Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have
open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details,
probably because secret and transparent voting is, well, impossible to
achieve fully, so this GR is bound to a similar fate as the 'publish debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

The vision of self driving cars is nothing compared to the vision of no cars
at all.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmIh7SsACgkQCRq4Vgaa qhzBeQ//cwylOdeflBVM3BZT5hp8JXNzd7QekP8GgtF69CIvRxdyF8HhxQ6B56YQ K7UGynCVhNMHoZkaRLNTuVK3K1fIZJBS6ySif99lOFGcBeT/HnvWOV61uMbOPUUo Fj6dkWtexc3cN8FTC1166NXVFVkxLVfzbTXjx4ih5qOsgr0AzOc0CAbWW/dgot10 hZd8mfkcEP0ZwtRhd9mea90yG/JtmP8140r5atJHRiSuVHX6d2VoinSKSO0BIdAr FylnELXgJNTLDui+Lm0GqVP5au3rSqcUpcTdpoatt82phWe9ox9/6Qnz6OJyAwWo o00Kg8Ob+fR9nVMRMxUouSy9SohOsXWkyUzZLQR3GaXfZkRYxJgOA5kihGJL4Yj/ 2ll2DRSYT30yo2mRqNJiWsJnkzoR6TYh+rfGfGDSO74Lpm7P36B+iU/Vtk/zgPhC SGBr8V4OsrFIUNSveubF2GWRg5Fu8ZXZAEh5/dvzkEsQzlyobrHxz4fievvMm7pR n0mD25zQA3S0qgBmw0W2NDAaI3wybDoBf6Wi8Yql5uTqNB2pcs61xghsN5UaC0bW C2c1qc4Nx58qmi27Ge9GEpg2I8X

On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have
open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, so this GR is bound to a similar fate as the 'publish debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment"
(following the new GR flow), I sponsor this.



If I were to add my thoughts: political GRs don't belong in Debian,
please take them elsewhere. For non-political votes there is no use
for private voting.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAmIh8fUACgkQCBa54Yx2 K61X6xAAnoOE8AI2orDt5v+AM13ROQNSfFu2CWwertpOnFpkR16XN0XcIPsHJ210 e29tfd2lOseDSAWr/i1jEmxtA9xAgp3qUOhgM9OGA2GJZxAV5NJ/siQDkPucxGmd FyCvHw5bcLLyg2kCs9uGQZVBZQQ/qeaUPzHGapP0Mqa1Apu6At9A2A7IjISn86cg eY3WKOJ+922H30MT7KDHavRYX6TDNfZBDBn5R1xYLe5/+5PAAu0DPrC38V0shgVp veaxTNxDSDqFMw14S3eSGq14hcKmUIM3yrTe1Ntzqlt43duTmCI6JPXlOc1FZKbU D2v+PYWIxAf+wYjzoF5/UyS60lkrobgEHlFAWVMPeJqzmDUAxfpx2HxPwGSppvrS sgERknSoruZUawx4APWTSZqI50XZBeSr0ezeJ5wCEZsFTnzaz8k+v0LgOJzXEXyF YRe0Q+AJWhz4e3pJOAIDt4b7TBDibjTCpLqVKNiBLtGYairvASxEGf8kWWDmapth +Z9tgIQGGktuhBqgRQPSvzkuNcGG8bQenuHDBv24vasEouT8ndG

On Fri, Mar 04, 2022 at 12:14:56PM +0100, Pierre-Elliott B�cue wrote:

Mattia Rizzolo <mattia@debian.org> wrote on 04/03/2022 at 12:03:22+0100:

[[PGP Signed Part:Signature made by expired key 0816B9E18C762BAD Mattia Rizzolo <mattia@mapreri.org> ]]
On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have >> open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details,
probably because secret and transparent voting is, well, impossible to
achieve fully, so this GR is bound to a similar fate as the 'publish
debian-private' vote, which was voted for and then was never implemented. >>
A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which >> is also why I explicitly want to see "keep the status quo" on the ballot, >> and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment" (following the new GR flow), I sponsor this.

If I were to add my thoughts: political GRs don't belong in Debian,
please take them elsewhere. For non-political votes there is no use
for private voting.

Is init systems GR a political GR?

I'm pretty sure some gave double thoughts before voting because of the shitstorm/flame that had happened before the vote.

Not only that, but also conflicts of interest involving an employer may
have influence over a non-political vote (or the willingness to vote).
This has been argued already it seems.

Bests,

--
Tiago

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

I think we can establish a limitation between "secret" and "wiser
secret". I can understand that making vote transparent and secret is
likely not possible. And I am not sure that it is the purpose. The
purpose is not to see displayed on a public website one name related to
a GR and a vote. In other words, while I dont think someone will do a
detailed investigation to know who voted what (most people just will not
want to spend energy for this), anyone, including with malicious
purpose, can visit a web page to see what I voted and do harasment then.
While I accept not to be in a full secret, as I am not afraid with
persons who can do harasment to spend so energy to find this info in a
deep server or via a hash or whatever, I am worry bif any mad guy can
see what I voted about a GR as I know the person will not hesitate to
attack me. Again, we have an example of this, of high flame, during RMS
GR, and while the most radical persons probably did not want to do deep investigations about voters, I think they were ready to visit a page and
go after voters. I dont know if it happent effectively, but given how
the vote happent with trials to disturb after the campaign time, it is possible.

The last thing which may justify a such ballot is the idea that "if you
dont want to see your name related to a vote, just dont vote, you dont
have to do it, you are free". this may be acceptable for political GRs,
but more a problem for ambiguous situations.

Hence the importance to make secret possible at least, if not general
and mandatory.

Jean-Philippe MENGUAL
Debian Developer non uploading
Community team member
Accessibility team member
debian-l10n-french team member
President of Debian France non-profit organization

Le 04/03/2022 à 12:41, Tiago Bortoletto Vaz a écrit :

On Fri, Mar 04, 2022 at 12:14:56PM +0100, Pierre-Elliott Bécue wrote:

Mattia Rizzolo <mattia@debian.org> wrote on 04/03/2022 at 12:03:22+0100:

[[PGP Signed Part:Signature made by expired key 0816B9E18C762BAD Mattia Rizzolo <mattia@mapreri.org> ]]
On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have >>>> open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, >>>> probably because secret and transparent voting is, well, impossible to >>>> achieve fully, so this GR is bound to a similar fate as the 'publish
debian-private' vote, which was voted for and then was never implemented. >>>>
A voting system which is transparent only to some, is undemocratic and >>>> will lead to few people in the know, which is diagonal to Debians goals >>>> of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which >>>> is also why I explicitly want to see "keep the status quo" on the ballot, >>>> and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment"
(following the new GR flow), I sponsor this.



