even having full access to the machines doesn't cover certain opaque sources of distrust. consider, for example, signature verification. besides the issue I've already mentioned, of difficulties (impossibilities) in telling whether a signing key has been compromised, there's the difficulty (impossibility?) of telling whether the machines are configured to accept programs signed by some specific alternate key, say for development, for configuration purposes, a vendor backdoor, etc. how would a voter or a party go about testing that, if given a chance? do you envision any way to check? assuming you agree it can't be checked, how can we trust that this possibility we can't rule out cannot possibly be abused to compromise either the whole election or the secrecy of some specific vote at some specific voting site?