soon as Werner Koch started charging money for it, most people would switch to a free fork or distribute it on the black market to spite him.
I don't see this happening with FFTW or Qt. Apparently selling exceptions is fine? I can imagine a market for selling GPG exceptions.
Also, I know some free games are sold on app stores. Wesnoth comes to mind. Have people come to spite the Wesnoth developers and put the same game on the app store without a fee?
You only have to look at any thread here about copyright or piracy to see indignation at the very idea of charging money. People believe that software being free (for every definition of free) is a fundamental human right, and part of the justification made for piracy is that no one has the right to profit from software, and the for-profit distribution models need to be disrupted and undermined.
You can list a couple of exceptions, sure. But I'll see you that and raise you all of The Pirate Bay.
You're arguing against a straw man. The free software community has stood by using free licenses and selling exceptions and dual licensing. The FSF explicitly sells its code and gives you the source along with it. The community holds that software should be free as-in libre, not free as-in beer. This is a distinction that has been made time and time again.
That is, you are always free to charge money, but you are not free to withhold source or prevent modifications/redistribution of those modifications, because this restricts the rights of other human beings. Or said another way, your freedom stops where my nose begins.
App stores are profitable for a small number of UX experts. It's very hard for me to imagine many open source apps having good enough UX to survive the app store hunger games.
Assuming I'm reading this [1] right, the FSF seem to believe that Apple App Store (where the majority of mobile app profits are being made) isn't compatible with the GPL.
You don't, but as I pointed out this seems to be where the majority of app revenue still comes from. Cutting that out as an option makes it much more difficult to make much money from app development.
> We give you the code, you can do whatever you want with it, but if you want to build on top of ours
The problem here is determining where the divide between "using the software" and "building on top of ours" is. The line becomes blurry when the software is (e.g.) a library where the basic use of the library is to base other software off of it (as opposed to a desktop app -- e.g. GnuCash -- where "usage" has a more straight-forward meaning).
Which is why there's an explicit form of the GPL for libraries; the LGPL.
There still exists uncertainty and ways around it (You can execute GPL programs or write shell scripts so that GPL programs execute your code) such that you don't have to distribute the major parts of your codebase, but the GPL has an explicitly different version for libraries that are supposed to be linked in to non-free software vs libraries that are cores of GPL software.
The FSF's interpretation of the GPL and LGPL has never made a distinction between static and dynamic linking. A lot of other armchair internet lawyers, make this distinction, though. ;-)
Eben Moglen seems to think, as I understand it, that it depends on how you distribute the thing. If you link dynamically but distribute the whole thing together as if it were a whole, it's a single work and all should be under the GPL. Other situations seem less clear.
This is the rub though. If you are (e.g.) distributing a desktop app that uses a LGPL library, you may not be able to assume that the library is installed on your target platform. For example, you may use libxml2 for XML parsing, but not be able to assume that it's installed on Windows (assuming for the sake of argument that libxml2 was LGPL instead of MIT licensed).
It's one thing to "cash in" on a GPL/LGPL project (e.g. writing a nice GUI around GnuPG, but not giving back to the project) where you are just wrapping the functionality of the GPL/LGPL project. It's another thing entirely to just use a support library (like an xml parser) where the library itself is not the main functionality of the program and have someone saying that your project has to be GPL.
That line of thinking goes both way. A game designer might need a supporting graphic library, but graphic itself is no the main function of the game. The developer just want to wrap the functionality of the library, yet the license of the game is now dictated by the graphic library. Releasing the whole work under a open license would be piracy.
Same problem exist with complete overhaul mods to game. Counter strike simply wrapped around half-life. Half-life was not the main function of CS, yet if they had been giving out CS with half-life under a open license it would again be piracy.
Thus it is hard to see a world where copyright would allow someone to ignore the license as long the "library" is not the main functionality. It would be a nice world, a world with remixing and a explosion of creativity, but a very different world from one that we got now.
My biggest objective criticism of the GPL licenses (i.e., not tied to whether it conforms to some ideology or other, but sticking to "mere" quality issues) is that they are all excessively tightly tied to the C runtime in how they are specified. It's reasonably clear to me what GPL and the LGPL mean in the world of C, but the more your runtime deviates from that, the more the license becomes a matter of interpretation. Arguably, nothing that isn't in C or C++ ought to be GPL'ed or LGPL'ed; even if you want to copyleft your code you arguably ought to use a different license that makes sense with regard to your code.
> but if you want to build on top of ours, you have to give back
No! Nowhere does the GPL says you have to give back to developers, you just have to give everything to the users (and more specifically to your users), because they are the one with the product and the modifications. If they happen to be upstream developers, then sure, they will get the changes too, but that is not the primary goal of the license. It's all about the user being Libre.
Thanks for the links. So I wonder if you could charge for cloning a repo in Github. You know put your code there, but git clone (or fork) doesn't work unless you feed it a onetime key, so you goto Github, "buy" your key, then pass it into your git command line
git clone --token=0x1515151 <repospec>
and git allows the clone to happen and tags it with the clone token. No token and you don't get to get a copy of the source.
If that would work it would be an interesting way of selling your software.
Well, that would require github making some changes server-side, but it seems like an entirely reasonable thing to do. You can browse the source, but you can't really download it until you pay.
There's no reason why free software should just be given away. The point is to make sure users have the source code and the permission to modify it and redistribute it. It was never to make sure they don't have to pay in order to acquire the software.
Sure, if they can redistribute it, perhaps they could undercut you, but if we believe that piracy doesn't really hurt sales that badly, it seems likely that this secondary moneyless distribution might not substantially hurt the primary one.
> I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.
> Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
As an indie app developer, I already struggle with people ripping off my apps and publishing them in various app marketplaces under similar or identical names, or taking my web app, wrapping it and charging money for it.
I have to imagine that if I used a free software licence, this would happen a lot more, and I wouldn't be able to issue takedown requests. Someone searching for the name of my app might find five or ten similar or identical looking results and have no idea which is mine. These other results might serve ads, track user behavior, gather personal information or perform other anti-user operations, leveraging the popular reputation my apps have built to do so.
You can still retain trademark rights and copyright to art assets, which for most apps should be as effective as copyright to prevent ripoffs. (Which isn't saying much. Copyright doesn't seem to be very effective to prevent ripoffs, unfortunately.)
I think issuing trademark infringements notices is fine as far as handling this problem for free software.
If people want to bundle "my" GNU Octave and modify it randomly delete the users hard drive, that's ok. Free software allows this. Just don't call it GNU Octave, call it GNU DiskDestroyer or something.
It's a big problem with the culture of (a lot of) the software development community. Having a culture of demanding access to the source of your software is a good thing, but having a culture of demanding all software for no cost is a bad thing.
As jordigh points out, RMS has always been quite happy to charge money for software. For example, the FSF sells a $5,000 "Deluxe Distribution" compiled for a platform of your choice: http://gnu.ist.utl.pt/order/order.html I've spoken to various people at the FSF, and they're generally quite enthusiastic about charging money for GPLed software.
But to make a larger point, if you try to model RMS's behavior using cynicism, you'll tend to make inaccurate predictions. To use a metaphor, his brain is running slightly non-standard software: His social skills are not quite compatible with standard protocols, but he will go to far greater than ordinary lengths to uphold his personal moral principles. I've dealt with RMS and/or the FSF a couple of times, and once I decided to assume that RMS wants exactly what he claims he wants, dealing with the FSF was actually rather pleasant.
