The Licensing and Compliance Lab interviews Micah Lee of GPG Sync
GPG Sync is a recently launched project for managing the sharing of GPG keys, particularly within an organization. Micah Lee made the project internally at First Look Media and has now shared it with the world.
What inspired the creation of GPG Sync?
Since the very beginning of First Look Media we've taken computer security seriously, and that includes every single employee using encrypted email. But as an organization that has over 100 employees at this point, most of whom aren't already computer nerds, I quickly realized that managing keys is too complicated of a task for every single person to be required to do. I use GPG Sync to solve this problem: all of the complexity of key management can be managed by a small group of techies, allowing our growing user base to use encrypted email without having to think about the details nearly as often.
How will people use it?
At First Look Media, we've installed GPG Sync on everyone's workstations and just let it run in the background, ensuring that everyone will have everyone else's public keys without having to think about it. But I think a lot of other organizations will find it useful as well. I've spoken with people who work for other news organizations, as well as the non-profit world, who are excited about implementing it internally there. And I'm personally going to subscribe to multiple GPG Sync fingerprints lists, so I'll have trustworthy public keys available for a much larger group of people.
What features do you think really set GPG Sync apart from similar software?
GPG Sync is really focused on the needs of organizations, while most other email encryption-related software is focused on the needs of individuals.
Why did you choose the GPLv3 as GPG Sync's license?
Whenever I decide I want to release some code, I like to default to GNU GPL so I can lock it open. I'm not opposed to using permissive licenses like BSD or MIT, but I only use them if I think there's a compelling reason for them.
How can users (technical or otherwise) help contribute to GPG Sync?
First, start using it! If you're part of an organization where everyone uses encrypted email -- even if it's just the other people in your Dungeons and Dragons party -- try setting up a fingerprints list and have everyone use it. See what you think, and report any bugs, or suggest features you'd like to see, in the issue tracker. And if you have programming skills, please take a look at the issue tracker and make some pull requests. I'm always happy to merge other people's code into the project.
What's the next big thing for GPG Sync?
I'm not sure yet, but probably I will focus on a port to other platforms.
Enjoy this interview? Check out our previous entry in this series, featuring Stefano Zacchiroli of Software Heritage.