It's a pretty low risk if you don't put your identity out there. I know there's at least one Git forge that's a Tor onion service. Even on GitHub 99% of the time this ends with a DMCA takedown of the repository. You should probably put it on a pseudonymous alt account but you don't actually need to use a Tor onion service.

You could also get someone else to put their name on the web hosting and so on. Don't know who exactly, but there are a lot more people willing to take legal risk of having reverse-engineered an FPGA toolchain, than people who can reverse-engineer an FPGA toolchain. Doing the work is what's most important, and the rest can be figured out later. But you don't even see that. You don't see people being like "I reverse-engineered Vivado but I won't give you a copy because I could get sued."

"Doing the work is what's most important, and the rest can be figured out later."

I would say for most people his means they won't start the work if they don't know whether there is a way. Also most people like to get credit for their work. So the number of people capable AND willing to work without getting credit is low. And that is not surprising to me.

It is not my skill set, but I certainly would not invest much into something like this.

> You don't see people being like "I reverse-engineered Vivado but I won't give you a copy because I could get sued."

Eh, not Vivado, but back in my undergrad days I RE/cracked a tool used in a very specific niche and definitely kept my mouth shut as the developers could a) do some investigation and then sue me, a student without any legal budget to spare; b) improve copy protection on future releases; and/or c) prevent my access to future versions of the tool that I was using for my thesis.

On other threads about Denuvo you always see somebody saying they've got the chops but the risk to their livelihoods is not worth it.

I think there are a lot of (now) hobbyist reverse-engineers that learned the craft back in the day and kept the knowledge for themselves.