Add recomendations about open-source or not about documents HOT 12 CLOSED

@gscokart

I guess some people will trust it more if it is open sources, and other would trust it less. I don't know on which side will be the majority.

Why would people trust something less if it's open source?

from documents.

According to https://noyb.eu/en/data-protection-times-corona (and I agree):

People must be able to trust technology in the fight against the coronavirus, so that enough people will participate. This can be achieved by measures such as good data encryption, storage of data within the user's phones and the publication of the source code ("open source").

from documents.

More info about the need of having the implementations be free software:
https://fsfe.org/news/2020/news-20200402-02.en.html

from documents.

@kkoenen The Reproducible Builds project is a set of software development practices that create an independently-verifiable path from source to binary code.

from documents.

For those interested, here a walk-through of a free and open source implementation (using Zenroom) of the crypto inside DP-3T
https://medium.com/@jaromil/decentralized-privacy-preserving-proximity-tracing-cryptography-made-easy-af0a6ae48640

from documents.

Very much in support of OP. To make it a little more technical; what are the available best practices to verify (possibly at run-time) if a packaged iOS / Android app is based on a certain version of the published source? Or is 'verified publisher' the best horse to bet on wrt application integrity?

from documents.

dp-3t-client ( https://github.com/snakehand/dp-3t-client ) is FOSS portable Rust implementation. Rusts safety guarantees reduces the auditing burden, and a high level C library API is provided for interoperability. Rust also offers reproducible builds.

from documents.

A similar statement has been released in the Netherlands, signed by prominent civil rights defenders. In section 3:

De broncode van de applicatie en de overige infrastructuur is openbaar onder een vrije software licentie, zodat iedereen de werking van het systeem kan controleren.

Translates to:

The source code of the application and the other infrastructure is public under a free software license, so everybody can check the workings of the system.

from documents.

I'm usually in favor of opensource application, and I would personnally trust it more.
In this context, the major threat is a fork of the app. An that is much easier in opensource (ok, a mobile app is still easy to clone/modify). So I suspect even security specialist will have hard debate on the subject.

But at the end, seeing the urgency (and the limited time for education), it doesn't matter what the security specialist think, nor what IT geek think. What will matter is what journalists says, and what majority of non it people will trust better (and that, I don't know what it is).

from documents.

It was my understanding that a reference application will be developed which I’d assume would also be open source?

from documents.

I started implementing the crypto in Rust here https://github.com/snakehand/dp-3t-client - it is not compatible with the medium / Zenroom code yet , but I will make some adjustments to make it interoperable.

from documents.

Zenroom is a (FOSS) portable, isolated and deterministic execution environment of 1MB payload approx whose bytecode can be signed and versioned: it solves the problem when adopted for internal crypto and business logics.

from documents.