If I were to add my thoughts: political GRs don't belong in Debian,
please take them elsewhere. For non-political votes there is no use
for private voting.

Is init systems GR a political GR?

I'm pretty sure some gave double thoughts before voting because of the
shitstorm/flame that had happened before the vote.

Not only that, but also conflicts of interest involving an employer may
have influence over a non-political vote (or the willingness to vote).
This has been argued already it seems.

Bests,

--
Tiago

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Mattia Rizzolo <mattia@debian.org> wrote on 04/03/2022 at 12:03:22+0100:

[[PGP Signed Part:Signature made by expired key 0816B9E18C762BAD Mattia Rizzolo <mattia@mapreri.org> ]]
On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have
open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details,
probably because secret and transparent voting is, well, impossible to
achieve fully, so this GR is bound to a similar fate as the 'publish
debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment" (following the new GR flow), I sponsor this.

If I were to add my thoughts: political GRs don't belong in Debian,
please take them elsewhere. For non-political votes there is no use
for private voting.

Is init systems GR a political GR?

I'm pretty sure some gave double thoughts before voting because of the shitstorm/flame that had happened before the vote.
--
PEB

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEE5CQeth7uIW7ehIz87iFbn7jEWwsFAmIh9OYPHHBlYkBkZWJp YW4ub3JnAAoJEO4hW5+4xFsLfi4P/1s5o4r7nYikuuIw4GfW2T9Le0w/Vdofr76o f2VV0J8fGb6SrL71yx4T55JKnjY1sQj0OICXNKdy8GggFdFUYmi0LABvIeb3/qPA RkTynXJ5hWyoOzCPxoBOsYbKz4YKpT3fzVs96Chp2Qjhu084Hj8kasX8YoGw2I5I VLMAbzjp/wKOI3mYK3/FF2QkPrZEC/lpCH9Ow4c7tRoZUwrmJjfpVTo3MrJA0j+M Y8V2Z+eZvqb1h2tYwhSU7llZRam6MJZW9G0xnaJEEGSUstYFkNk8V99RTtqb1d0D cXKnMNr7L3HYY59ZyTN0LasxbYKWrE/XqYCcBEvj5vvD5RCSoSVV/9tfBBZOguc7 N9uDg10XcEy9Ui8xk6nyHN2qHFTy11Xuz0Bw+bUVOvLu3C15VJSSqqcerown1P+X 0iP9fb9PzT9lMmpd4BbjvTgnM4FKumA+PDr4IIfqXTNaZPLjpUYUxQIwiadaLPZ3 2vD+kpIUTExrfpVx+G1YpsV33DmbyTxq8NMGPUeeiZhMrsVq6HD1MrVJ+W2gZO8D 8JuQGJwPB0P0UiUq3wbxTYhxM7HIeiGLgLPAT+T0sRDpQVrLRnSlgaSSKddd1HOr wwHOdtcffYNoCxBYooDa2q68OudlSzKqHNJtVH3yQLNJ/IBXDXsZkdMwG/4zYW4w
1t+49qgy
=wAM3
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Mar 04, 2022 at 12:03:22PM +0100, Mattia Rizzolo wrote:

On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have open and transparent voting, the project resolves to leave our voting system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, so this GR is bound to a similar fate as the 'publish debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot, and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment" (following the new GR flow), I sponsor this.

yes, that's what I ment, thanks. Do I need to resent my mail now with this change? :)


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

We live in a world where teenagers get more and more desperate trying to convince adults to behave like grown ups.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmIh89sACgkQCRq4Vgaa qhyEURAAsEjv2PvWA6WwJy/wBA90nn917fiZejEGqGRHGvQbydBo42UBS0o6KWSZ 0oe5JqxXFMHvWAqe0YBqQKv5mZLWr6R/dTRy1ZUuHFnx2iZ1yoGzi9Zpa5V3Q5n8 Sgg/uN+7JzK/9/1BWY537rKJP/rLjjuL8TSY25B5W+J5pf7ndOHJQPUptB+bxkLS uBB4jlJWDkX407Tuv16RXhnWEpQ/vCE8KNWaRW+dl8ZFvc/FL1wiXNfN825AU2nM Q0RbVMC8gb/1Q7YGFYX4HKpywroyASqOx8R1nXaRPqSx9qbrbzwyr8bNGZRjW6Rm G/x6WIEgZveSY9knD2ISYHhcqf3Rd/Lqcl7f4BVY8ukxa4fsbyF7X/zntsz9o8Yd v7pa8WZsa5WWX40oflM1MzTASAtk+0oCg9Apbes1pjrEfOpuLsr/JI0CdHo51zme em3w9x4N2FhVA6F+18EWfMTZyq+7AIGGiyXQs0BVnYVz2pSd0MzVCWMtJkFw+us3 yQvtu5vp0pQh/wS3RudSQL5jboVSJqcf1ridALLP3fiUS59+TLQC408pJM9BdBD

On Fri, Mar 04, 2022 at 06:41:54AM -0500, Tiago Bortoletto Vaz wrote:

On Fri, Mar 04, 2022 at 12:14:56PM +0100, Pierre-Elliott B�cue wrote:

I'm pretty sure some gave double thoughts before voting because of the shitstorm/flame that had happened before the vote.

This has been argued already it seems.

