1 |
On Sat, Aug 28, 2021 at 3:30 AM Michał Górny <mgorny@g.o> wrote: |
2 |
> |
3 |
> Hi, |
4 |
> |
5 |
> Please review the following pre-GLEP. |
6 |
> |
7 |
> --- |
8 |
> GLEP: 9999 |
9 |
> Title: Secrecy-respecting voting mechanism for Gentoo projects |
10 |
> Author: Michał Górny <mgorny@g.o> |
11 |
> Type: Standards Track |
12 |
> Status: Draft |
13 |
> Version: 1 |
14 |
> Created: 2021-08-27 |
15 |
> Last-Modified: 2021-08-27 |
16 |
> Post-History: 2021-08-27 |
17 |
> Content-Type: text/x-rst |
18 |
> --- |
19 |
> |
20 |
> Abstract |
21 |
> ======== |
22 |
> |
23 |
> A new voting system is devised with the aim of providing a single voting |
24 |
> system for all Gentoo elections and votes. Automation is used to |
25 |
> eliminate the human bottleneck in processing the elections. Votes are |
26 |
> submitted via random identifers, and the identifiers are sent to voters |
27 |
> via encrypted e-mail to protect the vote secrecy. E-mail is used to |
28 |
> enable non-developer voters to participate. |
29 |
> |
30 |
> |
31 |
> Motivation |
32 |
> ========== |
33 |
> |
34 |
> The votify/countify tooling used to run Gentoo elections dates back |
35 |
> to 2005. While it still serves it purpose, it has grown antiquated |
36 |
> and is facing a few problems that are discouraging the developers from |
37 |
> using it. These are: |
38 |
> |
39 |
> The problems with the current tooling include: |
40 |
> |
41 |
> 1. The elections require a lot of manual setup and attention. This is |
42 |
> causing noticeable delays and can raise doubts about the validity |
43 |
> of elections. For example, voters can still submit or modify votes |
44 |
> after the deadline until the infra official collects them. |
45 |
> |
46 |
> 2. The vote secrecy is not respected properly. While the voting is |
47 |
> ongoing, the votes are stored in voters' home directories. Any |
48 |
> person with superuser access to dev.gentoo.org is capable of reading |
49 |
> the votes. Furthermore, there has been a case of votes being |
50 |
> accidentally disclosed to the mailing list by election officials. |
51 |
|
52 |
Why do you want secret elections? |
53 |
|
54 |
> |
55 |
> 3. Including non-developers as voters is cumbersome and potentially |
56 |
> violates the vote secrecy. In the past, it has been either done by |
57 |
> creating temporary accounts on dev.gentoo.org, or requiring the votes |
58 |
> to be sent openly via mail and therefore known to the election |
59 |
> officials. |
60 |
> |
61 |
> At this point, votify is practically used only for the Council |
62 |
> and Trustee elections. The late attempts of using it for the Base |
63 |
> System and Security project elections have resulted in a lot of |
64 |
> frustration from the developers participating. The vast majority of |
65 |
> project elections are currently run using third-party services or plain |
66 |
> mail votes. |
67 |
|
68 |
I'm not sure disclosing "frustration" is sufficient. If there was |
69 |
frustration (and FWIW I believe there was) it would be great to get |
70 |
some detail on the list. |
71 |
|
72 |
> |
73 |
> The goal of this GLEP is to propose a new voting system that meets |
74 |
> the expectations of developers better, and can be easily used to run |
75 |
> elections and referenda by Gentoo developers and projects. |
76 |
> |
77 |
> |
78 |
> Specification |
79 |
> ============= |
80 |
> |
81 |
> Requirements for the election system |
82 |
> ------------------------------------ |
83 |
> |
84 |
> The new election system should meet the following requirements: |
85 |
> |
86 |
> 1. Gentoo developers should be able to start a new election/referendum |
87 |
> without requesting manual attention of any other individuals. |
88 |
> |
89 |
> 2. The election system should cover the nomination phase if it is |
90 |
> applicable, providing the necessary automation to assemble the final |
91 |
> candidate list. |
92 |
> |
93 |
> 3. All deadlines should be enforced automatically, and results should |
94 |
> be published automatically as well. In particular, it must not be |
95 |
> possible to modify votes after the final deadline. |
96 |
> |
97 |
> 4. The secrecy of the votes must be protected to the best of ability. |
98 |
> This includes both associating a particular vote with a voter, |
99 |
> as well as determining whether a voter in question has cast a vote. |
100 |
> |
101 |
> 5. The system should make it easy for non-developers to cast a vote |
102 |
> on the same terms as developers. |
103 |
|
104 |
This seems like a fairly generic problem; are we not sure that a |
105 |
solution already exists? |
106 |
|
107 |
> |
108 |
> |
109 |
