| 1 |
On Sat, Aug 28, 2021 at 3:30 AM Michał Górny <mgorny@g.o> wrote: |
| 2 |
> |
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> Please review the following pre-GLEP. |
| 6 |
> |
| 7 |
> --- |
| 8 |
> GLEP: 9999 |
| 9 |
> Title: Secrecy-respecting voting mechanism for Gentoo projects |
| 10 |
> Author: Michał Górny <mgorny@g.o> |
| 11 |
> Type: Standards Track |
| 12 |
> Status: Draft |
| 13 |
> Version: 1 |
| 14 |
> Created: 2021-08-27 |
| 15 |
> Last-Modified: 2021-08-27 |
| 16 |
> Post-History: 2021-08-27 |
| 17 |
> Content-Type: text/x-rst |
| 18 |
> --- |
| 19 |
> |
| 20 |
> Abstract |
| 21 |
> ======== |
| 22 |
> |
| 23 |
> A new voting system is devised with the aim of providing a single voting |
| 24 |
> system for all Gentoo elections and votes. Automation is used to |
| 25 |
> eliminate the human bottleneck in processing the elections. Votes are |
| 26 |
> submitted via random identifers, and the identifiers are sent to voters |
| 27 |
> via encrypted e-mail to protect the vote secrecy. E-mail is used to |
| 28 |
> enable non-developer voters to participate. |
| 29 |
> |
| 30 |
> |
| 31 |
> Motivation |
| 32 |
> ========== |
| 33 |
> |
| 34 |
> The votify/countify tooling used to run Gentoo elections dates back |
| 35 |
> to 2005. While it still serves it purpose, it has grown antiquated |
| 36 |
> and is facing a few problems that are discouraging the developers from |
| 37 |
> using it. These are: |
| 38 |
> |
| 39 |
> The problems with the current tooling include: |
| 40 |
> |
| 41 |
> 1. The elections require a lot of manual setup and attention. This is |
| 42 |
> causing noticeable delays and can raise doubts about the validity |
| 43 |
> of elections. For example, voters can still submit or modify votes |
| 44 |
> after the deadline until the infra official collects them. |
| 45 |
> |
| 46 |
> 2. The vote secrecy is not respected properly. While the voting is |
| 47 |
> ongoing, the votes are stored in voters' home directories. Any |
| 48 |
> person with superuser access to dev.gentoo.org is capable of reading |
| 49 |
> the votes. Furthermore, there has been a case of votes being |
| 50 |
> accidentally disclosed to the mailing list by election officials. |
| 51 |
|
| 52 |
Why do you want secret elections? |
| 53 |
|
| 54 |
> |
| 55 |
> 3. Including non-developers as voters is cumbersome and potentially |
| 56 |
> violates the vote secrecy. In the past, it has been either done by |
| 57 |
> creating temporary accounts on dev.gentoo.org, or requiring the votes |
| 58 |
> to be sent openly via mail and therefore known to the election |
| 59 |
> officials. |
| 60 |
> |
| 61 |
> At this point, votify is practically used only for the Council |
| 62 |
> and Trustee elections. The late attempts of using it for the Base |
| 63 |
> System and Security project elections have resulted in a lot of |
| 64 |
> frustration from the developers participating. The vast majority of |
| 65 |
> project elections are currently run using third-party services or plain |
| 66 |
> mail votes. |
| 67 |
|
| 68 |
I'm not sure disclosing "frustration" is sufficient. If there was |
| 69 |
frustration (and FWIW I believe there was) it would be great to get |
| 70 |
some detail on the list. |
| 71 |
|
| 72 |
> |
| 73 |
> The goal of this GLEP is to propose a new voting system that meets |
| 74 |
> the expectations of developers better, and can be easily used to run |
| 75 |
> elections and referenda by Gentoo developers and projects. |
| 76 |
> |
| 77 |
> |
| 78 |
> Specification |
| 79 |
> ============= |
| 80 |
> |
| 81 |
> Requirements for the election system |
| 82 |
> ------------------------------------ |
| 83 |
> |
| 84 |
> The new election system should meet the following requirements: |
| 85 |
> |
| 86 |
> 1. Gentoo developers should be able to start a new election/referendum |
| 87 |
> without requesting manual attention of any other individuals. |
| 88 |
> |
| 89 |
> 2. The election system should cover the nomination phase if it is |
| 90 |
> applicable, providing the necessary automation to assemble the final |
| 91 |
> candidate list. |
| 92 |
> |
| 93 |
> 3. All deadlines should be enforced automatically, and results should |
| 94 |
> be published automatically as well. In particular, it must not be |
| 95 |
> possible to modify votes after the final deadline. |
| 96 |
> |
| 97 |
> 4. The secrecy of the votes must be protected to the best of ability. |
| 98 |
> This includes both associating a particular vote with a voter, |
| 99 |
> as well as determining whether a voter in question has cast a vote. |
| 100 |
> |
| 101 |
> 5. The system should make it easy for non-developers to cast a vote |
| 102 |
> on the same terms as developers. |
| 103 |
|
| 104 |
This seems like a fairly generic problem; are we not sure that a |
| 105 |
solution already exists? |
| 106 |
|
| 107 |
> |
| 108 |
> |
| 109 |