Yes, it's already been discussed, I doubt it needs to be discussed even
more here, and I surely don't want to.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAmIiAvAACgkQCBa54Yx2 K61PmA/+LYyaTNTRlPZVxtJSKjM9nuwTxKuEh9N+eStQa7aoK06c39lucWra3IgW +bqYzzDeu5i8ZyHDmx2fDoO+jDzHlUqewrnUONbtVWixsvrJznjVd84FTW9RU3Wm 0oH8WaIksLQsZ/VlFX6Dx26Hr9IPy73+xzpeEVrv3+nxgR2BhU0kibqR5zB7Jttw FNqytT50eG+GE/01VoY44O2bQyhmVru8kZ4a1sQ7QdFoiOkW6HI5qZeSczhJrUht qabES4adSPwBS1CORrM9BwhcHTxvF7QJ2y6vx3ojN8g67E/pCNvUmgD7Aj3Ec6wB +hBUunM8M2VE8xyvrkvperNbkNlc31wvJ80nsLjbp0Q5VmxTO+4bMsFpn/bSM0eA Z1vWjGx7HofjOcue0h22chGRtOdIafY1o4Y0gytICzUHARvFg0QB5WNF9+VmPbiD Qjw2QvPO/RqvmsXlrKGCO45UuVW8cAk+FC6NN6Mcyx2czjtu/zz8gsIuswcSjhKR uBcy28Hn/uc8/kHeNzpyHHubMpcepL24eLR+m+wYF3w9qsZp2lw

On Fri, Mar 04, 2022 at 12:14:56PM +0100, Pierre-Elliott Bécue wrote:

Is init systems GR a political GR?

yet there are people maintaining systemd and sysv in public.
so what's next, secret maintainers?


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

This is a pandemic, not a war. People keep dying even if you surrender.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmIiAtAACgkQCRq4Vgaa qhzF1Q/+MxcGRNEB6xVwYG4n39YWNCekE1ldF+DCISPcvRnsk6akjFOVDDKHytpk p1MfSE2bFGl1h5nesl/iDG/B62ZMm42osqHp2qcjo7IUyqfLGO4XXVDhE2F6PmU4 eN0NhLxDG4MT99fVcAxgrxY9BRmWwRHcL8IKjRmOw2CIEFPjjHY9xXGs9xvyZl0S HSu4D52cBQv5K1JjDiAGTOBqahvA3x/Av2tTURbMcAfrai+dVqZ1kRXQJ58PIC5B HYJBb3MNPtQTEncAZ7n0rfBMkaxzP/kBik158NpXMU4YiuobZgD8Vvir30ica+Cl 1ppERecodCgo9s2yRx9zlZt4GfdIGUN+KE10WrwKvZfVn0TV4QQdpgge24aSZccd c6XbOIeSbnSd8+MH19Aiq4yRL+sbsaqAsIm8/cDxnBJvjJXfqmXFK5cBrPOrO9rw z+5g6S+2/MnZYx5eMYxRZvOxrny/ltJ1Xx0oe6gefrevgpJTZPESz/Srf9cwQTaM Encjw2tRo8a+hSBhdtFVIHI2pFpnXBFNqhSJN5QQ0Kdqr9pxfa3bJMvHWxEn4nx/ WqymZYvJO9Smsf8Sp0cs9Vk3qE4llMPboJd8MZ14P

Holger Levsen <holger@layer-acht.org> writes:

On Fri, Mar 04, 2022 at 12:03:22PM +0100, Mattia Rizzolo wrote:

On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have >> > open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details,
probably because secret and transparent voting is, well, impossible to
achieve fully, so this GR is bound to a similar fate as the 'publish
debian-private' vote, which was voted for and then was never implemented. >> >
A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which >> > is also why I explicitly want to see "keep the status quo" on the ballot, >> > and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment"
(following the new GR flow), I sponsor this.

yes, that's what I ment, thanks. Do I need to resent my mail now with this change? :)

I sponsor this.

While I may not end up voting for it as my first option, I think it
deserves to be an explicit option, because I can imagine that no
super-majority emerges in this vote, and if that happens then we will be
able to draw rather different conclusions about the project consensus
depending upon whether this option comes above or below NotA (and by how
much).

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmIiBMQACgkQ0EujoAEl 1cDvdA//VsZhQi6vcaHXsDDf/dUswSnbEaxG8l0c8n7IgFASCh/O9iANQhn6BFv3 SJLAGoQe3CkGQh8HUzeKp/CycIaLGChsZoVvj0KFx1ifpsxVs68ouADaH5TAeVvK AdMPD8Nc2WkAc6jtwC32vsQc98x3b96UTcBuaxsBYOYXNECE2WHTnNjaNU4dDihe EUkeJiMpynamjyJxU30KN3sxNHFJZ6RW6Nfvj/dmbD629fvKQmDRUa5dfyGq5tZv yOC5q8U5V9SZDmOUvF8nJwfUva47JxBIkjZHUAq/u8s4dSHiDrd5QxnwLmmq4DdY /c1LkalIOsTdmr1Z3KEgby9XU/gTHgdNOlypzkxJsbqyQl5RPpN2vzDojdwdzzcd yMKCQ4S9PjCRp492smkhzaxN3BoQ68edxbNYzLTEvsh4G/IhtLZEZLdLy87Da0CL dm6toOABx2ODWndW5AsNhCL9KK/6pul1OkWr9+iF2rcpCkxnhuSwnqBpL1R29lSk fjkry+gC5R4QDRcqweyxEQ6JZkPPVL+YLShzdr+4coJrmM3puuM6VZ/PvSbQXg4i p+VZ8l+5B4gfETF+APEEY80yw91sM2T4ev5mwxl3xj3vjonYjHUt/Qi3k+zTxR4q 8Pu+q5hwme+1T72

El 04/03/22 a las 12:03, Mattia Rizzolo escribi�:

On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have open and transparent voting, the project resolves to leave our voting system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, so this GR is bound to a similar fate as the 'publish debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot, and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment" (following the new GR flow), I sponsor this.

I sponsor this ballot.

If I were to add my thoughts: political GRs don't belong in Debian,
please take them elsewhere. For non-political votes there is no use
for private voting.

I think technical is political. Giving freedom to software users is
political.
And I'd rather say we should avoid GRs involving individuals.

