ukhsa-collaboration / covid19-app-system-public

COVID19 app backend

Primary working copy of the source code #17

Closed lopsided closed 3 years ago

lopsided commented 3 years ago

As per recent ticket closures: "As this is not the primary working copy of the source code, we cannot apply the patch to this repository, otherwise it will diverge from the upstream code."

Where is the primary working copy of the source code?

The NHS reports that the source code for the app is made available and links to this repository from this page: https://faq.covid19.nhs.uk/article/KA-01157/en-us?parentid=CAT-01028&rootid=CAT-01024

Either the code is open source or it isn't. If the primary working copy of the source code is not available, then the app is not open source. Please can you clarify.

ChrisJBurns commented 3 years ago

I agree. Something that needs to be cleared up I believe. The app by nature has inherited the security concerns of many. Being open-source, this will silence said claims as to the inner workings of the app. The app also benefits from the contributions made by interested parties like myself. If it's just a read-only copy of the real code that is hosted internally, this has to be made clear.

edwh commented 3 years ago

If the primary working copy of the source code is not available, then the app is not open source.

I don't mind them using an internal repository and only committing to here periodically. But in order for that to be beyond reproach, it needs to support reproducible builds as per #19 so that people can check that the version on Play matches a particular release on here.

Otherwise tin foil hat people can say "they've got secret tracking code in the version of the app you install, you know" and sane people have no way to disprove that.

People are already saying that. Let's go the extra mile and close off that nonsense.

t-chappell commented 3 years ago

Yeah, this confusion of having an "open" source repo but not having a reproducible build is going to give more ammo to those who want to spread more paranoia.

I am a dev that wants to help, but when I notice things (which I may be wrong about), like the Google exposure client using deprecated methods, and one that doesn't seem to exist according to the Google docs, it suggests to me the app's main functionality really shouldn't be working at all, which does arouse my suspicion of a) is this just a really old version and a waste of time, or b) tin-foil hat theories, which are hard to argue against as we have no idea. A reproducible build will extinguish that.

nhs-covid19 commented 3 years ago

Thanks for your interest in the Covid-19 project. The issue of reproducible builds has already been addressed in https://github.com/nhsx/covid-19-app-android-ag-public/issues/19. The suggestion that methods are being used that don't actually exist (raised in https://github.com/nhsx/covid-19-app-android-ag-public/issues/7) was a misunderstanding by the reporter regarding the way that Java methods can be accessed in Kotlin. A reproducible build for a system component that is run in the cloud (the code contained in this repository) is hard to achieve, as there is no version of the compiled software that is downloadable by an end user that can be compared. As we've previously mentioned, however, the code here, and in the other public repositories, is absolutely intended to be a faithful copy of the source code of the mobile applications, and of the code executed on the server.