Re: Debian Project Leader Election 2003 Results
Like Sam, I see no particular need for salt beyond the username.
However, I did notice a potential anonymity attack: the presence of
consistent partial voter lists and dummy tally sheets leaked some
information about which voters could have which hashes. (Batching
obviously alleviated this, but there were probably hours when very few
initial votes came in.)
One remedy would be not to post the list of who had voted until after
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger firstname.lastname@example.org (NOT a valid e-mail address) for more info.
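
The leak described in this message can be measured as an anonymity-set size per publication batch. The following is an added example, not part of the original message or of Debian's voting software; the snapshot format, voter names and hashes are constructed, and it assumes each voter contributes exactly one hash and that voter lists and tally sheets are published together.

```python
# Constructed snapshots, in publication order:
# (voter names listed so far, ballot hashes on the dummy tally sheet so far).
SNAPSHOTS = [
    ({"alice", "bob", "carol"}, {"h1", "h2", "h3"}),
    ({"alice", "bob", "carol", "dave"}, {"h1", "h2", "h3", "h4"}),
    ({"alice", "bob", "carol", "dave", "erin", "frank"},
     {"h1", "h2", "h3", "h4", "h5", "h6"}),
]


def candidate_sets(snapshots):
    """Map each voter to the set of hashes that could belong to them.

    A voter who first appears in snapshot i can only own a hash that
    also first appears in snapshot i, so the batch of new hashes is
    that voter's anonymity set.
    """
    seen_voters, seen_hashes = set(), set()
    result = {}
    for voters, hashes in snapshots:
        new_voters = voters - seen_voters
        new_hashes = frozenset(hashes - seen_hashes)
        if len(new_voters) != len(new_hashes):
            # Assumption violated (e.g. a re-vote); flag rather than guess.
            raise ValueError("voter/hash counts differ in a batch")
        for voter in new_voters:
            result[voter] = new_hashes
        seen_voters, seen_hashes = set(voters), set(hashes)
    return result


def min_anonymity(snapshots):
    """Smallest anonymity set over all voters (1 means fully linked)."""
    return min(len(h) for h in candidate_sets(snapshots).values())


def exposed_voters(snapshots, k=3):
    """Voters whose anonymity set is smaller than the threshold k."""
    sets = candidate_sets(snapshots)
    return sorted(v for v, h in sets.items() if len(h) < k)


if __name__ == "__main__":
    print("minimum anonymity set:", min_anonymity(SNAPSHOTS))
    print("voters below k=3:", exposed_voters(SNAPSHOTS))
```

Run over real publication intervals, a result of 1 identifies a quiet period in which a single vote arrived between two postings.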