Re: readable source code [Re: OVC-discuss Digest, Vol 37, Issue 10]

From: Fred McLain <mclain_at_zipcon_dot_net>
Date: Sun Nov 04 2007 - 16:39:27 CST

On Nov 4, 2007, at 1:13 PM, Hamilton Richards wrote:
>> As it turns out, I can read that code.
> No doubt you can, Fred, but the issue was whether it could be read by
> a significant fraction of the voting public. And the real issue is
> not how many people can read it, but how many could reason about it,
> well enough to construct a sound argument that it's correct.

As this exercise has made apparent, if the code is open at least
*someone* can read it and put forward a learned opinion as to its

> Fred, could you do that? I've spent quite a few years studying formal
> methods, and have a fair amount of practice in proving programs
> correct, but that chunk of Java would stymie me completely. For one
> thing, I have no idea what axioms I would be starting with. For
> another, I have no clue about what I should be trying to prove.

As it turns out, I have been exposed to formal methods over the last
couple years in my current gig. Admittedly, I am not leading up that
portion of the project (I focus more on tooling and design). I
strongly approve of applying them, and in fact am in favor of
requiring a formal security analysis for voting software. We need a
protection profile for voting systems. The one question I have left
is if a NIST Common Criteria level 3 would be sufficient. Perhaps it
is a good start and a more stringent evaluation could follow on
later. Until we have the protection profile we do not have a means by
which to evaluate the security of these systems.

> So I ask all of my fellow proponents of open-source election
> software: What would you do with it if you had it? Would you be able
> to construct such a convincing argument for its correctness that
> ballot printers could be dispensed with?

Please, no DREs. The process of ensuring election integrity is tough
enough without DREs.

> If so, let's see an example of such a correctness argument.
> + + +
> Because some readers of this list may misinterpret what I've just
> written as an attack on open source, let me reiterate that I am
> entirely in favor of making election software open-source. What I
> don't accept is the purported connection between open source and
> security, correctness, and validity.
> I agree fully with this statement:
> "But every computer security expert says that you can't
> make a system secure by hiding your code."
> But it's equally true that you can't make a system secure by opening
> its code.
>> [...]
>> By the way, commenting the code is a good idea.
> That's the conventional wisdom, but it's hardly unchallenged. The
> argument against commenting code is that the comments tell the reader
> what the author intended, which is not necessarily what the author
> achieved.
> --Ham
>> -Fred-
>> On Nov 2, 2007, at 3:06 PM, Danny Swarzman wrote:
>>> I promise you that code will not appear in any system running in an
>>> election. We recognize the problem. We are working on a new product.
>>> It will reflect a fanatic devotion to legibility.
>>> -Danny Swarzman, VP Software Engineering, OVS
>>> On Nov 2, 2007, at 2:45 PM, Hamilton Richards wrote:
>>>> At 10:45 AM -0700 2007/11/2,
>>>> wrote:
>>>>> Message: 2
>>>>> Date: Fri, 2 Nov 2007 10:45:52 -0700 (PDT)
>>>>> From: "Richard C. Johnson" <>
>>>>> Subject: Re: [OVC-discuss] Representative Holt's OWN WORDS [Re:
>>>>> OVC-discuss Digest, Vol 36, Issue 9]
>>>>> To: Open Voting Consortium discussion list
>>>>> <>
>>>>> Message-ID: <>
>>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>> Stuart,
>>>>> Here is some example Open Source code from the OpenScan system.
>>>>> See
>>>>> how difficult you think it would be to figure out. My own
>>>>> thought
>>>>> is that most people could correctly understand what is being coded
>>>>> and could also see that no subroutine doing nasty things was
>>>>> hidden
>>>>> in the code:
>>>>> <EML Id="230" SchemaVersion="5.0">
>>>>> <TransactionId>OK-2007-09-1</TransactionId>
>>>>> <CandidateList>
>>>>> <Election>
>>>>> <ElectionIdentifier Id="Oklahoma 2007" />
>>>>> <Contest>
>>>>> <ContestIdentifier Id="State Governor" />
>>>>> <Candidate>Brad Henry</Candidate>
>>>>> <Candidate>John Wayne</Candidate>
>>>>> <Candidate>Bill Okapi</Candidate>
>>>>> <Candidate>Jane Smith</Candidate>
>>>>> </Contest>
>>>>> </Election>
>>>>> </CandidateList>
>>>>> </EML>
>>>>> ***************************
>>>>> I do believe that there are enough people who could read such code
>>>>> to make such Open Source a reasonable approach to increased
>>>>> transparency of elections. How many people can read the above and
>>>>> understand it? Quite a few, I would think. I admit, Open Source
>>>>> drivers for a scanner are more difficult, but I can read them even
>>>>> if it would be hard for me to write them myself.
>>>>> -- Dick
>>>> Sure, many people could read code like that, if by "read" you mean
>>>> "recognize most of the words." But how many people could explain
>>>> how
>>>> one could determine whether that code is correct?
>>>> For a more realistic example, spend a minute perusing the Java code
>>>> appended below
>>>> <
>>>> action/>.
>>>> Then give us an estimate of the fraction of the population that
>>>> could
>>>> formulate a coherent argument for its correctness. How many could
>>>> even give a coherent definition of "correctness"?
>>>> Thanks,
>>>> --Ham
>>>> public ActionForward execute(ActionMapping actionmapping,
>>>>     ActionForm actionform, HttpServletRequest httpservletrequest,
>>>>     HttpServletResponse httpservletresponse)
>>>>     throws Exception
>>>> {
>>>>     String forwardName = "defaultPage";
>>>>     try {
> [...]
> --
> ------------------------------------------------------------------
> Hamilton Richards, PhD Department of Computer Sciences
> Senior Lecturer (retired) The University of Texas at Austin
> ------------------------------------------------------------------
> _______________________________________________
> OVC-discuss mailing list
> By sending email to the OVC-discuss list, you thereby agree to
> release the content of your posts to the Public Domain--with the
> exception of copyrighted material quoted according to fair use,
> including publicly archiving at

Instant Messaging (IM) Addresses:
Yahoo: appworx_fred, schemalogic_fred
AIM: mclain98021
ICQ: 6947005
GTalk (Jabber):
Skype: fmclain

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
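Ham's question (which axioms, what to prove) can be made concrete for the EML fragment Dick posted. What follows is an added example, not code from this thread, from OVC or from the OpenScan project: it writes down a handful of assumed properties a candidate list should satisfy (they are assumptions for the example, not the EML 5.0 schema) and checks the fragment against them mechanically, which is the kind of explicit specification a correctness argument has to start from.

```python
import xml.etree.ElementTree as ET
# Constructed copy of the fragment quoted in the thread, with the garbled
# quote mark on ElectionIdentifier repaired so that it is well-formed XML.
EML_SAMPLE = """<EML Id="230" SchemaVersion="5.0">
  <TransactionId>OK-2007-09-1</TransactionId>
  <CandidateList>
    <Election>
      <ElectionIdentifier Id="Oklahoma 2007" />
      <Contest>
        <ContestIdentifier Id="State Governor" />
        <Candidate>Brad Henry</Candidate>
        <Candidate>John Wayne</Candidate>
        <Candidate>Bill Okapi</Candidate>
        <Candidate>Jane Smith</Candidate>
      </Contest>
    </Election>
  </CandidateList>
</EML>"""
def check_candidate_list(xml_text):
    """Return violations of the assumed properties (empty list: all hold).
    The properties are assumptions made for this example, not the EML 5.0
    schema; each is a sentence a reader could argue for or against."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:  # property 0: the document parses at all
        return [f"not well-formed XML: {err}"]
    if root.tag != "EML" or root.get("SchemaVersion") != "5.0":
        problems.append('root must be <EML SchemaVersion="5.0">')
    if not (root.findtext("TransactionId") or "").strip():
        problems.append("TransactionId missing or empty")
    for election in root.iter("Election"):
        ident = election.find("ElectionIdentifier")
        if ident is None or not ident.get("Id"):
            problems.append("Election without an ElectionIdentifier Id")
        for contest in election.iter("Contest"):
            cid = contest.find("ContestIdentifier")
            label = cid.get("Id", "") if cid is not None else "<unnamed>"
            if not label:
                problems.append("Contest without a ContestIdentifier Id")
            names = [(c.text or "").strip() for c in contest.findall("Candidate")]
            if not names:  # a contest with nobody to vote for is not a contest
                problems.append(f"contest {label!r} has no candidates")
            dup = sorted({n for n in names if names.count(n) > 1})
            if dup:  # the same name twice would split or double a vote
                problems.append(f"contest {label!r} lists candidates twice: {dup}")
            extra = [e.tag for e in contest if e.tag not in ("ContestIdentifier", "Candidate")]
            if extra:  # nothing "hidden in the code": only the two expected element kinds
                problems.append(f"contest {label!r} has unexpected elements: {extra}")
    return problems
```

The point is not the checker itself but that every line of it corresponds to a stated property; disagreeing with the properties is a far more productive argument than "I can read the words".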
Received on Fri Nov 30 23:17:09 2007

This archive was generated by hypermail 2.1.8 : Fri Nov 30 2007 - 23:17:31 CST