Cheeers,

-- S

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQRZVjztY8b+Ty43oH1itBCJKh26HQUCYiIHtQAKCRBitBCJKh26 HWorAP4tLa9MV541T+tVEVID4bvHkCt7ytLW5tBaTP6lRW1+HwEA12fPwl81ub4M GsddVxBniOumMeL9oxsmD08fbzWxcAI=
=DUCO
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Philip Hands: " Re: Reaffirm public voting" (Fri, 04 Mar 2022 13:23:32 +0100):

Holger Levsen <holger@layer-acht.org> writes:

On Fri, Mar 04, 2022 at 12:03:22PM +0100, Mattia Rizzolo wrote:

On Fri, Mar 04, 2022 at 10:42:51AM +0000, Holger Levsen wrote:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have >> > open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, >> > probably because secret and transparent voting is, well, impossible to >> > achieve fully, so this GR is bound to a similar fate as the 'publish
debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and >> > will lead to few people in the know, which is diagonal to Debians goals >> > of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which >> > is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

Assuming you meant this as "this ballot" instead of "this amendment"
(following the new GR flow), I sponsor this.

yes, that's what I ment, thanks. Do I need to resent my mail now with this change? :)

I sponsor this.

While I may not end up voting for it as my first option, I think it
deserves to be an explicit option, because I can imagine that no super-majority emerges in this vote, and if that happens then we will be
able to draw rather different conclusions about the project consensus depending upon whether this option comes above or below NotA (and by how much).

Cheers, Phil.

I sponsor this as well.


--

Mathias Behrle
PGP/GnuPG key availabable from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Mathias Behrle

iQIzBAEBCgAdFiEErCl+XEa50LYccXaB1tCb5IQFu/YFAmIiBq4ACgkQ1tCb5IQF u/bwaxAAixxGFbGzhb0ESB3jd0LWrULxbRWic+viuV6DR+PFathbpkFeUACqj9WY q8cc1rf9rOIgooXnPsfG+D7NauD+BO3rR+X8Psds1oawGWuigEwjMxP2Nbc+XuzG /Daxufg8XygomMblmlymZnx3jfPnK2wk1YGI4+FMpDHZ7JLvow/0L9oyxa27pnVj HnVOC+ArDQbqLFbZC5FuetinFePaLFXiFSEw3hI+V0ATJoL7nc+mlaEXIgV1qnqa BWIbCPEtorsVwtosv6K6lJDxaN3b/eQVvUwbgAyxkXfNa66r2PpbMOJ++bHkvyvT IwYh9lrXRLz0gavXepH0JnbrhmK+gQxB+P28X5vZa4YXOBb5XX5qE1ETd+2jfygP MYWdC6wmCO2uvrHIlIIrNb+/YbSVEeIqVg/pHXW/5EEysJFFWeBI0wMtYsGPYnn9 OzLbALlnkRojm0VXSR0GJg9wNPCg8FAaAJnBX3l2dDhCMGALoCF21d4FZrRwsQR8 5pXsVe7A8EV1zFX5UrHno4jZZ68oCiE92FIsdAOgSWkwQJFSnpYK70B9rY0W2FsU rEzOYrNyhOycEWADDGsTPqbAbwIzgYIZeyt0T/xHXnIcGJvQ2R/HkPYdok3LjcnD 8AEdsv9YabKsq8GlOpk4/Bfv8l4cWaZW/44GoXDUGqF1nFGvbkk=
=mTOb
-----END P

On 2022-03-04 13:15, Holger Levsen wrote:

On Fri, Mar 04, 2022 at 12:14:56PM +0100, Pierre-Elliott Bécue wrote:

Is init systems GR a political GR?

yet there are people maintaining systemd and sysv in public.

How is that relevant?

I'm neither a systemd nor sysv maintainer, but considering the grief
that some other non-maintainers got just for expressing that they favor systemd, I'd rather not vote at all if it's not secret.

You of all people should know this. You've spoken out against exactly
this kind of grief. You asked for a shield back then, and that's what
the people in favor of voting secrecy are asking for now.

Best,
Christian

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hello,

Le 04/03/2022 à 11:42, Holger Levsen a écrit :

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, [...]

It is possible to achieve some reasonable level of secrecy and
transparency (and verifiability)... it is an active research topic per
se. Belenios came out of this research, devotee-ng could also benefit
from this research.

Disclaimer: I am upstream of Belenios in my dayjob.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

I'm not sure what you mean here. From some point of view, TLS is also transparent "only to some", since very few people understand the
mathematics behind the crypto involved there. Yet, we don't promote
unsecured communications where a TLS-secured variant exists.


Cheers,

--
Stéphane

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Jean-Philippe MENGUAL dijo [Fri, Mar 04, 2022 at 01:08:33PM +0100]:

Hi,

I think we can establish a limitation between "secret" and "wiser
secret". I can understand that making vote transparent and secret is
likely not possible. And I am not sure that it is the purpose. The
purpose is not to see displayed on a public website one name related
to a GR and a vote.

An idea just floated to me :-) The reason our GRs are called General Resolutions and not, ahem, "votes" (except when we talk about them
informally or want to write in fewer characters) is IMO because Debian
works as a collective, where we held assemblies, and collectively
discuss, propose and choose among options.

Assemblies are often open (in real-world gatherings). People
argue. When it comes to voting, you know what to expect about most of
the people (those you know best, and those that did the arguing).

Votes come from electoral systems, from larger constituencies. The
stakes are different, yes, but the _participation style_ is also
different. And I think we should remain closer to an assembly than to
an electoral system.

Yes, Debian has grown a lot since our Constitution was
drafted. However, I joined in 2003, approximately where the amount of
DDs stabilized; we have been ~800-1100 people since then. The model
has worked decently for the past twenty years; we had two cases where
private voting could have allowed people to express their opinions
without fear of hate-mail, retaliation or somesuch (the FSF and the
systemd votes, both with a strong political rather than technical
component, even though systemd _is_ technical).

In other words, while I dont think someone will do a detailed
investigation to know who voted what (most people just will not want
to spend energy for this), anyone, including with malicious purpose,
can visit a web page to see what I voted and do harasment
then.

While I accept not to be in a full secret, as I am not afraid with
persons who can do harasment to spend so energy to find this info in
a deep server or via a hash or whatever, I am worry bif any mad guy
can see what I voted about a GR as I know the person will not
hesitate to attack me. Again, we have an example of this, of high
flame, during RMS GR, and while the most radical persons probably
did not want to do deep investigations about voters, I think they
were ready to visit a page and go after voters. I dont know if it
happent effectively, but given how the vote happent with trials to
disturb after the campaign time, it is possible.

