On Mon, 2021-08-30 at 05:23 +0000, Robin H. Johnson wrote:
> On Sat, Aug 28, 2021 at 12:30:15PM +0200, Michał Górny wrote:
> > Please review the following pre-GLEP.
> Please don't take the rest of my mail as a dismissal, but rather as
> considering how to protect Gentoo's voting system from any attack that I
> feel I might even remotely have the system privilege level to conduct.
>
> I absolutely do want improvements to Gentoo's voting process, like I
> said last year in mentioning mail-in ballot systems.
>
> >
> > ---
> > GLEP: 9999
> > Title: Secrecy-respecting voting mechanism for Gentoo projects
> > Author: Michał Górny <mgorny@g.o>
> > Type: Standards Track
> > Status: Draft
> > Version: 1
> > Created: 2021-08-27
> > Last-Modified: 2021-08-27
> > Post-History: 2021-08-27
> > Content-Type: text/x-rst
> Can you please reference all of your earlier proposals about changing
> the voting system, because this isn't the first time you've suggested
> it, and there have been prior suggestions by others as well.

Was there actually more than one? I didn't link it (or search for it)
because it's literally the same proposal, just in GLEP form.

Unless you mean the "community vote verification" which I considered to
be out of the scope. However, it's going to work the same with this
voting model.

>
> ...
> > The election process
> > --------------------
> >
> > Each election/referendum consists of the following steps:
> >
> > 1. A developer creates a new election/referendum. During this step,
> > the developer specifies whether the boundary dates for each election
> > phase, the voter list and the (potential) candidates.
> >
> > 2. If the nomination phase is applicable, the system accepts nominations
> > from the voters. Each nominated candidate is mailed about
> > the nomination, and given the explicit choice of accepting
> > or declining it. If the nomination is accepted, the candidate may
> > also upload a manifesto.
> >
> > 3. When the voting phase begins, the system creates random identifiers
> > for all voters. Each identifier is encrypted using the voter's PGP key
> > and sent via email to the voter. The voter-identifier mapping is
> > discarded immediately to reduce the risk of it leaking.
> What if each voter generates their OWN identifier (using tooling), and
> includes it in an encrypted ballot, such that it later winds up in the
> master ballot, where they can verify it...

I'm sorry but you need to spell this out slower because everything's
just encrypted and I can't decrypt it ;-).

>
> > If the nomination phase was enabled, the system also creates
> > the final candidate list from nominees who accepted their nomination.
> >
> > 4. Voters submit their votes using their random identifiers.
> Can you expand on this step more?
>
> If I send a mail to the gentoo.org email system, it must by definition
> contain somewhere:
> - my email address as the sender
> - my identifier
>
> If there's no encryption on the return mail, both details are
> potentially available to anybody in infra, which is one of the parties
> we want to block.
>

Nobody's talking about "return mail". In fact, the rationale section
suggests votes are submitted via HTTPS. This way in the worst case
Infra can grab the IP of the voter but again, they would also have to tamper
with the receiving script to get the vote along with it.

I suppose we could have people submit votes encrypted to the election
officials. Then I think this will eliminate the problem because Infra
will have access to the IP addresses of voters but not votes,
and election officials will only receive the final ballot.

--
Best regards,
Michał Górny
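As an added illustration of steps 3 and 4 of the proposed election process (random per-voter identifiers whose mapping to voters is discarded, votes keyed only by identifier) together with the master-ballot verification idea raised in the reply, here is a small Python simulation. It is not code from the pre-GLEP, from Gentoo infrastructure or from either author. PGP-encrypting each identifier to the voter is represented by a plain `deliver` callback, and two design points are assumptions of this example rather than statements of the GLEP: the system keeps the set of issued identifiers (but not who received which) so that it can reject ballots carrying unknown identifiers, and a second ballot with the same identifier replaces the first.

```python
"""Simulation of an identifier-based secret ballot (added example, not
Gentoo's election code).  What the server side ever holds is the set of
valid identifiers and the identifier -> choice ballots; no voter name is
stored next to a vote at any point."""
import secrets
from collections import Counter


def issue_identifiers(voters, deliver):
    """Step 3: mint a random identifier per voter and hand it over via
    `deliver(voter, identifier)` (stands in for a PGP-encrypted mail).
    Only the set of valid identifiers is returned; the voter -> identifier
    pairing exists solely inside the loop and is never stored."""
    valid = set()
    for voter in voters:
        ident = secrets.token_hex(16)   # 128 random bits: unguessable
        valid.add(ident)
        deliver(voter, ident)
    return valid


class BallotBox:
    """Step 4: accepts (identifier, choice) pairs over an authenticated
    channel (HTTPS in the GLEP's rationale) and publishes a master ballot."""

    def __init__(self, valid_identifiers, candidates):
        self._valid = set(valid_identifiers)       # assumption: kept for validation
        self._candidates = set(candidates)
        self._ballots = {}                         # identifier -> choice only

    def cast(self, identifier, choice):
        if identifier not in self._valid:
            return "rejected: unknown identifier"
        if choice not in self._candidates:
            return "rejected: unknown candidate"
        self._ballots[identifier] = choice         # assumption: re-vote replaces
        return "accepted"

    def master_ballot(self):
        """Published (identifier, choice) list, sorted by identifier so the
        order reveals nothing about submission time; each voter can look up
        their own identifier here to verify their vote was recorded."""
        return sorted(self._ballots.items())

    def tally(self):
        return Counter(self._ballots.values())


def verify_own_vote(master_ballot, identifier, expected_choice):
    """Voter-side check against the published master ballot."""
    return dict(master_ballot).get(identifier) == expected_choice


def run_election(voters, candidates, choices):
    """Drive the whole flow.  `choices` (voter -> candidate) and `mailboxes`
    (voter -> identifier) model the voters' side of the exchange; the
    BallotBox never sees either mapping."""
    mailboxes = {}
    valid = issue_identifiers(voters, deliver=lambda v, i: mailboxes.__setitem__(v, i))
    box = BallotBox(valid, candidates)
    for voter, choice in choices.items():
        box.cast(mailboxes[voter], choice)
    return box, mailboxes


if __name__ == "__main__":
    # Constructed sample data for a three-voter yes/no referendum.
    box, mailboxes = run_election(
        ["alice", "bob", "carol"], ["yes", "no"],
        {"alice": "yes", "bob": "no", "carol": "yes"})
    print(box.tally())
    print(verify_own_vote(box.master_ballot(), mailboxes["bob"], "no"))
```

The point of the split is visible in `run_election`: everything that could link a person to a vote (`mailboxes`, `choices`) lives on the voters' side of the simulation, while the `BallotBox`, which is what infrastructure operators could inspect, holds only identifiers and choices. Encrypting the submitted choice to the election officials, as the reply suggests, would additionally hide the choice itself from the ballot-receiving host; this example does not model that layer.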