Closed. gvdr closed this issue 4 years ago.
I strongly endorse @gvdr's concerns. The documentation seems informative in terms of goals and the description of the app. However, it is crippled by the lack of source code. This app will have a strong impact on Italian citizens' lives and will be fundamental in the upcoming months to keep the situation at bay. I strongly recommend that the code be made public as soon as possible (and before the app is launched), to have a critical and constructive judgment from the developer community.
I agree with @gvdr and @wariobrega. Sharing source code is just as important as sharing documentation.
+1
@lagmac I would say that it's even more important. :)
So, we are waiting...
I definitely agree with these concerns. Sharing documentation is a nice marketing move, good for low-tech people.
Give us the code and we'll eventually give you trust.
@lbrutti I'm positive, so I hope that sharing the documentation is just the first step and not just a marketing move. Let's wait and see what happens.
Dear all,
please check this out:
> Code must be open licenced and available on a public repository to allow reuse.

(Edit: emphasis mine)
I'm sceptical they will show us the source, anyhow, I follow... Cheers Francesco
The Ministry of Innovation has already confirmed many times that the app will be open source with the MPL 2.0 license.
https://innovazione.gov.it/app_Immuni_risposte_quesiti_anorc/
https://innovazione.gov.it/app_Immuni_domande_di_report/
https://innovazione.gov.it/Immuni-tutto-quello-che-ce-da-sapere/
The timing of the code release is crucial (if the app is launched on the 29th of May, we need to see the code in advance, to assess it).
Also, the documentation says that all the "relevant software" will be open under the GNU AGPL: this suggests that part of it won't be open. Which parts? Why? Who decided they are not relevant?
> The Ministry of Innovation has already confirmed many times that the app will be open source with the MPL 2.0 license.
> https://innovazione.gov.it/app_Immuni_risposte_quesiti_anorc/
> https://innovazione.gov.it/app_Immuni_domande_di_report/
> https://innovazione.gov.it/Immuni-tutto-quello-che-ce-da-sapere/

Why MPL 2.0? The guideline suggests the EUPL (https://www.agid.gov.it/it/agenzia/stampa-e-comunicazione/notizie/2019/05/13/pubblicate-linee-guida-agid-sullacquisizione-il-riuso-del-software-nella-pa) and I strongly suggest that license too. Using a weak copyleft license like the MPL can lead to derivative software without the need to release it as MPL. Using a strong copyleft license, instead, doesn't have this problem (moreover, the EUPL is the licence chosen by AGID and I don't see why not use it).
The notification has been here for 24 hours. Given the criticality of this project, prompt and transparent communication is essential. @luke10ferrari and the rest of @BendingSpoons, where are you?
When and where will the APK and iOS application files be released here on GitHub for download before the official store? Thanks.
+1
I strongly support the concerns of @gvdr on this theme. Source code is essential and should be released as soon as possible (usually with the guidelines..)
+1
+1 Checking in practice what is possible and what is not, with everyone's skills, can only be a benefit to improving security on such a delicate topic.
I agree, releasing the source code only days prior to the public release is not enough.
Where is the source code? Why should we not do all that is in our power to prevent anyone from installing this application?
The Italian public is currently misled, thinking the source code has been released and not having the knowledge or the will to verify this information. I can usually understand being under pressure and not having time to answer issue messages in a couple of days. But the release of the source code as soon as possible is a crucial node for this crucial software in a time of crisis. The lack of answers to this issue is just unacceptable.
Moreover, the public is misled into thinking that the app preserves privacy, and the public is not aware of the devastating Paparazzi Attack (see the corresponding issue). It is urgent to share and spread this news over social media and to independent journalists.
I strongly share @gvdr's concerns. The documentation alone, albeit undoubtedly a first step, is not enough any more: not with a release deadline for the executable app so close in time.
Making the code available as early in the process as possible (i.e., NOW), is sensible for two reasons:
As Immuni ultimately amounts to a policy implementation, I expect transparency and openness to be pivotal. What the Italian government should not do in any case is destroy mutual trust with all involved stakeholders.
@eutopian-eu
Hi everybody, my name is Luca and I work at Bending Spoons. I was mentioned, so I'll chip in with a brief message. I hope it helps.
First, I'd like to thank everybody for contributing with their opinion. We read all the messages.
Second, something we must clarify: we Bending Spoons don't get to decide when the code is released. All of the decision-making for the project is in the hands of the government and the Commissario Straordinario. I believe they'll soon start to engage with the community directly here on GitHub through their own dedicated teams. As far as I know, they're committed to open-sourcing the code, as they've stated publicly multiple times.
Third, I'd like to underline the fact that we at Bending Spoons are very much in favor of open-sourcing the code base. In fact, we licensed it to the government under the AGPL v3. Initially, we'd chosen the MPL v2 (also an open source license, but a less strict one, as far as I understand—I'm no expert), but then switched to the AGPL v3 in response to advice coming from the open-source community.
We're working hard to contribute something useful to the people. We look forward to adding to the open-source repos with all of you soon.
@luke10ferrari Thanks for the clarification, but the problem is this: "All of the decision-making for the project is in the hands of the government and the Commissario Straordinario". In the past two months too much has been said, denied, promised, withdrawn by this government. As I have already written: let's wait and see.
If you feel this is a problem (and so do I), maybe to "wait and see" is not the solution. Because time is running out, and having the source when the app is already deployed will be of scarce use.
Better to put pressure on those who have the power to decide (@luke10ferrari is very clear on who they are).

