Tech Help! Can someone help verify the accuracy of the Aarogya Setu source code that's been made public?

Hey folks, @Devdutta sent this tweet to the office group today -

https://twitter.com/asdofindia/status/1266566128496553984?s=20

It made me wonder if there was any way to cross-check the code that was made open source. One of my friends said that something called reproducible builds can help compare the code against what’s coming from the Play Store and verify the two are the same.

Could anyone here help us confirm this?

4 Likes

With my limited understanding of this problem, I had hinted about similar potential problems in THIS POST earlier. There is no way to prove the veracity of this code given -

  1. it is a wrapper on another website
  2. it cannot be compiled and run without the server components which have not yet been released

I really hope the government has not released a fake code though because it WILL eventually get detected and what will they blame it on then - a politically motivated fraud?

5 Likes

Yesterday they merged more code from private repository into the public repository. I made a comparison.

3 Likes

Hi Akshay - Many thanks!
One question about the Google storage bucket that has now been dropped - I may be wrong, but I think that these bucket permissions can allow data sharing with multiple users, including up to public. Any idea what this bucket was being used to store earlier?

1 Like

Hi Akshay,

Thanks for analysing the code and the video. I believe the Govt. has released more like a clone of the repo, which is being updated with latest code as it gets developed, which seems okay.

The best way to check IMO, would be if we can compare the source code on github against the source code from reverse engineered APK. Correct me if I am wrong.

Thanks.

1 Like

@shubhamjain0594 That’s exactly what Akshay did in the video he posted above. He compared the source uploaded on Github against the one he obtained from reverse-engineering the Aarogya Setu app on the Play Store.

What he found was exactly what you have said: they are using a private repo for the actual code, and releasing the code to the public repository from time to time. Also, there seem to be minor changes between the two, which says to me they’re being careful about what they release to the public repository. This is not exactly open source, but this is what we’re getting in the end.

1 Like
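The comparison discussed in the two posts above (GitHub source versus source recovered from the Play Store APK) can be scripted once both trees are on disk. The block below is an added example, not code from the Aarogya Setu repository or from any participant in this thread. It assumes the APK has already been decompiled to Java sources by some external tool (that step is not performed here), and it constructs two small sample trees in a temporary directory to stand in for the public checkout and the decompiled output; file names and contents are made up for illustration. Files are hashed after normalising line endings and trailing whitespace, so a purely cosmetic reformat by the decompiler is not reported as a code change.

```python
"""Compare two source trees file by file using SHA-256.

Added example, not code from the Aarogya Setu repository or from any poster
in this thread. The directory layout and file contents used by
build_sample_trees() are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Build products and decompiler intermediates that carry no information for a
# source-level comparison (assumption: adjust to the project being checked).
IGNORED_SUFFIXES = (".class", ".dex", ".smali", ".apk")
IGNORED_DIRS = {".git", "build", ".gradle"}


def _normalise(data: bytes) -> bytes:
    """Normalise line endings and trailing whitespace so a cosmetic
    reformat does not register as a code change."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\n".join(line.rstrip() for line in lines)


def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to the SHA-256
    of its normalised content, skipping ignored directories and suffixes."""
    root = Path(root)
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        for name in filenames:
            if name.endswith(IGNORED_SUFFIXES):
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(_normalise(path.read_bytes())).hexdigest()
    return digests


def compare_trees(published, recovered):
    """Report files only in the published tree, only in the recovered tree,
    present in both with different content, and present in both unchanged."""
    a = hash_tree(published)
    b = hash_tree(recovered)
    common = set(a) & set(b)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_recovered": sorted(set(b) - set(a)),
        "differing": sorted(p for p in common if a[p] != b[p]),
        "identical": sorted(p for p in common if a[p] == b[p]),
    }


def build_sample_trees():
    """Construct two small trees mimicking the situation described in the
    thread: mostly the same code, one file changed, one file absent from the
    public repo. Everything here is constructed sample data."""
    base = Path(tempfile.mkdtemp())
    pub = base / "github_checkout"
    rec = base / "apk_decompiled"
    files = {
        "app/src/main/java/Main.java": b"class Main {\n  int x = 1;\n}\n",
        "app/src/main/java/Util.java": b"class Util {}\n",
        "app/src/main/java/Secret.java": b"class Secret { String key = \"demo\"; }\n",
    }
    for rel, content in files.items():
        for root in (pub, rec):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
    # The public repo omits one file; the recovered Main.java differs in code.
    (pub / "app/src/main/java/Secret.java").unlink()
    (rec / "app/src/main/java/Main.java").write_bytes(
        b"class Main {\r\n  int x = 2;  \r\n}\r\n")
    # Util.java differs only in line endings and trailing spaces: must match.
    (rec / "app/src/main/java/Util.java").write_bytes(b"class Util {}  \r\n")
    return str(pub), str(rec)


def demo():
    """Run the comparison on the constructed sample trees and return the report."""
    pub, rec = build_sample_trees()
    return compare_trees(pub, rec)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Two caveats for anyone applying this to a real APK: decompiled Java is a reconstruction, so identifier names and formatting can legitimately differ from the original source even when the logic is identical, and a file reported as "differing" still needs a manual diff before drawing conclusions; and this is a source-level check, not a reproducible build, which would instead build the published source with the published toolchain and compare the resulting APK contents byte for byte against the Play Store artefact.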

@alkalox This is not uncommon. Many big companies do this with their open source projects. The definition of open source doesn’t exclude this behavior. They do this to avoid leaking keys, minor bugs, legal problems, private discussion, flattening history or squashing to make it easier to navigate and so on.

2 Likes

Now, we might not know who made the app? While rsprasad did claim that it wasn’t outsourced to a private operator, it’s important to know who it was :popcorn:

https://twitter.com/LiveLawIndia/status/1321344902471450624

Unsurprising given there has been a disappointing lack of proper disclosure in the past: https://twitter.com/internetfreedom/status/1265546608328028161?s=20

1 Like

Yes, but we expect such software to be not only open source but free as in freedom. Shouldn’t “free/libre software” be the norm, seeing the problems with the open-source definition?