• DEP-16 Confidential votes

    From Timo Röhling@21:1/5 to All on Tue Apr 13 11:10:01 2021
    Hello everyone,

    in anticipation of the fact that the Debian project might conduct more confidential votes on General Resolutions in the future, I would like to reserve DEP-16 for an improved voting procedure for confidential votes.

    My official approval as DD is pending, so I cannot add my current draft
    to the Salsa repository yet.

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Timo Röhling@21:1/5 to All on Tue Apr 13 11:50:01 2021
    * Pierre-Elliott Bécue <peb@debian.org> [2021-04-13 11:19]:
    > I would rather not reserve any DEP for this right now. We actually don't
    > really know if any space for DEP text regarding secret voting will be
    > left out. The voting procedure is historically described extensively in
    > the Constitution, and no DEP will be able to override that.

    I was under the impression that DEPs are intended as a general way to
    discuss improvements for Debian in a somewhat formalized context,
    regardless how this is implemented eventually. Also, I want to clarify that
    the current protocol with hash pseudonyms for secret voting in DPL elections
    is not in the Constitution either, and my proposal only concerns that
    technical detail, not the voting system itself or the political side
    whether or not a secret vote should be held.

    If you still think that a DEP is not the appropriate place for this,
    I'll gladly put it elsewhere (I would be grateful for suggestions,
    though).

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Pierre-Elliott Bécue@21:1/5 to All on Tue Apr 13 11:30:02 2021
    On Tuesday 13 April 2021 10:55:33+0200, Timo Röhling wrote:
    > Hello everyone,
    >
    > in anticipation of the fact that the Debian project might conduct more
    > confidential votes on General Resolutions in the future, I would like to
    > reserve DEP-16 for an improved voting procedure for confidential votes.
    >
    > My official approval as DD is pending, so I cannot add my current draft
    > to the Salsa repository yet.
    >
    > Cheers

    I would rather not reserve any DEP for this right now. We actually don't
    really know if any space for DEP text regarding secret voting will be
    left out. The voting procedure is historically described extensively in
    the Constitution, and no DEP will be able to override that.

    Regards,

    --
    Pierre-Elliott Bécue
    GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
    It's far easier to fight for principles than to live up to them.


    --- SoupGate-Win32 v1
  • From Sam Hartman@21:1/5 to All on Tue Apr 13 15:40:02 2021
    "Timo" == Timo Röhling <timo@gaussglocke.de> writes:

    Timo> * Pierre-Elliott Bécue <peb@debian.org> [2021-04-13 11:19]:
    >> I would rather not reserve any DEP for this right now. We
    >> actually don't really know if any space for DEP text regarding
    >> secret voting will be left out. The voting procedure is
    >> historically described extensively in the Constitution, and no
    >> DEP will be able to override that.
    Timo> I was under the impression that DEPs are intended as a general
    Timo> way to discuss improvements for Debian in a somewhat
    Timo> formalized context, regardless how this is implemented
    Timo> eventually. Also, I want to clarify that the current protocol
    Timo> with hash pseudonyms for secret voting in DPL elections is not
    Timo> in the Constitution either, and my proposal only concerns that
    Timo> technical detail, not the voting system itself or the
    Timo> political side whether or not a secret vote should be held.

    I think a DEP is a fine thing to use if you like that.
    Honestly, I'd just stick a page in your salsa, but there's nothing wrong
    with a DEP if that's what you want to use.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adrian Bunk@21:1/5 to All on Tue Apr 13 18:20:02 2021
    On Tue, Apr 13, 2021 at 11:41:52AM +0200, Timo Röhling wrote:
    > ...
    > Also, I want to clarify that the current protocol with hash pseudonyms
    > for secret voting in DPL elections is not in the Constitution either
    > ...

    4.2.6 Votes are cast by email in a manner suitable to the Secretary.

    > If you still think that a DEP is not the appropriate place for this,
    > I'll gladly put it elsewhere (I would be grateful for suggestions,
    > though).

    It would sound like a good idea to me that a GR to change the
    constitution to make all votes secret should also add language
    like "in a verifiable way".

    Regarding technical details:
    What improvements do you have in mind?
    Will you be the person who implements them?
    Has this been discussed with the Project Secretary?

    > Cheers
    > Timo

    cu
    Adrian

  • From Timo Röhling@21:1/5 to All on Wed Apr 14 00:40:02 2021
    * Adrian Bunk [2021-04-13 19:08:14]:
    > What improvements do you have in mind?
    I would like to implement a cryptographic protocol that provides the
    same level of verifiability for secret votes as the currently used
    public votes. In particular, I would like to see some additional
    proof that the published hash values actually belong to eligible
    voters.

    > Will you be the person who implements them?
    I would like to be a part of that, but as I have no experience with the
    way that Devotee is currently set up, I can only discourage you from
    letting me anywhere near it without supervision.

    > Has this been discussed with the Project Secretary?
    No, mostly because I am acutely aware that cryptography is hard and I
    really would prefer to see some serious feedback first that I'm not
    making a fool of myself.

    I've put my initial draft on Salsa now:
    https://salsa.debian.org/-/snippets/540

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Russ Allbery@21:1/5 to timo@gaussglocke.de on Wed Apr 14 01:00:02 2021
    Timo Röhling <timo@gaussglocke.de> writes:

    > I would like to implement a cryptographic protocol that provides the
    > same level of verifiability for secret votes as the currently used
    > public votes. In particular, I would like to see some additional proof
    > that the published hash values actually belong to eligible voters.

    As Kurt mentioned (but buried in one of those debian-vote threads), take a
    look at Belenios if you aren't already familiar with it.

    https://www.belenios.org/

    It presumably would need some work to be usable for Debian votes due to
    needing integration with PGP signatures and our keyring, and unfortunately
    we can't use the really cool homomorphic encryption mode because we want
    to do Condorcet, but it otherwise seems like the right sort of direction.
    As a bonus, the developer is a member of the Debian project.

    I would rather an existing system like that, which has already undergone
    some cryptographic peer review, than for us to try to come up with
    something novel. Secure online voting is an insanely hard problem, and
    while we have enough unique conditions that we can probably relax the constraints that make it unsafe for general population political
    elections, there are still a lot of ways it can go wrong that are very inobvious.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

  • From Pierre-Elliott Béc@21:1/5 to All on Wed Apr 14 18:50:01 2021

    On 14 April 2021 00:51:31 GMT+02:00, Russ Allbery <rra@debian.org> wrote:
    > Timo Röhling <timo@gaussglocke.de> writes:
    >
    >> I would like to implement a cryptographic protocol that provides the
    >> same level of verifiability for secret votes as the currently used
    >> public votes. In particular, I would like to see some additional proof
    >> that the published hash values actually belong to eligible voters.
    >
    > As Kurt mentioned (but buried in one of those debian-vote threads), take a
    > look at Belenios if you aren't already familiar with it.
    >
    > https://www.belenios.org/
    >
    > It presumably would need some work to be usable for Debian votes due to
    > needing integration with PGP signatures and our keyring, and unfortunately
    > we can't use the really cool homomorphic encryption mode because we want
    > to do Condorcet, but it otherwise seems like the right sort of direction.
    > As a bonus, the developer is a member of the Debian project.
    >
    > I would rather an existing system like that, which has already undergone
    > some cryptographic peer review, than for us to try to come up with
    > something novel. Secure online voting is an insanely hard problem, and
    > while we have enough unique conditions that we can probably relax the
    > constraints that make it unsafe for general population political
    > elections, there are still a lot of ways it can go wrong that are very
    > inobvious.
    >
    > --
    > Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>


    +1

    If you wish to start a DEP on the matter Timo I am eager to grant you DEP16 as you asked. :)
    --
    Pierre-Elliott Bécue
    From my phone
  • From Timo Röhling@21:1/5 to All on Wed Apr 14 19:10:02 2021
    * Russ Allbery <rra@debian.org> [2021-04-13 15:51]:
    > As Kurt mentioned (but buried in one of those debian-vote threads), take a
    > look at Belenios if you aren't already familiar with it.
    > As a bonus, the developer is a member of the Debian project.
    I certainly wouldn't mind if Stephane were willing to help us setup
    a nifty e-voting solution and advise us on the best way to proceed.

    My main concern is that Belenios might actually be a bit too powerful
    (and therefore unnecessarily complex), because we do not need most of
    the strong privacy guarantees.

    Correct me if I am wrong, but as far as I understood it, we cannot avoid
    that *someone* in the project has the opportunity to connect ballots
    with voters (because someone has to administrate the registrar), unless
    we involve a third party in the credential generation. In that case, we
    might just as well bite the bullet and let the Secretary tally the votes
    just as it is done right now. And let's not forget that any server
    application we do not need to host is a server application that can't be hacked.

    Besides, I don't think we need to worry very much that the Secretary
    might leak individual voting behavior, because if a leak occurs, he or
    she will be the prime suspect pretty much instantly, which creates a
    powerful disincentive.

    With these assumptions, the current scheme using pseudonym hashes is
    almost good enough, it just lacks a way to prove that each pseudonym
    really matches with exactly one voter. That is a much simpler problem to
    solve: my proposal is basically an adaptation of the
    Chaum-Fiat-Naor protocol, which solves a related problem for blind
    signatures on money checks (to be precise, it is the part
    that convinces the signer that the data is correct without actually
    seeing the data).

    With all that being said and having made my case, I am open for any
    reasonably secure solution (including Belenios) that we can agree on,
    and I will help implement it if I can.

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

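The message above points to the cut-and-choose step of the Chaum-Fiat-Naor scheme as a way to convince a signer that hidden data is well formed. The sketch below is an added example, not part of the thread and not the draft on Salsa: it shows that step applied to hash pseudonyms with textbook RSA blind signatures. The pseudonym format, the toy key, every function name, and the assumption that the signer has already authenticated the requesting voter (for instance by a PGP-signed request) are illustrative assumptions.

```python
import hashlib
import math
import secrets

# Toy RSA key for the signer, built from two Mersenne primes (constructed,
# far too small for real use). All names and formats here are assumptions.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def pseudonym_for(election: str, voter: str, nonce: bytes) -> str:
    """Hash pseudonym bound to one election and one voter identity."""
    data = b"\x00".join([election.encode(), voter.encode(), nonce])
    return hashlib.sha256(data).hexdigest()


def digest(pseudonym: str) -> int:
    """Map a pseudonym into Z_N; the signature is over this value."""
    raw = hashlib.sha256(b"signed-pseudonym:" + pseudonym.encode()).digest()
    return int.from_bytes(raw, "big") % N


def make_candidate(election: str, voter: str) -> dict:
    """Voter side: one blinded pseudonym plus the secrets that open it."""
    nonce = secrets.token_bytes(16)
    r = 0
    while math.gcd(r, N) != 1:  # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    pseudonym = pseudonym_for(election, voter, nonce)
    blinded = digest(pseudonym) * pow(r, E, N) % N
    return {"nonce": nonce, "r": r, "pseudonym": pseudonym, "blinded": blinded}


class Signer:
    """Signer side: sees blinded values and only the openings it asks for."""

    def __init__(self, election: str, roll):
        self.election, self.roll = election, set(roll)
        self.issued, self.pending = set(), {}

    def challenge(self, voter: str, blinded: list) -> int:
        """Accept k blinded candidates and pick the one that stays closed."""
        if voter not in self.roll:
            raise PermissionError("not on the voter roll")
        if voter in self.issued:
            raise PermissionError("pseudonym already issued to this voter")
        if len(blinded) < 2:
            raise ValueError("need at least two candidates")
        keep = secrets.randbelow(len(blinded))
        self.pending[voter] = (list(blinded), keep)
        return keep

    def sign(self, voter: str, openings: dict) -> int:
        """Check every opened candidate, then blind-sign the closed one."""
        blinded, keep = self.pending.pop(voter)
        for i, value in enumerate(blinded):
            if i == keep:
                continue
            nonce, r = openings[i]
            pseudonym = pseudonym_for(self.election, voter, nonce)
            if digest(pseudonym) * pow(r, E, N) % N != value:
                raise ValueError(f"candidate {i} is not bound to {voter}")
        self.issued.add(voter)  # exactly one signed pseudonym per voter
        return pow(blinded[keep], D, N)


def verify(pseudonym: str, signature: int) -> bool:
    """Anyone can check a published pseudonym against the signer's key."""
    return pow(signature, E, N) == digest(pseudonym)


def obtain_pseudonym(signer: Signer, voter: str, k: int = 8, claimed=None):
    """Run the exchange for one voter. `claimed` (demo only) builds the
    candidates for a different identity so the signer's check fails."""
    cands = [make_candidate(signer.election, claimed or voter) for _ in range(k)]
    keep = signer.challenge(voter, [c["blinded"] for c in cands])
    openings = {i: (c["nonce"], c["r"]) for i, c in enumerate(cands) if i != keep}
    blind_sig = signer.sign(voter, openings)
    kept = cands[keep]
    # Remove the blinding factor: (m * r^e)^d * r^-1 = m^d mod N.
    return kept["pseudonym"], blind_sig * pow(kept["r"], -1, N) % N


if __name__ == "__main__":
    s = Signer("constructed-election", {"alice", "bob"})
    name, sig = obtain_pseudonym(s, "alice")
    print(name, verify(name, sig))
```

A voter who corrupts only one of the k candidates escapes detection with probability 1/k, so a deployment would pick k accordingly and would not let a rejected voter simply retry.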
  • From Timo Röhling@21:1/5 to All on Wed Apr 14 21:00:02 2021
    * Pierre-Elliott Bécue <peb@debian.org> [2021-04-14 18:44]:
    > If you wish to start a DEP on the matter Timo I am eager to grant you DEP16 as you asked. :)
    Yes, thank you!

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Stéphane Glondu@21:1/5 to All on Fri Apr 16 18:10:02 2021
    On 14/04/2021 at 18:57, Timo Röhling wrote:
    > I certainly wouldn't mind if Stephane were willing to help us setup
    > a nifty e-voting solution and advise us on the best way to proceed.

    I would be glad to help :-)

    > Correct me if I am wrong, but as far as I understood it, we cannot avoid
    > that *someone* in the project has the opportunity to connect ballots
    > with voters (because someone has to administrate the registrar), unless
    > we involve a third party in the credential generation.

    Indeed, in Belenios, the credential authority and the server have the
    opportunity to connect *encrypted* ballots with voters, but there is no
    known way to connect voters with their plaintext choices.

    > [...] the current scheme using pseudonym hashes is
    > almost good enough, it just lacks a way to prove that each pseudonym
    > really matches with exactly one voter. [...]

    This is difficult in general, but in Debian the voter list is public so
    I guess something can be done with logins and/or PGP keys.

    > With all that being said and having made my case, I am open for any
    > reasonably secure solution (including Belenios) that we can agree on,
    > and I will help implement it if I can.

    And I am open to make changes in Belenios if needed.


    Cheers,

    --
    Stéphane

  • From Timo Röhling@21:1/5 to All on Sun Apr 18 23:10:02 2021
    * Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
    > I would be glad to help :-)
    Great!

    >> With all that being said and having made my case, I am open for any
    >> reasonably secure solution (including Belenios) that we can agree on,
    >> and I will help implement it if I can.
    > And I am open to make changes in Belenios if needed.
    I'd like to raise two questions for debate:

    1. Do we want to retain the ability to vote openly?

    Obviously, open votes are more transparent, which is nice and very
    appropriate for many technical issues that we might vote on. On the
    other hand, most votes in Debian are DPL elections anyway.

    2. How much are we committed to the current process that works
    exclusively via email?

    Personally, I think that a structured HTML form is more accessible for
    screen readers than pure text ballots, and you can still make the web
    interface render nicely in a text browser such as Lynx or w3m.

    On the other hand, some people might have considerably less trust in
    their web browser than their email client.


    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Andrew M.A. Cater@21:1/5 to All on Sun Apr 18 23:50:01 2021
    On Sun, Apr 18, 2021 at 11:01:36PM +0200, Timo Röhling wrote:
    > * Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
    >> I would be glad to help :-)
    > Great!
    >
    >>> With all that being said and having made my case, I am open for any
    >>> reasonably secure solution (including Belenios) that we can agree on,
    >>> and I will help implement it if I can.
    >> And I am open to make changes in Belenios if needed.
    > I'd like to raise two questions for debate:
    >
    > 1. Do we want to retain the ability to vote openly?
    >
    > Obviously, open votes are more transparent, which is nice and very
    > appropriate for many technical issues that we might vote on. On the
    > other hand, most votes in Debian are DPL elections anyway.

    Yes, as far as possible. Agreed: most votes are the annual DPL election.

    > 2. How much are we committed to the current process that works
    > exclusively via email?
    >
    > Personally, I think that a structured HTML form is more accessible for
    > screen readers than pure text ballots, and you can still make the web
    > interface render nicely in a text browser such as Lynx or w3m.
    >
    > On the other hand, some people might have considerably less trust in
    > their web browser than their email client.


    No, please don't. We already have problems enough with HTML - a structured
    form would need to be fully accessible, secure, validated. A signed email
    is (relatively) more straightforward and has served us well for the last
    25 years.

    Just my 0.02 - but we're all probably getting well ahead of ourselves -
    having just had two votes, maybe we should not be changing the system immediately.

    Andy Cater


    > Cheers
    > Timo
    >
    > --
    > ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    > ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    > ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    > ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Thomas Goirand@21:1/5 to Andrew M.A. Cater on Mon Apr 19 00:20:01 2021
    On 4/18/21 11:01 PM, Timo Röhling wrote:
    > * Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
    >> I would be glad to help :-)
    > Great!
    >
    >>> With all that being said and having made my case, I am open for any
    >>> reasonably secure solution (including Belenios) that we can agree on,
    >>> and I will help implement it if I can.
    >> And I am open to make changes in Belenios if needed.
    > I'd like to raise two questions for debate:
    >
    > 1. Do we want to retain the ability to vote openly?
    >
    > Obviously, open votes are more transparent, which is nice and very
    > appropriate for many technical issues that we might vote on. On the
    > other hand, most votes in Debian are DPL elections anyway.

    I'd be very much for leaving the decision of open/close to our
    secretary, with most votes open, and the possibility for him to decide
    when it should be closed. I trust Kurt to do the right thing whenever a
    vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
    if most votes were staying open.

    > 2. How much are we committed to the current process that works
    > exclusively via email?
    >
    > Personally, I think that a structured HTML form is more accessible for
    > screen readers than pure text ballots, and you can still make the web
    > interface render nicely in a text browser such as Lynx or w3m.
    >
    > On the other hand, some people might have considerably less trust in
    > their web browser than their email client.

    Exactly. Web browsers are nasty beasts, with CVEs every month.

    I don't think the problem is the client though (even though I would
    prefer a signed mail, for the reasons Andrew wrote). The issue is
    probably more how the voting software is written, and its general
    principles (verifiability with optional anonymity comes to mind).

    On 4/18/21 11:22 PM, Andrew M.A. Cater wrote:
    > Just my 0.02 - but we're all probably getting well ahead of ourselves
    > having just had two votes, maybe we should not be changing the system
    > immediately.

    I respectively don't agree. The process *will* be long until we can
    change the voting system, so let's start the thinking now. It's fine for
    most DDs not to be involved in at least the brain-storming phase. Maybe
    we'll need another GR when we're ready, but that's probably far in the
    future.

    Cheers,

    Thomas Goirand (zigo)

  • From Kurt Roeckx@21:1/5 to Andrew M.A. Cater on Mon Apr 19 00:40:01 2021
    On Sun, Apr 18, 2021 at 09:22:38PM +0000, Andrew M.A. Cater wrote:

    > No, please don't. We already have problems enough with HTML - a structured
    > form would need to be fully accessible, secure, validated. A signed email
    > is (relatively) more straightforward and has served us well for the last
    > 25 years.

    Another option is that we have software in Debian that makes it
    easy to vote using email. For instance, we could have a tool that
    generates the data that needs to be mailed and have it in a format
    that's easy to send over email.


    Kurt

  • From Olek Wojnar@21:1/5 to timo@gaussglocke.de on Mon Apr 19 07:00:02 2021
    On Sun, Apr 18, 2021 at 5:08 PM Timo Röhling <timo@gaussglocke.de> wrote:


    > 1. Do we want to retain the ability to vote openly?


    Yes, options are always good. However, as I mentioned on Salsa[1], I think secret is the better default going forward. Confidentiality allows people
    to vote what they think instead of being pressured to vote a certain way.
    It prevents possible harassment. It prevents damaged relationships if
    people vote differently on contentious topics. It absolutely still gives
    people the freedom to publicly announce how they voted, if they choose to
    do so. Most of us in Debian take privacy very seriously, let's extend that
    to our votes as well.

    > Obviously, open votes are more transparent, which is nice and very
    > appropriate for many technical issues that we might vote on. On the
    > other hand, most votes in Debian are DPL elections anyway.


    I think that some of the most contentious issues I've seen in Debian have
    been technical issues. I absolutely think those should be confidential for
    the reasons above.

    > 2. How much are we committed to the current process that works
    > exclusively via email?


    Email is proven and robust. Kurt's suggestion of tools to facilitate it is
    a solid one.


    > On the other hand, some people might have considerably less trust in
    > their web browser than their email client.


    Yes, this. Not necessarily the browser itself but there are many more vulnerability points between the user and a final ballot. I'm happy to be convinced otherwise but that's my initial inclination.

    -Olek

    [1] https://salsa.debian.org/-/snippets/540#note_236214

  • From Olek Wojnar@21:1/5 to zigo@debian.org on Mon Apr 19 07:00:01 2021
    Hi zigo,

    On Sun, Apr 18, 2021 at 6:16 PM Thomas Goirand <zigo@debian.org> wrote:


    > I'd be very much for leaving the decision of open/close to our
    > secretary, with most votes open, and the possibility for him to decide
    > when it should be closed. I trust Kurt to do the right thing whenever a
    > vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
    > if most votes were staying open.


    Note that the RMS GR was, in fact, open. :)

    I respect Kurt's interpretation of the constitution and the reluctance to single-handedly interpret vague sections. I personally believe that "lists
    all the votes cast" (4.2.3) should be interpreted to mean "lists by hash"
    or another non-personally-identifying means. Perhaps that will need to be clarified in the constitution, one way or the other, in the future. My
    point is that Kurt's interpretation (as I understand it) is that all
    non-DPL votes are open. So I don't believe that Kurt would ever make the decision to have a confidential non-DPL vote. Kurt: please correct me if I misunderstand you!

    -Olek

  • From Kurt Roeckx@21:1/5 to Olek Wojnar on Mon Apr 19 09:10:02 2021
    On Sun, Apr 18, 2021 at 11:58:55PM -0400, Olek Wojnar wrote:
    > Hi zigo,
    >
    > On Sun, Apr 18, 2021 at 6:16 PM Thomas Goirand <zigo@debian.org> wrote:
    >
    >> I'd be very much for leaving the decision of open/close to our
    >> secretary, with most votes open, and the possibility for him to decide
    >> when it should be closed. I trust Kurt to do the right thing whenever a
    >> vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
    >> if most votes were staying open.
    >
    > Note that the RMS GR was, in fact, open. :)
    >
    > I respect Kurt's interpretation of the constitution and the reluctance to
    > single-handedly interpret vague sections. I personally believe that "lists
    > all the votes cast" (4.2.3) should be interpreted to mean "lists by hash"
    > or another non-personally-identifying means. Perhaps that will need to be
    > clarified in the constitution, one way or the other, in the future. My
    > point is that Kurt's interpretation (as I understand it) is that all
    > non-DPL votes are open. So I don't believe that Kurt would ever make the
    > decision to have a confidential non-DPL vote. Kurt: please correct me if I
    > misunderstand you!

    The only real difference between a secret and non-secret vote
    currently is knowing who voted what. In both cases a list of
    voters and a list of votes is published. Changing the interpretation
    that we don't publish who voted what would turn our non-secret
    vote into the same as a secret vote. I do not believe that was ever the
    intention. For every GR we have published who voted what.


    Kurt

  • From Thomas Goirand@21:1/5 to Olek Wojnar on Mon Apr 19 14:50:02 2021
    On 4/19/21 5:58 AM, Olek Wojnar wrote:
    > Hi zigo,
    >
    > On Sun, Apr 18, 2021 at 6:16 PM Thomas Goirand <zigo@debian.org> wrote:
    >
    >> I'd be very much for leaving the decision of open/close to our
    >> secretary, with most votes open, and the possibility for him to decide
    >> when it should be closed. I trust Kurt to do the right thing whenever a
    >> vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
    >> if most votes were staying open.
    >
    > Note that the RMS GR was, in fact, open. :)
    >
    > I respect Kurt's interpretation of the constitution and the reluctance
    > to single-handedly interpret vague sections. I personally believe that
    > "lists all the votes cast" (4.2.3) should be interpreted to mean "lists
    > by hash" or another non-personally-identifying means. Perhaps that will
    > need to be clarified in the constitution, one way or the other, in the
    > future. My point is that Kurt's interpretation (as I understand it) is
    > that all non-DPL votes are open. So I don't believe that Kurt would ever
    > make the decision to have a confidential non-DPL vote. Kurt: please
    > correct me if I misunderstand you!
    >
    > -Olek

    Yes, I agree with you. Thought my proposal was to change that fact (ie:
    change the constitution) so we can give more power to Kurt.

    Cheers,

    Thomas Goirand (zigo)

  • From Sam Hartman@21:1/5 to All on Mon Apr 19 15:20:01 2021
    "Timo" == Timo Röhling <timo@gaussglocke.de> writes:

    Timo> * Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
    >> I would be glad to help :-)
    Timo> Great!

    >>> With all that being said and having made my case, I am open for
    >>> any reasonably secure solution (including Belenios) that we can
    >>> agree on, and I will help implement it if I can.
    >> And I am open to make changes in Belenios if needed.
    Timo> I'd like to raise two questions for debate:

    Timo> 1. Do we want to retain the ability to vote openly?

    I thought you were focused on the voting mechanism not so much on the constitutional changes. I think this question belongs to that
    constitutional discussion. At least on debian-vote Russ and a number of
    people argued that we should move entirely to secret votes. Since we
    are acting as individuals, there's not really a need for votes to hold
    us accountable.


    Timo> 2. How much are we committed to the current process that works
    Timo> exclusively via email?

    Timo> Personally, I think that a structured HTML form is more
    Timo> accessible for screen readers than pure text ballots, and you
    Timo> can still make the web interface render nicely in a text
    Timo> browser such as Lynx or w3m.

    These days I think a web form is quite accessible, so I'm not sure accessibility is a big factor either way.

    I think the web will be more accessible for new developers.
    We see frustrations with the voting tools fairly regularly.

  • From Timo Röhling@21:1/5 to All on Mon Apr 19 16:40:03 2021
    * Sam Hartman <hartmans@suchdamage.org> [2021-04-19 07:03]:
    > I thought you were focused on the voting mechanism not so much on the
    > constitutional changes. I think this question belongs to that
    > constitutional discussion.
    It was not my intention to segue into the constitutional discussion, I was
    merely looking to enumerate requirements for the voting system.

    > At least on debian-vote Russ and a number of
    > people argued that we should move entirely to secret votes. Since we
    > are acting as individuals, there's not really a need for votes to hold
    > us accountable.
    As many available e-voting platforms are not really designed for open
    voting, this would certainly simplify things. I take it the question is far from
    being settled, though.

    Cheers
    Timo

    --
    ⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
    ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
    ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
    ⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

  • From Olek Wojnar@21:1/5 to zigo@debian.org on Mon Apr 19 19:20:02 2021
    On Mon, Apr 19, 2021, 08:45 Thomas Goirand <zigo@debian.org> wrote:


    > Yes, I agree with you. Thought my proposal was to change that fact (ie:
    > change the constitution) so we can give more power to Kurt.


    Ah, got it. Yes, I also agree with you that this would be a good thing. :)


