Open source doesn’t actually matter here. A closed source electronic system should work just as well. Why?
The way it should work is the machine should just print out a scantron AND a human legible copy (probably with a bar code linking the two). The person submits both by hand. You get early results by counting the scantron. Before certification, there is a statistically significant manual counting of the human legible ballots. For tighter races you recount all. The linked barcode lets you also statistically cross-validate in case there was a discrepancy between the machine readable copy printed and the hand ballot (you sample randomly).
Open source means absolutely 0 here. There are too many vectors of attack (eg physically compromising a machine, chain of custody, malware etc). Better to assume the machine is compromised and build a system that doesn’t care.
How does open source help? If I place a device in front of you and tell you it's open source, there is no guarantee that it is running what you can download from github.
It’s just that windows is quite a bit more complex and vulnerable compared to much simpler and security focused OSs like a BSD back then or maybe Alpine Linux these days.
That's the point of the system I described. Vulnerabilities of the automated system don't matter. You verify the manual result and the digital result are the same.
The way it should work is the machine should just print out a scantron AND a human legible copy (probably with a bar code linking the two). The person submits both by hand. You get early results by counting the scantron. Before certification, there is a statistically significant manual counting of the human legible ballots. For tighter races you recount all. The linked barcode lets you also statistically cross-validate in case there was a discrepancy between the machine readable copy printed and the hand ballot (you sample randomly).
Open source means absolutely 0 here. There are too many vectors of attack (eg physically compromising a machine, chain of custody, malware etc). Better to assume the machine is compromised and build a system that doesn’t care.