The issue they’re complaining about is that they’re being held to additional standards because they ask for a sensitive permission.
That’s not Snikket’s complaint. Snikket naturally satisfies the standards at hand because they do not export address book data, so they have no reason to object to the standards Google is failing to verify. Their complaint is rightfully about Google’s incompetence in evaluating their compliance. It’s clear from Snikket’s account what a shit show it is at Google who failed copious times to evaluate their software.
There’s nothing more terrible in the position of a software repository than the incompetence of neglecting to review code as part of the acceptance process. I can’t think of a more foolish policy than to ignore the code of software for which you are trying to endorse the quality of.
B. Code review takes a very large amount of highly qualified man hours to not work.
Not if a machine does it. And even if they use humans, it takes even more man hours to do the alternative dynamic analysis and traffic analysis. Code review saves countless man hours even if done 100% manually by humans.
C. Requiring review of proprietary code exposes Google to a crazy amount of antitrust and IP liability. Again, to not work.
Not applicable to FOSS code.
Code review doesn’t happen because it’s a laughably stupid idea that has virtually no chance of being beneficial in any way. It’s not an oversight.
Code reviews happen at every organisation I have worked for to catch unwanted code before deployment and testing. The reason we review code before testing is because it’s cheaper to review code than to test it. It’s laughably stupid to think code review doesn’t work only to then to spend more money on verification tests.
An organization reviewing its own code is not the same, or similar in any way, to an organization reviewing a large volume of external code for malicious intent. And it doesn’t work for a wide variety of reasons (including the one I already gave you that binaries don’t provide you any guarantees that they’re from the source). Onboarding is universally slow because new people take weeks to months to actually meaningfully understand big projects.
Again, you’re asking for FOSS code to get some special treatment and bypass the requirements already in place. It’s completely absurd, because every single one of those tests would still be unconditionally mandatory to get any kind of actual confidence in security. Choosing to skip them because someone in India skimmed the code would be way past gross negligence.
An organization reviewing its own code is not the same, or similar in any way, to an organization reviewing a large volume of external code for malicious intent.
This is neither of those cases. This is trivially searching the code for where the address book API is called, and inspecting only the relevant code to that object for a specific usage. If you review the whole volume of code for the entire application, you’re doing it wrong. It’s trivial and for the reasons I’ve already explained, less effort than dynamic analysis and traffic analysis.
And it doesn’t work for a wide variety of reasons (including the one I already gave you that binaries don’t provide you any guarantees that they’re from the source).
And you apparently missed the response because you’ve neglected to address it. It was a defeated claim.
Onboarding is universally slow because new people take weeks to months to actually meaningfully understand big projects.
You’re thinking about hiring heads to work on code they need to understand in depth in order to edit the code. That’s not the case here. Code reviews are much cheaper than onboarding developers.
Again, you’re asking for FOSS code to get some special treatment and bypass the requirements already in place.
Again, no exemption has been requested. Google is either smart enough to make use of info at their disposal, or they are not. (answer: they are not).
It’s completely absurd, because every single one of those tests would still be unconditionally mandatory to get any kind of actual confidence in security.
Only if you do it wrong. A code review gives more confidence about what happens with the address book than testing. Only a fool would needlessly spend money on the more costly and redundant black box approach which yields results (guesswork!) with less confidence¹. Sure you can also do the black box analysis but that’s just wasting money when the bar has already been cleared. You would do both if lives depended on the code, but such standards are far above Google’s standards.
Choosing to skip them because someone in India skimmed the code would be way past gross negligence.
You’re still not getting it. No one advocates for an exemption. You need to get that out of your head. A code review is a way to more cheaply do the verification with higher confidence, not to bypass it.
¹ Hence why Google failed many times to get it right.
“Just searching the code where the address book API is used” most certainly does not give you increased confidence. Obfuscation is not that difficult. You can only possibly gain confidence if you fully understand every single line of code.
I ignored it because it’s idiotic. Google isn’t and shouldn’t be building code for you unless you pay for it.
Not doing literally every single test every other app is required to is an exemption.
