I mean if your code is open source, and you get an order to insert a backdoor of some kind, how can you put the backdoor in the open source code without violating a nondisclosure clause in the government’s order?
Law overrides contract, so if distributing those changes is prohibited, then not distributing those changes to code is not a violation of the open source licence; the relevant clauses of the licence contract cannot be legally binding.
So you'd just [be required to] keep a non-open fork of that code even if the license (e.g. AGPL) would prohibit that.
I don't think a law requiring you to not distribute the changes overrides the license clauses terminating your license for not distributing them? It's not the license giver's problem that you can't comply with the license; don't use it then?
Of course, not using that license and stopping the use of that code is also a completely valid (though costly) option.
If the licence giver believes that you're violating the contract, they are free to try and enforce that contract in court. A German court would almost certainly rule that the clause is unenforceable, at least as it applies to that particular order-related modification (the licence requirements would still be valid for unrelated modifications). There is a nontrivial legal question whether that would imply that the requirement voids the licence as a whole or just the specific clause. Specific terms (e.g. AGPL clause 12) may suggest that it would void the whole licence, but I wouldn't be certain how German courts would consider it given these specific circumstances; a German lawyer might have a good idea, but I do not.
But in any case, contractual obligations are not an excuse for noncompliance with other legal requirements. If it does turn out that executing the order is incompatible with a particular license, then you must execute the order anyway and decide what's the best way to handle the consequences. Breaching a contract is a legally valid option as well, and in some cases that may even be the best option, if the expected liabilities/damages are less than the consequences of complying with it.
Tutanota's business is predicated on privacy, and on relying on open source. If the government requires them to disconnect from both, they are destroying the entire business. Imagine if they lost the right to use their FOSS systems because of this and the cost of starting a closed source replacement. Tutanota will already vanish overnight from every single privacy-respecting app list. They could get sued for misrepresentation also. Shouldn't the government at least be liable for compensating them for damages?
This is server-side code, so you handle this email address the same way you handle other secrets, like your database password: put them in configuration instead of hardcoding them.
With end-to-end encryption, where encryption happens in an open source client, this conflict would be more interesting.
Unless you can prove your running copy is the same as the provided code (which is pretty hard for server software), you can always keep a private forked copy with the backdoor and run that.