I would rather not reserve any DEP for this right now. We actually don't >really know if any space for DEP text regarding secret voting will beI was under the impression that DEPs are intended as a general way to
left out. The voting procedure is historically described extensively in
the Constitution, and no DEP will be able to override that.
Hello everyone,
in anticipation of the fact that the Debian project might conduct more confidential votes on General Resolutions in the future, I would like to reserve DEP-16 for an improved voting procedure for confidential votes.
My official approval as DD is pending, so I cannot add my current draft
to the Salsa repository yet.
Cheers
"Timo" == Timo Röhling <timo@gaussglocke.de> writes:
...
Also, I want to clarify that
the current protocol with hash pseudonyms for secret voting in DPL elections is not in the Constitution either
...
If you still think that a DEP is not the appropriate place for this,
I'll gladly put it elsewhere (I would be grateful for suggestions,
though).
Cheers
Timo
What improvements do you have in mind?I would like to implement a cryptographic protocol that provides the
Will you be the person who implements them?I would like to be a part of that, but as have no experience with the
Has this been discussed with the Project Secretary?No, mostly because I am acutely aware that crytography is hard and I
I would like to implement a cryptographic protocol that provides the
same level of verifiability for secret votes as the currently used
public votes. In particular, I would like to see some additional proof
that the published hash values actually belong to eligible voters.
I would like to implement a cryptographic protocol that provides the
same level of verifiability for secret votes as the currently used
public votes. In particular, I would like to see some additional proof
that the published hash values actually belong to eligible voters.
As Kurt mentioned (but buried in one of those debian-vote threads), take a >look at Belenios if you aren't already familiar with it.
https://www.belenios.org/
It presumably would need some work to be usable for Debian votes due to >needing integration with PGP signatures and our keyring, and unfortunately
we can't use the really cool homomorphic encryption mode because we want
to do Condorcet, but it otherwise seems like the right sort of direction.
As a bonus, the developer is a member of the Debian project.
I would rather an existing system like that, which has already undergone
some cryptographic peer review, than for us to try to come up with
something novel. Secure online voting is an insanely hard problem, and
while we have enough unique conditions that we can probably relax the >constraints that make it unsafe for general population political
elections, there are still a lot of ways it can go wrong that are very >inobvious.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
As Kurt mentioned (but buried in one of those debian-vote threads), take a >look at Belenios if you aren't already familiar with it.I certainly wouldn't mind if Stephane were willing to help us setup
As a bonus, the developer is a member of the Debian project.
If you wish to start a DEP on the matter Timo I am eager to grant you DEP16 as you asked. :)Yes, thank you!
I certainly wouldn't mind if Stephane were willing to help us setup
a nifty e-voting solution and advise us on the best way to proceed.
Correct me if I am wrong, but as far as I understood it, we cannot avoid
that *someone* in the project has the opportunity to connect ballots
with voters (because someone has to administrate the registrar), unless
we involve a third party in the credential generation.
[...] the current scheme using pseudonym hashes is
almost good enough, it just lacks a way to prove that each pseudonym
really matches with exactly one voter. [...]
With all that being said and having made my case, I am open for any reasonably secure solution (including Belenios) that we can agree on,
and I will help implement it if I can.
I would be glad to help :-)Great!
I'd like to raise two questions for debate:With all that being said and having made my case, I am open for anyAnd I am open to make changes in Belenios if needed.
reasonably secure solution (including Belenios) that we can agree on,
and I will help implement it if I can.
* Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
I would be glad to help :-)Great!
I'd like to raise two questions for debate:With all that being said and having made my case, I am open for any reasonably secure solution (including Belenios) that we can agree on,And I am open to make changes in Belenios if needed.
and I will help implement it if I can.
1. Do we want to retain the ability to vote openly?
Obviously, open votes are more transparent, which is nice and very appropriate for many technical issues that we might vote on. On the
other hand, most votes in Debian are DPL elections anyway.
2. How much are we committed to the current process that works
exclusively via email?
Personally, I think that a structured HTML form is more accessible for
screen readers than pure text ballots, and you can still make the web interface render nicely in a text browser such as Lynx or w3m.
On the other hand, some people might have considerably less trust in
their web browser than their email client.
Cheers
Timo
--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯
* Stéphane Glondu <glondu@debian.org> [2021-04-16 17:12]:
I would be glad to help :-)Great!
