From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-project <gentoo-project@lists.gentoo.org>
Cc: Gentoo Elections <elections@gentoo.org>,
infrastructure <infrastructure@gentoo.org>,
council <council@gentoo.org>, trustees <trustees@gentoo.org>
Subject: [gentoo-project] [RFC] vote.gentoo.org - a new voting frontend for Gentoo Elections
Date: Sat, 27 Jul 2019 08:21:54 +0200 [thread overview]
Message-ID: <d91bbdafe1390dc9b168fb0db7b334c8d87f29fe.camel@gentoo.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 3823 bytes --]
Hi,
(CC-ing all parties interested in technicals, plus main consumers)
I'd like to work on providing new web-based frontend for voting
in Gentoo elections. It would replace votify in the pipeline but
generate countify-compatible data, so the votes would still be counted
using old tooling.
Goals
=====
The goals for the new system would be to:
1. Improve privacy of votes by removing connection between voters
and their confirmation IDs ASAP (not storing them unencrypted
on permanent storage at all).
2. Unifying voting mechanism for developers and non-developers.
The latter currently vote by mail and get their votes manually hacked
into the system.
3. Removing dependency on dev.gentoo.org shell access for voting. This
is implied by 2. but should also support any future efforts of reducing
reliance on the single system in Infra.
4. Make it possible to use the system for unofficial elections (e.g.
team lead votes). Currently setting a vote up requires root privileges
on dev.g.o which is not really feasible.
Voter UX
========
The idea is based on using two tokens:
1. *Secret token* which is known only to the voter, and is used to
authenticate in order to cast/modify the vote.
2. *Voter ID* (formerly: confirmation ID) which is used to
pseudonymously identify the vote. While IDs themselves are public,
their association with a particular voter is known only to the voter.
Ideally, voter_id = KDF(secret_token), so the voter needs only to use
one of them while voting and the other will be implicit.
Before the election starts, election officials prepare a list of voters
containing their e-mail addresses and OpenPGP key fingerprints. They
run a script which creates tokens for all voters, encrypts them, then
mails them to voters. The flat list of voter IDs (without association
to voters) is then stored on the server.
During the voting period, voters visit a trivial web-form. They enter
their secret token in order to authenticate, and are presented with
a simple box to edit their vote. Once the vote is submitted, is it
saved using voter ID. The site also lets voter download a copy
of the vote for post-election verification.
I will also provide a trivial CLI app to preserve the old 'use my
favorite editor' voting experience.
Once the voting period is over, election official runs another script
that collects results and generates countify-compatible data. Then
votes can be counted on any system, using the old tooling and results
announced as usual.
Technical details
=================
I've been wondering what would be the best implementation. I had two
ideas in mind: either absolutely minimal scripting with SSH-based access
for election officials, or full-fledged webapp. It's important to avoid
low bus factor and follow KISS principle. Our experience shows that
maintenance of most of the custom webapps for Infra has become
a nightmare, so I think the former is a better option.
This means that webapp would be limited to the actual voting. It will
be written either in simple Python (without frameworks) or even bash.
Votes will be stored in plain text files.
Election officials will access the server via SSH. They will be
provided with a few scripts to do common things such as setting up
the election, generating tokens, mailing voters, collecting results.
For anything less common, they will have to edit files directly.
We will also provide SSH access to other devs who wish to set up
unofficial elections. Access to individual election will be controlled
by ownership/permissions, so regular devs won't be able to fiddle with
Council or Trustee elections.
Your comments
=============
What are your thoughts?
--
Best regards,
Michał Górny
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]
next reply other threads:[~2019-07-27 6:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-27 6:21 Michał Górny [this message]
2019-07-27 10:40 ` [gentoo-project] Re: [RFC] vote.gentoo.org - a new voting frontend for Gentoo Elections Roy Bamford
2019-07-27 11:18 ` Michał Górny
2019-08-09 5:49 ` Robin H. Johnson
2019-08-09 6:02 ` Michał Górny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d91bbdafe1390dc9b168fb0db7b334c8d87f29fe.camel@gentoo.org \
--to=mgorny@gentoo.org \
--cc=council@gentoo.org \
--cc=elections@gentoo.org \
--cc=gentoo-project@lists.gentoo.org \
--cc=infrastructure@gentoo.org \
--cc=trustees@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox