Questionable "open source" project

[developerfromjokela]

Why is github repo missing such many things? Like dm-verity? Are you hiding the kernel partially?

Are you aware of GNU License? Any changes needs be published.

[developerfromjokela]

i.e. package digabi-kernel is not available.

[Esinko]

I would like to add that the repo in question contains files which are missing most if not all the code / configuration data actually in them that is in the built OS (downloaded from abitti.fi). So technically it would not be possible to build a copy of the currently latest version of digabi-os in distribution from this repo, as this is NOT the source code for that and has never been.

[developerfromjokela]

Digabi should (perhaps is required to) be open, for security reasons and transparency. How can we trust your OS?

[mplattu]

Thanks for your interest! As you know the Abitti live image is based on Debian distribution. We're using the Debian source packages and compile them to our environment. As you know, the kernel contains a numerous parameters which can be set both at compile and execution time. The parameters which one selects to use are not part of the source code.

The only local change we make disables reading an arbitary initrd. The patch varies from kernel version to another. This particular example a patch to kernel 5.3:

--- orig/init/initramfs.c
+++ patched/init/initramfs.c
@@ -650,7 +650,7 @@ static int __init populate_rootfs(void)
    if (err)
        panic("%s", err); /* Failed to decompress INTERNAL initramfs */

-   if (!initrd_start || IS_ENABLED(CONFIG_INITRAMFS_FORCE))
+   if (1 || !initrd_start || IS_ENABLED(CONFIG_INITRAMFS_FORCE))
        goto done;

    if (IS_ENABLED(CONFIG_BLK_DEV_RAM))

What comes to the openness in general level, there is no official requirement for a software or technology used in a monitored high-stakes test should be open. In short, you don't have to trust our OS, it is enough we do. However, we've decided to work as openly as possible as it benefits both test-takers, test administrators and of course ourselves, the board.

Naturally, we must comply with the licenses of the software we use. The easiest way to get there is to use a Linux distribution which is careful in keeping straight with the licenses. Thus, we chose Debian in the first place and use their packages as much as possible.

What comes to this particular case (the patch above) the change is relatively small and almost trivial. As there has not been any interest for these patches we've decided not to publish these snippets. If there will be more interest on these matters, we must reconsider our position here.

Again, thanks for your interest.

[developerfromjokela]

Yes there are interests, at least ten people. So reconsidering would be great.

[Esinko]

I wonder if this should be reported to the Debian project? As clearly the maintainers of this repository won't change anything themselves...

[developerfromjokela]

Let's do it @Esinko!

[mplattu]

After my previous comment on this thread on Oct 2 I've contacted some experts in the area. It appears we're already complying with the GPL as we're using Debian kernel packages which they have made public.

If you feel that opening an issue at Debian or any other party is meaningful use of the resources of this party you must do what you feel is necessary.

I'm closing this issue as we have made our case here. Again, thank you for your interest in our work.

[Esinko]

@mplattu In my original comment I said that building the current version Abitti from this source code is impossible, due to missing configuration files and packages (etc.). Has that changed? Or is there something I'm missing in the building process? EDIT: Also what do you mean by "they" in "It appears we're already complying with the GPL as we're using Debian kernel packages which they have made public.". Who have made what public? Are the missing packages' sources available somewhere else?

[ahnl]

It would be very appreciated by others as well if you would completely open your source code, especially if it's funded with our tax money.

Other people could help by discovering security vulnerabilities and contributing to the project. There are plenty of other benefits from open-sourcing projects, which you should be already aware of.

Sadly I wouldn't consider this as an open-source project yet, as it is nearly impossible to build from the source files and not all code is released. @mplattu closing this discussion feels like an embarrassing way of avoiding it, please reopen.

[developerfromjokela]

@ahnl is right, I don't see a reason why this project shouldn't be open source. "Trade secrets" aren't so trivial if this is government funded project, right?

I see only benefits in open-sourcing the project in its entirety, for security research, bugfixes by other people, code review, suggestions, you name it.

@mplattu looking forward to your answer.

[developerfromjokela]

Yet no answers, we would like to hear your opinion on this @mplattu

[KaappoRaivio]

I'm not sure if I want to touch this rat's nest, but I genuinely cannot keep my mouth shut.

In short, you don't have to trust our OS, it is enough we do.

Who says I don't have to trust "your OS"? The Finnish matriculation exam is the highest-stake exam in Finland! If the students cannot be sure that the system is robust enough for a high-stakes exam to take place, what kind of position does that place the students in? Someone (who you don't even know) just assures you that the system your most important exam is held on is sufficient?

However, we've decided to work as openly as possible as it benefits both test-takers, test administrators and of course ourselves, the board.

I'd really like to see a day where the openness of Abitti would be guaranteed as a right of the candidates, and not represented as some privilege that the Matriculation Examination Board of Finland just happens to grant us.

The parameters which one selects to use are not part of the source code.

Not true. See https://opensource.stackexchange.com/a/5053. The relevant takeaway is that anything that is needed in order to build the software must be included in the source code, even if the changes are small.

Also what do you mean by "they" in "It appears we're already complying with the GPL as we're using Debian kernel packages which they have made public.". Who have made what public? If you are referring to the

I would also be interested to hear what packages have been made public, and who has performed that action.

I'm closing this issue as we have made our case here.

I also feel that this is just an attempt to avoid fair discussion on the topic. This is not about how much of the system is not public – the problem is that at the moment we do not have any way of building the system from the sources. The point and spirit of the GPL license is that anyone should be able to build the system from the same sources that the development is performed on.

When will Abitti be compliant with GPL?

P. S. there is still the problem of including GPL-licensed binaries (Geogebra etc.) in the distribution without making the source code public

[Esinko]

@KaappoRaivio The Matriculation Examination Board of Finland has offered to provide the source code upon request to individuals by mail (as letters, yes, you read correct). So technically, they are GPL compliant. There isn't much we can do here.

The only way forward would be to bring the arguably unprofessional and careless behaviour of the Matriculation Examination Board of Finland to the public's eyes to force any sort of change.

[KaappoRaivio]

Could you provide us with the exchange with the board? If they really have stated what you say we will have meme material for years :D

[Esinko]

@KaappoRaivio I'll see what I can do, but sharing the said exchange is not up to me. Is there some other way I can contact you? You can reach me with email: eemil@testausserveri.fi

[KaappoRaivio]

Sure, I'll send you an email :)