So Aarogya Setu is now open source. Everyone is talking about it, but I want to vent about something else. I am looking at the issue log and it is simply making me sick. Thread to follow. cont.
I keep saying this: if you raise such low-level issues and create a lot of noise, it helps no one. Rather, it creates a perception that sec is just making noise. Don't just report tool, report why it's wrong. Again, give details, give specifics; don't just run tool, dump report. cont.
Important question that comes to mind: why such an outrage from my side? The important part that people need to realize: this is an out-of-the-way step by govt. We don't see that so frequently. Do we want to encourage it or discourage it? cont.
When the devs would have woken up to 81 issues and 43 pull requests, I can assume they would have been excited. However, when you see such low-quality issues raised, you end up doing what is called ignore or put it in the cold bucket. No one likes to do that, but you got to do it. cont.
My concern with low-quality security issues is the same: don't raise issues just coz a tool said something; understand its context. Provide details. It's static analysis; not saying it could be right or wrong, but the context matters.
I am happy that govt took this step. How the community handles it going forward defines how govt continues to handle it going forward. Only criticising coz you want to criticise is wrong. If you feel it's wrong, tell them why and help them fix. Contribute to a better tomorrow.
You can follow @anantshri.