Voting is a single-time action. If somebody is willing to harass
people with strong viewpoints... It's much easier IMO to go through
the mailing list archives and find who is more active, and not only
find their vote, but their full argumentation. Votes for the most part
_cannot_ really be private for the people most involved in a decision
if we are consistent with our argumentation.

Of course, you argue just the other way, that people will attack us
based on the vote tally. But we are talking -and you expressly
recognize it- about what _could_ happen, not about what _has_
happened.

The last thing which may justify a such ballot is the idea that "if you dont want to see your name related to a vote, just dont vote, you dont have to do it, you are free". this may be acceptable for political GRs, but more a problem for ambiguous situations.

Hence the importance to make secret possible at least, if not general and mandatory.

I agree votes should be "secretizable". But I really hope they don't
become mandatorily secret.

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQRgswk9lhCOXLlxQu/i9jtDU/RZiQUCYiJEPQAKCRDi9jtDU/RZ iR5mAQDRLThWMTyELr0ftsztf60geOU91N/81R8vbZDYXNG+/QEAx6EUjm543ah+ ql7jFTDZVLkE52W9fxtsRWi5fCH+qQ4=
=lpdF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I know Holger's and Bill's proposed options are prone to change and
merge, but I'll say it now and probably reaffirm it later:

I second this option.

While I prefer Harlan's, it has failed to gain sponsors, and I don't
want to risk the complete loss of public votes in Debian. I think the
status quo (all votes are public except for DPL votes) is much better
than the other proposals.

Holger Levsen dijo [Fri, Mar 04, 2022 at 10:42:51AM +0000]:

Reaffirm public voting
======================

Since we can either have secret and intransparent voting, or we can have
open and transparent voting, the project resolves to leave our voting
system as it is.

Rationale:

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, so this GR is bound to a similar fate as the 'publish debian-private' vote, which was voted for and then was never implemented.

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

I'm seeking sponsors for this amendment to the current GR.

--


-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQRgswk9lhCOXLlxQu/i9jtDU/RZiQUCYiJAIwAKCRDi9jtDU/RZ icwsAP0RWBiEiY1cH6gUTO81jHpa4hItK3dDrxuDfsku2prE7wEA3aRvkwOXdHsf SA1uPZjvtDJvcA6pxYEOl0Tq5z6wzwk=
=fF8g
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Mar 04, 2022 at 04:24:46PM +0100, St�phane Glondu wrote:

A voting system which is transparent only to some, is undemocratic and
will lead to few people in the know, which is diagonal to Debians goals
of openness and transparency.

I'm not sure what you mean here. From some point of view, TLS is also transparent "only to some", since very few people understand the
mathematics behind the crypto involved there. Yet, we don't promote
unsecured communications where a TLS-secured variant exists.

TLS is not a voting system, so it does not need to have the same
property to be useful.

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Mar 04, 2022 at 04:24:46PM +0100, St�phane Glondu wrote:

Hello,

Le 04/03/2022 � 11:42, Holger Levsen a �crit�:

The GR proposal for secret voting is silent on implenentation details, probably because secret and transparent voting is, well, impossible to achieve fully, [...]

It is possible to achieve some reasonable level of secrecy and
transparency (and verifiability)... it is an active research topic per
se. Belenios came out of this research, devotee-ng could also benefit
from this research.

Disclaimer: I am upstream of Belenios in my dayjob.

I have voted several time using Belenios. This is probably the most
advanced free software voting solution. This has been useful to lots
of organisation during the lockdown.

However I feel this GR is putting the cart before the horses.
Before voting for or against a new voting system, we need to experiment
with them and see how they can be made to fit Debian. The secrecy used
for DPL elections is too weak if the purpose is to protect against
contentious GR.

That is why my own ballot proposal just say to keep the vote as is for
the time being and to discourage non-technical contentious GR.

Cheers,
--
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Holger (2022.03.04_10:42:51_+0000)

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

If we were to have such an option on the ballot, my understanding of constitution 4.2.4 is that we'd have both "keep the status quo" and
"NOTA" as ballot options.

SR

--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------X01rDcSZFj9f1pahhx2A5xw9
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SSBzcG9uc29yIHRoZSBvcHRpb24gYmVsb3cuDQoNCkFtIDA0LjAzLjIyIHVtIDExOjQyIHNj aHJpZWIgSG9sZ2VyIExldnNlbjoNCj4gUmVhZmZpcm0gcHVibGljIHZvdGluZw0KPiA9PT09 PT09PT09PT09PT09PT09PT09DQo+IA0KPiBTaW5jZSB3ZSBjYW4gZWl0aGVyIGhhdmUgc2Vj cmV0IGFuZCBpbnRyYW5zcGFyZW50IHZvdGluZywgb3Igd2UgY2FuIGhhdmUNCj4gb3BlbiBh bmQgdHJhbnNwYXJlbnQgdm90aW5nLCB0aGUgcHJvamVjdCByZXNvbHZlcyB0byBsZWF2ZSBv dXIgdm90aW5nDQo+IHN5c3RlbSBhcyBpdCBpcy4NCj4gDQo+IFJhdGlvbmFsZToNCj4gDQo+ IFRoZSBHUiBwcm9wb3NhbCBmb3Igc2VjcmV0IHZvdGluZyBpcyBzaWxlbnQgb24gaW1wbGVu ZW50YXRpb24gZGV0YWlscywNCj4gcHJvYmFibHkgYmVjYXVzZSBzZWNyZXQgYW5kIHRyYW5z cGFyZW50IHZvdGluZyBpcywgd2VsbCwgaW1wb3NzaWJsZSB0bw0KPiBhY2hpZXZlIGZ1bGx5 LCBzbyB0aGlzIEdSIGlzIGJvdW5kIHRvIGEgc2ltaWxhciBmYXRlIGFzIHRoZSAncHVibGlz aA0KPiBkZWJpYW4tcHJpdmF0ZScgdm90ZSwgd2hpY2ggd2FzIHZvdGVkIGZvciBhbmQgdGhl biB3YXMgbmV2ZXIgaW1wbGVtZW50ZWQuDQo+IA0KPiBBIHZvdGluZyBzeXN0ZW0gd2hpY2gg aXMgdHJhbnNwYXJlbnQgb25seSB0byBzb21lLCBpcyB1bmRlbW9jcmF0aWMgYW5kDQo+IHdp bGwgbGVhZCB0byBmZXcgcGVvcGxlIGluIHRoZSBrbm93LCB3aGljaCBpcyBkaWFnb25hbCB0 byBEZWJpYW5zIGdvYWxzDQo+IG9mIG9wZW5uZXNzIGFuZCB0cmFuc3BhcmVuY3kuDQo+IA0K PiBBbmQgdGhlbiwgZWFybHkgMjAyMiBpcyBub3QgdGhlIHRpbWUgZm9yIHJ1c2hlZCBjaGFu Z2VzIGxpa2UgdGhpcywgd2hpY2gNCj4gaXMgYWxzbyB3aHkgSSBleHBsaWNpdGx5IHdhbnQg dG8gc2VlICJrZWVwIHRoZSBzdGF0dXMgcXVvIiBvbiB0aGUgYmFsbG90LA0KPiBhbmQgbm90 IG9ubHkgYXMgIk5PVEEiLCBidXQgYXMgYSByZWFsIG9wdGlvbi4NCj4gDQo+IEknbSBzZWVr aW5nIHNwb25zb3JzIGZvciB0aGlzIGFtZW5kbWVudCB0byB0aGUgY3VycmVudCBHUi4NCj4g DQo+IA0K

