On Friday 10. April 2020 12.00.34 Jan Wey. wrote:
> I was made aware of this just 5 minutes ago. Sorry, if this was already
> mentioned on this ML in the past few days.
>
> Singapore decided to release their Tracing-App under GPL-3.0 [0], which
> obviously would establish better trust and would benefit other countries
> and regions as well, as the software (or parts of it) could be re-used,
> being in line with PMPC[1] as well as the FSFE's call to release any
> COVID19 Tracking App under a Free Software License.

[...]

> [0] https://github.com/opentrace-community
> [1] https://publiccode.eu/
> [2] https://fsfe.org/news/2020/news-20200402-02.html

This is interesting to hear about! Reading the Norwegian news recently, it would appear that the "app" being developed for this country's public health agency will not be Free Software. Here's a reasonable Norwegian language entry point to the news coverage:

https://www.nrk.no/norge/fhi-appen-smittestopp-gjennomgas-na-av-sikkerhetseksperter-1.14977918

The justification for this is fairly weak:

https://www.simula.no/news/digital-smittesporing-apen-kildekode

One reason given is that making the source code available helps people with "hostile intent" to do bad things. Obviously, one can also argue that making the code available allows people with helpful intent to remedy the bad things that may be in the software, these being there through accident, questionable judgement or even malicious intent.

To justify their position, the case of the Heartbleed vulnerability is mentioned, with it being stated that the bug that caused it lingered for two years in Free Software without the anticipated scrutiny being brought to bear. Certainly, those who pitch "open source" largely as an efficiency or economic tool (the ones who talk about bugs and eyeballs) don't do the Free Software movement many favours by reducing the spectrum of benefits down to a single easy-to-sell metric of success.

But as we know, the real reason for things like Heartbleed occurring is the chronic underinvestment in Free Software by companies making colossal amounts of money using Free Software. These companies are happy to see "open source" in broad use, but they are not prepared to adequately invest in the maintenance and further development of the software. When the auditing audience is burned-out volunteers and bad guys, the situation is obviously not favourable to those wanting to see high reliability and security engineered into the code.

The fact is, however, that Free Software characteristics are largely orthogonal to how good any software might be. There is nothing to stop the best quality software being Free Software, and there is nothing to stop commercially "valuable" proprietary software being complete garbage.

Sadly, academic and research institutions are often bamboozled by predatory "innovation" advocacy that equates value with scarcity and secrecy, leading to the hoarding of research benefits for application within privileged niches instead of helping to strengthen society at large.

With regard to the news article on the topic, there are various attempts at reassurance about how seriously the developers are taking the work. For example:

"Måten vi jobber på er nok veldig likt hvordan åpen kildekode-miljøet ville jobbet. Det er også den typen folk som sitter i gruppen, sier lederen av ekspertgruppen."

("The way we work is probably rather like how the open source community would have worked. It is also this kind of people working in our group, says the leader of the expert group.")

In other words, a form of imitation of how Free Software developers might work is occurring based on a perception of a particular "kind of person". Seeing how well the industry tends to imitate various recommended practices more generally, typically failing in a burdensome way, I'm not sure how much confidence I would have from such reassurances.

Reassurances from the government also seem to be readily forthcoming:

"Vi vil selvfølgelig ikke lansere en løsning hvis det skulle vise seg at den ikke er sikker. Ekspertgruppens uavhengige vurdering vil selvsagt være viktig for oss i den sammenhengen, sier helseminister Bent Høie til NRK."

("We would obviously not release a solution if there were indications that it wasn't secure.
The expert group's independent assessment will, of course, be important for us in that regard, says health minister Bent Høie to NRK.")

I would take government reassurances more seriously if we hadn't previously heard lazy brushing aside of concerns about attacks on electoral processes and infrastructure by the prime minister. A while ago there were reports of intrusions and data breaches at one of the regional health providers, but all that seemed to emerge from that episode were vague "nothing to see here" claims from these ministers.

For more criticism, a Norwegian language article (and its comments) linked to from the above news article is somewhat worth reading:

https://nrkbeta.no/2020/04/02/advarer-mot-a-installere-fhis-korona-app/

Here, the Singapore application is mentioned along with indications that Germany may also take it into use. There also appear to be architectural differences between the way these applications work: centralised versus decentralised communication, for instance.

Fundamentally, Free Software means having control over the software we choose (or are asked to choose) to run on our devices. Denying us the ability to know what that software does is simply exploitative. It is rather telling that Simula - the developers of the Norwegian application - don't even dignify this fundamental aspect of Free Software in their response to criticism.

And it is interesting that a country renowned for its surveillance and social control is more open about the technology it uses than a country that actively projects an entirely different image of itself to the rest of the world.

Paul

P.S. I find it also laughable that the following statement is paraded early on in the Simula article:

"Åpenhet og kunnskapsdeling er en del av ryggmargen vår."

("Openness and knowledge sharing is an essential part of who we are.")

As far as I know Simula is part of the software patenting "innovation" circus in this country, which is fundamentally incompatible with true openness and sharing.