On May 12, that is, yesterday, the government officially released part of the source code for StopCovid, the mobile contact-tracing application that is supposed to help during the second phase of the exit from lockdown.
Experts were quick to point out that the bits of code made available were simply useless. This has led to controversy over the ability to access the entire source code.
On April 8, a month ago, Mr. Cédric O, the Secretary of State for Digital Affairs, promised that the application's source code would be "public, auditable by anyone." After that declaration, nothing was published until May 12. The platform chosen for the publication is GitLab, an alternative to Microsoft's GitHub. "As the government has committed, the project team is starting the release of the source code and documentation of the StopCovid application. The rest soon!" Secretary Cédric O wrote on Twitter, praising the government's promise in his own way. He then took the opportunity to share the GitLab link.
For the moment, the reactions range between disappointment, derision and anger, at least until the rest of the source code is published, because the reviews are more than negative. The code posted online is considered totally useless and empty. Experts say they will not be able to work on it because it is impossible to analyze the application's instructions. The replies to the digital secretary's messages highlighted this problem: "This is not the source code of the application, only the Robert protocol," noted the first commenter. "Beautiful transparency: no application source code, just documentation… revisions," added a second. "No sources available for the server backend," observed a third. "There's nothing at all, it's a helloWorld, nothing more… it's not even an app, it's bits of code from the beginning of a project," concluded the last. As for the Robert protocol, which had been published previously, the experts who had commented on it and proposed amendments could not verify whether their input had been taken into account. Olivier Blazy, senior lecturer and cryptography expert, put it this way: "We will have to play the game of spot-the-7-differences to see if the problems reported several weeks ago have been patched."
Despite the uproar and criticism, the situation may change in the coming weeks or even days. In defense of the team in charge of developing the application, one could say that it prefers to proceed step by step. But this is not well received by specialists and others following the story, because the approach looks too much like political communication that brings nothing concrete. Especially since deployment is scheduled for June, in other words in a few weeks. That would not leave enough time for a thorough analysis of the source code, even if it were published in the coming days, nor for feedback on the imperfections that would need to be fixed before deployment.
This first publication raised another problem. If the application was supposed to be open source, that is, verifiable and auditable by anyone, the publication nonetheless stated that certain parts of the StopCovid code will not be shown to the public and will remain confidential. This was announced by the institute in charge of the project, INRIA (National Institute for Research in Computer Science and Automation). The institute's argument is that the part that will remain confidential is a set of elements concerning the security of the infrastructure. This is, of course, entirely at odds with what had been planned from the start, in line with the recommendations and requirements of government and European agencies. Indeed, the National Agency for the Security of Information Systems (ANSSI) noted that "all work carried out under the StopCovid project will be published under open source license to ensure continuous improvement of the device and the correction of possible vulnerabilities" and that methods of "obfuscation of the code", in other words means of hiding code, should be avoided. Along these lines, Guillaume Poupard, the director of ANSSI, said after the first publication of the source code: "In the strict field of digital security, if you want to be able to do this cleanly, it means that the application that is going to be put on the phones must be well designed, clean and trustworthy. This means that it must be well developed, audited and transparent, with the publication of the content of this code."