-
Aha, further down in that issue:
Hello all - and thank you for your patience.

The app is still being actively developed in our private GitHub repos. We're learning from all your comments, along with the security issues raised through HackerOne.

At the moment, all of our effort is going into building, refining, and testing the app. The development team is focused solely on that.

Preparing the app for an open source release takes time. We have to make sure that all secrets and keys have been redacted, that all developers' personal details have been removed, that the git history doesn't contain anything untoward, that we haven't accidentally done something to compromise security, that the licence files are correct etc.

Additionally, it's difficult to code in the open on a high-profile project like this. We want to give our developers the space to work safely and effectively.

My job is to make sure that the source code gets released alongside the public binary - and that it is released under a FOSS licence. I'm working as hard as I can to achieve that goal.

Thank you all for holding us to account over this.
That's not what I'd call Open Source, and it means that if having the code in the open is a factor in whether you would install the app or not, I think you should treat it as closed source. But I'm perhaps just a paranoid nutter on the Internet.
-
I don't think it's a paranoid worry. I understand what the guy is saying about protecting his devs, and Occam's razor suggests that it's likely the true explanation.
However, in my mind his/her explanation should just mean that stuff isn't pushed publicly - not that the app is released anyway without a public code review available.
I've never done open source dev though - I could easily be wrong about how it's done. This isn't a game changer for me in any case as I never would have installed it, but it's a point of interest.
This popped up a while ago - that they were releasing versions that weren't the same as the one in Git - I assume the fear was that the open sourcing of it was in name only.
https://github.com/nhsx/COVID-19-app-Android-BETA/issues/49
I didn't really follow it up - it looks like there have been pushes recently so maybe it's no longer a valid gripe. Personally I simply don't trust them to either produce something ethically, to not use the data improperly or (even if done properly) to act on it effectively and impartially.