> The election process |
| 110 |
> -------------------- |
| 111 |
> |
| 112 |
> Each election/referendum consists of the following steps: |
| 113 |
> |
| 114 |
> 1. A developer creates a new election/referendum. During this step, |
| 115 |
> the developer specifies whether the boundary dates for each election |
| 116 |
> phase, the voter list and the (potential) candidates. |
| 117 |
> |
| 118 |
> 2. If the nomination phase is applicable, the system accepts nominations |
| 119 |
> from the voters. Each nominated candidate is mailed about |
| 120 |
> the nomination, and given the explicit choice of accepting |
| 121 |
> or declining it. If the nomination is accepted, the candidate may |
| 122 |
> also upload a manifesto. |
| 123 |
> |
| 124 |
> 3. When the voting phase beings, the system creates random identifiers |
| 125 |
> for all voters. Each identifier is encrypted using voter's PGP key |
| 126 |
> and sent via email to the voter. The voter-identifier mapping is |
| 127 |
> discarded immediately to reduce the risk of it leaking. |
| 128 |
> |
| 129 |
> If the nomination phase was enabled, the system also creates |
| 130 |
> the final candidate list from nominees who accepted their nomination. |
| 131 |
> |
| 132 |
> 4. Voters submit their votes using their random identifiers. |
| 133 |
> |
| 134 |
> 5. When the voting phase ends, the system publishes the results |
| 135 |
> and the master ballot. |
| 136 |
> |
| 137 |
> |
| 138 |
> Rationale |
| 139 |
> ========= |
| 140 |
> |
| 141 |
> In the proposed system, the whole election process is automated from |
| 142 |
> the point of creating the election, through nominations and voting |
| 143 |
> phases, to publishing the results. Any developer can easily start |
| 144 |
> an election without hitting a manpower bottleneck. This should make it |
| 145 |
> possible to use the new election system both for major elections such |
| 146 |
> as the Council elections, and small in-project elections and votes. |
| 147 |
> |
| 148 |
> The elections/votes can be either based on predefined candidate/option |
| 149 |
> list, or run a semi-automated nomination phase, to account for various |
| 150 |
> kinds of elections. |
| 151 |
> |
| 152 |
> The system is largely based on mail, making it possible to easily |
| 153 |
> include voters who are not developers. The most important mails are |
| 154 |
> PGP-encrypted to provide the necessary authentication for voters |
| 155 |
> and protect their secrecy. |
| 156 |
> |
| 157 |
> This GLEP does not enforce a specific UI to the voting system. |
| 158 |
> An example solution would be to provide a simple web-based UI to handle |
| 159 |
> nominations and cast votes, using URLs with random identifiers sent via |
| 160 |
> mail. Such a system would make it easy for non-developers |
| 161 |
> to participate. Creating and managing elections could be done locally |
| 162 |
> using scripts on dev.gentoo.org. |
| 163 |
> |
| 164 |
> As long as the underlying tooling is not tampered with, the system |
| 165 |
> protects the vote secrecy through use of random identifiers. |
| 166 |
> The association between a random identifiers and a voter name is |
| 167 |
> preserved only for the short time needed to encrypt the identifier |
| 168 |
> and send it via mail. Afterwards, the association is discarded. |
| 169 |
> |
| 170 |
> After the election concludes, the master ballot is published |
| 171 |
> and the voters can both verify the election results, and confirm that |
| 172 |
> their vote has been included in it. |
| 173 |
> |
| 174 |
> The system does not provide the ability to establish whether |
| 175 |
> a particular voter has cast a vote or not by design. This makes it |
| 176 |
> unsuitable for Trustee elections. |
| 177 |
> |
| 178 |
> |
| 179 |
> Backwards Compatibility |
| 180 |
> ======================= |
| 181 |
> |
| 182 |
> The new system can replace the use of votify script, with the exception |
| 183 |
> of Trustee elections that require the ability to determine who have |
| 184 |
> voted. However, there is no reason not to deploy it alongside the old |
| 185 |
> one. |
| 186 |
|
| 187 |
I'm currently a trustee; and I do not necessarily desire a secret |
| 188 |
election for board members; so I'm fine with not using this proposal |
| 189 |
for that. |
| 190 |
|
| 191 |
> |
| 192 |
> |
| 193 |
> Reference Implementation |
| 194 |
> ======================== |
| 195 |
> |
| 196 |
> Not complete. |
| 197 |
> |
| 198 |
> |
| 199 |
> Copyright |
| 200 |
> ========= |
| 201 |
> This work is licensed under the Creative Commons Attribution-ShareAlike |
| 202 |
> 3.0 |
| 203 |
> Unported License. To view a copy of this license, visit |
| 204 |
> https://creativecommons.org/licenses/by-sa/3.0/. |
| 205 |
> |
| 206 |
> |
| 207 |
> -- |
| 208 |
> Best regards, |
| 209 |
> Michał Górny |
| 210 |
> |
| 211 |
> |
| 212 |
> |
Archives