It's not a side show at all, it's the most important thing. By showing us the code the AEC is making the implicit commitment that this is the code running on their systems. Until they show us some code they are not even making that commitment at all - they could be running anything, they could change it every day to match their whims.
My own suspicion is that they DO know of numerous problems either current or past and quite likely these will cast enough doubt on some particular past results that it would bring about a constitutional crisis.
I don't mean any offense - but your position is not self-consistent. "Showing us the code" does not invalidate "could change it every day to match their whims".
For example the entire source code to Linux is public, but looking from the outside, you as an observer have no way to know that a particular copy of the Linux code is what is running on my laptop.
Which is why I say it's a side-show. If the source code is shabby, getting it might help a little in the short-term; it makes the whole process less reputable. But code can be rewritten. It distracts from the real need; independent verification of the process itself.
The point, though, is that releasing the source code under the pretense that it is the running code can create a legal obligation that what's released is what's run. No, it doesn't prevent them from running something else, but it at least creates the possibility of audits and consequences if they do so.
I know everyone likes to cite that paper whenever they can, but it's not really relevant here. In this hypothetical, they give you the source but they compile it to binary. They do not provide you with the compiler or its source. The compiler can be malicious, but there's no need to hide its maliciousness - they don't even prove that the software running is in any way derived from the source they've given you! It would be a giant leap forward to have to design against KT-level shenanigans. The whole process can currently be subverted with CS 101-level jiggery pokery.
I actually see where both you and the person you're debating with are coming from. Yeah, it's kinda a side-show because they can publish anything they want and you or I can't verify that's truly what is running. But it's a side-show that can turn into the main-show if the government really screws it up or a whistle-blower appears on the scene. From that angle, I say making them publish the code & promise the public that's the real code in production will then at least add one more avenue for any government-scandals to be "accidentally" revealed.
Basically, the more often you can force someone to tell a lie the more likely they screw up somewhere and it all falls apart.
If they could be legally compelled to release it once, perhaps there is some way of legally compelling them to always have the most recent version published.
Lets put it to a vote. Along with the proposal to renew the contract... we'll just have to do it after the upcoming scheduled maintenance on the voting system...
Maybe there should be a provision that votes concerning the voting system uses the most conservative and/or transparent means of voting available (such as counting a show of hands, or paper slips...)?
Either way this is silly. Yes, it is hard to trust the entire system, without doing a system audit. Fundamentally, when you put your voting logic into a few opaque plastic boxes who's only interface is a green and red button, it's pretty hard to know that the system hasn't been tampered with, is secure, does what it is supposed to do, does what it did yesterday today as well... but surely opening up the source is a great start?
I'd propose a simple system based on Forth and micro-controllers, that would allow for (reasonable) analysis of the binary machine code -- perhaps with random sampling and destructive reverse-engineering testing of all of the component parts every now and then.
Then we could worry about whether the people doing the auditing were on the take or not...
Actually, how about this: for stuff like this which is presumably public voting anyway, use two flags and a high-resolution camera, coupled with face detection and signal processing to determine the vote -- along with archiving the photo with a time-stamp (and vote number/identifier) for easy (manual) auditing. Audit a random sample (with representatives from all parties doing the auditing) every now and then?
Might not even have to use facial recognition -- just have every (voting) member wear a qr-code button on their shirt...
(Then you could worry about a system that did real-time altering of the recorded image, as have been demonstrated a year back (for:eg: dynamically replacing ad boards in live sports events...)). I do believe there's distrust all the way down. Maybe we should just leave the decisions to a dictator.
My own suspicion is that they DO know of numerous problems either current or past and quite likely these will cast enough doubt on some particular past results that it would bring about a constitutional crisis.