--------------X01rDcSZFj9f1pahhx2A5xw9--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9eLej9CS02N0etaYrrJTIyFwKMIFAmIjRXAACgkQrrJTIyFw KMLzLQ//a3PNxZfPwpnMepjkG8wqM1GN29wxfiQjqdi/ivNRmyvJtxRj4SJh+C0f +8tRldtzv4uQ/gBXXuVlOReSqg+TB7cFUcUbjlI7DfGwSHR20mrkRGCDA+aQxDdr 3IrvqNKsG6QgEGZxMrVkR0iihu4oQUMH8tSuCXgB5FYBMld6Cm2wWIuOlwNdGzW7 NELdl6F58NSfbMebARpXicUhVso0mQivX/HRvp+HRWw875NGIhSf16cX53Qg+ngk JS7w/0uFfzC7fYQLXgVz0E7Uf0FXrh7cBgELZ8JIJzRWVZsIoKUTZzo+x6tOpMzE bjacqKMIzaRIOtG0GCpCiMyxMROxTU238MF0xcR4PtA0KcDZT+OKPnWme6Rh01lb ngmpPodSXLuLchMwasAGZ8sXjDOhTYaxRE6POkwuRkh/CBnuyx1sXUjTNO1AK8v2 Z8Ne/KHSRtiatmt6VaVPJ3Airmy6VBL+fJaiPPwnLDhbeiUtCd+z6BM8j7eycQyB 9XXZ4nXJCt23cLFubAuXDvOwImO/x662y5GtelQuqUOfbb52/0eGPWlU0EHZkiWF G7GgCg1goF2wPnX0s/brKY8mTej67WLZN0t5tl+ct+tNOLWhPugqcA/tEwmvgn+2 px5VCQaQaRt6aAl6fjs2cHsKjwz7P//xVXx/mY9sprcK6lcAVsY=
=2ffm
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Stefano Rivera dijo [Fri, Mar 04, 2022 at 10:27:45PM +0000]:

Hi Holger (2022.03.04_10:42:51_+0000)

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot, and not only as "NOTA", but as a real option.

If we were to have such an option on the ballot, my understanding of constitution 4.2.4 is that we'd have both "keep the status quo" and
"NOTA" as ballot options.

It will make sense if they are ranked almost-equally then :-) Although
it is not impossible they will not, which might read as "we are happy
/ unhappy about this particular GR's background" or something like
that.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Holger Levsen <holger@layer-acht.org> writes:

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

We've been talking about secret votes for about nine months now, so I'm
not sure "rushed" is the word that you're looking for. Concretely, it's leaving me unclear what would make the change feel not rushed to you.

I understand if you are opposed to secret voting in general, but this
feels like a different objection than general opposition to the idea.

Could you be a bit clearer about what would make a proposal not rushed
(whether or not you would then support it)? Are you specifically asking
that we agree on the full details of implementation before passing a GR allowing for it? Or something else?

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 3/5/22 17:52, Russ Allbery wrote:

Holger Levsen <holger@layer-acht.org> writes:

And then, early 2022 is not the time for rushed changes like this, which
is also why I explicitly want to see "keep the status quo" on the ballot,
and not only as "NOTA", but as a real option.

We've been talking about secret votes for about nine months now, so I'm
not sure "rushed" is the word that you're looking for. Concretely, it's leaving me unclear what would make the change feel not rushed to you.

I understand if you are opposed to secret voting in general, but this
feels like a different objection than general opposition to the idea.

Could you be a bit clearer about what would make a proposal not rushed (whether or not you would then support it)? Are you specifically asking
that we agree on the full details of implementation before passing a GR allowing for it? Or something else?

Hi Russ,

Thanks for raising the topic. It's a way more difficult one than many
may think, so let's dive into it.

When considering a voting system, there are a few important things to
consider [1]:

1- vote-privacy: the fact that a particular voter voted in a particular
way is not revealed to anyone.
2- Receipt-freeness: a voter does not gain any information (a receipt)
which can be used to prove to a coercer that she voted in a certain way.
3- Coercion-resistance: a voter cannot cooperate with a coercer to prove
to him that she voted in a certain way.
4- Individual verifiability: a voter can check that her own ballot is
included in the election's bulletin board.
5- Universal verifiability: anyone can check that the election outcome corresponds to the ballots published on the bulletin board.
6- Eligibility verifiability: anyone can check that each vote in the
election outcome was cast by a registered voter and there is at most one
vote per voter.

If I understand well the problem, we can't have all of the above. That's technically not possible, with the current state of knowledge on earth.
I haven't read enough on the topic, but I believe that's the case. If
anyone has read more and would like to explain, please do...

The current proposal, if I understand well, is that we would like to
enforce 1- and 3-. I'm somewhat ok with it, but I very much value 4-, 5-
and 6- above 1-, 2- and 3-.

I am unsure about what Holger has in mind, but for me, yes, I do want to
know about the full details of implementation to make sure we have 4-,
5- and 6-, which we currently have with a fully public voting system.
Just voting on "I want my vote to be secret" without having any
information about the other properties is IMO completely silly and
looses the point.

