this post was submitted on 15 Jul 2024
1988 points (99.6% liked)


Switzerland mandates all software developed for the government be open sourced

Switzerland mandates software source code disclosure for public sector: A legal milestone

https://joinup.ec.europa.eu/collection/open-source-observatory-osor/news/new-open-source-law-switzerland

@[email protected]

#tech #libre

[–] bassomitron 41 points 5 months ago (3 children)

This makes me curious in the US on whether or not government app source code would be provided via a FOIA request.

[–] timewarp 47 points 5 months ago (2 children)

You'd think so, but the answer is no. They've employed companies like Microsoft, Oracle, etc. to write up the security handbooks that say proprietary software is more secure. Heck, even electronic voting systems in the US are closed-source.

[–] [email protected] 40 points 5 months ago (1 children)

Security by obscurity, the 100% least effective security measure! Wait, what? MS left the government knowingly vulnerable for years for the shareholders?! That's some good security right there!

[–] cmhe -3 points 5 months ago (1 children)

I don't agree with the generalization here. Sure, it is generally advisable not to rely on security through obscurity, but depending on the use-cases and purpose it can be effective.

I dislike DRM systems with a passion, but they, especially those for video games like Denuvo, can be quite effective, if the purpose is to protect against copying something for a short time until it gets cracked.

Otherwise I agree that software developed in the open is intrinsically more secure, because it can be verified by everyone.

However, many businesses and governments like to have support contracts, so they want to be able to sue and blame someone other than themselves if something goes wrong. This is in most cases easier with closed source products with a specific legal entity behind them, not a vague and loose developer community or even just a single developer.

[–] [email protected] 4 points 5 months ago (1 children)

However, many businesses and governments like to have support contracts

What I don't get is that governments can have their own in-house IT, and so can moderately large companies and up, so why the blame-shifting game?

If I'm a customer and your software blows up in my face, I will not care that "it's not our fault, it's our contractors'."

[–] [email protected] 3 points 5 months ago

They don't care about what their customers think. It's about criminal and civil liability.

[–] [email protected] 20 points 5 months ago (3 children)

Heck, even electronic voting systems in the US are closed-source.

How can elections even be trusted to be fair in that case?

[–] NotMyOldRedditName 11 points 5 months ago* (last edited 5 months ago)

I think we're well past the open/closed discussion when hackers have repeatedly shown how easy it is to compromise the voting machines.

We know they're trash, it's not theory.

[–] timewarp 11 points 5 months ago (3 children)

Simply, you can't. I'm personally all for an open source alternative for electronic voting. I can bank online, but not vote online. I'd trust an open source online voting platform more than I'd trust poll workers to not skew some votes. I'd also like to be able to track my vote and ensure it was cast for the person I voted for.

[–] [email protected] 6 points 5 months ago (1 children)

Banking is completely different from voting from a security point of view. None of the parties in a bank transaction are anonymous, and there are numerous ways to retry or roll back a transaction. Computerized voting is more like cryptocurrency. 😝

[–] [email protected] 1 points 5 months ago

Computerized voting is more like cryptocurrency. 😝

Like it, but worse

[–] Fedizen 3 points 5 months ago* (last edited 5 months ago) (1 children)

You can't have a secret ballot and have a secure, auditable online vote. One of the problems of social media is it has created enemy lists for authoritarian states.

[–] [email protected] 2 points 5 months ago (1 children)

You kind of can. Depends how fully auditable you want, but you can have cryptographically anonymized entries, that (I believe?) could even allow the original voter to track their vote, without enabling anyone else to track the vote back to the voter.

It's a different project, but GNU Taler has some interesting work on anonymized but not forgeable money transactions.
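
Added example, not part of the thread and not code from GNU Taler or any commenter: a Chaum-style RSA blind signature scheme, which is the primitive behind the "anonymized but not forgeable" tokens described above. The election authority authenticates a voter and signs a blinded ballot token it cannot read; the voter removes the blinding, then posts token, signature and choice over an anonymous channel. Anyone can verify the signature, the authority cannot match a posted token to the voter it signed for, and the voter can later find their own token on the public board and see what was recorded. The key (two Mersenne primes), the truncated hash, the electoral roll and the voter names are all constructed for the demo.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key built from two Mersenne primes so the demo has no dependencies.
# Constructed for illustration only: ~216-bit modulus, textbook RSA, truncated
# hash. A real deployment needs a 3072-bit+ key and a proper blind RSA-FDH/PSS
# encoding (see RFC 9474), not this.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def fdh(token: bytes) -> int:
    """Map a ballot token to an integer below N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest()[:24], "big")


def blind(token: bytes) -> tuple:
    """Voter side: hide fdh(token) behind a random factor r before the authority sees it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (fdh(token) * pow(r, E, N)) % N, r


def sign_blinded(blinded: int, on_roll: bool) -> int:
    """Authority side: check eligibility, then sign a value it cannot read."""
    if not on_roll:
        raise PermissionError("voter is not on the electoral roll")
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Voter side: strip r; what remains is an ordinary RSA signature on fdh(token)."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Anyone: confirm the authority signed this token. No voter identity is needed."""
    return pow(sig, E, N) == fdh(token)


def run_election_demo() -> dict:
    """Walk two eligible voters and one ineligible voter through the protocol."""
    roll = {"alice": True, "bob": True, "mallory": False}   # constructed roll
    choices = {"alice": "candidate A", "bob": "candidate B"}
    authority_log = []   # everything the authority ever sees: (voter, blinded value)
    board = {}           # public bulletin board: token -> (signature, choice)
    receipts = {}        # each voter keeps their own token privately

    for voter in ("alice", "bob"):
        token = secrets.token_bytes(16)
        blinded, r = blind(token)
        authority_log.append((voter, blinded))
        sig = unblind(sign_blinded(blinded, roll[voter]), r)
        # Token, signature and choice are posted over an anonymous channel.
        # The board refuses a second ballot carrying an already-used token.
        if token not in board and verify(token, sig):
            board[token] = (sig, choices[voter])
        receipts[voter] = token

    # An ineligible voter cannot obtain a signature at all.
    try:
        blinded, _ = blind(secrets.token_bytes(16))
        sign_blinded(blinded, roll["mallory"])
        ineligible_rejected = False
    except PermissionError:
        ineligible_rejected = True

    # A ballot without a valid signature fails verification by anyone.
    forged_rejected = not verify(b"forged token", 12345)

    # Unlinkability: the authority's log holds neither the token hashes nor
    # the final signatures, so it cannot pair board entries with voters.
    seen = {value for _, value in authority_log}
    unlinkable = all(fdh(t) not in seen and s not in seen for t, (s, _) in board.items())

    return {
        "all_verified": all(verify(t, s) for t, (s, _) in board.items()),
        "ballot_count": len(board),
        "alice_sees_vote": board[receipts["alice"]][1],
        "forged_rejected": forged_rejected,
        "ineligible_rejected": ineligible_rejected,
        "unlinkable": unlinkable,
    }


if __name__ == "__main__":
    for key, value in run_election_demo().items():
        print(f"{key}: {value}")
```

What this does and does not buy: it stops forged ballots, double use of one token, and the authority linking a ballot to a voter. It says nothing about coercion. The very receipt that lets a voter find their ballot on the board is something a coercer can demand to see, so real end-to-end verifiable designs go to some lengths to make receipts that cannot prove to anyone else how you voted.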

[–] [email protected] 1 points 5 months ago

The issue with online voting, no matter what you do, is that someone can force you under threat of violence to vote for a specific candidate, and watch to make sure you do it. Complete privacy in the voting booth is paramount to ensuring that everyone can vote freely.

[–] [email protected] 2 points 5 months ago

The biggest vulnerability for online voting stands behind the voter.

[–] [email protected] 2 points 5 months ago

By claiming that everyone who does not trust it is a ~~communist~~ Trumpist.

[–] [email protected] 12 points 5 months ago (1 children)

Generally, works of the US government are public domain.

However, most apps are produced on contract with development companies, and I expect the contract specifies that the rights remain with the developer.

[–] cybersandwich 9 points 5 months ago* (last edited 5 months ago) (1 children)

They explicitly do not, at least with every US federal contract I've ever seen. The govt owns the code that is written full stop.

[–] [email protected] 3 points 5 months ago (1 children)

As someone who works with and knows several military contractors, I've never heard of the US taking ownership of any code written. In fact, most of what they're paying for is for companies to extend software they've already written to better fit the government's use case, such that even if the government owned the new improvements, that code wouldn't function without the base application that pre-dates a government contract.

[–] cybersandwich 4 points 5 months ago* (last edited 5 months ago)

It depends on the software and situation of course, but if you are paying a contractor to develop/write a solution for you aka "government built" then the contractor that writes the code owns 0 of that code. It's as if it was written by Uncle Sam himself.

Now, if the government buys software (licenses), the companies will retain ownership of their code. So if Uncle Sam bought ServiceNow licenses, the US doesn't "own" ServiceNow. If ServiceNow extended capability to support the govt, the US still doesn't own the license or that code in most cases.

Sometimes the government will even pay for a company to extend its software and that company can then sell that feature elsewhere. The government doesn't get any benefit beyond the capability they paid for, i.e. they don't own that code. That can work to the government's benefit though, because it can be used as a price negotiation point: "We know you can sell this feature to 50 different agencies if you develop it for us, so we only want to pay 25% of what you priced it at."

But like I said, if it's a development contract and the contractors build an app for the government, all of the contracts I've ever seen have Uncle Sam owning it all. The govt could open source it if they wanted and the contractor would have no say.

That's what we call GOTS products https://en.m.wikipedia.org/wiki/Government_off-the-shelf#:~:text=Government%20off%2Dthe%2Dshelf%20(,for%20which%20it%20is%20created.

Vs COTS:

https://en.m.wikipedia.org/wiki/Commercial_off-the-shelf

With COTS, that's where you'd see the ownership (depending on the contract/license agreement of course) remain with the vendor.

[–] satanmat 6 points 5 months ago

Short version: no

Long version: I'm pretty sure; no. I believe that tools used, like apps, would not be subject to FOIA.

I deal with public records requests at work… email, documents etc. sure thing, but I’m pretty sure that the AG would laugh at you requesting the source code for apps we use.

I could only wish that we were mandated to use only open source software.