Thus, if Stallman thought that programmers should live ascetic lives, he would have written long essays justifying why this was correct. But instead, he wrote long essays about why sharing and hacking on software was a Good Thing, and added (almost as an aside) that you are welcome to charge as much as the market will bear, and that doing so may often be a good decision.
FWIW, RMS does live mostly as a nomadic ascetic (sort of like a Buddhist monk surviving on alms), which suggests that he believes that is an acceptable lifestyle for a hacker.
I don't think a generation has been tricked into giving "free" (as in beer) software; I think the generation brought it on themselves, and continues to do so. We've always been free (as in speech) to charge money for our free (as in speech) software.
People are very eager to work for free on free (as in speech) software just for the pats-on-the-back from "the community", it seems to me, at least as often as people do it because they're truly passionate about their craft.
With the rise of "have a github profile/opensource contributions" in job posting descriptions, it's only going to get worse. "Open source" is very rapidly becoming the "unpaid internship" model of hiring and distributing work in the software industry, and it breeds a sort of contempt for the notion of receiving compensation for one's efforts. I'm not sure that's a good thing with all the very-much-for-profit activity around software development.
Somewhat ironically, the GPL is much more amenable to getting money from software than the Apache, BSD, and other more permissive licenses. Most profitable companies built around Open Source software use the GPL (Apache being the notable exception).
There's simply very little reason for someone to pay for BSD licensed software, but there is reason to pay for GPLed software (even if only to get a different license for it).
I've just donated. It's an important project and Werner Koch needs to be rewarded.
I feel that we, as a community, are really bad at supporting some of the opensource projects that powers our infrastructure. I'm not sure what can be done to improve this. Maybe we need a foundation that raises money for those projects and does the marketing needed to remind us to donate.
I for one wouldn't mind giving say 30 euros/month to be redistributed between projects like GPG, openssh, varnish, nginx, openssl...
After the big openssl bug, wasn't there some intent among some of the existing foundations to try to identify open source keystone projects and get them additional attention & support? It seems like the privacy advocacy groups might route some spending to GPG just as a pragmatic matter.
You are right that we, as a community, are really bad at supporting key open source infrastructure. But I also think that relying on donations from individuals like us is a fundamentally wrong model. I don't benefit directly from GPG, but I benefit from many services that make use of GPG and make lots of money off of me.
I completely agree that the services and companies that rely on those technologies should also contribute.
But as a software developer, I use openssh daily in my job. I use tmux, I use nginx, I use openssl and a lot more opensource projects and they allow me to make a living. So, it makes sense for me to contribute.
I don't disagree at all, but as you say, you do those things in your job. It's likely that you also use them outside your job for personal purposes, which is why I agree that it makes sense for you to contribute. But most employees don't (and shouldn't) feel like it's their duty to pay for the tools they use to do their jobs.
It would be really great if you could run an apt-get/yum filter on your server and retrieve a list of donate links for the open source services you rely on.
Ideally, a GPL+donate-what-you-can would really help maintain these projects.
That, and there's unlikely to be a compelling story for VCs here. There are many many projects that are great and valuable to humanity and yet are not VC fundable.
But wait, I thought fame and accomplishment and helping lots of people were supposed to be enough for software authors, that somehow making people pay for software was evil, that it's OK if everyone just copies your source code and uses it, that an Open And Free Internet would be self-sustaining?
Making people pay for software might still be evil, but supporting software with teaching how to use it, documenting it, publishing books about it, making conferences, supporting it is what I think is a reasonable way for oss spirited souls to make money.
SQLite comes as an example - while completely free, public-domain, what might (I don't know for sure) be making money for the three people behind it is the extensive test suite, various other extensions (compression, security) and possibly support/integration/customizations for specific needs (less memory/cpu usage, or who knows what..)
When you buy a dinner at a restaurant, the chef ought to be compelled to share the recipe? No one forces you to eat at restaurants or use software. You are free to make your own.
Free until Apple decides to stop offering it. Or if they stop allowing users to install the software you develop. Or if future versions are released with onerous, unacceptable licensing terms.
When you use proprietary software, you are at the mercy of the company who distributes software to you.
Just one of many obvious examples that plenty of tools are available "allowing them the freedom to improve their lot." Nobody is stopping them, nobody is "keeping your users under your thumb". Improve your lot? do it yourself, or pay the engineers accordingly.
Oh, sure, Apple et al can change their minds and charge outrageous fees and demand outrageous licensing terms. Nonetheless, lots of affordable tools are available.
And before you take the opposing view any farther: I come from an era & mindset of building advanced computers from scratch. I reject the argument you offer of "by not giving them the source code you are [oppressing them]", because I'm trained in building computers starting from sand, and writing software starting with toggling in op codes with manual switches. I've written format converters (with no guiding documentation) to overcome the bounds you imply.
If you want someone to put in the effort to create complex software, maybe you should understand that they should be paid for that effort - one price to use it, and a higher price to get the detailed source code. If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
Rhetorical question: If nobody is stopping them, there is no harm in giving them the source code, right? So why don’t you?
> I've written format converters (with no guiding documentation) to overcome the bounds you imply.
Please do not assume that everybody should be like yourself.
> If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
There’s an easy way to rectify this – just don’t call it selling. Call it renting, which is what it practically is. The thing which I get when I buy software today is by no practical definition my property: its utility is deliberately limited by the manufacturer, and I am both legally and practically prohibited to extend that limit or repair it.
I wonder if a patreon-like (or even patreon itself) would be more effective raising donations than just one-time donations. I know enough people that swear by gpg, so it doesn't strikes me as hard finding a base.
468 comments
[ 3.3 ms ] story [ 292 ms ] threadRelying donations from occasional news cannot be healthy for the project. I imagine that during the next week the project will be able to amass a significant amount of donations but whenever this article is forgotten, the cash inflow will trickle.
I kinda wish that such organizations could make patreon accounts. Or maybe a non-profit service with the same idea. The point is, it's hard to keep track of all the projects that need money and to manage such donations without blowing your budget.
I can think of a few projects that I rely on a daily basis: firefox, xfce, fsf, freedesktop, python, debian, openbsd, transmission torrent, the gnome foundation, vlc, and there is probably a lot more that I can't remember right now.
[1] http://www.linuxfoundation.org/programs/core-infrastructure-...
The fact is that all of these projects need better funding. Frankly it surprises me that large multinational corporations that care about security don't just fund these people. The downside risk for them is terrible.
Hoping for donations to reasonably compensate developers is beyond naive.
The difficulties I see with this approach is 1) getting a trustworthy intermediate and 2) how to select the projects to allow the donations for. But 2) shouldn't be that hard because the users could, in the end, pick who they want to donate to.
My first thought was the Software Freedom Conservancy. The only reasons I see for them not to take GPG under their wing are lack of will (but why?), sense of funding priorities (but why?), or the possibility that some GPG constituents would be concerned about associating GPG strongly with a US-based organization.
There's a history of Koch that is pretty ugly. He tried to start a consulting company with said government money and seems to have a "pay me to fix bugs" attitude. This breathless "omg must donate now" sentiment dominant here is highly questionable.
gpg should be under and funded by FSFE not via begdonations and german government funding.
There's nothing wrong with that attitude. There's no reason why he should be doing work without pay.
If people send him bug fixes and he refuses to merge them, that's something else. But he doesn't have to work for nothing. I assume that whatever money he may be receiving from the German government may be used for other kinds of developments, not bugs that don't affect him.
Here is a link to the donation page: https://gnupg.org/donate/index.html
Imagine all the workflows that depend on verified encryption signatures like Debian, Ubuntu, etc and that's just software distribution, not counting privacy issues like journalists, political dissidents, whistle blowers, etc using it for secure communications.
It was pretty easy to donate, took me less than 2 minutes. I encourage everybody that is able to make a donation, however small, every euro counts.
I left a note that he (like the EFF and the ACLU) should have a recurring donation option, or at least an option to receive a once yearly email asking for a donation. There are many people that would happily go with a recurring donation if that option were available.
And, as others have pointed out it is easy and you can choose between cc and PayPal.
I just chipped in $25.
Edit: Over €10k more in the hour since this comment. It's now 2/3 of the way to the funding target.
It's just that it takes a lot of media attention to get you to your goal plus a lot of the donations a coming from regular developer who understand the importance of this instead of the big companies profiting from this software.
Interesting to see more people have donated so far in 2015 than the whole of 2014.
Really happy to see that this post on HN has traction, and delighted to watch the counter go up. GPG and other security projects need a way better tech PR push.
I'm experimenting to do a dead-simple licensing system using SSL certs and signing--rough idea is, cert is from me, and when it expires, software says "lol no get new cert".
I'm sure this has been done before, but the amount of custom license management code I've seen in the wild makes me wonder...
You are of course aware signatures don't solve the licensing problem however, which is a Trusted Client problem (i.e. unsolvable).
It also seems you want to expire things, so I do feel I have to warn you that signatures are a totally separate thing to a secure time source, which is a whole different bag of marbles.
However, since what you're designing sounds like a logic bomb/copy protection/DRM system, I must say what I've been saying for the last quarter-century or so: please do not design your software to deliberately fail. That is a bad call: trust me on this one. Any crypto that you do to support it, even if the crypto itself is sound, is just tapdancing around a failure state.
Software is shareware, gets a little naggy within 30 days of license expiration, send money to get a new license file, which makes the nagging go away. No cessation of service.
I'm not worried about clock spoofing--I assume basically good-faith customers.
Signing would help people from just copy-pasting certificates around. If they want to go into the executable and rewrite the routines, well, there's only so much one can do, yes?
(Your registrations are time-limited? That's very unusual for self-described "shareware". That's pretty much "commercial, but your demo nags".)
You're welcome to choose whatever business model works for you, of course, but take it from me, this one's straight from the early '90s. I hope it works for your users too.
And unfortunately, the harder someone tries to reach that goal, the more fragile their software becomes. A lose/lose situation.
It really is better to engineer software to work, not to fail.
For example: https://github.com/glebd/cocoafob or https://github.com/bdrister/AquaticPrime
This is how the stories goes: we haven't figured out how to make good work worthwhile.
Perhaps we can learn something from our vast experience in profitably peddling shit?
But that'll never change unless all of a sudden we say "Ok, on the count of 3, everybody stop giving away their hard-earned expertise for free. 1... 2... 3..." We're like musicians nowadays. We love it, so we do it without insisting on compensation.
A few months ago, I Show HN'd an open source project, but reserved the copyright to the code. The commenters immediately took note of this and I felt compelled to switch it to an MIT license. (It was open source for security reasons, if you're wondering.) I'm glad I did, but the point remains: there was pressure to conform.
ORLY? Have you read much source for BitLocker or FileVault, recently? WhatsApp? Skype? And those are just the most popular ones off the top of my head...
Er, the first to keep their source closed and try to charge for it happened a long time ago, and there are huge numbers of developers at firms from one-man shops to massive megacorps still doing it today.
The idea that closed-source for-profit development is a novel idea that violates norms in the software development community and that everyone is afraid to try is cute, but, you know, completely contrary to the actual facts of both the current state and history of software development.
Some source is better to be open for all stakeholders, others... it's more or less irrelevant, unless you believe the entire world is out to get you.
But there are library authors who publish BSD (governnent funding) who can't partner with GPL. It's unfortunate.
Seems like there's another option -- open source your project and also charge for a license to use it. By open sourcing people will trust it more which will cause its value to go up. And then more people would be willing to pay for it.
If you open source your project, unless you're using an unusual definition of open source, you've provided a free-of-charge, sublicensable license to use, modify, and distribute it. (Or, at least, a license that the licensee is free to sublicense without charging the sublicensee or paying an additional fee to you, so even if you are charging for the direct licenses, the more you sell the greater the probability that it will be available at no charge.)
You could open source it and charge a fee for professional support, however, which is a fairly common model.
I say this because I know that when I am looking for libraries to use at work in commercial software, I have to look for BSD-style code and now actively steer clear from GPL and LGPL code (static builds for me please).
It isn't to be malicious but it's mainly because I would like to continue living. Giving away things I have spent years working on doesn't pay my mortgage or put food on the table.
It's easier for businesses to write off these type donations (and make them for significant amounts) than for private individuals to do so.
Far simpler not to even bother at all.
If your effort is half as good, you still get half million people to donate $1.
On the company case, one million is not pocket change, so this will be a serious decision that has to be approved by several independent branches within the organization, each with veto power. Screw one of those and it's a deal breaker.
Furthermore, I'd say that this decision is one that is particularly difficult to frame for the company. While corporations do understand direct costs very very well, they are practically hardwired to ignore/exploit the gift economy. So the discussion will be stirred towards what indirect benefits will the company receive from donating to a worthy cause (public relations, tax exceptions, etc) and away from the consequences of letting a (unacknowledged) strategic partner to go under.
Not to say that a corporation cannot assume stewardship of a distressed project, but it almost always requires executive fiat to get over the bureaucracy.
I mean, I feel the burn when I give money to Debian, Arch, KDE, etc - but I do it because I know I have to, because the software is so important to me. The $500 or so I donate each year is a lot of money to me, and I'm in the US - I cannot imagine how much donating to these projects would hurt the international users who make significantly less than the 15-25k or so I make annually.
I don't know how KDE managed it, but Blue Systems (http://en.wikipedia.org/wiki/Blue_Systems) is a Germany company founded by one Clemens Tönnies, Jr. Don't know anything about the guy, but he is somehow paying 10+ KDE devs without a business model. I've donated a lot to Kubuntu, but I cannot imagine in a million years they get enough donor money to fund all the devs they employ.
But those kinds of philanthropies, the way Mark Shuttleworth keeps Canonical afloat, seems to me to be the only practical way to keep free software afloat. You cannot ask a million destitute people to donate money they need to eat or sleep comfortably, but we as a community don't have the charisma or ears to get fat cat donors to foot the bills. Probably because software freedom does not matter as much when you are wealthy - you can just pay to get the software you want made anyway, and you might even be able to bribe companies to give you the source if you care enough.
And I recognize a huge portion of the donor pool for most free software projects isn't either end of this spectrum, but people like me making something above the poverty line and below extravagance that donate what they can where they can, but that is consistently shown to not be enough. And I imagine it is more because it takes millions of average joes paying dollars to match what one millionaire can do in an instant.
Or they're small for-profit companies and they can't spare the revenue.
Or they're large companies and no one with a budget and decision power is even aware they use the product.
Or they're Red Hat... With limited budget for this and unlimited needs to cover.
I don't know how we get there when companies like Apple eat such a huge portion of the consumer OS and application dollar and companies like Microsoft and Oracle eat such a huge portion of the corporate dollar.
Do Free Software project with funding 'pay it forward' to the volunteers on other projects they heavily depend on? (I don't really know) If not, they deserve to suffer the consequences.
How would a free software project 'pay it forward'?
They are in a very similar position, aren't they?
Edit: For some reason, I can't reply to child comments (probably a cool-off time-out at work?).
Just a short note here, then: $1.25e6 for the FSF translates to 10 developers like Koch being paid (the donation page quotes "120000 EUR").
