As of Monday, there were 122 pending pull requests made by software developers to the code, and as many as 235 major and minor issues had been flagged. (Express photo: Sneha Saha)
Nearly a week after the Ministry of Electronics and Information Technology (MeitY) released the source code for Aarogya Setu app on code source sharing platform GitHub, software developers and cyber-security experts have alleged that the government was not responding to the changes being suggested by them on the platform.
“Till now, developers have not been able to access the code and there have been more than 100 pull requests, which denote that there is huge interest in understanding the working of the app. There is no active engagement from owners of the app,” Kazim Rizvi, founder of policy think-tank The Dialogue, said.
The government, however, said changes suggested by the software developers must follow the correct process for it to be accepted, and that just suggesting the change on GitHub was not the right procedure. “You have to read the guidelines of the bug bounty program along with the GitHub link. Whatever suggestions are given, they are examined by the technical team as to which have to be accepted, and then it is built in. They have to submit changes in the way it has been prescribed in the bug bounty program,” MeitY spokesperson and CEO of MyGov, Abhishek Singh, said.
Some of the software developers The Indian Express talked to also claimed that the code uploaded to the open source repository is different from the one live code running the app on Google Play store.
The source code of Aarogya Setu app was released to promote transparency, the government said. (Express photo: Sneha Saha)
“It is not the same code. Play Store is running 1.1.3 version, this (the one on GitHub) is running 1.2.0, which is a version for the future. We can also see that from past commits that some of the functionalities have either been removed or changed, including for example, the PM Care- UPI integration, from the released code,” Anivar Aravind, founder-executive director of Indic Project, who has also analysed the codes on GitHub, said.
The government had on May 27 released the source code of its contact tracing app Aarogya Setu and announced cash prizes for those who find a bug or vulnerability in it.
When asked about the delay in releasing the code after significant calls from India’s developer community, IT Secretary Ajay Prakash Sawhney told The Indian Express: “Even the best developers don’t document their code when they are rushing to make it functional. Now, they have properly cleaned the code. We even plan to release the code for the server function so that other countries can pick it up and use this app in their country as well.”
Software developers, however, argue that since May 27, there has been no engagement from the government’s side or from any of the volunteers who wrote the code.
“When you make an app or code open source, you make your code repository publicly accessible via services like GitHub and the ideal practice is that all the push and pull functions as well as changes are made from from that repository, so that all changes are logged and everyone can monitor those changes. It seems that the government is keeping a private repository, has created a copy of it and made the same public,” a Chennai-based cyber-security expert said.
Push and pull requests are features on GitHub which allows software developers and the owner of the code to interact with each other and take note of the various changes suggested in the source code. According to GitHub, a pull request allows a developer to let others, including the owner of the code know that they have suggested certain changes in the code repository.
As of Monday, there were 122 pending pull requests made by software developers to the code, and as many as 235 major and minor issues had been flagged. There had been no action taken on any of the issues on the public repository.