RFC: anonymous voting system


Last year, it was decided in a referendum that the Foundation will use
an anonymous voting system. There was some discussion on how to do it,
but in the end, nobody wrote anything.

As the next elections (and a possible referendum) are just around the
corner, we had to act. So I wrote some (most probably ugly) code.

You can test the system here: http://vuntz.net/tmp/voting/

You can download the code here: http://vuntz.net/tmp/anonvoting.tgz

Please have a look at it. If you think it's done the wrong way, send me
patches, or a good implementation of an anonymous voting system. I don't
want to be stuck in discussions for months since nothing has happened
for months and we need something really soon now.

This is a web-based system. I didn't want to work with e-mails again
since there are a lot of problems when we process them (the script used
in the current system to count the votes processes mail and it's been a
big pain in the past).

Here's a quick summary of how it works:
  + The membership & elections committee sends a mail to the members
    containing an ID (the member's e-mail) and a token. This token
    is not anonymous.
  + The member goes to the website, logs in, chooses her vote and
    confirms her vote.
  + When the member confirms her vote, a new random token is generated.
    This token is only used to save the vote and is displayed to the
    member. There's no link between the member and this token.
  + The first non-anonymous token is removed so the member cannot
    vote twice.

Here's a quick summary of the limitations of this system:

  + Right now, users with access to the database can know who
    didn't vote.
    => This is fixable and I'll do it if people think it has to be

  + The initial token will be sent by mail to the members. Mail is not
    secure and it could be intercepted by anyone.
    => This is not different from what we have right now. Anonymous does
       not necessarily mean secure. While having something totally secure
       would be great, I believe we can do this later.

  + We probably won't have SSL for this system, so there could be some
    "attack" here too.
    => Same answer

  + You'll need to trust people with access to the database/code since
    they can do a lot of bad things.
    => You already trust the membership & elections committee and the
       gnome.org admins, don't you? :-) More seriously, this is again
       something that is not different from the current system.

If there's no big complaint about it, it will be the system that will be
used for the next vote.



Happy people are not in a hurry
