COVID19-Tracing/-Tracking App in Singapore under GPL-3.0

Sebastian Silva sebastian at fuentelibre.org
Sat Apr 11 03:09:06 UTC 2020


Thanks for sharing!

I just passed it on to a government mailing list in my country (Peru).

I did a quick search and found an article by the Singaporean government 
explaining their logic, which I shared also.

<https://www.tech.gov.sg/media/technews/six-things-about-opentrace>

Hope it helps!

Regards,
Sebastian

On Fri, 10 Apr 2020 at 15:52, Paul Boddie <paul at boddie.org.uk> wrote:
> On Friday 10. April 2020 12.00.34 Jan Wey. wrote:
>>  I was made aware of this just 5 minutes ago. Sorry, if this was already
>>  mentioned on this ML in the past few days.
>>
>>  Singapore decided to release their Tracing-App under GPL-3.0 [0], which
>>  obviously would establish better trust and would benefit other countries
>>  and regions as well, as the software (or parts of it) could be re-used,
>>  being in line with PMPC[1] as well as the FSFE's call to release any
>>  COVID19 Tracking App under a Free Software License.
> 
> [...]
> 
>>  [0] <https://github.com/opentrace-community>
>>  [1] <https://publiccode.eu/>
>>  [2] <https://fsfe.org/news/2020/news-20200402-02.html>
> 
> This is interesting to hear about! Reading the Norwegian news recently, it
> would appear that the "app" being developed for this country's public health
> agency will not be Free Software. Here's a reasonable Norwegian language entry
> point to the news coverage:
> 
> <https://www.nrk.no/norge/fhi-appen-smittestopp-gjennomgas-na-av-sikkerhetseksperter-1.14977918>
> 
> The justification for this is fairly weak:
> 
> <https://www.simula.no/news/digital-smittesporing-apen-kildekode>
> 
> One reason given is that making the source code available helps people with
> "hostile intent" to do bad things. Obviously, one can also argue that making
> the code available allows people with helpful intent to remedy the bad things
> that may be in the software, these being there through accident, questionable
> judgement or even malicious intent.
> 
> To justify their position, the case of the Heartbleed vulnerability is
> mentioned, with it being stated that the bug that caused it lingered for two
> years in Free Software without the anticipated scrutiny being brought to bear.
> Certainly, those who pitch "open source" largely as an efficiency or economic
> tool (the ones who talk about bugs and eyeballs) don't do the Free Software
> movement many favours by reducing the spectrum of benefits down to a single
> easy-to-sell metric of success.
> 
> But as we know, the real reason for things like Heartbleed occurring is the
> chronic underinvestment in Free Software by companies making colossal amounts
> of money using Free Software. These companies are happy to see "open source"
> in broad use, but they are not prepared to adequately invest in the
> maintenance and further development of the software. When the auditing
> audience is burned-out volunteers and bad guys, the situation is obviously not
> favourable to those wanting to see high reliability and security engineered
> into the code.
> 
> The fact is, however, that Free Software characteristics are largely
> orthogonal to how good any software might be. There is nothing to stop the
> best quality software being Free Software, and there is nothing to stop
> commercially "valuable" proprietary software being complete garbage. Sadly,
> academic and research institutions are often bamboozled by predatory
> "innovation" advocacy that equates value with scarcity and secrecy, leading to
> the hoarding of research benefits for application within privileged niches
> instead of helping to strengthen society at large.
> 
> With regard to the news article on the topic, there are various attempts at
> reassurance about how seriously the developers are taking the work. For
> example:
> 
> "Måten vi jobber på er nok veldig likt hvordan åpen kildekode-miljøet ville
> jobbet. Det er også den typen folk som sitter i gruppen, sier lederen av
> ekspertgruppen."
> 
> ("The way we work is probably rather like how the open source community would
> have worked. It is also this kind of people working in our group, says the
> leader of the expert group.")
> 
> In other words, a form of imitation of how Free Software developers might work
> is occurring based on a perception of a particular "kind of person". Seeing
> how well the industry tends to imitate various recommended practices more
> generally, typically failing in a burdensome way, I'm not sure how much
> confidence I would have from such reassurances.
> 
> Reassurances from the government also seem to be readily forthcoming:
> 
> "Vi vil selvfølgelig ikke lansere en løsning hvis det skulle vise seg at den
> ikke er sikker. Ekspertgruppens uavhengige vurdering vil selvsagt være viktig
> for oss i den sammenhengen, sier helseminister Bent Høie til NRK."
> 
> ("We would obviously not release a solution if there were indications that it
> wasn't secure. The expert group's independent assessment will, of course, be
> important for us in that regard, says health minister Bent Høie to NRK.")
> 
> I would take government reassurances more seriously if we hadn't previously
> heard lazy brushing aside of concerns about attacks on electoral processes and
> infrastructure by the prime minister. A while ago there were reports of
> intrusions and data breaches at one of the regional health providers, but all
> that seemed to emerge from that episode were vague "nothing to see here"
> claims from these ministers.
> 
> For more criticism, a Norwegian language article (and its comments) linked to
> from the above news article is somewhat worth reading:
> 
> <https://nrkbeta.no/2020/04/02/advarer-mot-a-installere-fhis-korona-app/>
> 
> Here, the Singapore application is mentioned along with indications that
> Germany may also take it into use. There also appear to be architectural
> differences between the way these applications work: centralised versus
> decentralised communication, for instance.
> 
> Fundamentally, Free Software means having control over the software we choose
> (or are asked to choose) to run on our devices. Denying us the ability to know
> what that software does is simply exploitative. It is rather telling that
> Simula - the developers of the Norwegian application - don't even dignify this
> fundamental aspect of Free Software in their response to criticism. And it is
> interesting that a country renowned for its surveillance and social control is
> more open about the technology it uses than a country that actively projects
> an entirely different image of itself to the rest of the world.
> 
> Paul
> 
> P.S. I find it also laughable that the following statement is paraded early on
> in the Simula article:
> 
> "Åpenhet og kunnskapsdeling er en del av ryggmargen vår."
> 
> ("Openness and knowledge sharing is an essential part of who we are.")
> 
> As far as I know Simula is part of the software patenting "innovation" circus
> in this country, which is fundamentally incompatible with true openness and
> sharing.