That's ten. For the whole FSF. As an example of a well-funded project. I'm not going to comment on that. HN would rightly give me months of cool-off time.
It seems reasonable that these projects should consider adding items to their budget to redistribute funds to projects that they depend on.
Some probably do this, however I think the GP was suggesting that something like this become more common.
Which ones are those?
In addition, some projects that are not well-funded as a project are "funded" in the sense that companies pay people to work on them, for example Microsoft paying Simon Peyton Jones to work on GHC.
Ubuntu is funded by Canonical. http://en.wikipedia.org/wiki/Mark_Shuttleworth in other words. So one big donor.
Debian... seems to mostly get by on volunteer labor and be ok with it, or it did when I was involved with them. Has that changed? I suspect that in some ways Debian is underfunded given the amount of work they do. Perhaps money would make some things happen faster there.
The Apache Software Foundation does a decent job at fundraising, and even employs a few people to do stuff like administration. Most of the projects get by with companies that pay people to work on them, which seems to work out pretty well.
Firefox/Mozilla make most of their money with deals: Google and Yahoo, last I remember.
I don't know about OpenSSH.
It's possible, but mostly donations don't seem to work unless it's big chunks of money from companies.
Unfortunately, that is very far from true.
Ubuntu was negative $21 million USD in 2013[1]. Canonical would literally make money by just not doing Ubuntu anymore.[2]
(Every time Canonical is on the verge of bankruptcy, Shuttleworth re-seeds back into the company from his personal checkbook)
[1] http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...
(the numbers are represented in thousands, so 21,343 is 21,343,000)
[2] http://www.wired.co.uk/news/archive/2013-08/13/mark-shuttlew...
The significant losses due to Ubuntu development and related expenses are why Canonical as-of-late has been turning focus away from Ubuntu towards other markets such as Mobile and especially Enterprise (a la Red Hat's turf).
Circa 2008, before the Unity and Pulseaudio switches, it was considered by pretty much everyone the premiere Linux distro. I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
Even today Dell is still doing Sputnik and in European countries you can buy HP hardware with Linux. Why is Canonical not taking advantage of the fact that they could be making money off support for their desktop OS through all the hardware vendors?
Ubuntu has never been profitable for Canonical. Shuttleworth's game-plan was always long-term minded regarding Ubuntu -- but as we've seen as-of-late, Canonical is shifting focus to other markets they view as potentially profitable. Shuttleworth has committed to keeping Ubuntu alive, but it's no longer Canonical's sole hope for income.
> I don't see why they could not get support contracts with Dell, HP, etc to sell Ubuntu computers and provide the tech support in exchange for positive cash flows.
This isn't just a problem for Ubuntu, but for most end-user linux distros. People always joke with Linus when the "year of the Linux desktop" will finally arrive... The people who use Linux as their daily driver generally don't need the support, and for the ones who do, well it's a lot less marketshare than Windows.
> Even today Dell is still doing Sputnik
Besides Sputnik, and some Linux-only end-user manufacturers like System76, there really isn't a lot of choice for pre-installed Linux end-user computers.
It's weird too, because Sputnik is $50 more expensive than the windows version of the same hardware. (probably some Microsoft deal going on here).
Linux comes pre-installed on majority of server hardware (server hardware than comes with any OS at all that is), and Linux dominates this field. But the "year of the linux desktop" hasn't quite arrived yet. I do hope it comes soon.
Is it about profits, or - I'm going to be kind of cynical here - chasing taillights? The way they seem to bounce around from one thing to another (mobile phones! embedded!) makes it feel like the latter.
I tend to agree... modern Canonical feels like a company that lacks focus (probably because they aren't quite sure what the focus ought to be after realizing Ubuntu might not ever turn a profit for them).
I've used System76 and Zareason. System76 are Ubuntu-only (and the hardware may have issue with other distros); Zareason will support any Linux.
I run full-time linux on my laptop and my goto hardware has typically been a Thinkpad T series.
Canonical's cloud business might be profitable (even though Canonical as a whole is very-mush-so-not), however their cloud business is not coupled to Ubuntu, ie. they could use any Linux Distro, or any OS for the matter.
Ubuntu is a total loss center for Canonical. It's surprising to a lot of people given it's popularity... but popularity doesn't equal profitability... especially when most users don't pay anything for the software (not even support fees).
Typical beancounter mentality.
Probably comes with a suggestion of closing this division and going with something else
OF COURSE this department loses money. But it is a net gain for the company, and in fact without it the rest wouldn't exist.
Not sure what "of course" means here... it's very possible to be profitable off your OS Development division... look at Red Hat, SUSE, etc. They pay for the development from support payments... they collect support payments because enterprise wants their OS... it's a positive feedback loop. The better the OS, the more enterprise pays, the more funding RH can put into the OS dev team, the better the OS gets, the more support fees they collect, etc etc etc...
Canonical has not been able to successfully charge for support like RH and SUSE have figured out.
> But it is a net gain for the company, and in fact without it the rest wouldn't exist.
It's not a net gain unless the company can be profitable as a whole and subsidize (and justify the enormous expense) off-put by tertiary services, etc.
... right now Ubuntu project is responsible for Canonical being perpetually in the red... every quarter, since their foundation. Canonical could very well just run enterprise support contracts, or push their cloud services. They don't have to use Ubuntu... any OS would suffice. They aren't somehow coupled to Ubuntu to the point if Ubuntu didn't exist, Canonical wouldn't either.
https://www.apache.org/foundation/records/minutes/2014/board...
As a 501c(3) non-profit, it is constrained as to what it can do with donations.
All of the Debian developers are volunteers, am I wrong? Slackware can barely support one employee, the founder. OpenSSH falls under OpenBSD, which also supports just the founder, everyone else volunteers, and they DO volunteer some serious time and do important things. They also had problems raising funds, there were discussions on HN about that here, and I'm sure there will be more in a year or two.
From: http://www.openbsdfoundation.org/campaign2014.html : * If $10 were given for every installation of OpenBSD in the last year from the master site (ignoring the mirrors) we would be at our goal. * If $2 were given for every download of the OpenSSH source code in the last year from the master site (ignoring the mirrors) we would be at our goal. * If a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in the last year we would be at our goal.
This is kinda depressing.
Is there someone from the Debian project here? I'm wondering if they could afford to run their own mirrors around the world if they had to. Could they cover hardware, colo and bandwidth costs, if they had to? I'm just curious.
That's the point -- the ones that can should support the ones that can't, which are often foundational components of the reason the ones that can, can get money in the first place.
Too bad OpenSSL wasn't one of them until after the big "heartbleed" incident.
The core infrastructure projects don't seem to get as much funding as they ought to, especially given almost everyone relies on them (even if they don't realize it).
Prior to Heartbleed and the industry rallying to fund critical projects, OpenSSL only received an average of $2,000 USD a year[1]... that's pathetic.
[1] http://arstechnica.com/information-technology/2014/04/tech-g...
> Intel will invest "$300 million to help improve the pipeline for women and minorities, actively support the hiring and retention of diverse candidates, and fund programs that support the positive representation of women and minorities in technology and gaming industries."
http://www.wired.com/2015/01/intel-diversity/
> "Google Gives $775,000 to Nonprofit for Tech Diversity CODE2040 said Monday it received $775,000 in grants from the tech giant to support the launch of free training programs for more than 5,000 black and Latino college engineering students over the next two years."
http://blogs.wsj.com/digits/2015/02/02/google-gives-775000-t...
