The task of maintaining GPG isn't principally cryptographic. GPG is one of those classic un-fun projects that the open source community is notorious for neglecting. So the problem isn't finding and funding cryptographic experts to work on it; the problem is finding Werner Koches who are willing to take on the slog of making sure GPG continues to work.

Look at how many crappy, trivially broken crypto messaging systems are posted to HN every year. Some of them even get funded! Nobody wants to work on GPG, which makes what Koch is doing even more important.

Whether the work is "principally cryptographic" or not means fantastically little for it's business value, what matters is that the fraction of the value Werner is capturing is almost unmeasurably small. What Werner needs isn't donations, it's a vehicle for capturing some of the value he's creating.

The idea I suggested (a consultancy retainer) is a way of converting his name into cash. At 10 hours a month, his function would mostly be limited to the company being able to say that he works for them, maybe have him join some high-level meetings, more than actually doing programming for clients.

You're in the general security business, you seem to be pretty good at business in general: don't you know someone who could turn hiring Werner and two devs to work on GPG into cash?

No, I don't. You can trace some of my open frustration with crappy message crypto apps to this, by the way.

>It seems to me there's a parallel to someone like Moxie Marlinspike who's vaguely in the same field, but seems to be doing very well for himself.

Moxie Marlinspike was doing well for himself when he was squatting in pgh and train-hopping, too. Some people are just better at coercing life into doing what they want to do. I think it helps that Moxie is probably a few standard deviations more intelligent than most humans, but that's just a bonus.

Don't know about Moxie's situation, but Werner Koch also has a young child and a wife [who's not working, according to the article] to support.