Source Mage Voting Policy

Note: several aspects of the Voting Policy are inspired by voting formats used by other F/OSS projects, most notably the Apache project. If you are unfamiliar with terms like '(non-)binding votes' or expressing a vote as '+/-1' and '+/-0', please refer to the Apache Voting Process for some general discussion, but keep in mind that only the usage explicitly described in this policy is valid for Source Mage.

General


Lead Developer votes


Project and Component Lead votes


Lead voting process


Issue voting process


Developer removal voting process


Veto process


Vote verification

Currently, the probst function is used to generate and/or verify hashes of votes.

The source code, written by Seth Woolley, is below:

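probst() {
  # pgpdump's text dump of the signed vote read on stdin.
  D="$(pgpdump -i)"
  # Suffixes: '' for the first vote, then 2, 3, ... for batched votes.
  for i in '' $(seq 2 1000) ; do
    # SHA-512 of dump + suffix, as one lowercase hex string without spaces.
    echo "$D$i" | gpg --print-md sha512 | tr -d '\n ' | tr '[A-F]' '[a-f]'
    echo
    # Stop after the suffix given as $1 (no argument: after the first hash).
    if [ "$1" = "$i" ]; then break; fi
  done
}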

To generate the hash, pipe the vote into this function. If you are batching your votes, pass it an optional argument of '', 2, 3, 4, etc. for how many votes are in the e-mail, and you'll get the same hash(es) the vote counter generates on his end.

Using a single hash for individual votes, even if batched, avoids hash analysis at the end of voting.

This proposal allows everybody to validate their votes on their own with the hash receipt, so we know the vote counter isn't messing with the votes.

If your messages are not clearsigned, but are detached/MIME signed, then you run this on the signature file that's created (with or without combined plaintext).

This isn't intended to prevent snooping on clearsigned messages. If you want that, please clearsign your vote, then encrypt it. It is important that you do this in two steps instead of "together" for now, because there's no way to "decrypt" just a message and not its signature if they were done together with GPG (using the gpg command-line tool). Doing it in two steps also means the auditors don't have to use the session key given to them by the vote counter to decrypt the single message: he can simply keep the decrypted messages together and sign+encrypt them over to the auditors as one unit. If you miss this part, he'll probably just ask you to resend it so he can properly send you a hash.

Note: for the function above you will need the pgpdump utility, which you can get by running cast pgpdump on an SMGL system.
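
The receipt check described above, comparing the hashes you compute yourself with the ones the vote counter sends back, can be scripted. This is an added example, not Source Mage code: the function names, the file names and the receipts file format (one hex hash per line) are assumptions, and sha512sum is used in place of `gpg --print-md sha512` (the digest is the same, only the formatting differs).

```sh
# Added example, not Source Mage code. Function names and the receipts file
# format (one hex hash per line) are assumptions made for illustration.

# sha512_hex: lowercase hex SHA-512 of stdin. Stands in for probst's
# `gpg --print-md sha512 | tr ...`: same digest, different formatting.
sha512_hex() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum
  else shasum -a 512; fi | cut -d' ' -f1
}

# receipt_hash DUMP SUFFIX: hash for one vote slot. SUFFIX is '' for the
# first vote in a mail, then 2, 3, ... exactly as in probst's loop.
receipt_hash() {
  printf '%s\n' "$1$2" | sha512_hex
}

# check_receipt DUMP COUNT RECEIPTS_FILE
# Prints one status line per slot and returns 0 only if every expected hash
# is a full line of RECEIPTS_FILE (case and stray blanks are ignored; a
# truncated hash never matches).
check_receipt() {
  cr_missing=0
  cr_n=1
  while [ "$cr_n" -le "$2" ]; do
    if [ "$cr_n" -eq 1 ]; then cr_suffix=''; else cr_suffix=$cr_n; fi
    cr_want=$(receipt_hash "$1" "$cr_suffix")
    if tr -d ' \t\r' < "$3" | tr 'A-F' 'a-f' | grep -qxF "$cr_want"; then
      echo "slot $cr_n: ok"
    else
      echo "slot $cr_n: MISSING"
      cr_missing=1
    fi
    cr_n=$((cr_n + 1))
  done
  return "$cr_missing"
}

# Constructed demo: a stand-in dump string and a receipt holding only the
# first of two batched votes, so slot 2 is reported MISSING (returns 1).
demo() {
  demo_dump='Old: Signature Packet(tag 2) [constructed sample text]'
  demo_file=$(mktemp)
  receipt_hash "$demo_dump" '' > "$demo_file"
  demo_rc=0
  check_receipt "$demo_dump" 2 "$demo_file" || demo_rc=$?
  rm -f "$demo_file"
  return "$demo_rc"
}
```

With the real tools, the dump argument would be the output of `pgpdump -i` on your signed vote, for example `check_receipt "$(pgpdump -i < vote.asc)" 1 receipts.txt`, where both file names are placeholders.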