In a recent blog post, I laid out the argument that, if you have securely implemented end-to-end encryption in your software, then the jurisdiction where your ciphertext is stored is almost irrelevant. Where jurisdiction does come into play, unfortunately, is where your software is developed and whether or not the local government will employ rubber-hose cryptanalysis to backdoor your software.

[XKCD: Security]

If you're a European, you probably already assumed this sort of attack is inevitable in America under the Trump administration. Unfortunately, this isn't a new threat. The U.S.A. P.A.T.R.I.O.T. Act, which Congress keeps re-authorizing despite how much it shits all over the Constitution and human rights, has emboldened government agents to flagrantly disregard the 4th Amendment for years already. The CLOUD Act, passed in 2018, adds further legal backdoors to data privacy.

Well-Trodden Paths

There are multiple layers of mitigations that open source teams can adopt to make this sort of attack less attractive to human rights violators. Commonly discussed mitigations include:

- Releasing your software publicly under a free or open source license allows your users to inspect the software, modify it, or fork it entirely if you're totally compromised.
- Reproducible builds allow you to assert that the software you're installing matches the version you expect from the open source repository: anyone can rebuild from the published source and compare the result byte-for-byte against the released binary, so a backdoor inserted only at build or release time shows up as a mismatch. This introduces a mechanism that makes attacks significantly less stealthy.
- Digital signatures and attestations published to SigStore (or some other binary transparency technology) provide a notion of supply-chain security between the provider of a software package and its users. See also: PEP 740. In the context of end-to-end encrypted messaging apps, you also have the analogous notion of key transparency for preventing key substitution attacks.

Nothing in the above list is new.
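To make the reproducible-build and transparency-log bullets concrete, here is an added example (not code from the original post, and not SigStore's or Rekor's own implementation). It models a transparency log as an RFC 6962/9162-style Merkle tree, which is the hashing scheme Rekor-style logs and key-transparency logs both build on: a builder publishes a log entry binding an artifact name to its SHA-256 digest, two independent builds are compared byte-for-byte, and a client checks an inclusion proof against a published root without needing the rest of the log. The artifact bytes, package names, and builder identities are constructed for the example; the same proof verification applies to key transparency if the leaves are identity-to-key bindings instead of artifact digests.

```python
"""Toy RFC 6962/9162-style Merkle log for reproducible-build digests.

Added illustration: the hashing follows RFC 6962 (leaf/node domain
separation) and the proof check follows RFC 9162 section 2.1.3.2, but the
entry format and scenario below are invented for this example and are not
Rekor's or SigStore's actual wire format.
"""
import hashlib
import json


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an interior node.
    return sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes (RFC 6962 domain separation).
    return sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (the "k" in RFC 6962).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: list) -> bytes:
    # MTH(D[n]) from RFC 6962: left subtree always has k = 2^floor(log2(n-1)) leaves.
    n = len(entries)
    if n == 0:
        return sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: list, index: int) -> list:
    # PATH(m, D[n]) from RFC 6962: sibling hashes from the leaf up to the root.
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: list, root: bytes) -> bool:
    # RFC 9162 s2.1.3.2: the client recomputes the root from only the leaf,
    # its index, the tree size and the sibling hashes.
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def log_entry(name: str, artifact: bytes, builder: str) -> bytes:
    # Canonical JSON record a builder publishes: what was built, its digest, by whom.
    record = {"name": name, "sha256": hashlib.sha256(artifact).hexdigest(), "builder": builder}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def reproducible(build_a: bytes, build_b: bytes) -> bool:
    # Reproducible-build check: two independent builds must be byte-identical.
    return hashlib.sha256(build_a).digest() == hashlib.sha256(build_b).digest()


def demo() -> dict:
    # Constructed sample artifacts standing in for built packages (hypothetical names).
    upstream = b"mypkg-1.2.3 wheel bytes"
    rebuild = b"mypkg-1.2.3 wheel bytes"            # independent rebuild, identical
    backdoored = b"mypkg-1.2.3 wheel bytes+implant"  # coerced release, differs
    entries = [
        log_entry("other-pkg-0.1", b"unrelated", "ci@example.org"),
        log_entry("mypkg-1.2.3", upstream, "maintainer@example.org"),
        log_entry("mypkg-1.2.3", rebuild, "rebuilder@example.org"),
    ]
    root = merkle_root(entries)           # what the log publishes (signed checkpoint)
    proof = inclusion_proof(entries, 1)   # what the log hands a client for entry 1
    return {
        "reproducible": reproducible(upstream, rebuild),
        "honest_in_log": verify_inclusion(entries[1], 1, len(entries), proof, root),
        "backdoor_in_log": verify_inclusion(
            log_entry("mypkg-1.2.3", backdoored, "maintainer@example.org"),
            1, len(entries), proof, root),
    }


if __name__ == "__main__":
    print(demo())
```

The backdoored artifact fails because its digest differs, so no inclusion proof for it exists against the published root; an attacker who coerces the maintainer must therefore either log the backdoored digest (leaving a public, auditable record that the rebuilder's entry contradicts) or skip the log entirely (which a client that insists on a valid proof rejects). A real client also verifies the signature on the root checkpoint and checks consistency proofs between successive roots, which this example omits.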
If you cannot publish reproducible artifacts to SigStore (or equivalent) today, your developer ecosystem should a...