> The election process |
110 |
> -------------------- |
111 |
> |
112 |
> Each election/referendum consists of the following steps: |
113 |
> |
114 |
> 1. A developer creates a new election/referendum. During this step, |
115 |
> the developer specifies whether the boundary dates for each election |
116 |
> phase, the voter list and the (potential) candidates. |
117 |
> |
118 |
> 2. If the nomination phase is applicable, the system accepts nominations |
119 |
> from the voters. Each nominated candidate is mailed about |
120 |
> the nomination, and given the explicit choice of accepting |
121 |
> or declining it. If the nomination is accepted, the candidate may |
122 |
> also upload a manifesto. |
123 |
> |
124 |
> 3. When the voting phase beings, the system creates random identifiers |
125 |
> for all voters. Each identifier is encrypted using voter's PGP key |
126 |
> and sent via email to the voter. The voter-identifier mapping is |
127 |
> discarded immediately to reduce the risk of it leaking. |
128 |
> |
129 |
> If the nomination phase was enabled, the system also creates |
130 |
> the final candidate list from nominees who accepted their nomination. |
131 |
> |
132 |
> 4. Voters submit their votes using their random identifiers. |
133 |
> |
134 |
> 5. When the voting phase ends, the system publishes the results |
135 |
> and the master ballot. |
136 |
> |
137 |
> |
138 |
> Rationale |
139 |
> ========= |
140 |
> |
141 |
> In the proposed system, the whole election process is automated from |
142 |
> the point of creating the election, through nominations and voting |
143 |
> phases, to publishing the results. Any developer can easily start |
144 |
> an election without hitting a manpower bottleneck. This should make it |
145 |
> possible to use the new election system both for major elections such |
146 |
> as the Council elections, and small in-project elections and votes. |
147 |
> |
148 |
> The elections/votes can be either based on predefined candidate/option |
149 |
> list, or run a semi-automated nomination phase, to account for various |
150 |
> kinds of elections. |
151 |
> |
152 |
> The system is largely based on mail, making it possible to easily |
153 |
> include voters who are not developers. The most important mails are |
154 |
> PGP-encrypted to provide the necessary authentication for voters |
155 |
> and protect their secrecy. |
156 |
> |
157 |
> This GLEP does not enforce a specific UI to the voting system. |
158 |
> An example solution would be to provide a simple web-based UI to handle |
159 |
> nominations and cast votes, using URLs with random identifiers sent via |
160 |
> mail. Such a system would make it easy for non-developers |
161 |
> to participate. Creating and managing elections could be done locally |
162 |
> using scripts on dev.gentoo.org. |
163 |
> |
164 |
> As long as the underlying tooling is not tampered with, the system |
165 |
> protects the vote secrecy through use of random identifiers. |
166 |
> The association between a random identifiers and a voter name is |
167 |
> preserved only for the short time needed to encrypt the identifier |
168 |
> and send it via mail. Afterwards, the association is discarded. |
169 |
> |
170 |
> After the election concludes, the master ballot is published |
171 |
> and the voters can both verify the election results, and confirm that |
172 |
> their vote has been included in it. |
173 |
> |
174 |
> The system does not provide the ability to establish whether |
175 |
> a particular voter has cast a vote or not by design. This makes it |
176 |
> unsuitable for Trustee elections. |
177 |
> |
178 |
> |
179 |
> Backwards Compatibility |
180 |
> ======================= |
181 |
> |
182 |
> The new system can replace the use of votify script, with the exception |
183 |
> of Trustee elections that require the ability to determine who have |
184 |
> voted. However, there is no reason not to deploy it alongside the old |
185 |
> one. |
186 |
|
187 |
I'm currently a trustee; and I do not necessarily desire a secret |
188 |
election for board members; so I'm fine with not using this proposal |
189 |
for that. |
190 |
|
191 |
> |
192 |
> |
193 |
> Reference Implementation |
194 |
> ======================== |
195 |
> |
196 |
> Not complete. |
197 |
> |
198 |
> |
199 |
> Copyright |
200 |
> ========= |
201 |
> This work is licensed under the Creative Commons Attribution-ShareAlike |
202 |
> 3.0 |
203 |
> Unported License. To view a copy of this license, visit |
204 |
> https://creativecommons.org/licenses/by-sa/3.0/. |
205 |
> |
206 |
> |
207 |
> -- |
208 |
> Best regards, |
209 |
> Michał Górny |
210 |
> |
211 |
> |
212 |
> |