Open source software development is publicly visible: commit histories, issue comments, and pull request discussions are permanently associated with usernames and email addresses. For developers who want to contribute to privacy tools, security research code, or politically sensitive projects without those contributions being linked to their professional or personal identity, Tor provides the network-level protection needed for pseudonymous participation. Employers who monitor employee GitHub activity, academic institutions with policies on external contributions, and government contractors with clearance restrictions all create legitimate reasons for developers to separate professional identity from open source contribution identity. This guide covers technical and operational considerations for anonymous or pseudonymous open source development using Tor.
Several legitimate reasons drive open source developers to use Tor for their contributions. Employer-sensitive contributions: some employers have restrictive IP assignment clauses that could claim ownership of code written outside working hours. Contributing to competing projects or projects in adjacent areas creates employer relationship complications. Pseudonymous contributions via Tor prevent employer identification of which open source projects an employee works on. Security research contributions: researchers contributing to security tools (exploit frameworks, vulnerability scanners, offensive security tools) may not want their professional identity associated with these tools in government contractor background checks. Privacy tool contributions: developers contributing to VPN software, Tor itself, or other privacy tools may prefer their contributions not appear in their professional profile. Personal-professional separation: some developers maintain strict separation between personal open source contributions (hobby projects, community work) and professional identity.
Setting Up Git for Anonymous Contributions
Git embeds author information (name and email) in every commit. For pseudonymous contributions, create a separate Git identity: git config --global user.name 'PseudonymDev' and git config --global user.email 'pseudonym@protonmail.com'. For a per-project identity, run git config (without --global) in the repository directory. Create a ProtonMail or Tutanota email address (accessible via .onion) specifically for the pseudonym; never use a personal or work email for this identity. Commit GPG signing: if you sign commits, generate a separate GPG key for the pseudonym identity with gpg --gen-key, and use that key for signing commits in the pseudonym identity's repositories. Never use your real-identity GPG key for pseudonym commits (the same key fingerprint appearing in both contexts links the identities).
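A check that could run before each push, as an added example that is not part of the original guide: it reads git log output and reports every commit whose author or committer email, signing-key fingerprint, or recorded UTC offset differs from the pseudonym's (the UTC offset check goes beyond the steps above). The function name, sample commits, employer address and both fingerprints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. PSEUDO_EMAIL and PSEUDO_FPR
# are placeholders for the pseudonym's email and GPG key fingerprint.
# Reads one commit per line on stdin, in the format produced by:
#   git log --format='%h|%ae|%ce|%GF|%ai|%ci' origin/main..HEAD
# (%GF is empty for unsigned commits; %ai/%ci end in the UTC offset.)

audit_commits() {
  local want_email=$1 want_fpr=$2 rc=0
  local hash aemail cemail fpr adate cdate
  while IFS='|' read -r hash aemail cemail fpr adate cdate; do
    [ -n "$hash" ] || continue
    if [ "$aemail" != "$want_email" ]; then
      echo "$hash author-email $aemail"; rc=1
    fi
    if [ "$cemail" != "$want_email" ]; then
      echo "$hash committer-email $cemail"; rc=1
    fi
    # A signature made with any other key links the commit to that key.
    if [ -n "$fpr" ] && [ "$fpr" != "$want_fpr" ]; then
      echo "$hash signing-key $fpr"; rc=1
    fi
    # Git stores the local UTC offset in both dates; anything but +0000
    # narrows down where the author's machine is.
    if [ "${adate##* }" != "+0000" ] || [ "${cdate##* }" != "+0000" ]; then
      echo "$hash utc-offset ${adate##* }/${cdate##* }"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: hashes, emails and fingerprints are made up.
PSEUDO_EMAIL='pseudonym@protonmail.com'
PSEUDO_FPR='AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555'
sample_log() {
cat <<'EOF'
a1b2c3d|pseudonym@protonmail.com|pseudonym@protonmail.com|AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555|2024-05-01 10:00:00 +0000|2024-05-01 10:00:00 +0000
e4f5a6b|pseudonym@protonmail.com|jane@employer.example|AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555|2024-05-02 09:00:00 +0000|2024-05-03 18:30:00 +0200
c7d8e9f|pseudonym@protonmail.com|pseudonym@protonmail.com|9999FFFF8888EEEE7777DDDD6666CCCC5555BBBB|2024-05-04 11:00:00 +0000|2024-05-04 11:00:00 +0000
EOF
}

sample_log | audit_commits "$PSEUDO_EMAIL" "$PSEUDO_FPR" || echo "push blocked"
```

The second sample commit shows the case that is easy to miss: the author field is correct, but the committer field and offset were rewritten by an amend or rebase done under a different Git configuration.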
GitHub and GitLab Over Tor
GitHub and GitLab are accessible via Tor Browser for web-based interactions (code review, issue comments, pull request discussion). For command-line git operations (clone, push, pull) over Tor, configure git to use Tor's SOCKS5 proxy: git config --global http.proxy socks5h://127.0.0.1:9050. For SSH-based git operations over Tor, add a ProxyCommand using torsocks to your SSH config (~/.ssh/config): Host github.com and ProxyCommand torsocks nc %h %p. This routes SSH connections through Tor. GitHub's API is also accessible via Tor: configure your API client to use the SOCKS5 proxy. Note: GitHub does not operate a dedicated .onion address, but it is accessible via regular Tor exit nodes.
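Which of the two settings above applies depends on the remote's transport, so a repository can have the proxy configured and still connect directly. The following added example (not from the original guide) classifies a remote URL and reports whether the matching setting is present; the function name and the sample remotes are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: decide whether a remote URL
# is covered by the Tor settings described above.
#   $1 remote URL (from `git remote get-url origin`)
#   $2 value of `git config http.proxy` (may be empty)
#   $3 space-separated Host names that have the torsocks ProxyCommand
#      in ~/.ssh/config
# Prints "ok <transport>" or "warn <transport>: <reason>"; returns 0 or 1.

tor_coverage() {
  local url=$1 proxy=$2 ssh_hosts=" $3 " host
  case $url in
    https://*|http://*)
      # http.proxy only applies to the HTTP(S) transport. The socks5h
      # scheme has the proxy resolve hostnames, so DNS also goes via Tor.
      case $proxy in
        socks5h://127.0.0.1:9050*) echo "ok https" ;;
        "") echo "warn https: http.proxy is not set"; return 1 ;;
        *)  echo "warn https: http.proxy is $proxy, not socks5h://127.0.0.1:9050"
            return 1 ;;
      esac ;;
    ssh://*|*@*:*)
      # SSH remotes ignore http.proxy; they need the ProxyCommand entry.
      host=${url#ssh://}; host=${host#*@}; host=${host%%[:/]*}
      case $ssh_hosts in
        *" $host "*) echo "ok ssh" ;;
        *) echo "warn ssh: no ProxyCommand for $host"; return 1 ;;
      esac ;;
    git://*)
      # The plain git protocol uses neither http.proxy nor SSH.
      echo "warn git: git:// is covered by neither setting"; return 1 ;;
    *)
      echo "ok local" ;;
  esac
}

# Constructed remotes for illustration.
tor_coverage 'https://github.com/example/project.git' 'socks5h://127.0.0.1:9050' 'github.com'
tor_coverage 'git@github.com:example/project.git' 'socks5h://127.0.0.1:9050' '' || true
tor_coverage 'git://example.org/project.git' 'socks5h://127.0.0.1:9050' 'github.com' || true
```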
Avoiding Identity Correlation in Code Style
Code style is a fingerprinting vector: consistent naming conventions, commenting patterns, code organization habits, and even whitespace preferences are distinctive. Researchers have demonstrated the ability to identify programmers from code style (code authorship attribution). For pseudonymous contributions, deliberately vary your coding style from your real-identity work. If your real-identity code uses specific naming conventions (camelCase vs snake_case), choose the opposite for pseudonym work. Use code formatting tools (prettier, gofmt, black) to standardize style and reduce unique patterns. Avoid transferring code directly between real-identity and pseudonym repositories without style transformation. The stylometry (linguistic analysis) concern that applies to writing also applies to code: unusual variable names, distinctive comment phrasing, and algorithmic choices that match real-identity code can link pseudonymous contributions to the real author.
Maintaining Long-Term Pseudonymous Identity
A sustainable pseudonymous developer identity requires consistent operational discipline. Account management: use the pseudonym email for all pseudonym-related communications. Password management: use a separate KeePass database for pseudonym accounts, stored in a location separate from personal account databases. Communication channels: if the project uses IRC, Matrix, or Discord for developer communication, maintain the pseudonym identity on separate accounts. Financial: if the project involves bounty payments (HackerOne, bug bounties, protocol-specific grants), receiving payment as a pseudonym requires privacy-preserving payment methods (Monero for full privacy) or accepting that receiving payment to a bank account links the financial identity to the pseudonym. Time-based correlation: contributing only at unusual hours that match patterns of your real-world identity creates temporal correlation. Use Tor to remove IP correlation while being aware that consistent timing patterns can be correlating evidence.