Moving SecureDrop repositories out of Microsoft's GitHub

Bonjour,

Today GitHub was acquired by Microsoft. As a result all SecureDrop repositories went from being hosted by a small independent company to one of the largest proprietary software corporation. Not only does Microsoft actively work against the Free Software movement (software patents, copyright law reforms, etc.), it is also a major contractors for the defense world wide (see the The Microsoft Cyber Attack released this year for one of many examples).

Now would be a good time to move away from GitHub into a self hosted infrastructure. As it turns out the SecureDrop community already has a GitLab instance which proved quite reliable over the past nine months. Of course such a migration will take time (CI, documentation, scripts, etc.) but there is no rush and it can happen over a period of months without any stress.

The alternative would be to wait until a catastrophic event forces the migration with no delay and disrupts the SecureDrop development cycle, or worse. One could argue that the Microsoft acquisition is a catastrophic event already. But realistically it is merely a non-equivocal warning that the worst is to come. Let’s not wait for it

Cheers

P.S. I am available to help with the migration and can commit two days a week on this project for as long as required.

@dshmL may (conditional ) organize a hackaton mid-july in the SSL hackerspace on the theme “Run away from GitHub and self-host”. If the Freedom of the Press Foundation provides virtual machines on that occasion, the SecureDrop.club playbooks can be applied (and the OVH specific things removed). The upside of doing that would be to lower the bar to self-hosting.

Realistically FPF may want to retain control over the repositories it already owns in GitHub and moving to the securedrop.club infrastructure would not allow that. But re-using the securedrop.club provisioning logic could be an option to ease maintenance. Since we were careful to re-use the same tools (Ansible, molecule, etc.) it could be an opportunity to share the maintenance workload on these.

Thanks for starting this discussion, @dachary. The proposed migration doesn’t seem worthwhile to me. A few reasons why not follow.

Given the outstanding work pending on the SecureDrop and related projects, reallocating engineering effort toward a significant hosting migration would drastically reduce velocity on SecureDrop mainline, and the forthcoming workstation overhaul. The benefits of such a migration for organizations running SecureDrop are nominal at best, whereas the support burden incurred by such a change stands to be quite substantial.

The SecureDrop release management procedures already treat any hosting provider, GitHub included, as a potential vector for compromise. That’s why we have a meticulous airgapped signing process to ensure that any tampering with data integrity would be detected, and cause updates or first-time installations to fail, due to signature mismatch. Over time, we can bolster trust further by supporting reproducible builds, enabling multiple maintainers—as well as any interested member of the community—to verify that the signed releases contain precisely the expected code.

Since the introduction of the SecureDrop GUI updater for Tails, we now ship automatic updates via GitHub, same as we long have for initial bootstrapping and manual signature verification. While the practice of shipping releases via git certainly has its problems, we’d surely do better to focus on providing updates in manner more consistent with best practices, such as hosting deb packages via apt for use on the workstations, be they Tails or Qubes or some other platform.

In sum, the combination of limited developer bandwidth—despite the tremendous output we’ve enjoyed from maintainers, yourself included!—along with our shared commitment to providing reliable service to news organizations makes the transition away from GitHub a non-starter, at this point in time. I certainly am happy to monitor progress over time and re-evaluate, but as matters stand today, staying with GitHub as the primary public record of the SecureDrop code base strikes me as the best decision.

Hi Loic, et al.

I love activism, and believe more of us in tech need to take more of a stand to demand a higher bar for justice in our world. While this discussion has been closed, I did want to add into the record of this conversation a few brief thoughts.