> Second, something we must clarify: we Bending Spoons don't get to decide when the code is released. All of the decision-making for the project is in the hands of the government and the Commissario Straordinario. I believe they'll soon start to engage with the community directly here on GitHub through their own dedicated teams. As far as I know, they're committed to open-sourcing the code, as they've stated publicly multiple times.
@luke10ferrari let me understand: your company is willing to open the code but the Commissario Straordinario prevents you from doing that? That is: if you put the code here right now he would terminate the contract? Thank you in advance for your clarification!
I second the question by @vtrgdu: did you request authorization to release the code, and was it denied by the Commissario Straordinario? When did you make that request? What were the motivations for the denial?
This is extremely important information that we should know in detail.
[Wow, that typo was funny]
> Hi everybody, my name is Luca and I work at Bending Spoons. I was mentioned, so I'll chip in with a brief message. I hope it helps.
> First, I'd like to thank everybody for contributing with their opinion. We read all the messages.
> Second, something we must clarify: we Bending Spoons don't get to decide when the code is released. All of the decision-making for the project is in the hands of the government and the Commissario Straordinario. I believe they'll soon start to engage with the community directly here on GitHub through their own dedicated teams. As far as I know, they're committed to open-sourcing the code, as they've stated publicly multiple times.
> Third, I'd like to underline the fact that we at Bending Spoons are very much in favor of open-sourcing the code base. In fact, we licensed it to the government under the AGPL v3. Initially, we'd chosen the MPL v2 (also an open source license, but a less strict one, as far as I understand—I'm no expert), but then switched to the AGPL v3 in response to advice coming from the open-source community.
> We're working hard to contribute something useful to the people. We look forward to adding to the open-source repos with all of you soon.

Hello, thanks for taking the time to reply.
I would like to remark that the openness of the code is necessary but not sufficient for all the process to be TRANSPARENT.
The same Italian law that talks about openness of the source code also says (sorry for the non-Italians): "The platform referred to in paragraph 1 is publicly owned and is built by the Commissioner referred to in Article 122 of Decree-Law No. 18 of 17 March 2020, converted with amendments by Law No. 27 of 24 April 2020, exclusively with infrastructure located on national territory and managed by the company referred to in Article 83, paragraph 15, of Decree-Law No. 112 of 25 June 2008, converted with amendments by Law No. 133 of 6 August 2008". (source: https://www.gazzettaufficiale.it/eli/gu/2020/04/30/111/sg/pdf )
If what COPASIR declared is true, you will use CDNs that are outside the national territory (can you confirm?), and so this clashes with the aforementioned law.
We do not just want the source code to be open; we also want you to openly state to the authorities, the public and the media the unprecedented risks for national security and citizens' privacy that this app introduces (see other issues in this repo). The whole process should be transparent!

