| 1 |
On Mon, 2021-08-30 at 05:23 +0000, Robin H. Johnson wrote: |
| 2 |
> On Sat, Aug 28, 2021 at 12:30:15PM +0200, Michał Górny wrote: |
| 3 |
> > Please review the following pre-GLEP. |
| 4 |
> Please don't take the rest of my mail as a dismissal, but rather as |
| 5 |
> considering how to protect Gentoo's voting system from any attack that I |
| 6 |
> feel I might even remotely have the system privilege level to conduct. |
| 7 |
> |
| 8 |
> I absolutely do want improvements to Gentoo's voting process, like I |
| 9 |
> said last year in mentioning mail-in ballot systems. |
| 10 |
> |
| 11 |
> > |
| 12 |
> > --- |
| 13 |
> > GLEP: 9999 |
| 14 |
> > Title: Secrecy-respecting voting mechanism for Gentoo projects |
| 15 |
> > Author: Michał Górny <mgorny@g.o> |
| 16 |
> > Type: Standards Track |
| 17 |
> > Status: Draft |
| 18 |
> > Version: 1 |
| 19 |
> > Created: 2021-08-27 |
| 20 |
> > Last-Modified: 2021-08-27 |
| 21 |
> > Post-History: 2021-08-27 |
| 22 |
> > Content-Type: text/x-rst |
| 23 |
> Can you please reference all of your earlier proposals about changing |
| 24 |
> the voting system, because this isn't the first time you've suggested |
| 25 |
> it, and there have been prior suggestions by others as well. |
| 26 |
|
| 27 |
Was there actually more than one? I didn't link it (or search for it) |
| 28 |
because it's literally the same proposal, just in GLEP form. |
| 29 |
|
| 30 |
Unless you mean the "community vote verification" which I considered to |
| 31 |
be out of the scope. However, it's going to work the same with this |
| 32 |
voting model. |
| 33 |
|
| 34 |
> |
| 35 |
> ... |
| 36 |
> > The election process |
| 37 |
> > -------------------- |
| 38 |
> > |
| 39 |
> > Each election/referendum consists of the following steps: |
| 40 |
> > |
| 41 |
> > 1. A developer creates a new election/referendum. During this step, |
| 42 |
> > the developer specifies whether the boundary dates for each election |
| 43 |
> > phase, the voter list and the (potential) candidates. |
| 44 |
> > |
| 45 |
> > 2. If the nomination phase is applicable, the system accepts nominations |
| 46 |
> > from the voters. Each nominated candidate is mailed about |
| 47 |
> > the nomination, and given the explicit choice of accepting |
| 48 |
> > or declining it. If the nomination is accepted, the candidate may |
| 49 |
> > also upload a manifesto. |
| 50 |
> > |
| 51 |
> > 3. When the voting phase beings, the system creates random identifiers |
| 52 |
> > for all voters. Each identifier is encrypted using voter's PGP key |
| 53 |
> > and sent via email to the voter. The voter-identifier mapping is |
| 54 |
> > discarded immediately to reduce the risk of it leaking. |
| 55 |
> What if each voter generates their OWN identifier (using tooling), and |
| 56 |
> includes it in an encrypted ballot, such that it later winds up in the |
| 57 |
> master ballot, where they can verify it... |
| 58 |
|
| 59 |
I'm sorry but you need to spell this out slower because everything's |
| 60 |
just encrypted and I can't decrypt it ;-). |
| 61 |
|
| 62 |
> |
| 63 |
> > If the nomination phase was enabled, the system also creates |
| 64 |
> > the final candidate list from nominees who accepted their nomination. |
| 65 |
> > |
| 66 |
> > 4. Voters submit their votes using their random identifiers. |
| 67 |
> Can you expand on this step more? |
| 68 |
> |
| 69 |
> If I send a mail to the gentoo.org email system, it must by definition |
| 70 |
> contain somewhere: |
| 71 |
> - my email address as the sender |
| 72 |
> - my identifier |
| 73 |
> |
| 74 |
> If there's no encryption on the return mail, both details are |
| 75 |
> potentially available to anybody in infra, which is one of the parties |
| 76 |
> we want to block. |
| 77 |
> |
| 78 |
|
| 79 |
Nobody's talking about "return mail". In fact, the rationale section |
| 80 |
suggests votes are submitted via HTTPS. This way in the worst case |
| 81 |
Infra can grab IP of the voter but again, they would also have to tamper |
| 82 |
with the receiving script to get the vote along with it. |
| 83 |
|
| 84 |
I suppose we could have people submit votes encrypted to the election |
| 85 |
officials. Then I think this will eliminate the problem because Infra |
| 86 |
will have access to the IP addresses of voters but not votes, |
| 87 |
and election officials will only receive the final ballot. |
| 88 |
|
| 89 |
-- |
| 90 |
Best regards, |
| 91 |
Michał Górny |
Archives