Does external code review even matter? Leaving aside the difficulties of fighting with lobbyists, entrenched companies, unions, IP risk and financial obligations, (among many other points of friction) what is the upside?
OTA and continuous integration will only improve, and likely at a logarithmic pace typical to other technological advancements. What if you during your project you needed every line of code reviewed before it was deployed (you probably do), but then a thrid party has to review it before you can ship it? This would KILL turn around time.
Entire teams are devoted to writing and reviewing this software at every company, and each continuous update. These updates can be rolled out daily, weekly or monthly. It probably takes internal testing and internal reviewing to push code. This is non-trivial and scales with the complexity of the design. Further, as difficult as internal reviews and testing may be, it can still be incorrect; even when the reviewers have intimate knowledge of the entire codebase and the granular changes, source-code diffs, and commented commit messages.
How many people do you reckon it would take to independently review every line of code in production? At what level of inspection would you be able to achieve a confidence level >90% that the code did what the developers allege in a safe and sane manner? Open source works because people can contribute code, fork-code and use the code they write and fork. Without these incentives a decentralized community would be unlikely to contribute, review and maintain proprietary code as they would be disincentivised from doing so as the IP would be protected. The government or the auto-companies would do the reviews, which outside of the massive cost (passed on to consumers) I will leave you to work out the issues there.
Oh thanks for this grim view, it is fairly accurate, I disagree with X but on balance maybe it is more true than false, what is the solution?
We open source the testing and make that public, and we don't need the actual code to do this. Simple heuristics are developed for whatever we need to optimize for.
* Safety works this way and is done really well, we smash some cars up, run some stress tests and qualify them.
* Manufacturers are required to publicly announce when they have pushed an update and the specific systems changed like a longer commit message with details of the system and changes.
* Third party tests are continuously upgraded for whatever the battery demanded by the market is.
This will create a market opportunity for someone to create value. They will provide data and can sell it, distribute it or publish it. People will be incentivised to write tests because they use vehicles and companies will want to be auto-trends verified car of the year. If we accept that it will be almost impossible to convince automakers to give up their IP and that the code will regulalrly change making review prohibitivle expensive, this seems like the only option.
Create in depth testing for emissions, safety, cruise control, privacy, data transmission ETC and have that be governed as open source projects. Open up bug bounties (either auto-trader/magazines/interested companies sponsor this or automakers are incentivized to foot this bill). By bug bounty, I mean more of audting the car and requirements, or if the companies allowed specific features to have code reviewed like the Jeep hacking experiment.
This will happen anyway because people don't like their credit card data to be stolen, and they don't like getting caught cheating on ashley madison, but what they really don't like? Having their car remotely turned off, remotely piloted using self-driving technology to the criminals dark layer or have their car otherwise destroyed or used for crimes.
Review is coming, maybe even endorsed by automakers with some of their code provided, but we can't expect the government to do a great job reviewing the code, so let's just have an open-source testing model and develop better tests for things we care about.
OTA and continuous integration will only improve, and likely at a logarithmic pace typical to other technological advancements. What if you during your project you needed every line of code reviewed before it was deployed (you probably do), but then a thrid party has to review it before you can ship it? This would KILL turn around time.
Entire teams are devoted to writing and reviewing this software at every company, and each continuous update. These updates can be rolled out daily, weekly or monthly. It probably takes internal testing and internal reviewing to push code. This is non-trivial and scales with the complexity of the design. Further, as difficult as internal reviews and testing may be, it can still be incorrect; even when the reviewers have intimate knowledge of the entire codebase and the granular changes, source-code diffs, and commented commit messages.
How many people do you reckon it would take to independently review every line of code in production? At what level of inspection would you be able to achieve a confidence level >90% that the code did what the developers allege in a safe and sane manner? Open source works because people can contribute code, fork-code and use the code they write and fork. Without these incentives a decentralized community would be unlikely to contribute, review and maintain proprietary code as they would be disincentivised from doing so as the IP would be protected. The government or the auto-companies would do the reviews, which outside of the massive cost (passed on to consumers) I will leave you to work out the issues there.
Oh thanks for this grim view, it is fairly accurate, I disagree with X but on balance maybe it is more true than false, what is the solution?
We open source the testing and make that public, and we don't need the actual code to do this. Simple heuristics are developed for whatever we need to optimize for.
* Safety works this way and is done really well, we smash some cars up, run some stress tests and qualify them.
* Manufacturers are required to publicly announce when they have pushed an update and the specific systems changed like a longer commit message with details of the system and changes.
* Third party tests are continuously upgraded for whatever the battery demanded by the market is.
This will create a market opportunity for someone to create value. They will provide data and can sell it, distribute it or publish it. People will be incentivised to write tests because they use vehicles and companies will want to be auto-trends verified car of the year. If we accept that it will be almost impossible to convince automakers to give up their IP and that the code will regulalrly change making review prohibitivle expensive, this seems like the only option.
Create in depth testing for emissions, safety, cruise control, privacy, data transmission ETC and have that be governed as open source projects. Open up bug bounties (either auto-trader/magazines/interested companies sponsor this or automakers are incentivized to foot this bill). By bug bounty, I mean more of audting the car and requirements, or if the companies allowed specific features to have code reviewed like the Jeep hacking experiment.
This will happen anyway because people don't like their credit card data to be stolen, and they don't like getting caught cheating on ashley madison, but what they really don't like? Having their car remotely turned off, remotely piloted using self-driving technology to the criminals dark layer or have their car otherwise destroyed or used for crimes.
Review is coming, maybe even endorsed by automakers with some of their code provided, but we can't expect the government to do a great job reviewing the code, so let's just have an open-source testing model and develop better tests for things we care about.