Cheers,

Thomas Goirand (zigo)

[1] Taken from http://www.lsv.fr/Projects/anr-avote/RAPPORTS/deliv1-2.pdf

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Thomas Goirand <zigo@debian.org> writes:

When considering a voting system, there are a few important things to consider [1]:

1- vote-privacy: the fact that a particular voter voted in a particular
way is not revealed to anyone.
2- Receipt-freeness: a voter does not gain any information (a receipt)
which can be used to prove to a coercer that she voted in a certain way.
3- Coercion-resistance: a voter cannot cooperate with a coercer to prove
to him that she voted in a certain way.
4- Individual verifiability: a voter can check that her own ballot is included in the election's bulletin board.
5- Universal verifiability: anyone can check that the election outcome corresponds to the ballots published on the bulletin board.
6- Eligibility verifiability: anyone can check that each vote in the
election outcome was cast by a registered voter and there is at most one
vote per voter.

If I understand well the problem, we can't have all of the above. That's technically not possible, with the current state of knowledge on earth.
I haven't read enough on the topic, but I believe that's the case. If
anyone has read more and would like to explain, please do...

The current proposal, if I understand well, is that we would like to
enforce 1- and 3-. I'm somewhat ok with it, but I very much value 4-, 5-
and 6- above 1-, 2- and 3-.

I believe the current system gives us 4, 5, and 6 only, and the proposed initial implementation of using the same mechanism as DPL votes for all
GRs would give us 1 (partially), 4, 5, and 6. In other words, I think
it's additive with respect to your list because you do not lose 5 or 6
(all the rankings and all of the voters are published and you can do the
math yourself; you just don't have the association between rankings and people). It's possible that we could gain more properties from Belenios
or some other voting system that makes better use of cryptographic
primitives. The security tradeoff (which is not captured by your list) is
to rely more heavily on trust in the Project Secretary because 4 remains possible but becomes more complex (you have to check your hash rather than
just scrolling through the list and finding your name and your vote).

Both of our current voting mechanisms are somewhat vulnerable to injection
of votes by the Project Secretary or someone with administrative access to
the voting system supposedly from people listed as Debian Developers but
who are inactive and did not actually vote. The DPL election mechanism is probably somewhat more so because people are less inclined to review the
list of voters when their votes aren't listed as well, but the difference
feels minor to me. This is a challenging thing to defend against in
general.

In DPL elections, we get 1 only partially since the Project Secretary
still can, in theory, determine which voters voted a specific way (as can anyone else with privileged access to the machine that receives and
verifies the votes). This proposal would also only give us 1 partially.

I'm personally more interested in using something like Belenios than just replicating the DPL election scheme mostly because I'm unsure that the DPL election scheme has had sufficient security analysis and I'd prefer to see
us move onto the firmer footing of a voting system that's had a published rigorous analysis of its properties and I'm not aware of one for our
current DPL election system. (I would love to be corrected if one does
exist.) But I think there's a bit of a chicken and egg problem with experimenting with any other voting mechanism, and I'm not sure how we get started. Sam's GR is one way to get started that seems reasonable to me,
but I can see why people may disagree.

I am unsure about what Holger has in mind, but for me, yes, I do want to
know about the full details of implementation to make sure we have 4-,
5- and 6-, which we currently have with a fully public voting system. Just voting on "I want my vote to be secret" without having any information
about the other properties is IMO completely silly and looses the point.

Sam's GR intentionally leaves the details open to the Project Secretary to determine. I understand why people might object to that and would prefer
to require a GR for any change to the process. I just wouldn't
characterize that as "rushed" (it's a deliberate choice, and hasn't been
made in a hurry so far as I can tell), so wasn't sure if that was the
objection here or if there was something else I was missing.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Mar 05, 2022 at 11:42:03AM -0800, Russ Allbery wrote:

[...] Just

voting on "I want my vote to be secret" without having any information about the other properties is IMO completely silly and looses the point.

exactly.

Sam's GR intentionally leaves the details open to the Project Secretary to determine. I understand why people might object to that and would prefer
to require a GR for any change to the process.

Yes.

I just wouldn't
characterize that as "rushed" (it's a deliberate choice, and hasn't been
made in a hurry so far as I can tell), so wasn't sure if that was the objection here or if there was something else I was missing.

And I'd call this 'rushed' still. If someone promises foo without explaining how foo should be achieved and then a vote is held to mandate foo, I'd call this 'rushed'. Even if there has been talk about foo for a year, which btw,
by Debian standards, is not a long time.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

If a monkey hoarded more bananas than it could eat, while most of the other monkeys starved, scientists would study that monkey to figure out what the
heck was wrong with it. When humans do it, we put them on the cover of Forbes.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmIjwvQACgkQCRq4Vgaa qhxATA/7Bm29542UslCb56BH1aJ/YyRFDutkDAWw+3Jodo+YbLC2CHZN7hmT1AyH rKPToY5cyU2Uy+i9f9Nd93MBNabuFhtC/H0X/+RxZh9YssPjvb4sDts07fdylBj3 6FJeIO+6A+XfgNiw0QXFkVSfZm4nSlSSFn84YFM3xl/7lZSewH0Uc/K57NsxenZ5 Mxo8TEfArDj2jG9GCJbYBunpn1ZrONnbWsuH/RsUDqyMshmMwqKoHoK6E+xJxwQ0 QRC7YlhaZNdJ8Xmo8bTuWycKVDvYsTkbTfwhWfZKGBxxzIMyAn5rgbh/ykWmLEFu wx8apACZJo3OSOEVixoecPfPAYZNXFgWvuzYxZ0IenAnPbBmC6wB1hRs7McuLCcX NU50jBZBHjRUIaROQ1duiQGLNMQ4Pq9efjX1cIR2P4WwqoX8XAn/eYBWh09O4pnq
nRiiwASEPBGDK

On 3/5/22 21:07, Holger Levsen wrote:

And I'd call this 'rushed' still. If someone promises foo without explaining how foo should be achieved and then a vote is held to mandate foo, I'd call this 'rushed'. Even if there has been talk about foo for a year, which btw, by Debian standards, is not a long time.

I agree. With the current proposal, I would vote "further discussion".

