I understand your gut feeling about the acquisition, especially considering that Standard Notes is focused on ensuring privacy through encryption.
GitHub explains on their security page that they don't encrypt repositories:
We do not encrypt repositories on disk because it would not be any more secure: the website and git back-end would need to decrypt the repositories on demand, slowing down response times.
Their explanation makes sense to me, but I don't know if it does for you.
Do you think you'll look to move to a different platform like GitLab, or stay on GitHub and maybe just distribute releases through a different platform?
Ideally the next step would be to use our own CDN (aka AWS), which admittedly is not a huge step up. So I'm not too sure yet what this means. But definitely, I'm more concerned about releases than I am about actual code/issues.
I just came across a security issue relevant to this discussion. Gitea (a GitHub alternative hosted on GitHub) just had its releases on GitHub compromised:
github.com/go-gitea/gitea/issues/4167
The solution they're going for is to GPG sign their releases. Another probably simpler way to resolve your concerns could be to just post the SHA256 hashes of the releases on an external domain and include directions to check the hash of the release from GitHub in the installation instructions.
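One way to do the hash check described above, as an added example that is not part of the original post or of Standard Notes' own tooling. The release filename, the SHA256SUMS file and the domain it is fetched from are assumptions for the demo; the release and checksum data are constructed inline so the script runs offline. It also shows the failure mode that matters: a tampered download with the right name must be rejected.

```shell
#!/bin/sh
# Added example (not the project's code): verify a release downloaded from
# GitHub against a SHA256 list published on a domain the project controls.
# Filenames and hashes below are constructed for the demo.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, else BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release FILE SUMS_FILE
# SUMS_FILE is the checksum list fetched from the project's own domain, e.g.
#   curl -fsSL https://example.org/releases/SHA256SUMS > SHA256SUMS   (assumed URL)
# in the "<hex>  <filename>" format that sha256sum produces.
# Returns 0 only if FILE's hash equals the published entry for its basename;
# a missing entry is treated as a failure, never as "nothing to check".
verify_release() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no published hash for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches published SHA256"
        return 0
    fi
    echo "FAIL: $name hash mismatch (expected $expected, got $actual)" >&2
    return 1
}

# --- constructed demo data: a pretend release and its published hash list ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
release="$demo_dir/standard-notes-1.0.0.AppImage"        # assumed filename
printf 'pretend AppImage contents\n' > "$release"
printf '%s  %s\n' "$(sha256_of "$release")" "$(basename "$release")" \
    > "$demo_dir/SHA256SUMS"

# A tampered copy with the same name, as an attacker who swapped the GitHub
# release asset would produce.
mkdir "$demo_dir/evil"
cp "$release" "$demo_dir/evil/"
printf 'x' >> "$demo_dir/evil/standard-notes-1.0.0.AppImage"

# Genuine download passes; tampered one must not.
verify_release "$release" "$demo_dir/SHA256SUMS"
if verify_release "$demo_dir/evil/standard-notes-1.0.0.AppImage" "$demo_dir/SHA256SUMS"; then
    echo "tampered release should not have verified" >&2
    exit 1
fi
```

With coreutils the same check is the one-liner `sha256sum -c --ignore-missing SHA256SUMS` run next to the download. The value of the scheme rests entirely on SHA256SUMS coming from a channel the GitHub account compromise does not reach, so it belongs on the project's own domain, not in the release assets beside the binary. For the GPG route Gitea chose, the equivalent step is `gpg --verify standard-notes-1.0.0.AppImage.asc standard-notes-1.0.0.AppImage`, after importing the signing key from the project's own site and comparing its fingerprint with one published there.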
Yup, this is the direction I'll be going in as well.