What is different from the previous 2.1 is not clear.
The most interesting part is:
"Since the start of the funding campaign in December several thousand
people have been kind enough to donate a total of 250000 Euro to support
this project. In addition the Linux Foundation gave a grant of $ 60000
for 2015, Stripe.com and Facebook.com each pledged $ 50000 per year.
I am amazed by this superb and unexpected support for the GnuPG project.
This will not only allow us to continue the project and hire at least a
second full time developer but gives us also the resources to improve
things which have been delayed for too long."
I think everybody agrees that most of the success of the campaign is due to this single article:
And to my delight, the article was written by Julia Angwin, whose book [1] I recently finished and recommend. It's one of those few "books" written these days (quotation marks because they're really more like stretched-out magazine articles) that actually make sense, come from the right place in terms of sentiment and tone, and most important are logical or coherent. I was curious about the author because I was so surprised and saw in her bio that she studied mathematics in college. Go figure ;-)
[1] J. Angwin. Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance. Times Books, 2014.
Yeah, without taking any credit away from the donors (or from the GPG authors, of course), we should be grateful to her and ProPublica for bringing this to light.
It kinda bothers me that, while I can make a donation to ProPublica, there's no way to express why I'm doing so. On the other hand, maybe there's a danger in becoming too donation-focused.
EDIT: After donating, they say: "Please consider sending a note to thoughts@propublica.org or tweeting @ProPublica sharing your reason for donating. We’ll use some of these messages to encourage others to donate."
Not to take away from the article, but this is like saying Yo-Yo Ma is so good at playing the cello because he's talented.
He is talented, but that's not why he's good. He's good because of years of hard work, blood, sweat, and tears.
Most of the success of this campaign is due to Werner Koch's years of hard work. The article was the catalyst.
EDIT: I'm as grateful as the next guy for all the generous donors, to ProPublica for publishing the article and to Julia Angwin for writing it. Let's just not forget who the real hero of this story is.
Donations for the previous years:
Year    #      €        net €
2011    21     553      465
2012    53     5991     4963
2013    148    5041     4145
2014    801    34700
Do you think Koch worked much less hard in 2011 or 2012? It's that Snowden's revelations raised awareness both among the potential supporters and by Koch himself (he claimed in the article he'd have quit due to the "lack of support" had Snowden not "happened"), motivating him to continue working.
Then before the ProPublica article, the only known contributions were ca. 30000 EUR (apparently the Linux Foundation grant was agreed but still not public). But in just exactly 24 hours since the ProPublica article was published, the contributions were 180000 EUR plus commitment from Facebook and Stripe for 50000 USD yearly each, plus the publishing of the Linux Foundation grant. People who did contribute on that day could see how the "goal bar" moved from "mostly empty" to "full" and above in a few hours.
This case is a good example of the plight of donation-supported products and users' unwillingness to support them voluntarily. If it weren't for the threat of the project shutting down and the article about it, I doubt the project would have received the funding it did.
It also goes to show that users are very bad at judging the value of a product and paying accordingly. They need to be provided an anchor price.
I believe this project will be a good case study for the business of free and donation-supported products.
This is probably what you want, as it's the stable version.
There's no harm in using gpg 1.4.x; the docs indicate that this is maintained because of its use on older and embedded systems, and AFAIK there's no reason to suspect gpg 1.4.x's security if you trust 2.0.x. It's just that the 1.4.x version has fewer features.
I haven't tried other package managers, but I suspect they also have this minor pitfall.
It's worth noting that Homebrew has "gpg" and "gpg2" as aliases for the "gnupg" and "gnupg2" formulae, respectively. This might be confusing to some people wondering why there are two versions of the same thing.
If anyone here is a `pass` [1] user, and you're using 2.1.1, or 2.1.0, I encourage you to upgrade. These two older versions of GnuPG had some nasty bugs, fixes for which the pass community sent upstream where they were accepted.
The result is that pass 1.6.5 and GnuPG 2.1.2 work nicely together.
Interested in those nasty bugs too, as I am on the pass mailing list and have not read anything about them. This sounds more like a plug to pass, from a throwaway account.
Um, no. This isn't a throwaway account. This is my account - the username I use for everything. Type it into Google. It's been my handle since I was super young. Whois the .com of it - I registered it in 2000.
I said "it sounds...", not that it was from a throwaway account. The "nasty" bugs you referred to were never a problem for me, and the way you wrote sounded sensationalist.
I'm glad to hear you didn't have trouble with those bugs. They actually prevented new packages from building in Debian and Fedora, due to our unit tests catching the bugs, and we had to do a double-release on one day to fix them -- quite stressful for us. Anyway, it's a nice thing you weren't directly affected.
I've been wondering if there was anything like "proper" forwarding in gnupg-agent, and thus at least signature support over SSH connections for remote mail clients.
My use-case: I have a shell server which receives my emails. I use a local client (mutt) to read my mails, but I do not want to save my private key on the server, because it is not 100% under my control. The idea is that my physically local box would hold my private keys, and the agent would simply forward the to-be-signed data from the remote host to my local system, and transmit the signed data back.
When I send encrypted emails, at least those I can easily do on my physical box and send the file over first. It's a bit of an inconvenience, but I can live with that. Being able to sign my mails on that remote shell box without actually putting my keys there is the one thing I'm looking for.
I found some kind of hack for this a year or so back, but now I can't even remember what google-fu I had to employ.
Is there any work being done to formally prove the correctness of GnuPG's algorithms? Just curious since there are other topics around Coq on the front page and I couldn't find much by searching.
I do know of one researcher working on this: Julian Bangert at MIT out of Dartmouth has modeled x86 family processors in SMT, and is able to prove that all paths through a particular piece of code compile so that all cache hits are identical, CPU ticks are identical, etc. Brilliant young man - I expect we'll be seeing a lot more from him.
Does anyone know when Curve25519 (encryption, not signing, I know Ed25519 is already there) will be implemented? I'm waiting until that happens to generate my new long-term keypair.
I think everybody agrees that most of the success of the campaign is due to this single article:
http://www.propublica.org/article/the-worlds-email-encryptio...