
https://www.gov.br/defesa/pt-br/centrais-de-conteudo/relator...

they said they couldn't point to any security risks that would invalidate the whole process.

I would like to read more about these findings, I can't find them anywhere and feel like I can only find them in alternative media sites.




Read the actual armed forces report. Would you like me to upload it somewhere?

Page 4, they recommend that access be given to the libraries referenced by the code. In other words, those libraries weren't audited.

Page 5, they say they noticed that the internet was accessed during the software compilation process for the purpose of downloading third party libraries. They outright say that this is an attack vector.

The rest of the document more or less verifies that everything is as expected after the final binary has been cryptographically signed. This is expected, any tampering necessarily occurred before the binary was signed.

Auditing source code doesn't matter given the nature of the attack vector. Protesters asking for source code will be embarrassed when they publish it and nothing is found. I'll only be satisfied if they publish the actual signed binary which ran on every machine on election day, the whole world looks at it with reverse engineering tools and finds nothing. Then I'll accept Brazilian elections as legitimate.
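The point made above about the signature being applied only after compilation, as an added example that is not from the report or from either commenter: a toy build in Python in which the signature over the final binary verifies whether or not a fetched third-party library was swapped, and only a hash pin recorded when the library was audited catches the swap. The source text, the `libvotecount` library and the signing key are constructed stand-ins, and HMAC stands in for a public-key signature.

```python
import hashlib
import hmac

# Constructed stand-ins for the election software's source and the third-party
# library the build fetches over the network. Not real artifacts.
SOURCE = b"int main(void) { return count_votes(); }"
AUDITED_LIB = b"libvotecount v1.0 (audited)"
# Pins recorded when the library was audited: name -> SHA-256 of the artifact.
PINNED_LIBS = {"libvotecount": hashlib.sha256(AUDITED_LIB).hexdigest()}
SIGNING_KEY = b"constructed-signing-key"  # stand-in for the authority's signing key


def unpinned_libraries(fetched: dict) -> list:
    """Names of fetched libraries whose hash does not match the audited pin."""
    bad = []
    for name, expected in PINNED_LIBS.items():
        got = hashlib.sha256(fetched.get(name, b"")).hexdigest()
        if not hmac.compare_digest(got, expected):
            bad.append(name)
    return bad

def build(source: bytes, fetched: dict) -> bytes:
    """Toy compiler: the binary depends on the source and every linked library."""
    h = hashlib.sha256(source)
    for name in sorted(fetched):
        h.update(name.encode() + fetched[name])
    return h.digest()

def sign(binary: bytes) -> bytes:
    # Applied after compilation: it vouches for the binary exactly as built,
    # whatever went into it. HMAC stands in for a public-key signature here.
    return hmac.new(SIGNING_KEY, binary, hashlib.sha256).digest()

def verify_signature(binary: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(binary), sig)

def release(fetched: dict) -> tuple:
    """Check pins, build and sign; returns (binary, signature, pins_ok)."""
    binary = build(SOURCE, fetched)
    return binary, sign(binary), not unpinned_libraries(fetched)


if __name__ == "__main__":
    clean = {"libvotecount": AUDITED_LIB}
    swapped = {"libvotecount": b"libvotecount v1.0 (unaudited replacement)"}
    for label, libs in (("clean build", clean), ("swapped library", swapped)):
        binary, sig, pins_ok = release(libs)
        print(f"{label}: signature valid={verify_signature(binary, sig)}, pins ok={pins_ok}")
```

Both builds carry a valid signature; only the pin check distinguishes them, which is why a signature check on the released binary says nothing about what was fetched before signing.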


I read the report and there's nothing there that can be used to argue in favor of what you're saying.

On the same report they point out 3 improvements for releasing the source code:

- provide access to git or the VCS they use

- allow usage of tools that do dynamic code analysis on compiled code

- provide access to 3rd party libs referenced in the source code

They didn't say the machines that compile the source code had internet access; they explicitly stated those machines had network access (which is completely different); they might have access to local network and it's expected so they can fetch the libraries needed for compilation.

I can't deny that a supply chain attack might be possible by corrupting one of these 3rd party libs, but there wasn't anything on their report that is as bad as you make it out to be.

Also, I can agree that the auditing should be more transparent, but I can't help but think: imagine if the army had access to the whole source code, how would they try to come up with a supply chain attack just to mess up the elections to favor their candidate?

EDIT: I know this is a biased website but read what TSE replied to the army's auditing: https://www.brasildefato.com.br/2022/11/10/tse-responde-a-no...

EDIT2: just to be clear, there were several different auditors when they had the auditing session, including universities and the federal police, the source code was provided to these auditors in 2021 and none found the issues the army pointed out. It's even pointed out by TSE that the army had access to the source code at the same time the other auditors had.

EDIT3: https://noticias.uol.com.br/politica/ultimas-noticias/2022/1...

There's nothing to worry about. There were public tests that provided full access to the source code and the army boycotted these tests, then they produced their own report, bringing up issues that could definitely have been done during those public tests they decided not to participate in.


> provide access to 3rd party libs referenced in the source code

Yes. I don't know what those libraries are, what they do or where they come from. I can't find any information on the matter.

> They didn't say the machines that compile the source code had internet access

> they explicitly stated those machines had network access (which is completely different)

You're right. I hadn't noticed that.

> they might have access to local network and it's expected so they can fetch the libraries needed for compilation

We still need access to those libraries.

> I can't deny that a supply chain attack might be possible by corrupting one of these 3rd party libs

Good, we at least agree on this possibility. I can't prove it was actually exploited but this shows it's not "unquestionable".

> but there wasn't anything on their report that is as bad as you make it out to be

A supply chain vulnerability seems pretty bad to me. Especially for an "unquestionable" system. Everything they did to defend it against criticism is cast into doubt given this possibility.

> how they would try to come up with a supply chain attack just to mess up the elections to favor their candidate?

If they can mess up the system, the elections are invalid anyway. All prior elections too. Including Bolsonaro's victory in 2018.

> there were several different auditors when they had the auditing session, including universities and the federal police, the source code was provided to these auditors in 2021 and none found the issues the army pointed out

Well, they didn't publish detailed reports like the armed forces did. Or maybe they did and I didn't see the reports. Do you know?

They said nothing about the network access either. Why? Seems like a glaring omission to me. All these auditors and not a word about network access during compilation?

> It's even pointed out by TSE that the army had access to the source code at the same time the other auditors had.

Did they look at those libraries? I can't find any information on them.

> There's nothing to worry about.

I wouldn't go that far. I want them to publish the real executable that ran on the machines on election day. That way we can reverse engineer it and look for malicious code. That's the true test. If the binary is genuine and no one finds anything, I'll accept the results and never again speak of this matter. Otherwise the possibility is gonna remain at the back of my mind.