I'd like to raise two questions for debate:With all that being said and having made my case, I am open for anyAnd I am open to make changes in Belenios if needed.
reasonably secure solution (including Belenios) that we can agree on,
and I will help implement it if I can.
1. Do we want to retain the ability to vote openly?
Obviously, open votes are more transparent, which is nice and very appropriate for many technical issues that we might vote on. On the
other hand, most votes in Debian are DPL elections anyway.
2. How much are we committed to the current process that works
exclusively via email?
Personally, I think that a structured HTML form is more accessible for
screen readers than pure text ballots, and you can still make the web interface render nicely in a text browser such as Lynx or w3m.
On the other hand, some people might have considerably less trust in
their web browser than their email client.
Just my 0.02 - but we're all probably getting well ahead of ourselves
having just had two votes, maybe we should not be changing the system immediately.
No, please don't. We already have problems enough with HTML - a structured form would need to be fully accessible, secure, validated. A signed email
is (relatively) more straightforward and has served us well for the last
25 years.
1. Do we want to retain the ability to vote openly?
appropriate for many technical issues that we might vote on. On the
other hand, most votes in Debian are DPL elections anyway.
exclusively via email?
On the other hand, some people might have considerably less trust in
their web browser than their email client.
I'd be very much for leaving the decision of open/close to our
secretary, with most votes open, and the possibility for him to decide
when it should be closed. I trust Kurt to do the right thing whenever a
vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
if most votes were staying open.
Hi zigo,
On Sun, Apr 18, 2021 at 6:16 PM Thomas Goirand <zigo@debian.org> wrote:
I'd be very much for leaving the decision of open/close to our
secretary, with most votes open, and the possibility for him to decide
when it should be closed. I trust Kurt to do the right thing whenever a vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
if most votes were staying open.
Note that the RMS GR was, in fact, open. :)
I respect Kurt's interpretation of the constitution and the reluctance to single-handedly interpret vague sections. I personally believe that "lists all the votes cast" (4.2.3) should be interpreted to mean "lists by hash"
or another non-personally-identifying means. Perhaps that will need to be clarified in the constitution, one way or the other, in the future. My
point is that Kurt's interpretation (as I understand it) is that all
non-DPL votes are open. So I don't believe that Kurt would ever make the decision to have a confidential non-DPL vote. Kurt: please correct me if I misunderstand you!
Hi zigo,
On Sun, Apr 18, 2021 at 6:16 PM Thomas Goirand <zigo@debian.org <mailto:zigo@debian.org>> wrote:
I'd be very much for leaving the decision of open/close to our
secretary, with most votes open, and the possibility for him to decide
when it should be closed. I trust Kurt to do the right thing whenever a
vote (like the RMS GR) needs to be closed. Otherwise, I very much prefer
if most votes were staying open.
Note that the RMS GR was, in fact, open. :)
I respect Kurt's interpretation of the constitution and the reluctance
to single-handedly interpret vague sections. I personally believe that "lists all the votes cast" (4.2.3) should be interpreted to mean "lists
by hash" or another non-personally-identifying means. Perhaps that will
need to be clarified in the constitution, one way or the other, in the future. My point is that Kurt's interpretation (as I understand it) is
that all non-DPL votes are open. So I don't believe that Kurt would ever
make the decision to have a confidential non-DPL vote. Kurt: please
correct me if I misunderstand you!
-Olek
"Timo" == Timo Röhling <timo@gaussglocke.de> writes:
I thought you were focused on the voting mechanism not so much on the >constitutional changes. I think this question belongs to thatIt was not my intention segue into the constitutional discussion, I was
constitutional discussion.
At least on debian-vote Russ and a number ofAs many available e-voting platforms are not really designed for open voting, this would certainly simplify things. I take it the question is far from
people argued that we should move entirely to secret votes. Since we
are acting as individuals, there's not really a need for votes to hold
us accountable.
Yes, I agree with you. Thought my proposal was to change that fact (ie: change the constitution) so we can give more power to Kurt.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 301 |
Nodes: | 16 (2 / 14) |
Uptime: | 215:17:42 |
Calls: | 6,744 |
Calls today: | 4 |
Files: | 12,272 |
Messages: | 5,369,118 |