But there are also justified backlashes to the programme, given that there is a perceived priority given to the programme in some areas instead of writing software. The argument is that not everyone and their dog needs to be involved with writing software, so why should we encourage them to? You don't see such pushes in dentistry, the car industry or anything like that; "Are you a WOMAN? Then join the car industry!".
Strangely we do in IT though, where it is the belief that we should make EVERYONE code!
The "I will fight you and I will win" response from Emmanuelle Bassi is a particularly horrible/strange/passionate reaction from one of the guys involved with the programme: see http://blogs.gnome.org/tvb/2014/09/12/im-looking-at-you/comm...
Yes you do. Every single fucking time this comes up someone says "you don't see this in construction". It's rebutted every time it comes up and it's really fucking easy to do a simple web search to find examples of programmes to get men into teaching or nursing or to get women or minorities into construction.
Example links have been posted to HN many times.
I haven't seen anything like this here in the UK. Is it a US thing?
BTW, I wasn't advocating for or against in this GNOME argument. I am entirely an observer and was highlighting the arguments made by both.
That's at least how I think it went, you can go look it up, the details are online.
I thought I ought to add that because I suspect people are thinking that I dislike the programme? Either that or people like down voting with no reply.
With regard to the encouragement for everyone and their dog to take up coding, I see it a lot but in truth I do not see the same things in other professions - I have never seen a push to make youngsters take an interest in banking or journalism yet over here in the UK there is a push to make programming/coding a part of the national curriculum for youngsters, hence the introduction of the Raspberry Pi to encourage that.
The FSF had revenue of 1.25 million in 2013. I'm not trying to comment on where it came from or where it went to. I'm only pointing out that they are not in a very similar position.
In 2013 FSF paid $ 689,239 in salaries and, astoundingly!, $ 48,995 in credit card fees.
Anybody got an idea why they pay so much?
Source: 48995/689239 = (x*.029+.30)/x
Some banks do tack on a foreign transaction fee though, but that goes on the payer.
If they had zero expenses other than staffers, at a very modest 65,000 USD a year that would not even cover 20 people.
The EFF, FSF are the only real "good guys" out there fighting for your techie rights every day... They could really use your donations and support (even if you don't agree 100% with all of their message).
As mentioned by the grandparent comment, GPG is in use by Debian, Ubuntu and RedHat package managers. Whether or not you count those three as free software they have plenty of money to pay forward to a piece of software that underpins their entire stacks.
I am having a hard time to find financial statements from Debian.
Ubuntu, or rather Canonical, being a private company, doesn't seem to release financial information. The Ubuntu main page doesn't even provide a 'donate' link anymore.
Which leaves RedHat, at last. A public company, of course[0]:
[0] http://investors.redhat.com/financials-statements.cfmTry to download it: http://www.ubuntu.com/download/desktop/contribute/?version=1...
For some reason SPI has not put out an annual report since 2012: http://www.spi-inc.org/corporate/annual-reports/2012.pdf
http://www.pc-freak.net/blog/what-is-the-development-costs-o...
http://www.scribd.com/doc/199373896/Canonical-Group-Limited-...
21 million USD negative, largely due to Ubuntu development and related expenses.
Canonical has never been profitable, which is why Shuttleworth constantly re-invests his own personal capital in the company.
[0] - https://lists.debian.org/debian-vote/2013/03/msg00095.html
However, a lot of commercial entities use pgp as core of their business: all software packaged for the linux world is signed with gpg one way or another. All commercial distributions depend on it at their very core. I'm amazed that they don't fund gpg at least partially.
One of the points of open source is that software becomes a commodity, and that will always hurt OSS founding.
Even sadder is the fact that these "free" things actually cost us much, much more. https://news.ycombinator.com/item?id=8585237
It's a play on words though, by analogy with "Pay it back" which is returning a favor to one who did a favor for you first (like paying back a debt). In the case of large distros being heavily reliant on GPG and other upstream projects, I think the applicable term here is "pay it back".
Upstream developers helped out Debian, et al, and now Debian needs to pay those developers back. Arguably, by gifting their distros to the world at large, they're already "paying it forward".
"CII does what's beneficial to its members. Privacy tools aren't" [https://twitter.com/matthew_d_green/status/56338899320386764...]
...which indicates to me that GnuPG wasn't sold properly. It's not just a "privacy tool" -- it's one of the ways that software (including OpenSSL) is securely distributed. I would guess that quite a few of the CII's members benefit from GnuPG and don't even realize it.
I imagine those people need to control integrity of the software, to make sure it is deployed correctly on their servers and distributed securely to their clients and users, and OpenSSL has all they need for that. Privacy, OTOH, is unneeded because they are not (or rather much less) after their own or their users' privacy.
Perhaps via a "Free Core Infrastructure Initiative"
https://twitter.com/gnupg/status/563456662024228865
Link: https://www.wauland.de/en/donation.html#61
https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzk...
My name isn't even on the list of recent donors anymore, that's going fast! Maybe he'll wake up tomorrow and hit refresh a couple times to be sure there's nothing wrong with the counter, hehe.
Email Encryption Software Relies on One Guy
Err... did PGP recently go bankrupt?
Edit: Crap, it's worse, they seem to have been acquired by Symantec. Is it still any good?
exactly. Given the number of corporate laptops encrypted by the corporate IT with that software , and thus definitely some "license" style good money were paid by the corporations to some entities ... i never believed in the magical concept of trickle down and sounds like it doesn't work here too.
I'm really glad Pro Publica picked it up, but I also think we need to change to way we think about critical software like GPG. The GPG Tools team (GPG for Apple Mail) recently stated they need to charge for the tool in the future because they simply can't handle to amount of work anymore (it's still GPL) — the response from us was nothing but outrage.
// I just realized all of this is mentioned in the article. My bad.
Maybe the lesson here is not to license important software under such permissive licenses. Make it open source and free for non-commercial, require a donation if it is used in a commercial product. I don't really see how you can give something away for free and then expect companies to volunteer to pay for it.
Every serious definition of 'open source' or 'free software' says that you can't discriminate by field of endeavour - if you have one set of rules for commercial use and one for non-commercial use, it's not really open source. And the nature of donations is that you can't require them.
That's not to say that you can't build a business model around open source software. You can charge for pre-built binaries, you can charge for exceptions to the GPL license to build proprietary software with it (this is what Qt used to do), or you can charge for services associated with the code (e.g. running a hosted service). You can even technically charge for the code itself, though since anyone who buys it can resell it or give it away, that sounds precarious.
We call it Free and Open Source Software for a reason. Open Source means the code is open (i.e., you can study it), Free means it's licensed under a Free Software license (it doesn't necessarily mean free of charge).
People usually omit the "Free and" part when they talk about FOSS.
https://en.wikipedia.org/wiki/Free_and_open-source_software
// Anybody want to tell me why you vote me down? Am I wrong?
http://opensource.org/osd-annotated
The kind of "open source" I was talking about is source code that is released under a non-free software license. What do we call that?
---
@alexvoda "it's not really open source" is the part I tried to contradict. I may have been wrong though.
"obnoxious".
More seriously, typically something like "look but don't touch", or "proprietary with source available", or "source available under a restrictive license". Microsoft used to call it "shared source", and that term still has those connotations too.
Definitely not "open source", though; that means more than just "has source available".
The Unreal Engine is an example for this kind of business model on a large scale. KoboldTouch (used to be?) an example for the same on a very, very small scale (less than 5 people). I really don't see anything "obnoxious" about it.
Yeah, that's a very different case. It's indeed moderately common for proprietary software frameworks/engines to include source, so that their paying customers can modify and redistribute, but cannot redistribute in source form (modified or otherwise). That's not any more obnoxious than any other kind of proprietary software distribution, and I wouldn't call it "look but don't touch", though it certainly isn't open source or free software.
