Re: Secret Ballots: How Secret

Holger Levsen <holger@layer-acht.org> writes:

> And furthermore & sadly this confirms my feeling that some want to push
> 'secret ballots' into Debian...

I'm not sure that I understand what you mean by this, I think.  We're
openly having a preliminary discussion of a GR to add secret ballots to
Debian, so yes, clearly some people want to have secret ballots in Debian.
That's the point of these discussions.  I think this is stating
dissatisfaction with how Sam phrased his reply, but regardless, the goal
is still to have an open discussion of all aspects of this.

I think you're opposed to secret ballots in Debian, but I'm not sure why,
or how you view the pluses and minuses.  I think you mentioned previously
that you're worried that it would create an appearance of a cabal, but I'm
not sure where that fear comes from.  Is it just not knowing who voted
which way, or is it verification that secret ballots actually came from
Debian Developers and only one per DD, or...?  Maybe it would be useful
for you to explain more about why you object, if you do.

For what it's worth, the reason why secret ballots are attractive to me is
via a "first do no harm" principle.  It's not unreasonable to fear
retaliation for votes with political ramifications on today's Internet and
in today's society, it's unlikely that Debian will be able to entirely
avoid votes with political ramifications as much as we'd all love to steer
past those shoals via consensus alone, and it feels very wrong to me that
anyone should have to fear voting honestly.  My default, when someone says
that something is a risk for them, is to believe them and try to help
reduce that risk.

That said, I am perhaps a bit less sanguine than Sam is about the efficacy
of the secret ballot verification process for DPL elections.  (If I had to
guess how many voters verified their ballots, I would say around 5%,
possibly less.  [*])  I'm a bit concerned that any scheme that doesn't
build the cryptographic verification into the process and instead relies
on people going out of their way to do verification is not going to be
widely verified, and therefore it does create new risk if some future
iteration of Debian has a less trustworthy secretary than we do today.  To
be clear, this is not a new risk; we're already living with this risk for
DPL elections and maybe this should be within my risk tolerance.  But it's
not as clearly within my risk tolerance as it is within Sam's.

[*] I do want to acknowledge, however, that having the *capability* for
    verification even if almost no one uses it routinely does provide real
    protection against shenanigans, since it means should anyone suspect
    shenanigans a bunch of people can go back and verify their votes even
    if they didn't initially, provided they retained the necessary

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