One more time: a company having people review specific code for a specific purpose does not in any way resemble an adversarial code review against bad actors. There are no parallels. A code review gives you literally zero confidence that the writer isn’t malicious unless you comprehensively understand every single line. Open source project security is entirely and exclusively reputational.
“Just searching the code where the address book API is used” most certainly does not give you increased confidence.
That’s the starting point. It only takes 5 minutes to get there and find the object of interest. If you don’t spend 10-30 minutes more to see how the object is used, you’re doing it wrong. And if you try to read every single line of code in the project, you’re also doing it wrong.
Obfuscation is not that difficult.
Obfuscation is even easier to spot than to create, which on that basis alone would be good grounds to reject a package.
You can only possibly gain confidence if you fully understand every single line of code.
As I said, you need not read every single line of code. Just the code touching the address book.
I ignored it because it’s idiotic. Google isn’t and shouldn’t be building code for you unless you pay for it.
It’s looking more clear that English is not your first language. You continually fail to comprehend what I’ve said, which was the complete opposite of this comment, after you suggested yourself that a code review effort is that of a new hire onboarding effort.
One more time: a company having people review specific code for a specific purpose does not in any way resemble an adversarial code review against bad actors.
Again, that is not the purpose of the code review. If the purpose is to generally find malicious code, that’s a very different criteria than /not exporting an address book/. And if you move the goal posts to that mission, you have no fucking chance to do that with the simple black box analysis you’re advocating.
There are no parallels. A code review gives you literally zero confidence that the writer isn’t malicious
A code review is the absolute cheapest most effective way to find malicious code, if that’s your new goal. You will not find malicious code with any confidence by looking at a TLS traffic tunnel and playing with the app as a user. You can see that the app connects to the Snikket server and you can see that blobs are passed back and forth, which is expected anyway. From there, you have to guess from the timing and payload sizes that something is off, at which point you still really know fuck all. It’s a lot of effort to reach insufficient confidence to condemn the app.
unless you comprehensively understand every single line.
Clearly you’ve never written software. Malicious code does not affect every single line nor does finding malice need an understanding of every single line. Bugs would never be found on any large project if that were true. Every code review I’ve performed has been narrow in scope and yet I still find non-conformant code. A developer can work on a project for ~10-20 years of their life and still only see a small fraction of the code. Yet they still discover bugs in very little time. If you think you need to look at every single line, I suggest avoiding the software career path.
Open source project security is entirely and exclusively reputational.
Reputation matters whether a project is FOSS or not. But if it’s closed-source, reputation is all you have. Of course it’s nonsense to claim FOSS code cannot be reviewed by anyone who cares to step beyond reputation.
That’s not Snikket’s complaint. Snikket naturally satisfies the standards at hand because they do not export address book data, so they have no reason to object to the standards Google is failing to verify. Their complaint is rightfully about Google’s incompetence in evaluating their compliance. It’s clear from Snikket’s account what a shit show it is at Google who failed copious times to evaluate their software.
There’s nothing more terrible in the position of a software repository than the incompetence of neglecting to review code as part of the acceptance process. I can’t think of a more foolish policy than to ignore the code of software for which you are trying to endorse the quality of.
A. Code review doesn’t work.
B. Code review takes a very large amount of highly qualified man hours to not work.
C. Requiring review of proprietary code exposes Google to a crazy amount of antitrust and IP liability. Again, to not work.
Code review doesn’t happen because it’s a laughably stupid idea that has virtually no chance of being beneficial in any way. It’s not an oversight.
You’re doing it wrong.
Not if a machine does it. And even if they use humans, it takes even more man hours to do the alternative dynamic analysis and traffic analysis. Code review saves countless man hours even if done 100% manually by humans.
Not applicable to FOSS code.
Code reviews happen at every organisation I have worked for to catch unwanted code before deployment and testing. The reason we review code before testing is because it’s cheaper to review code than to test it. It’s laughably stupid to think code review doesn’t work only to then to spend more money on verification tests.