> In fact, we licensed it to the government under the AGPL v3.
@luke10ferrari not sure I understand this bit - code is yours, you licensed it as AGPL v3. This should allow you to release it immediately.
I don't get how a third party (the government) can prevent you from releasing source code of something you started, own and freely license. They might be able to take decisions on when it's "safe" to release their fork, but without affecting your code.
> > In fact, we licensed it to the government under the AGPL v3.
>
> @luke10ferrari not sure I understand this bit - code is yours, you licensed it as AGPL v3. This should allow you to release it immediately.
> I don't get how a third party (the government) can prevent you from releasing source code of something you started, own and freely license. They might be able to take decisions on when it's "safe" to release their fork, but without affecting your code.

I definitely agree. A license is there to state what you can do with your creation. And if you ALREADY licensed your work, this means that your agreement with the Commissario Straordinario allowed you to do so (otherwise double check the agreement, for your safety). So there should not be any additional barriers to the release of the code.

> I don't get how a third party (the government) can prevent you from releasing source code of something you started, own and freely license. They might be able to take decisions on when it's "safe" to release their fork, but without affecting your code.

It's not so simple. Maybe they entered an NDA. The GPL license (and derivatives) simply says that when you give your software to a recipient, you have to provide the source code, and the recipient is obliged to do the same upon further distribution. It does not contain any obligation for the recipient to further distribute the software publicly, nor does it prevent the author from voluntarily entering an NDA.

> > I don't get how a third party (the government) can prevent you from releasing source code of something you started, own and freely license. They might be able to take decisions on when it's "safe" to release their fork, but without affecting your code.
>
> It's not so simple. Maybe they entered an NDA. The GPL license (and derivatives) simply says that when you give your software to a recipient, you have to provide the source code, and the recipient is obliged to do the same upon further distribution. It does not contain any obligation for the recipient to further distribute the software publicly, nor does it prevent the author from voluntarily entering an NDA.
The lack of transparency in this regard is another side of the same issue. There's no excuse in avoiding to state the presence of such NDA.
> It does not contain any obligation for the recipient to further distribute the software publicly, nor does it prevent the author from voluntarily entering an NDA.
@lmasellis mostly correct - but it would mean who signed the NDA voluntarily decided to "remit" the power to take decisions re: release to someone else.
This might definitely be the state of things right now - and we have no reason to think otherwise but it's not fair to say BS was not in a position to release the source code.
They most likely voluntarily decided to give up this power: as a matter of fact the competing app to Immuni had their code published on Github from day 1.
There is no point in imagining scenarios. I really hope @luke10ferrari will dispel any doubt and clarify the setting as soon as possible.
Agree with @gvdr, let's keep political comments out of this issue, but also let's all remember that speculation is a direct consequence of the lack of information.
If the code was available we wouldn't be here trying to figure out the pre-conditions that have led to it not being available for review yet with launch being only 10 days from now.
Hi all, I'm Paolo, CTO at Team Digitale, Ministry for Innovation Technology and Digitalization.
Immuni is under heavy development and I'd like to reassure everybody that we're setting up a dedicated team so that we can respond to the community promptly. Most importantly, we're working to release all of the code base open source as soon as possible.
The team is looking for a good balance between releasing the code early and making sure that the code is sufficiently stable and readable for the community to navigate and provide feedback reasonably easily. It should be a matter of a few more days. Please bear with us.
We look forward to seeing this project improve thanks to the contributions of the community then! thanks and best
I would add: also an excess of misinformation. Paolo, nice to meet you virtually. Please be assured that it is nothing personal. You declared in an interview to a major Italian newspaper: "La sicurezza non dipende dal modello." (Security does not depend on the model). Source: https://www.corriere.it/tecnologia/20_maggio_09/app-immuni-de-rosa-pronti-fine-mese-sogei-garante-sicurezza-327c2c4a-91c6-11ea-9f60-1b8d14bed082.shtml
Surely you meant something different, and I can guess what you mean, but whoever has a basic knowledge of security knows that this may be confusing for citizens. If a model is insecure, whatever app implements that model will be insecure. So what did you mean? The transparency of the process I mentioned before is tightly related to this issue. The experts should have produced documentation about security models, threat and risk models, references to the recent literature, comparisons etc. We do not just want the software to be open, but also any decision that impacts national security and citizens' privacy. If, as an expert of the Ministry, you affirm to the media that security does not depend on the model, this should be clarified in official documents. Moreover, citizens are not required to be able to read code or understand technical details, and they should simply be informed through non-technical but objective documents, not unclear interviews in newspapers. Sorry if there is some document I missed. Good work.

