It's the organization you use if you're sick, lost your job, where you get your social security etc. Basically a huge behemoth of all kinds of social or labor services.
While most of the code probably has little value for others (2000 different repos), I think it's quite noble that it's public, given it's made with taxpayer money and serves our people. And when working there I found it quite cool to work in the open, a sense of pride in publishing everything we were doing. Also a bit funny, just checked the project I started 5 years ago: "last updated 42 minutes ago".
And not everything is there. ID Card software is hosted on Github https://github.com/open-eid
Especially for simpler things like style/accessibility issues, I could see this being somewhat common honestly.
The Foundation for Public Code: “We help public organizations collectively develop and maintain public code.”
Amazing people behind this org…
This is the official government app (you can get benefits, pay taxes, etc...), downloaded by 30+ million citizens, stack is React Native + Typescript
Imagine a single European rail service (not Euro rail where you can buy a single ticket that will make you take Dutch train, and then connect on a German train, and then on an Austrian train, and if you miss a connection, good luck figuring out your replacement..)
Even if this is done under the umbrella of an EU institution, the politics work the same way except now every other country is trying all kinds of maneuvers in an attempt to retain as much of the control as possible.
For example, Ukraine used closed-source software, and only the war (because of censorship) slightly slowed the stream of scandal publications about bugs and vulnerabilities.
DigiD has some minor annoyances, but it's a helluva lot better than some alternatives I could think of.
Why? I’ve lived in a European country with common national IDs, in the US, and in a European country without national IDs, and I’m not sure that the absence of it is “embarrassing.” Note that in most European countries it’s an identifier of citizenship, not residence, with other ID cards such as residence permits, driver's licenses, or municipal registrations indicating residence. Therefore, it’s far from sufficient for many common use cases that depend on residence, and the countries that don’t have one such as the US or the UK typically use passports (or ad-hoc solutions such as US/Canada enhanced driver's licenses) for travel.
I agree that digital IDs can be very useful.
Surely that's hyperbole. State IDs are pretty standardized, and even more so with the REAL ID system (if the mandates for it ever go into effect). When have you ever had a problem using one state's ID in another state?
I can't vote with my Texas ID in Wyoming. A passport might be sufficient to vote in a different state for a national election but I admit that I’m not 100% sure on that.
Every government agency in the US doesn’t know who I am without me telling them. And even then if they fat finger the number I could be in for a world of hurt until someone realizes.
If you compare that to 2FA for Office 365 for example, where you just have a push notification where you press a button to allow, then you can't help but think that some attention to UX would be helpful.
As it is, I usually pick SMS verification instead of using the app. Yes, less secure, but so much easier.
1: https://www.rijksfinancien.nl/memorie-van-toelichting/2019/O...
2: https://logius.nl/onze-organisatie/zakendoen-met-logius/door...
I suppose it would hinge on your view of regressive use fees as well.
It sounds like they might not have been very keen to maintain the app.
Can there be alternative, better implementations, or is DigiD “hardcoded” to one provider?
People don't generally read it when their phone apps send them a "please log in" notification; after the 200th one that day, they tend to approve it without thinking (or worse, accidentally approve a phishing notification while trying to log in), especially when busy, which results in them letting phishers onto their device.
The DigiD login flow is a bit of a mess, but it seems very well designed to avoid that particular tendency. The entire process requires active involvement from the end-user, which means they'll be paying attention to whether it's them logging in or not.
Edit: I received the notifications for Microsoft Authenticator app
I think the only part that can reasonably be simplified without compromising security is to use a push notification instead of having to scan the QR-code.
I hadn't even noticed that app login doesn't require username and password. With a password manager that doesn't add a lot of friction. Even when accounting for that extra step, I still find Office 365 and SMS verification much easier.
You plan a video conf using their web app, connect at the right time, and show your passport when asked.
As an aside, I login without using their app, as my Android phone does not support Google Play.
Don't know what happens if you don't have a Dutch passport though. I guess they are under no obligation to render services to people that are neither citizen nor national.
A bit like when I got married and the French state wanted proof that I wasn't already married before, during the period I had lived in the UK. The UK services wouldn't give me the time of day, since I was neither British nor living there. I ended up getting an official looking note from the Dutch embassy to the UK, stating that "to the best of their knowledge I wasn't married" =)
During covid the government provided an ability to schedule a zoom call to verify identity remotely and set up DigiD with a foreign number so I finally have it.
I do appreciate that they keep it so secure (or perhaps I should say, not logged in by default). It works well in general imho.
With the DigiD app you just need to remember the pin code or unlock with Face ID. The app generates the codes for each login and then you just scan the QR. It's very simple to use.
Recently I lost my phone and had to set everything up again. I had to start digging for 2FA backup codes, but DigiD I could easily set up again using the NFC chip in my passport.
On desktop, you use pin, type code, then scan. I find the flow quite smooth.
I find the constant back and forth between devices annoying. 2FA is already annoying because you have to switch from desktop to mobile and back, but that can't be helped. There's no need to make it 6 times, though: desktop (on site) -> mobile (start app + pin) -> desktop (fill in code) -> mobile (get camera) -> desktop (scan QR) -> mobile (press allow) -> desktop (continue on site)
That's just being irritating.
I suppose openness will enhance security over time?
Some extra eyes on the current code might fix some small issues, but I doubt this is going to improve the app much.
So many big egos in software.
Furthermore, using Unicode characters to represent progress is the true smell here. There simply are better ways to do this.
In the grand scheme of things, does it matter? No. But this is Hacker News LOL, someone has to discuss it.
If I were reviewing this code I would at least ask the developer to add an assertion or contract requiring that the argument be in the inclusive range [0..1].
The choice of variable name, percentage, is also misleading. At least I suspect it is because I would expect the comparisons involving percentages to be to numbers between 0 and 100.
If lack of allocations is a requirement then one could create a static array of strings and use
int(percent * 10)
as the index. This would eliminate all of the comparisons and also throw an index out of range (in any sane language) if the value was outside the allowed range. I do object to the variable being called ‘percentage’ tho, as it clearly isn't one.
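The table-indexed variant suggested above, written out as an added example (not code from the DigiD repository or from any commenter), with the [0, 1] contract the earlier comment asked for. The glyphs and the ten-step width are assumptions, since the thread does not quote the app's actual strings; the example also shows two things the suggestion glosses over: a fraction of exactly 1.0 indexes past a ten-entry table, and in Python a negative index wraps silently instead of raising.

```python
WIDTH = 10  # assumption: one step per tenth, matching int(percent * 10)

# Precomputed once at import time, so a call allocates nothing new.
# The glyphs are placeholders; the real app's strings are not quoted here.
# The table has WIDTH + 1 rows: int(1.0 * 10) == 10, so a full bar needs an
# eleventh entry or a completion of exactly 1.0 would be out of range.
STEPS = tuple(
    "●" * filled + "○" * (WIDTH - filled) for filled in range(WIDTH + 1)
)


def progress_bar(fraction: float) -> str:
    """Return the bar for a completion fraction in the inclusive range [0, 1].

    The argument is deliberately called ``fraction``: the thread objects to
    ``percentage`` for a value between 0 and 1, and the contract below makes
    the expected range explicit instead of leaving it to the caller.
    """
    if not 0.0 <= fraction <= 1.0:
        # Checked up front rather than relying on IndexError: in Python a
        # negative index wraps around, so -0.1 would silently return STEPS[-1]
        # (the full bar). NaN also fails this comparison and is rejected.
        raise ValueError(f"fraction must be in [0, 1], got {fraction!r}")
    return STEPS[int(fraction * WIDTH)]


def bar_from_percent(percent: int) -> str:
    """Wrapper for callers that hold a real whole-number percentage (0..100)."""
    return progress_bar(percent / 100)


if __name__ == "__main__":
    for p in (0, 15, 50, 99, 100):
        print(f"{p:3d}% {bar_from_percent(p)}")
```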
For instance if you want 20% that could also be expressed as a fraction such as 20/100, which turns out to be the same as 2/10 or 0.2.
I do think they should remove the redundant statements in the conditions and also have an assertion that guarantees percentage to be [0, 1].
> The term "percent" is derived from the Latin per centum, meaning "hundred" or "by the hundred". The sign for "percent" evolved by gradual contraction of the Italian term per cento, meaning "for a hundred". The "per" was often abbreviated as "p."—eventually disappeared entirely. The "cento" was contracted to two circles separated by a horizontal line, from which the modern "%" symbol is derived.
This might be a little more obvious for me since my first language is derived from Latin, but anyhow it still keeps the meaning in English.
Source: native English speaker working in the Netherlands with a team of Dutch people. They are all really smart people, but they tend to err on the side of simple vocabulary when forced to think in English.
That was useful in a time where a text editor was "smart" when it copied your indentation to a new line. But nowadays any tooling will warn you when indentation doesn't match the bracing. The odds of people making that mistake have gone so far down that the risk is no longer worth the reduced readability.
Sounds like it was not voluntary. Also not sure what kind of transparency is expected here, since there is no way to find if the source code published is the same used to build the app. Maybe decompilation is the way to go...
edit, found it in the code:
https://github.com/MinBZK/woo-besluit-broncode-digid-app/blo...
btw I see that attaching an NFC reader to your computer is also supported.
Theoretically supported, or actually possible?
As it stands, DigiD must be used with either the Android or the iOS app in the 'Substantieel' mode of authenticity verification when accessing health care records. This is likely to be pushed to other uses of DigiD as well eventually.
The passport feature is a new one to provide an alternative safer method of verifying ID for the times you need it. It isn't the default use of DigiD and is meant as an alternative to physically taking your passport places.
Besides the redundant checks, it's really simple, so simple that an intern, maybe even someone who doesn't code, can understand and update it.
It's performant, most compilers will cache the strings.
People are trying to justify more complex one-liners with "what if you change the symbol, or just show 5 characters" etc. Adapting this code to these scenarios wouldn't take more than 5 minutes, and anyone could do it.
For me, this code with a good set of tests doesn't get much better.
Much easier to read than `int count = (int)Math.Floor(percentage / 10); return new String('#', count) + new String('-', 10 - count);` in my opinion and not worth writing a custom progress component for.
I had the honour of being able to review this under NDA before it was made public (pro bono, and limited to static analysis and an hour poking around suspicious looking classes). I've seen a lot of .Net code in my time and this was surprisingly good. Sure there are things which could be improved, but you'll find an order of magnitude more issues in most other code (especially dynamic languages, which are magnets for inadvertent issues affecting correctness).
Here is an example of Python code that can print a loading bar at different completion percentages:

```python
import time  # needed for time.sleep in the demo loop below

def print_loading_bar(percent):
    bar_length = 20
    hashes = '#' * int(percent * bar_length / 100)
    spaces = ' ' * (bar_length - len(hashes))
    # '\r' returns to the start of the line so the bar redraws in place;
    # flush so each update is shown even when stdout is buffered
    print(f'\rLoading... [{hashes}{spaces}] {percent}%', end='', flush=True)

for i in range(101):
    print_loading_bar(i)
    time.sleep(0.1)
```
Luckily Corona made them realize you can also do it over a Skype call.
The interesting aspect of this is that it can be studied to write clients for platforms that are not officially supported -- currently, only Android and iOS are supported, but it'd be great to see a Linux client too.
It's a big shame that history has been rewritten and heavily redacted though. Version control history often has a lot of contextual information that's not immediately obvious in the source code itself.
I did not look in depth, but the source code would reveal how things are getting encrypted and the business flows, but not the data. That is in DigiD's infrastructure.
So you definitely can't use this unless you pull the strings from the compiled APK they've published.
Trusting it’s safe because you don’t know if it's not sounds like a bad idea.
1. A safe that's been sitting on a public square for ten years, which the best safe-crackers in the world have tried – and failed – to break.
2. A safe hidden in a secret room that no one is allowed to access, but the manufacturer claims it's safe without real evidence beyond "trust me".