An organization reviewing its own code is not the same, or similar in any way, to an organization reviewing a large volume of external code for malicious intent. And it doesn’t work for a wide variety of reasons (including the one I already gave you that binaries don’t provide you any guarantees that they’re from the source). Onboarding is universally slow because new people take weeks to months to actually meaningfully understand big projects.
Again, you’re asking for FOSS code to get some special treatment and bypass the requirements already in place. It’s completely absurd, because every single one of those tests would still be unconditionally mandatory to get any kind of actual confidence in security. Choosing to skip them because someone in India skimmed the code would be way past gross negligence.
This is neither of those cases. This is trivially searching the code for where the address book API is called, and inspecting only the relevant code to that object for a specific usage. If you review the whole volume of code for the entire application, you’re doing it wrong. It’s trivial and for the reasons I’ve already explained, less effort than dynamic analysis and traffic analysis.
And you apparently missed the response because you’ve neglected to address it. It was a defeated claim.
You’re thinking about hiring heads to work on code they need to understand in depth in order to edit the code. That’s not the case here. Code reviews are much cheaper than onboarding developers.
Again, no exemption has been requested. Google is either smart enough to make use of info at their disposal, or they are not. (answer: they are not).
Only if you do it wrong. A code review gives more confidence about what happens with the address book than testing. Only a fool would needlessly spend money on the more costly and redundant black box approach which yields results (guesswork!) with less confidence¹. Sure you can also do the black box analysis but that’s just wasting money when the bar has already been cleared. You would do both if lives depended on the code, but such standards are far above Google’s standards.
You’re still not getting it. No one advocates for an exemption. You need to get that out of your head. A code review is a way to more cheaply do the verification with higher confidence, not to bypass it.
¹ Hence why Google failed many times to get it right.
“Just searching the code where the address book API is used” most certainly does not give you increased confidence. Obfuscation is not that difficult. You can only possibly gain confidence if you fully understand every single line of code.
I ignored it because it’s idiotic. Google isn’t and shouldn’t be building code for you unless you pay for it.
Not doing literally every single test every other app is required to is an exemption.
One more time: a company having people review specific code for a specific purpose does not in any way resemble an adversarial code review against bad actors. There are no parallels. A code review gives you literally zero confidence that the writer isn’t malicious unless you comprehensively understand every single line. Open source project security is entirely and exclusively reputational.
That’s the starting point. It only takes 5 minutes to get there and find the object of interest. If you don’t spend 10-30 minutes more to see how the object is used, you’re doing it wrong. And if you try to read every single line of code in the project, you’re also doing it wrong.
Obfuscation is even easier to spot than to create, which on that basis alone would be good grounds to reject a package.
As I said, you need not read every single line of code. Just the code touching the address book.
It’s looking more clear that English is not your first language. You continually fail to comprehend what I’ve said, which was the complete opposite of this comment, after you suggested yourself that a code review effort is that of a new hire onboarding effort.
Again, that is not the purpose of the code review. If the purpose is to generally find malicious code, that’s a very different criteria than /not exporting an address book/. And if you move the goal posts to that mission, you have no fucking chance to do that with the simple black box analysis you’re advocating.
A code review is the absolute cheapest most effective way to find malicious code, if that’s your new goal. You will not find malicious code with any confidence by looking at a TLS traffic tunnel and playing with the app as a user. You can see that the app connects to the Snikket server and you can see that blobs are passed back and forth, which is expected anyway. From there, you have to guess from the timing and payload sizes that something is off, at which point you still really know fuck all. It’s a lot of effort to reach insufficient confidence to condemn the app.
Clearly you’ve never written software. Malicious code does not affect every single line nor does finding malice need an understanding of every single line. Bugs would never be found on any large project if that were true. Every code review I’ve performed has been narrow in scope and yet I still find non-conformant code. A developer can work on a project for ~10-20 years of their life and still only see a small fraction of the code. Yet they still discover bugs in very little time. If you think you need to look at every single line, I suggest avoiding the software career path.
Reputation matters whether a project is FOSS or not. But if it’s closed-source, reputation is all you have. Of course it’s nonsense to claim FOSS code cannot be reviewed by anyone who cares to step beyond reputation.