by timwaagh 1244 days ago
Great, so now we can be sure some hacker working at an intelligence agency or criminal syndicate reads this and now knows how to hack DigiD, which is basically the Dutch government's SSO. After you get in you can do all kinds of things like apply for student loans, passport taxes etc. There will be another layer of security but still... this is not great. Don't get me wrong, I am not against publishing source code, but they ought to think about what they publish.

It's the frontend app. Even script kiddies can download it from the Play Store and decompile it.
There was a request (foia/woo) made to obtain source code for frontend and backend. The latter is still being considered to be released as well.
I know, that will take some time though as it will need multiple deep reviews before it's released (as it's critical infrastructure and releasing it will increase the visibility).

Overall this will improve the security of the system, if only from the people I've seen offer their time (for nothing!) to ensure that this process is a success.

But now they have more information. Comments. Variable names. Decompiled code is difficult to read.
So now we’ll know if it’s _actually_ secure. This is a good thing as far as I’m concerned.

Trusting it's safe because you don't know if it's not sounds like a bad idea.

Which would you rather trust?

1. A safe that's been sitting on a public square for ten years, which the best safe-crackers in the world have tried – and failed – to break.

2. A safe hidden in a secret room that no one is allowed to access, but the manufacturer claims it's safe without real evidence beyond "trust me".

If I had great faith in the security of this product I would be fine with it.