I was worried about possibly needing to change license.
I’d rather ask the contributors to consent to licensing their code under the new license. You don’t need the copyright in the hand of one entity to change license, it’s enough if all copyright holders agree.
The situation is made seemingly complicated by the possible need to use copylefted images
WDYM by “images”?
As in art assets? I’m not sure those would even be infectious. I think it’s possible to even use non-free assets in a GPL’d application. It may be better to treat them as such to keep the licensing simple though.
Even then, it’s usually possible to “upgrade” permissively licensed code (such as Apache 2.0) to a copyleft license as long as the original license’s conditions are still met which usually involves denoting which parts of the code is also available under the permissive license.
Why does it need to be public-facing? There may be solutions that don’t require exposing it to billions of people.
Security is always about layers. The more independent layers there are, the fewer the chances someone will break through all of them. There is no one technology that will make your hosting reasonably secure, it’s the combination of multiple.
You’ve already mentioned software ran inside an unprivileged sandbox.
There’s also:
Sandbox ran unprivileged inside a VM
VM ran inside unprivileged sandbox
Firewall only allowing applications to open certain ports
Server running all of that hosted by someone else on their network with their own abstractions
The backend is the real interesting part, and the only way that we can be sure that “they cannot read the emails”
While I’d still prefer it, OSS can’t really help with that because what’s really required here is remote attestation.
That is an unsolved problem to my knowledge; there is no way to know which software they’re actually running. Even if they published the source code, they could trivially apply a patch in their deployment that stores all incoming email somewhere and you’d be none the wiser.
Even if they published source code and could somehow prove to you that they’re running a version derived from it, you would still not be safe from surveillance as one could simply MITM all connections. See i.e. notes.valdikss.org.ru/jabber.ru-mitm/.
That’s likely one of the reasons they do everything they can to make PGP accessible to every user.
imap/smtp can be toggled with a warning, if that’s really their concern
It’s plain and simply not how their service works. They’d have to build most of their service a second time but unencrypted.
It’s like asking Signal to build in support for IRC; it does not make sense for them to do that in any way without malicious intent needed.
no IMAP = no easy migration to somewhere else
You have IMAP access via the bridge. That’s what it’s for.
The ultimate output of Nix is one set of data, usually the description of a derivation (~= package). You cannot cause arbitrary side-effects with it like writing to files or making network requests with it.
the parts of Guix in which packages are defined are quite pure, even using monads for some things
Monads have nothing to do with purity. In fact, one of the most infamous usages of them is Haskell’s IO monad which is probably the most impure construct in the entire language.
it is really not too different from the Nix language.
Hm, I can’t help but think that a lisp dialect can never really be similar to any language except another lisp.