Subject: Re: [gentoo-project] Re: [RFC] vote.gentoo.org - a new voting frontend for Gentoo Elections
From: Michał Górny
To: gentoo-project@lists.gentoo.org
Cc: Gentoo Elections, infrastructure, council, trustees
Date: Sat, 27 Jul 2019 13:18:49 +0200
Organization: Gentoo
List-Id: Gentoo Project discussion list

On Sat, 2019-07-27 at 11:40 +0100, Roy Bamford wrote:
> On 2019.07.27 07:21, Michał Górny wrote:
> > Hi,
> >
> > (CC-ing all parties interested in technicals, plus main consumers)
> >
> > I'd like to work on providing new web-based frontend for voting
> > in Gentoo elections.  It would replace votify in the pipeline but
> > generate countify-compatible data, so the votes would still be counted
> > using old tooling.
> >
> >
> > Goals
> > =====
> > The goals for the new system would be to:
> >
> > 1. Improve privacy of votes by removing connection between voters
> > and their confirmation IDs ASAP (not storing them unencrypted
> > on permanent storage at all).
> >
> > 2. Unifying voting mechanism for developers and non-developers.
> > The latter currently vote by mail and get their votes manually hacked
> > into the system.
> >
> > 3. Removing dependency on dev.gentoo.org shell access for voting.  This
> > is implied by 2. but should also support any future efforts of reducing
> > reliance on the single system in Infra.
> >
> > 4. Make it possible to use the system for unofficial elections (e.g.
> > team lead votes).  Currently setting a vote up requires root privileges
> > on dev.g.o which is not really feasible.
> >
>
> 5. Election Officials shall have a means to determine the voter turnout
> from time to time while the election is in progress.
>
> Today, it's carried out by the -infra contact and publicised in reminders
> to vote, IRC channel topics etc

Oh, I thought those mails are directed to all listed officials for
an election and assumed this is nothing new to solve.  Sure, this is
entirely feasible.

>
> [snip]
>
> > Before the election starts, election officials prepare a list of voters
> > containing their e-mail addresses and OpenPGP key fingerprints.
> > They run a script which creates tokens for all voters, encrypts them, then
> > mails them to voters.
>
> How do we deal with expired public keys?

When token mails are generated GPG automatically verifies whether keys
are usable.  As a result, if someone has an expired key, the script
explicitly notes it and returns an error.

>
> Devs get a warning at commit time before their key expires. Non devs
> will not be permitted (by gpg) to sign a ballot with an expired key.
> Here, the election officials' script will be attempting to make use of
> expired keys.
>
> I can see another requirement ...
> 6. At the record date for any election, voters' public keys shall be
> checked for validity until at least the end of the voting period.
>
> That will give election officials time to remind the electorate to fix
> their keys.

You can't sign votes using your key, as this kills the privacy
requirement.  Instead, we rely on secret token mails being encrypted
using voter's key.  Key only needs to be valid at encryption time,
as you can decrypt messages from the past ;-).

-- 
Best regards,
Michał Górny
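
Both checks raised in this exchange (a key usable when the token mail is encrypted, and a key valid through the end of the voting period) can be read from GnuPG's colon-delimited key listing. The following is an added example, not the election tooling or code from this thread; the key records, fingerprints and both timestamps are constructed, and the expiry field is assumed to hold epoch seconds.

```python
# Constructed `gpg --with-colons --list-keys` records (not real keys).
# Field 2 = validity, 7 = expiry (epoch seconds assumed), 12 = capabilities.
SAMPLE = "\n".join([
    "pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:",
    "fpr:::::::::" + "A" * 40 + ":",
    "sub:-:4096:1:AAAAAAAAAAAAAAA1:1500000000:1577836800:::::e:",
    "pub:e:4096:1:BBBBBBBBBBBBBBBB:1400000000:1561939200::-:::sc:",
    "fpr:::::::::" + "B" * 40 + ":",
    "sub:e:4096:1:BBBBBBBBBBBBBBB1:1400000000:1561939200:::::e:",
    "pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC:",
    "fpr:::::::::" + "C" * 40 + ":",
    "sub:-:4096:1:CCCCCCCCCCCCCCC1:1500000000:1564963200:::::e:",
])
UNUSABLE = {"r", "d", "i", "n"}   # revoked, disabled, invalid, not valid
MAIL_TIME = 1564185600            # 2019-07-27 00:00 UTC (hypothetical)
VOTING_END = 1565827200           # 2019-08-15 00:00 UTC (hypothetical)

def parse_keys(colons):
    """Map primary fingerprint -> [(validity, expiry, caps), ...], primary first."""
    keys, records = {}, None
    for f in (line.split(":") for line in colons.splitlines()):
        if f[0] == "pub":
            records = []          # fingerprint arrives on the next fpr record
        if f[0] in ("pub", "sub") and records is not None:
            records.append((f[1], int(f[6]) if f[6] else None, f[11]))
        elif f[0] == "fpr" and records is not None and len(records) == 1:
            keys[f[9]] = records  # first fpr after pub is the primary's
    return keys

def live(rec, when):
    validity, expiry, _ = rec
    return validity not in UNUSABLE and (expiry is None or expiry > when)

def can_encrypt_at(records, when):
    """True if the primary is live and some (sub)key with 'e' capability is live."""
    return live(records[0], when) and any("e" in r[2] and live(r, when) for r in records)

def check_voters(colons, fingerprints, mail_time, voting_end):
    keys, report = parse_keys(colons), {}
    for fpr in fingerprints:
        recs = keys.get(fpr)
        if recs is None:
            report[fpr] = "no key"
        elif not can_encrypt_at(recs, mail_time):
            report[fpr] = "unusable at mail time"
        elif not can_encrypt_at(recs, voting_end):
            report[fpr] = "expires before voting ends"
        else:
            report[fpr] = "ok"
    return report
```

Expiry is compared against the supplied times rather than trusting the `e` validity flag, because that flag only reflects the moment the listing was produced.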