On Friday 10. April 2020 12.00.34 Jan Wey. wrote:
> I was made aware of this just 5 minutes ago. Sorry if this was already
> mentioned on this ML in the past few days.
> Singapore decided to release their Tracing-App under GPL-3.0 [0], which
> obviously would establish better trust and would benefit other countries
> and regions as well, as the software (or parts of it) could be re-used,
> being in line with PMPC[1] as well as the FSFE's call to release any
> COVID19 Tracking App under a Free Software License.
> [...]
> [0] https://github.com/opentrace-community
> [1] https://publiccode.eu/
> [2] https://fsfe.org/news/2020/news-20200402-02.html
This is interesting to hear about! Reading the Norwegian news recently, it
would appear that the "app" being developed for this country's public health
agency will not be Free Software. Here's a reasonable Norwegian language entry
point to the news coverage:
https://www.nrk.no/norge/fhi-appen-smittestopp-gjennomgas-na-av-sikkerhetseksperter-1.14977918
The justification for this is fairly weak:
https://www.simula.no/news/digital-smittesporing-apen-kildekode
One reason given is that making the source code available helps people with
"hostile intent" to do bad things. Obviously, one can also argue that making
the code available allows people with helpful intent to remedy the bad things
that may be in the software, these being there through accident, questionable
judgement or even malicious intent.
To justify their position, the case of the Heartbleed vulnerability is
mentioned, with it being stated that the bug that caused it lingered for two
years in Free Software without the anticipated scrutiny being brought to bear.
Certainly, those who pitch "open source" largely as an efficiency or economic
tool (the ones who talk about bugs and eyeballs) don't do the Free Software
movement many favours by reducing the spectrum of benefits down to a single
easy-to-sell metric of success.
But as we know, the real reason for things like Heartbleed occurring is the
chronic underinvestment in Free Software by companies making colossal amounts
of money using Free Software. These companies are happy to see "open source"
in broad use, but they are not prepared to adequately invest in the
maintenance and further development of the software. When the auditing
audience is burned-out volunteers and bad guys, the situation is obviously not
favourable to those wanting to see high reliability and security engineered
into the code.
The fact is, however, that Free Software characteristics are largely
orthogonal to how good any software might be. There is nothing to stop the
best quality software being Free Software, and there is nothing to stop
commercially "valuable" proprietary software being complete garbage. Sadly,
academic and research institutions are often bamboozled by predatory
"innovation" advocacy that equates value with scarcity and secrecy, leading to
the hoarding of research benefits for application within privileged niches
instead of helping to strengthen society at large.
With regard to the news article on the topic, there are various attempts at
reassurance about how seriously the developers are taking the work. For example:
"Måten vi jobber på er nok veldig likt hvordan åpen kildekode-miljøet ville
jobbet. Det er også den typen folk som sitter i gruppen, sier lederen av
ekspertgruppen."
("The way we work is probably rather like how the open source community would
have worked. It is also that kind of people who are in the group, says the
leader of the expert group.")
In other words, a form of imitation of how Free Software developers might work
is occurring based on a perception of a particular "kind of person". Seeing
how well the industry tends to imitate various recommended practices more
generally, typically failing in a burdensome way, I'm not sure how much
confidence I would have in such reassurances.
Reassurances from the government also seem to be readily forthcoming:
"Vi vil selvfølgelig ikke lansere en løsning hvis det skulle vise seg at den
ikke er sikker. Ekspertgruppens uavhengige vurdering vil selvsagt være viktig
for oss i den sammenhengen, sier helseminister Bent Høie til NRK."
("We would obviously not release a solution if there were indications that it
wasn't secure. The expert group's independent assessment will, of course, be
important for us in that regard, says health minister Bent Høie to NRK.")
I would take government reassurances more seriously if we hadn't previously
heard lazy brushing aside of concerns about attacks on electoral processes and
infrastructure by the prime minister. A while ago there were reports of
intrusions and data breaches at one of the regional health providers, but all
that seemed to emerge from that episode were vague "nothing to see here"
claims from these ministers.
For more criticism, a Norwegian language article (and its comments) linked to
from the above news article is somewhat worth reading:
https://nrkbeta.no/2020/04/02/advarer-mot-a-installere-fhis-korona-app/
Here, the Singapore application is mentioned along with indications that
Germany may also take it into use. There also appear to be architectural
differences between the way these applications work: centralised versus
decentralised communication, for instance.
Fundamentally, Free Software means having control over the software we choose
(or are asked to choose) to run on our devices. Denying us the ability to know
what that software does is simply exploitative. It is rather telling that
Simula - the developers of the Norwegian application - don't even dignify this
fundamental aspect of Free Software in their response to criticism. And it is
interesting that a country renowned for its surveillance and social control is
more open about the technology it uses than a country that actively projects
an entirely different image of itself to the rest of the world.
Paul
P.S. I find it also laughable that the following statement is paraded early on
in the Simula article:
"Åpenhet og kunnskapsdeling er en del av ryggmargen vår."
("Openness and knowledge sharing are an essential part of who we are.")
As far as I know, Simula is part of the software patenting "innovation" circus
in this country, which is fundamentally incompatible with true openness and
sharing.
_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion
This mailing list is covered by the FSFE's Code of Conduct. All
participants are kindly asked to be excellent to each other:
https://fsfe.org/about/codeofconduct