The case I'm talking about is software with publically available source, but under a restrictive license that doesn't satisfy the OSI or FSF or DFSG definitions. For instance, many random projects on github that don't bother applying a license, or rar (the archive format implementation), or tarsnap, or the extremely obnoxious JSON license.
You are free to come up with your own defintion of popular, agreed up terms. But this will lead to problems when you're using a different definition from everyone else.
Calling it just one or the other is enough though. Being "under a Free Software license" by definition means "the code is open (i.e. you can study it), so no need to say "and Open Source".
I do however prefer calling it free software over open source as I find the free software definition simpler and than the osd. And also because the term open source seems to place importance on the code being 'open' instead of 'libre', which you'll here rms talking about everytime someone says open source.
"Free software" has issues as well as a term, since free can obviously mean two things, gratis or libre. However, once the reader/listener has understood the difference between free of charge software and software that preserves your freedom to study, modify and redistribute it, I think open source is the more problematic term as it can more easily cause confusion as demonstrated by your comment (where you think open source means that the code just has to be 'open').
This kind of way to function give enough money to employ 10 people, and also secured a lot of new developments (encryption, video, etc.). Disclaimer: I'm just an employee, not the founder.
I would advise him to switch to that kind of licensing, if he wishes to. There's no reason he shouldn't be able to live through his work.
If you do this, the problem with dual-licensing a copyleft project is as follows:
-The copyleft license allows use in other projects with the same copyleft license
-The "dual" part allows use in proprietary licensed project (the stated enemy of the copyleft license)
-The ones left out are projects that use other copyleft licenses and copyfree licenses.
In my opinion dual-licensing copyleft licensed projects is a mockery of the purpose of copyleft.
All this is however irrelevant to the discussion about funding core FLOSS software. It doesn't matter the license, the challenges to funding such a project are the same.
It might be a little tricky in the case of GPG since it is really a GPL port of the commercial PGP software. So a major reason for it's original existence is that it is GPL code.
I hear you though. Free of charge and open source need to be two separate things (not all the time, of course). Cutting costs in FOSS development usually means spending less time on websites, documentation/support and UIs, which hurts the projects in the long term. It's a vicious cycle.
GPL lets anyone running a webapp pretty much ignore everything in the GPL license.
For the record I donated. I'm just pointing out that writing something that's bundled and distributed as part of something else means nobody thinks about your project, or in many cases even realizes they're using it.
I would like if someone with more understanding of the situation could outline the risks of allowing PGP to be the only implementation.
[0]http://www.symantec.com/connect/downloads/symantec-pgp-deskt...
Parts of its source code are viewable and reviewable, associated with key cryptographic functions. Much of what PGP builds is structure around that, and most of that isn't open in any sense of the word.
Phil Zimmerman (who's long since left the building) does understand the value of source review, and the team who supported PGP continued that legacy. But it was quite limited in scope.
That said, PGP also did work with other implementations, including GPG, to resolve compatibility issues -- I'm aware of a few of those personally myself.
Who to contact?
Same for GPG until now. I didn't hear they asked for donations.
And I doubt I'm the only one. So I quickly checked if maybe this was big on HN at a point and I just missed it.
https://hn.algolia.com/?query=GPG%20donation&sort=byPopulari... https://hn.algolia.com/?query=GPG%20fund&sort=byPopularity&p... https://hn.algolia.com/?query=GPG%20money&sort=byPopularity&...
Nope. It's not just me.
If not even the most technical people (that actually know what GPG and openssl are without looking it up) don't hear about this, how are regular people going to find out where to throw their donations at?
I think people would donate if they knew about it. I'm going to send this guy $100 and consider it a license fee, because he deserves it.
On the other hand, I had no idea that he was working full-time on it, and having money trouble.
Also: If you search for "GPG Koch" you can come across this comment:
https://news.ycombinator.com/item?id=6942254
EDIT: An example of development that is slow-coming: library support. Most GPG "libraries" in languages like Python and Ruby are just wrappers around the GPG command-line, because there is no proper library.
EDIT: For example, I believe that it would require rewriting a lot of code, and that means said code would need to be audited to make sure no security bugs were introduced. It's "easier" to just wrap the current command-line tools because they are a known quantity.
https://www.gnupg.org/%28it%29/related_software/gpgme/index....
I haven't used it, so I really don't know.
I've used it while making bindings for it for my Scheme project: https://github.com/cslarsen/mickey-scheme/tree/master/lib/op...
IIUC this is intentional design of GPG 1.x vs GPG 2.x: the former is statically linked binaires for "security reasons" while the latter is a shared lib (libgcrypt) + binaries with exactly the same features.
I remember it made the front page (but that might have been during business hours here in europe).
Another key would be to add a real commercial justification to pay for projects instead of just donating. Often for tax and regulatory purposes businesses can't just spend money on fun, frivolous things unless they want to make a mess of their accounting. Maybe something like for each $50 you spend you get to ask one question on a mailing list or message board.
Example: https://freedom.press/bundle/encryption-tools-journalists
Oh certainly, I use GPG on a daily basis, yet it never even occurred to me that such an ubiquitous project would have trouble gathering funds!
I tossed in a donation as soon as I saw the link in the article.
---
I remember jOOq (a Java SQL DSL) had similar troubles raising donations. They ended up moving to a commercial licensing model for 3.2+ that provides connectors for "enterprise" databases as well as professional support.
Had I seen a banner asking for donations, I would've gladly donated what they're now charging for licenses. -- It is an excellent library.
However I feel like the tooling does them a disservice. When the library can be added by tossing a few lines into `pom.xml` and having Maven fetch it, and the API can mostly be figured out w/ javadoc and your IDE's autocomplete: how many developers will even visit the project homepage and see a "We need funding!" banner?
That's a good point.
Not sure how this can be technically addressed though
The problem, I think, lies in the lack of balance between different types of "users", their ability to absorb risk, and their ability to advertise.
For an individual developer, new product development is a chicken-or-egg issue: you need money to live, but you can't make money off of an infant project. On the other hand, a corporation can siphon funds off of profitable projects into R&D, and the larger the company, the longer they can do it. There is a certain level of financial security that removes emotional burdens that can be real impediments to development progress. There is a singular focus that can be achieved by the developers in such a situation: one 100% focused developer is more than twice as productive as one 50% focused developer, all else being equal.
It's also extremely difficult for an individual developer to get the word out on their project. But if Google even breaths a hint that they are doing something, a subreddit will be made for it overnight and TechCrunch will assign a team of reporters to cover breaking news.
So from the start, the individual is behind the 8-ball in terms of being able to maintain a certain pace of development and gain mindshare for it. If you're entering an existing market, a lot of times the only way to gain traction for your project, to get any attention and get anything out of it, is to have to open source it just to meet other developer's expectations.
But I suspect the vast majority of people who want "open source" really only want it as a security blanket and aren't actually going to look at it. I completely admit that I'm included in that group.
For a corporation, what's the worst that can happen? In other words, who is going to fork their source? Another individual? They won't be able to keep up. Another corporation? They have to compete in both code and marketing, which isn't so attractive. It might be--all things considered--an equivalent effort to just start a competing product. Maybe even a little less effort, because you don't have to dance around collaboration and contribution issues.
But for an individual, it's a significantly higher impact of a problem. If I make a tool, release it open source, and--say--Google decides that it's great and they want to use it, even if I license under the GPLv3, they can very easily strong-arm me out of the driver seat. They could be in complete compliance with the license and contribute all of their changes back, but their marketing machine could easily put themselves at the forefront of developers' minds as the source of that project.
