Implement warrant canaries to ensure we can trust gitlab.com
I couldn't really find a better place to make a feature request for gitlab.com, so here we go...
Problem to solve
If gitlab.com receives an NSL with a gag order or any other form of secret government subpoena, forcing them to turn over TLS keys, implement backdoors or manipulate GitLab CI artifacts etc., there should be a way to warn the public about that.
Intended users
The public.
Further details
Companies like Cloudflare protect themselves using so-called "warrant canaries". That simply means they proactively put a bunch of notices on their website telling everyone that they have not received an NSL or the like, and once they do, they can legally tell the public without violating the gag order, by removing the notices from the website.
For instance Cloudflare has the following notices:
Cloudflare has never
- Turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.
- Installed any law enforcement software or equipment anywhere on our network.
- Terminated a customer or taken down content due to political pressure*
- Provided any law enforcement organization a feed of our customers' content transiting our network.
- Modified customer content at the request of law enforcement or another third party.
- Modified the intended destination of DNS responses at the request of law enforcement or another third party.
- Weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.
Proposal
Use warrant canaries on gitlab.com.
Links / references
https://en.wikipedia.org/wiki/Warrant_canary
https://www.cloudflare.com/transparency/
https://en.wikipedia.org/wiki/National_security_letter