Hi @fikko, thanks for the questions, let me please answer them one by one.
Several reasons for that.
First of all, CoreLibs (the main filtering engine of AdGuard) originally used proprietary code for some parts of network filtering (we licensed a third-party network filtering library with code). Nowadays, it’s reworked a lot, but still, open-sourcing it would violate the license, as our code would still count as a derivative of that library.
Also, right now we’re suing a company that decompiled an old version of AdGuard (prior to the introduction of CoreLibs) and built a clone app on top of it. Open-sourcing the filtering engine (even a part of it) at this point would hurt us in court.
Finally, we deal with AdGuard open-source clones on a regular basis, and it’s sad, but all those licenses are not good protection.
In the desktop apps, there’s a browser assistant extension that can be used to inspect the original website certificate. In the Android app, the original certificate can be examined in Statistics → Recent Activity.
We take all the necessary precautions to validate the server certificates in the same way the browser does. There’s a very detailed article on this in the knowledge base that also suggests several ways to check it.
You can reset the application data and generate a new certificate several hundred times. Every time it will generate a new root cert.
We have no information on the users. You can verify that by inspecting what the app sends to the servers or by examining the privacy policy, which we keep up to date.
AdGuard filters are open source and all the changes can be examined by anyone.
We called it war on several occasions as well; we even did that in the very blog post you’re referring to.
Yes, and I have a firsthand account of it: the lead of the AdGuard support team lives in a building next to it.
Running a page does not require using any state certificate or even being in Russia.
Alex is not just one of the employees, he is a lead of the filters maintainers team and one of the most veteran employees (celebrated 10 years last week). Also, he lives in Odessa, Ukraine.
On a side note, I’ve never seen a punitive regime making someone compromise something. Usually, life is simpler than that: there could be a malicious actor that takes control over accounts or there could be monetary reasons. Having the repo and all the changes public and open for review is, in my opinion, a good way to control that. But anyway, I think we can improve it more, for instance by making it mandatory for scriptlet rules to go through a pull request.