1. The war industrial complex is evil. That, I will never, ever disagree with.
2. Microsoft is a rare for-profit tech company that has invested millions into design research to learn more about real human needs… many, entirely outside their business model. Sincere, awesome research they’ve been generous with sharing publicly and evangelizing, entirely un-tied to specific products or revenue streams. Danah Boyd is among the most respected of today’s “Cyber Anthropologists,” and I believe may have even given birth to that term (tho I also semi-doubt-it, as the term itself is rather pretentious and she is everything but) in her post-doctoral academic work at Harvard. She is a Principal Researcher at Microsoft, and with their support was able to launch the 501©3 Data And Society Institute. https://datasociety.net
3. Microsoft’s design organization has also led the way in pioneering standards for Inclusive Design. The work at this link, is a fine example: https://katholmesdesign.com/inclusive-toolkit/ This effort in particular, stuck a deep chord with me—and having worked for more than a few Fortune 500 corporations, I can assert that no others have come close to supporting the research and development of digital standards to make our world a more inclusive place through digital products, than Microsoft has.
4. Microsoft is also one of the only tech companies and was one of the first Fortune 500 companies, to remove mandatory forced Arbitration for sexual harassment claims, in their employment agreements. That was huge. Here in the US, legislation is being pushed to do the same—and it’s not winning. That was a VERY un-popular move in “the establishment.” Even many non-profits and indie companies, are hesitant to remove their Forced Arbitration clauses wrt sexual harassment, in their employment agreements. I can confidently say that Microsoft has done more to combat systemic misogyny with this one tiiiny thing, than most non-profits have ever had the balls (or frankly the desire) to touch. Another great article (from NYT) on Microsoft’s move.

Almost every for-profit corporation is going to have a significant dose of evil intertwined in it. Most of those things they’d rather we not pay attention to. Thank goodness, however—many of us DO pay attention to what they’d rather we not! Unfortunately however, as is evolving to become a pattern evident in the “rage cycle” of news (not journalism, news) today… the good some businesses do, is rarely lauded. We need to acknowledge that, and to acknowledge and elevate the courageous good the few corporations who behave that way, do.

Public American corporations (which Microsoft is) are controlled by boards and stockholders, not executives. Greed is written into American lawbooks as “Fiduciary Responsibility.” I really, really applaud Microsoft, for taking some quiet risks that few other corporations in all business sectors have had the courage or the means to similarly endeavor. As such, I want to support them—so that stockholders and boards at other corporations, can pattern-match public support to social-purpose actions not driven by direct revenue gains. Because of the “Fiduciary Responsibility” BS, unless there is demonstrable public support and alternative revenue sources to backup a decision to cut-off their defense industry work, it would be corporate suicide for them to do that. As an anarchist and a humanist, I say “who cares, human lives are on the line!.” The reality is far more complicated, however.

I still refuse to buy an Office license, too. Mostly tho, I just think it’s shit software… and LibreOffice is a rare exception I’m willing to make, to embrace a product despite usability shortcomings. “But it’s FOSS!!” Who cares. If a product’s makers don’t care enough about its users to hold its experience to a higher standard, or to secure funding to pay UX resources to improve the product when plenty of other funding is in the pipeline for other things, I can’t support it.

Re: GitHub… I sincerely doubt that Chris wanted to sell GitHub. They were deep in the VC stranglehold, and most of the time founders and management have little say in who buys the businesses they started. I’m sure that he and other early GitHubbers were mortified, to sell their project to Evilsoft.

Finally: On a bit of a tangent, but where my heart is with much of this—where were the cries to abandon GitHub when their female employees came-forward to confess horrific bro-culture indignities and sexual harassment from senior execs and one of the founders? I didn’t hear many, outside feminist geek circles & the like.

Evil comes in many forms. So does good—and usually, the good is kept far more quiet, than the evil. Why turn our backs on evil, when it can be stood-up to and roared at? Especially when turning our backs on it, would come with such significant costs. In comparison to many of the evils in the tech industry, in FOSS (yes, there is plenty of toxicity in the FOSS world, too), and in our global village, Microsoft’s evil has been diminishing at a far quicker rate than most other organizations I can think of (and yes, I say “organization” instead of “corporations,” because non-profits and indie companies can cause plenty of damage to communities and employees, too).

Food for thought. These are good conversations to have. I appreciate you raising the issue, Loic. I wish more people challenged more of the organizations and teams holding the puppet-strings on the rest of us, more often. <3 #itscomplicated

Damn. Ok, I really failed on the “brief” front.