draft open source post
This commit is contained in:
parent
e5d46b3dfb
commit
d00a52e69d
1 changed files with 75 additions and 0 deletions
75
content/posts/2026-open-source/index.md
Normal file
75
content/posts/2026-open-source/index.md
Normal file
|
|
@ -0,0 +1,75 @@
|
|||
+++
|
||||
title = 'Why Open Source?'
|
||||
date = 2026-05-08T13:00:00-00:00
|
||||
lastmod = 2026-05-03T10:00:00-00:00
|
||||
draft = true
|
||||
tags = ['open source']
|
||||
[params]
|
||||
author = 'Iain Learmonth'
|
||||
+++
|
||||
|
||||
All of our development efforts at SR2 Communications are released under an open source licence.
|
||||
This is often a condition of the grants that fund our work but we don't just use the licences to meet contractual
|
||||
requirements. We strongly believe that open source software is the best way to approach the technical needs of
|
||||
civil society organisations.
|
||||
|
||||
Kerckhoffs's Principle is one guiding idea in this approach.
|
||||
The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public
|
||||
knowledge[^1].
|
||||
Kerckhoffs's principle was later phrased by the American mathematician Claude Shannon as "the enemy knows the system".
|
||||
|
||||
This principle forces us to build software that would withstand a source code leak because it's already open.
|
||||
We cannot hide security flaws behind obscurity.
|
||||
Every algorithm, every protocol decision, every line of networking code must be robust enough for expert scrutiny.
|
||||
When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather
|
||||
than by adversaries who exploit them silently.
|
||||
|
||||
This auditability also helps us build trust.
|
||||
When our code is fully auditable, users can verify exactly what our software does, and crucially, what it doesn't do.
|
||||
They can confirm we're not logging their activity, not inserting backdoors, not collaborating with adversaries.
|
||||
This trust is foundational.
|
||||
Without it, users won't risk using our tools, and the tools become useless.
|
||||
|
||||
When we produce censorship circumvention tools, we are building in a context where there is already distrust.
|
||||
Censorship cannot exist without surveillance.
|
||||
To block content, authorities must first monitor what users are accessing.
|
||||
This surveillance creates a chilling effect: even when censorship isn't actively enforced, the threat of being watched
|
||||
leads to self-censorship.
|
||||
Users hesitate to search for sensitive topics, search for alternative news sources, or communicate openly.
|
||||
We must circumvent not only the censorship imposed technically, but the self-censorship imposed by the threat of
|
||||
surveillence.
|
||||
|
||||
Funding for internet freedom work can be unpredictable. Grant cycles end. Priorities shift.
|
||||
If a funding gap forces us to halt development, open source ensures continuity is possible.
|
||||
Other organisations can pick up where we left off without needing any permission from us.
|
||||
They can maintain the software, apply security patches, and keep services running for users who depend on them.
|
||||
|
||||
Even when funding is stable we cannot be everywhere at once.
|
||||
Our team has expertise in specific regions and network conditions, but censorship takes different forms across the
|
||||
world.
|
||||
Deep packet inspection, for example, may be implemented differently in different regions but if we have an open source
|
||||
framework for defeating it, we enable others to adapt our tools for their local contexts.
|
||||
A developer in a region we've never considered can fork our repository, modify protocols to evade their specific regional
|
||||
environment, and deploy it for use.
|
||||
|
||||
Our open approach invites contributions from a global community of security researchers, computer scientists, and
|
||||
censorship measurement specialists.
|
||||
These academics scrutinise our cryptography, suggest protocol improvements, and identify vulnerabilities we might have
|
||||
missed.
|
||||
They publish papers that advance the entire field, and we incorporate their findings back into our codebase.
|
||||
This virtuous cycle makes our tools stronger than any closed-source alternative could be.
|
||||
|
||||
We see open source as a strategic necessity.
|
||||
It builds user trust in an environment of surveillance and self-censorship.
|
||||
It multiplies our impact through decentralised adaptation.
|
||||
It harnesses global expertise for continuous improvement.
|
||||
It enforces genuine security that withstands scrutiny.
|
||||
And it ensures our mission endures, regardless of what happens to our organisation.
|
||||
|
||||
The code we write today may outlast us. That's by design.
|
||||
|
||||
[^1]: Kerckhoff described a number of design rules for military ciphers in 1883, and there is another principle that we
|
||||
also strongly agree with (translated from
|
||||
[the original French text](https://petitcolas.net/kerckhoffs/crypto_militaire_1.pdf)): "given the circumstances in which
|
||||
it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and
|
||||
comply with a long list of rules".
|
||||
Loading…
Add table
Add a link
Reference in a new issue