From d00a52e69d212df7a2b249294af34b002249f724 Mon Sep 17 00:00:00 2001 From: irl Date: Sun, 3 May 2026 16:19:06 +0100 Subject: [PATCH] draft open source post --- content/posts/2026-open-source/index.md | 75 +++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 content/posts/2026-open-source/index.md diff --git a/content/posts/2026-open-source/index.md b/content/posts/2026-open-source/index.md new file mode 100644 index 0000000..0070dc8 --- /dev/null +++ b/content/posts/2026-open-source/index.md 
@@ -0,0 +1,75 @@ ++++ +title = 'Why Open Source?' +date = 2026-05-08T13:00:00-00:00 +lastmod = 2026-05-03T10:00:00-00:00 +draft = true +tags = ['open source'] +[params] + author = 'Iain Learmonth' ++++ + +All of our development efforts at SR2 Communications are released under an open source licence. +This is often a condition of the grants that fund our work but we don't just use the licences to meet contractual +requirements. We strongly believe that open source software is the best way to approach the technical needs of +civil society organisations. + +Kerckhoffs's Principle is one guiding idea in this approach. +The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public +knowledge[^1]. +Kerckhoffs's principle was later phrased by the American mathematician Claude Shannon as "the enemy knows the system". + +This principle forces us to build software that would withstand a source code leak because it's already open. +We cannot hide security flaws behind obscurity. +Every algorithm, every protocol decision, every line of networking code must be robust enough for expert scrutiny. +When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather +than by adversaries who exploit them silently. + +This auditability also helps us build trust. +When our code is fully auditable, users can verify exactly what our software does, and crucially, what it doesn't do. +They can confirm we're not logging their activity, not inserting backdoors, not collaborating with adversaries. +This trust is foundational. +Without it, users won't risk using our tools, and the tools become useless. + +When we produce censorship circumvention tools, we are building in a context where there is already distrust. +Censorship cannot exist without surveillance. +To block content, authorities must first monitor what users are accessing. 
+This surveillance creates a chilling effect: even when censorship isn't actively enforced, the threat of being watched +leads to self-censorship. +Users hesitate to search for sensitive topics, search for alternative news sources, or communicate openly. +We must circumvent not only the censorship imposed technically, but the self-censorship imposed by the threat of +surveillence. + +Funding for internet freedom work can be unpredictable. Grant cycles end. Priorities shift. +If a funding gap forces us to halt development, open source ensures continuity is possible. +Other organisations can pick up where we left off without needing any permission from us. +They can maintain the software, apply security patches, and keep services running for users who depend on them. + +Even when funding is stable we cannot be everywhere at once. +Our team has expertise in specific regions and network conditions, but censorship takes different forms across the +world. +Deep packet inspection, for example, may be implemented differently in different regions but if we have an open source +framework for defeating it, we enable others to adapt our tools for their local contexts. +A developer in a region we've never considered can fork our repository, modify protocols to evade their specific regional +environment, and deploy it for use. + +Our open approach invites contributions from a global community of security researchers, computer scientists, and +censorship measurement specialists. +These academics scrutinise our cryptography, suggest protocol improvements, and identify vulnerabilities we might have +missed. +They publish papers that advance the entire field, and we incorporate their findings back into our codebase. +This virtuous cycle makes our tools stronger than any closed-source alternative could be. + +We see open source as a strategic necessity. +It builds user trust in an environment of surveillance and self-censorship. 
+It multiplies our impact through decentralised adaptation. +It harnesses global expertise for continuous improvement. +It enforces genuine security that withstands scrutiny. +And it ensures our mission endures, regardless of what happens to our organisation. + +The code we write today may outlast us. That's by design. + +[^1]: Kerckhoff described a number of design rules for military ciphers in 1883, and there is another principle that we +also strongly agree with (translated from +[the original French text](https://petitcolas.net/kerckhoffs/crypto_militaire_1.pdf)): "given the circumstances in which +it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and +comply with a long list of rules".
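Review bot: In the paragraph that follows the Kerckhoffs introduction, "When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather than by adversaries who exploit them silently" reads as a guarantee, which sits awkwardly beside the post's own "the enemy knows the system": open code is equally readable by adversaries. Suggest softening it to something like "they are more likely to be found and reported by friendly researchers", which keeps the argument without overclaiming. Three smaller points in the same hunk: "surveillence" at the end of the chilling-effect paragraph should be "surveillance"; the footnote opens with "Kerckhoff described" while the body uses "Kerckhoffs's", so the footnote should read "Kerckhoffs described"; and "search for sensitive topics, search for alternative news sources" repeats the verb, where "look for alternative news sources" would read better. In the front matter, `lastmod` (2026-05-03) is earlier than `date` (2026-05-08); worth bumping `lastmod` when `draft = true` is removed.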