(after writing this I noticed that you’re asking for resources, not advice...)
How good are you at system admin stuff? A massive gaping potential issue is that you’re using third-party services for both hosting your code (which could potentially be extracted via newer versions of Copilot, not to mention the thousands of GitHub employees) and your discussions (how much do you trust Discord to secure your data? How afraid are you of man-in-the-middle attacks?). Both are free services, which means you’re the product.
I have no idea as to whether they are better, but here is a random list of alternatives to Discord. Or you could just go with Signal, which seems more trustworthy, at the cost of convenience.
Hosting your own git server gets rid of the issue of Microsoft accessing your code, at the cost of a lot more bother with setting things up and ensuring you have a secure server. Though I’m guessing a simple OpenBSD + git setup would totally suffice, assuming that you only use that machine for git. This would limit the git attack vector to SSH/OpenBSD—both of which would require a lot of work, at least at non-NSA levels.
The above would get you to improving levels when it comes to transmission of the data. Storage is another issue. I see there are some encryption projects for git, but I don’t know anything about them. You could assume remote access to the git server to be unlikely and leave it at that, but it’s worth considering physical access, though a secure box with a lock would help a lot with that. Still not adequate, though. Adequate at a minimum would require you physically working from the same location and having discussions in person to minimize the risks of overhearing. Though it adds a nice juicy target for bugging, etc.
How do you run code? If it’s on a remote server, then you’re back to trusting whoever is hosting it. If you do it locally, then you have to trust yourself (or your distro) to set up the appropriate security. Are you more worried about something getting in, or something getting out?
This is asking more questions than giving specific advice on which specific practices are appropriate for (one of) the four levels. I will post an example of specific advice to get this started.
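As an added example (not part of the comment above), one concrete shape the “OpenBSD + git, SSH as the only exposed service” box could take: a hardened sshd_config fragment, a small audit that checks an existing sshd_config against it, and a git-only account using git-shell. The `git` account name, the `useradd` invocation and the path lookup for git-shell are assumptions; `Match` blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example: a git-only SSH host. Account name "git", useradd flags and
# git-shell location are assumptions; adapt to your system.

# Hardened sshd_config fragment for a host whose only job is serving git over SSH:
# key-only auth, a single allowed account, no forwarding or tunnels.
render_sshd_fragment() {
    cat <<'EOF'
# git-only host: sshd_config fragment
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers git
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
AuthorizedKeysFile .ssh/authorized_keys
EOF
}

# Audit an existing sshd_config: print one "weak:" line per directive that is
# missing or not set to the hardened value; return 1 if anything was flagged.
# sshd uses the last occurrence of a directive, so the last match wins here too.
audit_sshd_config() {
    cfg="$1"; bad=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "AllowTcpForwarding no" "X11Forwarding no"; do
        key=${want%% *}; val=${want#* }
        got=$(awk -v k="$key" 'tolower($1)==tolower(k){v=$2} END{print v}' "$cfg")
        if [ -z "$got" ]; then
            printf 'weak: %s not set explicitly (relying on the default)\n' "$key"
            bad=1
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$val" ]; then
            printf 'weak: %s is %s, want %s\n' "$key" "$got" "$val"
            bad=1
        fi
    done
    return $bad
}

# Create the git account with git-shell as its login shell so it can only run
# git-receive-pack/git-upload-pack. Not run automatically; needs root. Make sure
# git-shell is listed in /etc/shells where your system requires that.
create_git_user() {
    useradd -m -s "$(command -v git-shell)" git
}
```

Run `render_sshd_fragment` to see the target settings, and `audit_sshd_config /etc/ssh/sshd_config` to list what an existing host still has open.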