-
A counter to this would be to let users deploy their open source client [0] themselves to wherever (as one example, this is something that TermPair implements [1]).
[0] https://github.com/ProtonMail/WebClients
[1] https://github.com/cs01/termpair/#static-hosting
-
Mailvelope (https://github.com/mailvelope/mailvelope) is an open source extension for Chrome and Firefox that allows users to use OpenPGP encryption with any webmail provider. Unfortunately, I have only one contact who has corresponded with me with PGP. But two others (both activists) use ProtonMail (my only reason for having an account on the service) -- but not Tor (their ProtonMail use predates the latest "explainer"). At least when it comes to email, I'm going to go out on a limb and say people should _never_ trust it for sensitive communications. Message content itself can be protected by PGP encryption (if people would bother to use it), but there's no watertight way to consistently avoid the kind of relationship mapping that nation states and transnational corporations have been doing for the last two decades. That game is already over, and Big Brother won -- no matter who you use for email.
-
The browser add-on that comes closest is Signed Pages[0], and in theory it could provide TOFU-level security by requiring the user to opt in to new versions. For unclear reasons, though, the devs seem to be against implementing that.[1]
Any system for protecting against backdoors assumes that someone is auditing the code to check for user-specific code paths, so the only extra layer of security to add is some sort of Binary Transparency. A good example of that is Sigstore, which is being experimentally integrated with the Arch Linux package ecosystem.[2]
[0] https://github.com/tasn/webext-signed-pages
[1] https://github.com/tasn/webext-signed-pages/issues/13
[2] https://github.com/kpcyrd/pacman-bintrans
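-
The trust-on-first-use idea from the last comment, as an added sketch that is not code from any commenter or from the Signed Pages extension: the first bundle seen for an origin is pinned by SHA-256, and any later change is blocked until the user opts in. `TofuPinStore`, the verdict strings, the origin and the sample bundles are all assumptions made up for this illustration.

```javascript
// Added illustration: TOFU pinning of a served web client bundle (Node.js).
const { createHash } = require('node:crypto');

const sha256 = (bytes) => createHash('sha256').update(bytes).digest('hex');

class TofuPinStore {
  constructor() {
    this.pins = new Map(); // origin -> { digest, pending, history }
  }

  // Classify the bytes an origin just served against the stored pin.
  check(origin, bytes) {
    const digest = sha256(bytes);
    const pin = this.pins.get(origin);
    if (!pin) {
      // First use: nothing to compare against, so pin what was served.
      this.pins.set(origin, { digest, pending: null, history: [digest] });
      return { verdict: 'pinned-first-use', digest };
    }
    if (pin.digest === digest) return { verdict: 'match', digest };
    // Changed content is never accepted silently: remember it as pending
    // and let the caller block execution and ask the user.
    pin.pending = digest;
    return { verdict: 'blocked-needs-opt-in', digest, pinned: pin.digest };
  }

  // Called only after the user explicitly accepts the pending version.
  approve(origin, digest) {
    const pin = this.pins.get(origin);
    if (!pin || pin.pending !== digest) throw new Error('nothing pending with that digest');
    pin.digest = digest;
    pin.pending = null;
    pin.history.push(digest); // audit trail of every version the user accepted
  }
}

// Constructed sample input: a hypothetical origin and two bundle versions.
const ORIGIN = 'https://mail.example';
const V1 = Buffer.from('console.log("client v1");');
const V2 = Buffer.from('console.log("client v2");');

function demo() {
  const store = new TofuPinStore();
  const first = store.check(ORIGIN, V1).verdict;
  const again = store.check(ORIGIN, V1).verdict;
  const changed = store.check(ORIGIN, V2);
  const stillBlocked = store.check(ORIGIN, V2).verdict; // no approval yet
  store.approve(ORIGIN, changed.digest);
  const afterOptIn = store.check(ORIGIN, V2).verdict;
  const rollback = store.check(ORIGIN, V1).verdict; // old bundle no longer matches
  return [first, again, changed.verdict, stillBlocked, afterOptIn, rollback];
}
```

A pin like this only notices that the served code changed; deciding whether the new version is safe to approve still depends on the auditing and transparency log the comment describes.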