Since my last reply was generic (I kept scrubbing details that non-developers would fail to grasp), I'm posting this in reply to each of your points. They are good points, and good questions.
1) The organization is specifically designed for security.
I'm glad you asked, because I feel partly responsible for this architecture and am proud of the results so far. First, the foundation/association that accepts cash from donors is totally separate from the non-profit that maintains the code. The CipherShed project will not take money from anyone, not even truecrypt.ch, other than perhaps to cover minor project expenses such as hosting. No one will be paid other than to reimburse out-of-pocket expenses for such things. I have seen money have a corrupting influence in crypto, and we wont stand for it here! Our structure instead is similar to how the Apache Foundation, which accepts donations, supports the Apache HTTP Server Project, which does not.
Second, there is a separate audit organization, Open Crypt Audit. It's technical advisory board even includes Bruce Schneier, and the founders, like Matthew Green are very impressive. To date, the CipherShed team has avoided becoming buddies with anyone in the Audit team to help prevent any influence on the auditors. However, multiple CipherShed members, including me, have carefully read the Phase I Audit Report, and I can tell you that if any outside organization tried to cause the audit to be low quality, they failed. If they can continue to produce products like the Phase I report, they will quickly build trust world-wide.
The third organization is the truecrypt.ch association, which is likely to announce a non-infringing name soon. Led by Jos, I have confidence this team will build a world-class funding organization that will not only benefit the guys who need to pay professional cryptanalysts, like Open Crypt Audit, but also help fund fixing/securing various key FOSS packages that we all depend on - I wont name them, but you know the ones that need help. Based in Switzerland, they are building a culture of independence from government influence. After all, Jos used to be Vice President of the Pirate Party
The structure of the CipherShed team will evolve over time, and is rapidly evolving right now as I write this. Formally, it is a world-wide non-profit collaboration of individual contributors. We're taking many ideas from Apache, and have elected a Project Management Committee to manage the project, consisting initially of the seven people listed on this page. PMC members are non-anonymous, which is a whole separate discussion, but it is a generous sacrifice on their part.
Critically, IMO, there is a 4 person sub-committee called the Security Team, who was elected by the PMC. The ST is tasked with insuring security above any other CipherShed goal. Any code changes must be carefully reviewed by at least 3 of the 4 ST members. Members were chosen for their experience in reviewing such code. Over time, we will change the makeup of the PMC (CipherShed community members get to vote for them, at least once a year, possibly sooner in the beginning). They will similarly vote for security team members who may change from time to time. However, I can tell you that the primary concern, at least publicly, of every PMC member is to choose ST members they can trust to protect and enhance the security of the CipherShed fork.
If you have any ideas for how to improve this overall structure to enhance security, I would love to hear them. I think this is a critical issue high in everyone's mind.
2) We have decided for the PMC and ST members to be non-anonymous, but to respect each contributor's privacy to some extent. We require participation by voice so we can learn to recognize each other, even by phone. I personally dabble as a side hobby in identifying voice characteristics, because of work I did to help accelerate speech to speeds the blind need, up to about 6X speed up. By the way, Google WaywardGeek if you want to learn about me. Even after only a few hours of on-line conversation, I do not believe I could be fooled by someone pretending to be one of our PMC members. The combination of being able to very carefully imitate a voice and also have knowledge similar to a specific PMC member is too difficult to fake. This also makes it impossible for a single NSA agent to pretend to be more than one PMC member, thus having more power to control voting and be disruptive.
We are getting to know each member as they present themselves over time. Some things are harder to fake than others. When one PMC member's little brother yelled a typical little brother rant at him in the background, it lent very strong evidence that he lives as claimed, and is too young to be an experienced NSA plant. Mentally, I'm checking off who I believe is unlikely a professional skilled NSA plant one by one as I get to know a bit about their real lives. With one possible exception (and I'm not going to tell you which one), I think I can mentally cross off every PMC member soon, though I don't expect you to take my word for it. I feel the remaining person could be both who he claims as well as an experienced spy at the same time. Not so much with the others. Feel free to review not just our code, but also the PMC members, and especially ST members (myself, Frank, Jason, and Chris).
I frankly don't know how we could ever vet a person to the point that we could blindly trust him. Even if he's trustworthy today, he may be bribed or blackmailed tomorrow. I like to joke that I could be turned by either $1M or being tamed by a hot spy chick, and preferably both I also tell the team that if the MiB show up at my door, I intend to cooperate, because I don't need any trouble from them. Personally, I think we have to assume the worst - or in the case of my $1M and hot spy, the best
The point of all this is that we can never trust any single PMC or ST member, but we hope to build trust in the team. So, we're watching each other like hawks. We could do as you suggest and demand financial records and such, but that's not going to detect the fact that the MiB just showed up at one of our doors, and since the hot spy chick pays for everything, it wont show up in my financials!
3) Our best protection against NSLs and such may be having PMC members world-wide, including Germany, Taiwan, England, and I think others. Obviously, we want to increase that diversity even more, and hopefully take advantage of our connection with truecrypt.ch for some Swiss protection. For example, we hope to host our binary downloads in Switzerland, courtesy of truecrypt.ch and the ISP donating their servers. Rather than maintain warrant canaries, we plan to have monthly voice meetings. If one of us is being threatened, they will have to hide that in their voice, which can be challenging. When one of us is compromised, any of the rest of us who notice will raise the alarm, and in plain words, not some cryptic message. Some of us (not me) say they will fight an NSL in court, and may even go the route that the LavaBit guy went, letting everyone know what really happened. Some of these FOSS guys are fanatics that way, and frankly, we need them.
I think we mostly agree that warrant canaries will not defend against blackmail, threats, a $1M bribe, or a hot spy. We'll count on keeping close tabs on each other instead, and hope that one of us has time to raise an alarm. Do we need a secret phrase? How about this one. You'll know to run for the hills if I ever ask anyone, "So, did anyone try to stick a cigarette up your hole lately?" That should be funny to about 10 other people who know the story...
4) We use git, on github, sign all master branch commits, and we use github's issue tracker. If someone with a Ph.D. in IT systems designed to thwart government subversion shows up claiming to be an expert in the various complex IT systems he says we have to use, I may have to kill him.
5) We already had that leadership crisis. How do you think CipherShed started? When you stand up and say we have to start all over because the leaders aren't the security experts I want to follow, you wind up building a culture that wont let leadership get in the way. We're modeling the effort somewhat after Apache, as a meritocracy. Guys like me wont tolerate fools in charge who can ruin the project. I'm too old for that.
There were no "secret negotiations". Jos simply prefers to talk rather than doing email back and forth on the list. I can understand that, seeing how his first approach of posting now and then to the forum didn't work out well. I think he needs the instant feedback that you get by voice to adjust what he is trying to say, partially to compensate for his English and any misunderstanding when talking to big geeks.
There were some basic disagreements, and being open-source, we forked the project rather than resolve them. However, what that enabled was CipherShed to distance itself from the organization that takes donations, put in place a security focused development process, and enabled rapid progress without having to consult lawyers at every step. I was a bit of an ass at the time, but I think Jos would agree that it worked out for the best.
6) Of course it will be audited! Please support truecrypt.ch to enable that to happen often and in-depth!