Is "closed now, open later" the solution? I don't know, that's always sounded to me like "closed now, closed later". See Android. What good is Android being open source if, by the time the source for the latest version is released, they've abandoned it for a new version?
Correct me if I'm wrong. I'd like to be wrong, so I know in which direction to take my own business development. But it just seems like there are several types of power, and individual, independent developers have few that large corps do not, whereas large corps have several that indies do not.
Juce and PyQt were created by single developers, so it's not impossible. Staking out and defending a niche would be a prerequisite, open-source or proprietary.
I have a library project right now that I provide dual-licensed under GPLv3 and a paid, proprietary license. It's not typical to release libraries under the GPL rather than, say, the LGPL or MIT. My reasoning is "code or coin, you gotta give something." I have no idea if it will actually work (and I'm not banking on it working, I wrote the thing for my own use first and foremost), but I am starting to think that I would rather nobody use my code than everyone if it meant I didn't get anything out of it past an 'at-a-boy.
Put another way, if I were Ryan Dahl, having gotten Node.js started off on my own, and I still had to work for a living, I'd be pretty freaking pissed. (https://groups.google.com/forum/#!topic/nodejs/hfajgpvGTLY) Maybe the actual Ryan Dahl doesn't care (and maybe he chooses to work, I don't know the exact details), but it would seriously bother me.
"Open" is as much a state of mind and development practices as it is a license. JIRA shipped with full source code while remaining proprietary. This removed customer concerns about JIRA going out of business, no need for source escrow. Customers ended up making modifications to the source, which then influenced the Atlassian roadmap. Conversely, one can have an open-source license, but a dev culture that rejects external input, e.g. Calibre. If a vendor focuses on business goals first, then creates a culture to support those goals, license choices will become clearer.
There are useful history lessons among these links:
1) Free Software Business mailing list archives (1993 to early 2000s), http://www.crynwr.com/cgi-bin/ezmlm-cgi?iis:0:201311#b
2) Self-publishing docs+screencasts with 90% royalties, earned railstutorial over six figures in a market where most technical books are lucky to earn $10K. Relevant to OSS biz models: https://news.ycombinator.com/item?id=7350265 & screencast toolchain: https://news.ycombinator.com/item?id=8932387
3) Bootstrapping 101, http://discuss.bootstrapped.fm/ & http://www.startupsfortherestofus.com/
4) ISV (Stardock) 2014 report, http://www.stardock.com/press/CustomerReports/Stardock2014.p...
Resources on business models:
5) The Business Model: Theoretical Roots, Recent Developments, Future Research, 2010, https://noppa.aalto.fi/noppa/kurssi/23e21090/luennot/23E2109...
6) Free Software and OSS Business Models, 2008, http://www.springer.com/cda/content/document/cda_downloaddoc...
7) Any good book on organized crime / unregulated business. Boundary conditions inform risk management, i.e. early recognition of failure scenarios to be avoided.
Either way, what really needs to happen is companies that build programs off his work need to make a concerted effort to donate to the project. Heck, set aside a small percentage of revenue and consider it a cost of business.
I did manage to do some isolated contributions to Open Corporates (http://turbot.opencorporates.com) where the community are super-welcoming and very patient, but I've felt a little isolated and like I'm not exactly giving much back. Apologies for the mildly-OT rambling.
Sometimes it's small things, like documentation. For example:
http://bugs.python.org/issue17701
Mozilla is quite friendly and makes it easy to contribute. I've had quite a pleasant experience whenever I tried to make a contribution.
https://bugs.kde.org/buglist.cgi?bug_status=UNCONFIRMED&bug_...
And their bug tracker is fairly pretty too.
https://github.com/rust-lang/rust/labels/E-easy
You shouldn't always work just for money, but this is financial ingratitude.
You can offer him all the $5 donations in the world, but he has a full-time job now and has no reason to return to this life of "financial ingratitude".
I'm pretty sure we all would miss him working on it, either directly or indirectly, I think, as developers, we do a horrible job of assessing our blind spots when it comes to infrastructure.
It may not be financial ingratitude. It may be that we just haven't reached a sensible equilibrium between the two symbiotic ecosystems. At some point in the future, "due diligence" might commonly include identifying these sorts of tools, and their developers, and deciding either to not use the tool or to fund the tool's health.
In your scenario, what will happen to GPG? The world just loses this essential asset?
It's not an either-or choice; There are solutions that help him and GPG.
I say f*ck the world.
It won't suddenly erase itself from all the world's computers. It'll still be there. It'll still work the same way it worked the day before.
Perhaps someone else will pick it up?
He's not immortal - at some point someone else has to step up to the plate.
I'm actually curious now of how many first world countries are as backwards as the US where if you retire without any personal savings you are extremely screwed.
Please do your part, and keep that bar moving.
[1] https://www.wauland.de/en/donation.nojs.html
[2] https://blockchain.info/address/12LKeo24XCzgz6ASSxcUa8BvUfzk...
The Wau Holland Stiftung takes the BTC and pays it out to the GnuPG project. Its a foundation that has its roots in the CCC and supports all kind of open source and/or hactivists projects.
https://en.wikipedia.org/wiki/Wau_Holland
I wonder if it all really comes down to "Really I am better at programming than this business stuff." or if there is some unstated dogmatism that gets in the way.
It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.
Look at how many crappy, trivially broken crypto messaging systems are posted to HN every year. Some of them even get funded! Nobody wants to work on GPG, which makes what Koch is doing even more important.
The idea I suggested (a consultancy retainer) is a way of converting his name into cash. At 10 hours a month, his function would mostly be limited to the company being able to say that he works for them, maybe have him join some high-level meetings, more than actually doing programming for clients.
You're in the general security business, you seem to be pretty good at business in general: don't you know someone who could turn hiring Werner and two devs to work on GPG into cash?
Lots of people would love to work on it. But who can work for free? No one that I know of.
Moxie Marlinspike was doing well for himself when he was squatting in pgh and train-hopping, too. Some people are just better at coercing life into doing what they want to do. I think it helps that Moxie is probably a few standard deviations more intelligent than most humans, but that's just a bonus.
I think this works. It's sad that it depends on exploiting the virtually unpaid work of a few committed die-hards. But basically, it's the only way we can have good gratis software without something stupid like bundling ads, lack of source code or 'services-based' models. It's clear from all the other unfunded OSS projects that corporate sponsorship isn't going to happen unless they're getting something in return.
Would it be impossible to create some sort of stipend program at FSF? After all the creation and maintenance of software is allowed to cost money under the GPL.
No.
Free software was never about no money being involved. In fact, RMS himself used to get a lot of money by selling free software. Back in the day when Emacs was too big for the internet, RMS used to sell Emacs tapes at 100 USD each (with documentation and source code, of course).
In fact, he still thinks that you should be charging money for distributing free software:
https://www.gnu.org/philosophy/selling.htmlHe also thinks selling exceptions to the GPL is another good way to support yourself. FFTW and Qt are two prominent projects I can think of that did this.
https://www.fsf.org/blogs/rms/selling-exceptions
The GPL itself is anti-freeloading. We give you the code, you can do whatever you want with it, but if you want to build on top of ours, you have to give back. It's all about levelling the playing field for everyone.
I have really hoped that the current app store model would turn out to be a great way to sell free software. A convenient way to pay, and you can download and install whatever you want. Optionally, you can have a link to the source code.
Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
In at least one case it's because a single open source contributor with an ideological conflict with App Stores was able to get an app removed:
http://www.tuaw.com/2011/01/08/vlc-app-removed-from-app-stor...
By the way, VLC has been relicensed as MPL and is now available for iOS again.[1]
[0]https://www.fsf.org/news/2010-05-app-store-compliance/ [1]http://www.videolan.org/vlc/download-ios.html
See what happened to VLC as an example.
Also, I know some free games are sold on app stores. Wesnoth comes to mind. Have people come to spite the Wesnoth developers and put the same game on the app store without a fee?
You can list a couple of exceptions, sure. But I'll see you that and raise you all of The Pirate Bay.
That is, you are always free to charge money, but you are not free to withhold source or prevent modifications/redistribution of those modifications, because this restricts the rights of other human beings. Or said another way, your freedom stops where my nose begins.
[1] https://www.fsf.org/blogs/licensing/more-about-the-app-store...
The problem here is determining where the divide between "using the software" and "building on top of ours" is. The line becomes blurry when the software is (e.g.) a library where the basic use of the library is to base other software off of it (as opposed to a desktop app -- e.g. GnuCash -- where "usage" has a more straight-forward meaning).
There still exists uncertainty and ways around it (You can execute GPL programs or write shell scripts so that GPL programs execute your code) such that you don't have to distribute the major parts of your codebase, but the GPL has an explicitly different version for libraries that are supposed to be linked in to non-free software vs libraries that are cores of GPL software.
Eben Moglen seems to think, as I understand it, that it depends on how you distribute the thing. If you link dynamically but distribute the whole thing together as if it were a whole, it's a single work and all should be under the GPL. Other situations seem less clear.
It's one thing to "cash in" on a GPL/LGPL project (e.g. writing a nice GUI around GnuPG, but not giving back to the project) where you are just wrapping the functionality of the GPL/LGPL project. It's another thing entirely to just use a support library (like an xml parser) where the library itself is not the main functionality of the program and have someone saying that your project has to be GPL.
Same problem exist with complete overhaul mods to game. Counter strike simply wrapped around half-life. Half-life was not the main function of CS, yet if they had been giving out CS with half-life under a open license it would again be piracy.
Thus it is hard to see a world where copyright would allow someone to ignore the license as long the "library" is not the main functionality. It would be a nice world, a world with remixing and a explosion of creativity, but a very different world from one that we got now.
No! Nowhere does the GPL says you have to give back to developers, you just have to give everything to the users (and more specifically to your users), because they are the one with the product and the modifications. If they happen to be upstream developers, then sure, they will get the changes too, but that is not the primary goal of the license. It's all about the user being Libre.
If that would work it would be an interesting way of selling your software.
There's no reason why free software should just be given away. The point is to make sure users have the source code and the permission to modify it and redistribute it. It was never to make sure they don't have to pay in order to acquire the software.
Sure, if they can redistribute it, perhaps they could undercut you, but if we believe that piracy doesn't really hurt sales that badly, it seems likely that this secondary moneyless distribution might not substantially hurt the primary one.
> Sadly, it doesn't seem to be happening this way. I don't understand why not. Perhaps I too am being too idealistic.
As an indie app developer, I already struggle with people ripping off my apps and publishing them in various app marketplaces under similar or identical names, or taking my web app, wrapping it and charging money for it.
I have to imagine that if I used a free software licence, this would happen a lot more, and I wouldn't be able to issue takedown requests. Someone searching for the name of my app might find five or ten similar or identical looking results and have no idea which is mine. These other results might serve ads, track user behavior, gather personal information or perform other anti-user operations, leveraging the popular reputation my apps have built to do so.
If people want to bundle "my" GNU Octave and modify it randomly delete the users hard drive, that's ok. Free software allows this. Just don't call it GNU Octave, call it GNU DiskDestroyer or something.
But to make a larger point, if you try to model RMS's behavior using cynicism, you'll tend to make inaccurate predictions. To use a metaphor, his brain is running slightly non-standard software: His social skills are not quite compatible with standard protocols, but he will go to far greater than ordinary lengths to uphold his personal moral principles. I've dealt with RMS and/or the FSF a couple of times, and once I decided to assume that RMS wants exactly what he claims he wants, dealing with the FSF was actually rather pleasant.
Thus, if Stallman thought that programmers should live ascetic lives, he would have written long essays justifying why this was correct. But instead, he wrote long essays about why sharing and hacking on software was a Good Thing, and added (almost as an aside) that you are welcome to charge as much as the market will bear, and that doing so may often be a good decision.
People are very eager to work for free on free (as in speech) software just for the pats-on-the-back from "the community", it seems to me, at least as often as people do it because they're truly passionate about their craft.
With the rise of "have a github profile/opensource contributions" in job posting descriptions, it's only going to get worse. "Open source" is very rapidly becoming the "unpaid internship" model of hiring and distributing work in the software industry, and it breeds a sort of contempt for the notion of receiving compensation for one's efforts. I'm not sure that's a good thing with all the very-much-for-profit activity around software development.
There's simply very little reason for someone to pay for BSD licensed software, but there is reason to pay for GPLed software (even if only to get a different license for it).
I feel that we, as a community, are really bad at supporting some of the opensource projects that powers our infrastructure. I'm not sure what can be done to improve this. Maybe we need a foundation that raises money for those projects and does the marketing needed to remind us to donate.
I for one wouldn't mind giving say 30 euros/month to be redistributed between projects like GPG, openssh, varnish, nginx, openssl...
But as a software developer, I use openssh daily in my job. I use tmux, I use nginx, I use openssl and a lot more opensource projects and they allow me to make a living. So, it makes sense for me to contribute.
Ideally, a GPL+donate-what-you-can would really help maintain these projects.
(And they use Stripe for payments, which of course is relevant here on HN. And as a first time user, it was a breeze to donate.)
I used PayPal and it went like a breeze too.
/sarc
SQLite comes as an example - while completely free, public-domain, what might (I don't know for sure) be making money for the three people behind it is the extensive test suite, various other extensions (compression, security) and possibly support/integration/customizations for specific needs (less memory/cpu usage, or who knows what..)
I'm also amazed at Mike Pall's luajit's effort, and he keeps his sponsors page here: http://luajit.org/sponsors.html
I've never used directly GPG, but since I'm debian/ubuntu user I've donated money after reading one of the posts here.
This is because by not giving them the source code you are keeping your users under your thumb and not allowing them the freedom to improve their lot.
Free. Improve your lot however you like.
When you use proprietary software, you are at the mercy of the company who distributes software to you.
Oh, sure, Apple et al can change their minds and charge outrageous fees and demand outrageous licensing terms. Nonetheless, lots of affordable tools are available.
And before you take the opposing view any farther: I come from an era & mindset of building advanced computers from scratch. I reject the argument you offer of "by not giving them the source code you are [oppressing them]", because I'm trained in building computers starting from sand, and writing software starting with toggling in op codes with manual switches. I've written format converters (with no guiding documentation) to overcome the bounds you imply.
If you want someone to put in the effort to create complex software, maybe you should understand that they should be paid for that effort - one price to use it, and a higher price to get the detailed source code. If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
> I've written format converters (with no guiding documentation) to overcome the bounds you imply.
Please do not assume that everybody should be like yourself.
> If you're paying the price of a few cups of coffee to use it, heck yeah you're not getting the complete body of work a team spent years creating.
There’s an easy way to rectify this – just don’t call it selling. Call it renting, which is what it practically is. The thing which I get when I buy software today is by no practical definition my property: its utility is deliberately limited by the manufacturer, and I am both legally and practically prohibited to extend that limit or repair it.