
When I cycled nyms earlier this month (as a preventive opsec measure) I decided to stop exposing myself to GitHub's tracking features under this new identity.
The problem with GitHub is that if you’re interacting with a repository that is part of a GitHub organization, your geolocation and, if configured so, your IP address are being shared with everyone in that org that has, or in the near future will gain, access to audit logs (everyone that has administrative rights). Additionally, for non-enterprise plans, access to this is hard to finely configure. The retention rate of these logs in the admin UI is 6 months, but these logs can be streamed and/or downloaded off-GitHub through the API and retained elsewhere. This means that anyone gaining access to a GitHub organization’s security role can collect this information and store it.
This issue can become significant when an opsec failure occurs. Real life example: you were tuning your VPN config last night and forgot to check if it was on in the morning when you pushed a commit or commented on an issue. Situations like that do happen - I know because it happened to yours truly 4 times in 12 years. In recent times though, geolocation information has become increasingly sensitive in the Bitcoin space. For instance, consider @lopp’s meatspace attack log for 2025 thus far.
To reduce the risk of accidental exposure, I decided to find and try using a publicly available Tor-only Gitea/Forgejo instance. I came across a tor-only service called "Right To Privacy" which seemed stable and reliable when I did a test run. However, when I used it for "production" last week to host source code and workflow for a little system that monitors robosats (#887106) it only lasted a few days and it’s been down for more days than it’s been up.
The problem with services like these is that they rely on donations. The alternative is a paid service, so that "users" become customers and operators have an incentive to not introduce days' worth of downtime (or rug). We have a great tool in Lightning to have exactly the type of sender anonymity needed, and for now definitely supporting small enough amounts to make weekly billing a thing. Conceptually, having a LN-invoicing git-onion could be a good match from a privacy preservation p.o.v. (caveat: but not so much for compliance of course; I'm not writing this for bank-devs, sorry.)
Before investing time and resources in developing such a tool, I'm wondering if there are other developers interested in a privacy-preserving development workflow solution.
Would I be creating something for myself alone, or do we think there could be a larger demand for this type of service?
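The "forgot to check the VPN" failure above is exactly what a fail-closed pre-push hook can catch. This is an added example, not part of the post and not code from any project mentioned here; it assumes a local Tor SOCKS proxy on 127.0.0.1:9050, an http(s) remote (ssh remotes would need a ProxyCommand instead, which this hook does not cover), and a constructed placeholder .onion address.

```bash
#!/usr/bin/env bash
# Added example: .git/hooks/pre-push that refuses to push unless the remote is
# a .onion address and git's http.proxy routes through a local socks5h proxy
# (socks5h means Tor also does the DNS lookup, so nothing resolves locally).
# Assumptions: Tor listening on 127.0.0.1:9050; http(s) remote, not ssh.

# Returns 0 when the remote URL is an http(s) .onion address.
onion_remote() {
  case "$1" in
    http://*.onion|http://*.onion/*|https://*.onion|https://*.onion/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the proxy is socks5h on localhost (remote DNS, local Tor).
tor_proxy() {
  case "$1" in
    socks5h://127.0.0.1:*|socks5h://localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Policy check: $1 = remote URL, $2 = value of git's http.proxy.
# Both conditions must hold; the reason for refusing is printed to stderr.
check_push() {
  if ! onion_remote "$1"; then
    echo "refusing push: remote is not a .onion address: $1" >&2
    return 1
  fi
  if ! tor_proxy "$2"; then
    echo "refusing push: http.proxy is not socks5h via localhost: '${2:-unset}'" >&2
    return 1
  fi
  return 0
}

# Hook entry point: git invokes pre-push with the remote name and URL.
# Constructed placeholder remote (not a real service):
#   http://exampleplaceholderaddress.onion/nym/repo.git
if [ "$#" -eq 2 ]; then
  check_push "$2" "$(git config --get http.proxy)" || exit 1
fi
```

Install it as `.git/hooks/pre-push` (executable) in the repo that uses the nym; a push with the proxy unset or set to plain `socks5://` is refused before any connection is made.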
I have no expertise to offer but have been super curious for years about how the opsec, or lack of it, will play out among core devs once various important people / groups have billions, and then trillions, at stake, and are no longer okay with it riding on the whims of some small collection of neckbeards.
So far as I can tell almost no discussion or concrete action has occurred to pre-empt the issue, aside from the attrition of some good people.
reply
Note that I'm only talking about this under an isolated, easy-to-burn nym myself. Wouldn't do it if there were any link to irl - that would be bad. Security and obscurity combined is a good thing. I think it's to be expected as an outsider that you do not know what opsec is in place though; that's ok.
I also don't know what kinds of digital opsec other devs use - and especially not core maintainers because I never talk to any of the currently active ones - or how they protect themselves.
But that's also not what I'm looking for. I'm actually looking to reduce opsec pressure: an operator of a tor hidden service has no means to find a location on their connecting clients unless they operate some massive dragnet of prior hops that may or may not be connected through all the way (i.e. the operator is literally the feds.) This means that opsec focus can be spent on other things, productive things.
The worst situation you can be in is having to look over your shoulder (or your family members' shoulders) all day every day. It sucks and it is counter-productive.
reply
My interest isn't even anything so cloak and dagger as advanced digital spycraft, more like: a bunch of people running around using their own names and faces. I wouldn't have a single good night's sleep.
reply
Yes. Those are different threats. It's been worrying to read the narratives in the tornado cash and samurai cases but things like Bitcoin Core are still just open source software and none of it goes in without broad open discussion. Tor wouldn't really protect against that anyway.
The problem to me is trolls / people that hold grudges / gangs. Against that, tor does offer a reasonable solution.
reply
300 sats \ 1 reply \ @kilianbuhn 5h
Would I be creating something for myself alone, or do we think there could be a larger demand for this type of service?
No, there is a big demand for this. Not only Bitcoin and adjacent projects. Even game emulators and piracy stuff.
Emulators might even be already a few years in the future of the kind of censorship that Bitcoin will eventually have. 🤠
reply
This is a really good tip. I just spent some time browsing through emulator repos and those are fairly active and have decent amounts of contributors / workflow activity.
Thank you!
reply
121 sats \ 1 reply \ @k00b 23h
I would guess the market is small but larger than just you. Data privacy feels pretty mainstream now, but metadata privacy still seems niche. Developers are more aware of privacy issues but the majority of them have a kind of fatalist attitude about privacy.
It might be worth reaching out to someone building a small git host and see if they'll create a tor-only mode and accept bitcoin.
chr15m on github runs Hosted Gitea and also implemented gitnonymous, a shell script for pushing commits over Tor. I interviewed them when I was working on my own git host many years ago. He's an awesome open source dev.
reply
Thanks!
the majority of them have a kind of fatalist attitude about privacy.
I cared less before shtf many years ago. Can't protect against 3-letter agencies (at least not all of them, you have to make choices), but can protect against nearly everyone else. Even if it were only GitHub/MS to protect against, it would be of different importance; but the audit logs are a big issue. Tor (in secure mode w/o javascript) does fix this.
[..] see if they'll create a tor-only mode and accept bitcoin.
Good idea!
my own git host
This is very cool, sir.
reply
100 sats \ 1 reply \ @itsrealfake 2h
before you spend too many cycles on LN git, consider Nostr Git.
there's a discussion happening among several devs already.
you could spin up an npub and ping me if you feel like you would like to get put in touch.
reply
How, in your opinion, does nostr solve exposing my IP? I'd still need that to be explicitly tor-only and an enforced separate identity (I'm currently unable to reconcile using NIP-46 because of the identity-reuse risk that comes with it, even though I think that Amber is awesome.)
you could spin up an npub
SN hosts my NIP-05.
reply
21 sats \ 1 reply \ @Mumbo 16h
Is the Bitcoin repo one of these?
reply
Any organization on github has audit logs, including the open source ones.
reply