> > In fact, we licensed it to the government under the AGPL v3.
>
> @luke10ferrari not sure I understand this bit - code is yours, you licensed it as AGPL v3. This should allow you to release it immediately.
The Software Code Copyright Ownership can't be of Bending Spoon SpA. The "Authorship" can stay at Bending Spoon SpA but Ownership (Copyright Exploitation Rights) must be transferred to the Public Agency (being PDCM or Others).
Otherwise it would be a violation of "Linee Guida Acquisizione e Riuso" as implementation of Art 69.2 of Digital Administration Code (CAD).
Reference on the topic https://forum.italia.it/t/requisiti-normativi-su-riuso-app-di-contact-tracing
So, Bending Spoon SpA can't release the code as AGPLv3 because the code must be owned by the Public Agency, then the Public Agency must release it as AGPLv3.
Otherwise, regardless of the open-source license, there would be public treasury damage and the Corte dei Conti would have to act to recover the damage, triggering a lot of trouble for all parties involved.
The final outcome should be: Copyright Ownership: Presidency of Council of Italian Republic Authorship: Bending Spoon SpA License: AGPLv3
And the Copyright Owner must bring their platform on Developers Italia, as defined by "Linee Guida Acquisizione e Riuso del Software nella PA".
Anything different than this, will trigger a legal action.
@paolo-de-rosa Please consider that this delay in publishing the source code must be taken into account properly. Please postpone the release of the app by a decent amount of time, so that proper validation can be run. Otherwise, how would you expect to gain the trust of the community and of the citizens? There are a lot of important issues that have not been addressed by Immuni team members. It is also not clear, at the moment, if they are going to implement at least the non-API-dependent fixes which are essential to preserve (a minimum of) citizens' privacy/freedom.
Guys, it's not difficult to push the code to GitHub, it's easy... trust me! Give it a try! You won't regret it!
@AndreazLattmann the company is working for free. Please do not insinuate or speculate. It's a serious and time-pressing issue and you are not contributing by raising unnecessary polemics.
I'll answer you in Italian, maybe you'll manage to understand. If you read polemics into it, that's your problem. Stop.
I don't want to stir up polemics. But it isn't correct to say the app is open source if there's no trace of the source. Would you install an app designed to track you without the possibility of reading the code behind it? I wouldn't. I want the time to read it, not to download it first and then read it. And as I said in my video, it isn't difficult to publish the code on GitHub; moreover, they should do it because they keep saying it's open source. I don't ask Rockstar to publish the code of GTA V because it isn't open source. But Immuni is, and the code should be free. Whether they're working for free or not honestly doesn't matter to me, but right now they don't have my trust. Not at all.
@AndreazLattmann you should go and have a second read at that "netiquette" thing.
> Hi all, I'm Paolo, CTO at Team Digitale, Ministry for Innovation Technology and Digitalization.
> Immuni is under heavy development and I'd like to reassure everybody that we're setting up a dedicated team so that we can respond to the community promptly. Most importantly, we're working to release all of the code base open source as soon as possible.
> The team is looking for a good balance between releasing the code early and making sure that the code is sufficiently stable and readable for the community to navigate and provide feedback reasonably easily. It should be a matter of a few more days. Please bear with us.
> We look forward to seeing this project improve thanks to the contributions of the community then! thanks and best

