[Freedom-misc] Re : Openpilot

lcerf at dcc.ufmg.br lcerf at dcc.ufmg.br
Sun Mar 1 20:37:39 CET 2020


Would an audit of such a large amount of code be possible?

According to 'sloccount', 73% of the 420k lines of code are in the  
"phonelibs" directory and 12% in "external".  Most of that would be  
dependencies if packaged for a GNU/Linux distribution.  For instance, 110k  
lines of code are in phonelibs/eigen (for linear algebra, the "libeigen3-dev"  
package in Trisquel's repository), 77k lines in phonelibs/acado (a toolkit  
for Automatic Control And Dynamic Optimization) and 32k in external/cppad  
(for differentiation, eponymous package in Trisquel's repository).

The new critical code looks concentrated in the "selfdrive" directory, which  
contains fewer than 55k lines of code.  It is certainly possible to audit  
that code for safety and security (I believe it is what you mean by  
auditing).  Notice that section "Safety and Testing" of  
https://raw.githubusercontent.com/commaai/openpilot/master/README.md suggests  
the developers take the problem seriously.  Also, having dependencies (rather  
than reinventing the wheel, but with bugs) is good practice.

How are binary blobs hidden within open-source programs detected?

The program could rely on nonfree binaries.  Nevertheless, as I wrote, I have  
not found any explicitly nonfree license in the source tree.  When it comes  
to detecting binaries disguised as source code, the Linux-libre project  
executes  
https://www.linux-libre.fsfla.org/pub/linux-libre/releases/LATEST-5.N/deblob-check  
(but it is kind of specifically tailored to discovering blobs in Linux's  
source code).

Notice that I do not see any good reason to doubt that openpilot is free  
software.  It does not hurt to investigate anyway.
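As an added example (not part of this mail, and not the Linux-libre deblob-check script it links), here is a small Python heuristic in the same spirit: it flags files under a source tree that look like opaque data rather than readable code. The extension list and thresholds are assumptions chosen for illustration.

```python
"""Heuristic scan for binary blobs disguised as source code.

Added example in the spirit of deblob-check, not that script itself.
Flags files with source-like extensions whose contents look like
packed data: NUL bytes, huge hex byte arrays, or high entropy.
"""
import math
import os
import re
from collections import Counter

# Assumed set of extensions to inspect; widen for a real tree.
SOURCE_EXTS = {".c", ".h", ".cc", ".cpp", ".py", ".s", ".S"}
# Assumed threshold: a C initialiser with this many "0xNN," entries
# is more likely firmware than hand-written code.
HEX_ARRAY_THRESHOLD = 2048
HEX_BYTE = re.compile(rb"0x[0-9a-fA-F]{2}\s*,")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: readable source sits well under ~6, packed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> list[str]:
    """Return the reasons a file body looks like a blob (empty = looks fine)."""
    reasons = []
    if b"\x00" in data:
        reasons.append("contains NUL bytes")
    if len(HEX_BYTE.findall(data)) >= HEX_ARRAY_THRESHOLD:
        reasons.append("very large hex byte array")
    if len(data) >= 1024 and shannon_entropy(data) > 6.0:
        reasons.append("high entropy for source text")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each suspicious source-extension file to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = classify(fh.read())
            if reasons:
                findings[path] = reasons
    return findings
```

Anything it reports still needs a human to decide whether it is a legitimate lookup table or a firmware image; the heuristic only narrows where to look.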