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Timo Röhling <roehling@debian.org> writes:

* Thomas Goirand <zigo@debian.org>:

2- Receipt-freeness: a voter does not gain any information (a receipt)
which can be used to prove to a coercer that she voted in a certain way.

6- Eligibility verifiability: anyone can check that each vote in the
election outcome was cast by a registered voter and there is at most one
vote per voter.

Property 2 is violated if the vote is confirmed in a signed email like
the public votes (I can't say because I never participated in a DPL
election yet).

It is. Our current voting system makes no attempt at property 2.

Property 6 is violated, because you can trivially add arbitrary
ballots with random HMAC_SHA256_HEX values (unless the voter turnout
is 100%, which seems rather unlikely).

I'm not sure that I see this for DPL elections because we publish both the
list of votes and the list of voters. If those two lists aren't the same length, that's fairly trivially detectable.

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Thomas Goirand <zigo@debian.org>:

1- vote-privacy: the fact that a particular voter voted in a particular
way is not revealed to anyone.
2- Receipt-freeness: a voter does not gain any information (a receipt)
which can be used to prove to a coercer that she voted in a certain way.
3- Coercion-resistance: a voter cannot cooperate with a coercer to prove
to him that she voted in a certain way.
4- Individual verifiability: a voter can check that her own ballot is included in the election's bulletin board.
5- Universal verifiability: anyone can check that the election outcome corresponds to the ballots published on the bulletin board.
6- Eligibility verifiability: anyone can check that each vote in the
election outcome was cast by a registered voter and there is at most one
vote per voter.

* Russ Allbery <rra@debian.org>:

I'm personally more interested in using something like Belenios than just >replicating the DPL election scheme mostly because I'm unsure that the DPL >election scheme has had sufficient security analysis and I'd prefer to see
us move onto the firmer footing of a voting system that's had a published >rigorous analysis of its properties and I'm not aware of one for our
current DPL election system. (I would love to be corrected if one does >exist.)

That analysis is quickly done:

Property 1 holds contigent on the security of HMAC-SHA256
and discounting side channel attacks on the voting server itself.
[Technically, it's violated because the secretary can see all votes,
but I don't think that is a problem in our use-case.]

Property 2 is violated if the vote is confirmed in a
signed email like the public votes (I can't say because I never
participated in a DPL election yet).

Property 3 is violated because the HMAC key can be passed on.

Property 4 holds, as does property 5, because all ballots are
published with the corresponding HMAC_SHA256_HEX values.

Property 6 is violated, because you can trivially add arbitrary
ballots with random HMAC_SHA256_HEX values (unless the voter turnout
is 100%, which seems rather unlikely).

I'm also in favor of using a Belenios derivative, especially since
Stephane already agreed to help us adopt the system for Debian. We
can probably even reduce the complexity a bit because we can live
with a weakened form of property 1 (that is, the secretary may learn
the voting behavior of individual DDs).


Cheers
Timo

--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

-----BEGIN PGP SIGNATURE-----

iQGzBAABCgAdFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmIjyRIACgkQ+C8H+466 LVlWIQwAjsNvH+50HP0KcxIvnUnrvujFcf6kRLFDa0Q7cHo4QE8xnbcpeGru3F1f 1TI1O6kThREDZ3XtPWe3gN9BwX5sMZ8TFf5BNDLNBAJmj9t51kp6Q+BEZOSZN/vf Bn0rgZX3V2HCf8hIf6PZOuqnIHAel3yaS5b8jCJvMqWkB0qOh02ndehuTGl+tixP ar7WrEETkU1A5tpzN0JMUwArlctMGAeFeNQWlXtR0h4f7IZE23lgomCvP792X4wc Lpg9Zs7Fw/HYXQNf2nmRQasbeAwgqy1pDnGsRdVfWgQbmpiYYlbib89bNC8kasgM 9Yq8q+UAk7GNKGnuFlmtAsK4y3MBK79hgnX8qn7HC53

* Russ Allbery <rra@debian.org> [2022-03-05 12:39]:

I'm not sure that I see this for DPL elections because we publish both the >list of votes and the list of voters. If those two lists aren't the same >length, that's fairly trivially detectable.

You're right, I missed that when I looked at the election
results. In that case, the forger needs to map some voters who voted identically to the same HMAC_SHA256_HEX value, which means you need
to find collisions on the HMAC keys such that

H(uid1, K1) == H(uid2, K2)

I don't know how resistant HMAC-SHA256 is to this type of "chosen
key" attack.

Cheers
Timo


--
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯

-----BEGIN PGP SIGNATURE-----

iQGzBAABCgAdFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmIj0D8ACgkQ+C8H+466 LVmANgwAjPFsU/nG1aXn9rqKIElGqlVwwzCsOehcyCv98VRGTYzSq7ln1y4cRV9y NaNAsQZeQh+9t/L3fWn7i1UE3p7ypEPNbMqcv+LsFsOMJOJStHoRE1motiqqnf4v GmhpDNxLWuXMjj5XCEATnP/iv6CwRXOm0ePhoX5D7Xf+/LPpb8ocIlA+L2kewjLt FG0JVM/LO0pze4WW9mnNyXxl/rbUeHOvMebmbof2gmvlvBVvVjSpARJv+e39qgvL jvjG01k3zgmTzU3h/lJqsgf+LdfWRBXcTb45hGPoEH1YWuPi3O/gaoNyE85ad4Ro 8CKTyCSzzlH+CVZVuClzln9HA/do6u4iuRPW3euNcWF

On Sat, Mar 05, 2022 at 06:30:35PM +0100, Thomas Goirand wrote:

When considering a voting system, there are a few important things to consider [1]:

1- vote-privacy: the fact that a particular voter voted in a particular way is not revealed to anyone.
2- Receipt-freeness: a voter does not gain any information (a receipt) which can be used to prove to a coercer that she voted in a certain way.
3- Coercion-resistance: a voter cannot cooperate with a coercer to prove to him that she voted in a certain way.
4- Individual verifiability: a voter can check that her own ballot is included in the election's bulletin board.
5- Universal verifiability: anyone can check that the election outcome corresponds to the ballots published on the bulletin board.
6- Eligibility verifiability: anyone can check that each vote in the
election outcome was cast by a registered voter and there is at most one
vote per voter.

This paper about belenios covers some of that: https://hal.inria.fr/hal-02066930/document


Kurt

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)