Thank you Paolo for the clarification. I understand that the code is still in an alpha version, so the work is not yet done. I was misled by the AGPL license... I supposed the work was concluded.
@paolo-de-rosa @luke10ferrari thanks for both your answers but: 1) it is taking a worrying amount of time to get the necessary clarification 2) your answers are contradictory
Luca affirmed that you are ready to release the code, but the decision is up to the Commissario Straordinario. Paolo explained that you are still working to produce a version stable enough to be released.
Clearly the two answers are, at least in part, contradictory.
So, once again: can you be more detailed? Did you request the CS to release the code? What was the answer? If negative, why? You mention that the "relative software" will be open. What won't be open? Why? Who decided?
Can you assure us that an adequate amount of time will be allowed between the code release and the app launch?
If I can offer you a suggestion: do release whatever code you have NOW. You want to be able to receive the help of the community as soon as possible. Every hour of delay contributes to a perception of closedness (and no proclamation dispels it) and constitutes a lost opportunity.
The source code will be published this week:
Thanks for sharing.
When will the Ministry and/or Immuni's team reply to COPASIR (the committee for the security of the Republic), who questioned the fact that Immuni's app will store the citizens' data on CDNs outside the national territory, in contradiction of the ministerial decree? (I do not have proof of the truth of this affirmation from COPASIR, but in the absence of a refutation I have to believe COPASIR, who had access to more information than I have.) And when will they publish a security analysis stating clearly to the citizens and authorities the fact that the app is subject to the Paparazzi attack and the other attacks reported here and in the scientific literature? Source code is only a part of the transparency of the process.
Once again, the answer from the Minister is appreciated but does not go into the necessary details.

> an open-source code, which will be published this week

The documentation mentions that the "relative software" will be open. What won't be open? Why? Who decided?
@luke10ferrari @paolo-de-rosa You have 26 open issues. We don't even know who's commenting as part of your team or as a private citizen. In 4 days, you did not address any of the crucial issues raised so far. If you are going to release the source code and then completely ignore the community, this is going to be a failure wrt open accessibility.
Hi @paolo-de-rosa, first of all thank you for joining this discussion.
I too would like to express the need to see the intense development activity ("heavy development") as it happens, in order to evaluate the development process as well, rather than only the final product. This is what is called "open development", and as a citizen who helps pay for this process, I believe I have the right to it. And I believe I have the right to contribute to the design choices in building a technology that the government, to which my representatives have given their confidence, will recommend using.

> Most importantly, we're working to release all of the code base open source as soon as possible.

Releasing the source code is already possible, so "as soon as possible" is now, from the first line of code that will be written. This way of developing "in the open" is very common and very effective for building a community of interest around a project, and it helps reduce conceptual errors that could otherwise persist up to the final release.

> The team is looking for a good balance between releasing the code early and making sure that the code is sufficiently stable and readable for the community to navigate and provide feedback reasonably easily. It should be a matter of a few more days. Please bear with us.

There is no need for stability before release. Stabilizing a technology product is a process that takes time, and together it gets done sooner and better (there would be more "beta testers").
I'm writing this comment in Italian because we are talking about a technology developed under the guidance of the Italian Government and intended for use by Italian citizens. I understand the idea of involving foreign developers too, but this specific discussion, tied to government choices, makes sense in Italian, in my opinion.
@luke10ferrari thanks to you too for joining in
@strk every word absolutely true. I'd add, moreover, that every day of waiting for the code to be published makes the app itself less relevant.
To speed things up I suggest you fork this repository: https://github.com/google/exposure-notifications-server (Closes #7)
Hi, thanks for the documentation. It is, however, useless unless you also share the source code. What is your plan to release it openly?
It is important to release all the code, and not just a selection as suggested by the documentation, and to release it as soon as possible so to allow the whole community to assess it before the app is launched. Ideally, as the decisions you are taking now have a strong impact on delicate societal dynamics, the development of the app should be openly accessible: don't wait to have the definitive version running to share the code, start now.
PS This involves the code both on the device side and on the server side.