Write cli tally output to database
Closed, Resolved · Public

Description

Whenever you tally with ./cli/tally.php, the result gets output to your terminal and nowhere else. Write it to the database like the job does so that the output page can read it even if it didn't instantiate the request.

Event Timeline

@Niharika @jrbs Just a note, I believe once the results are written to the database they will be visible in the dump file.

If the election does not have the voter-privacy property set, this dump file is visible to anyone.

Before we do this ticket, we might want to decide whether we want to:

  1. Remove the results from the dump file (like was done with the private key in T288924), or
  2. Rely on the election admins to appropriately set the voter-privacy property when creating an election

I think this is by design - the dump file is intended to be publicly available, iirc. Is there any sensitive information in the dump file beyond the private key?

As of Tim's ticket, the key is no longer available in dumps generated from the UI. Whether or not we want a dump to exist is a different issue. fwiw, if the election is encrypted, the dump is full of encrypted ballots without the encryption key. If the election isn't encrypted, the dump shows the anonymized ballots.

Change 713933 had a related patch set uploaded (by STran; author: STran):

[mediawiki/extensions/SecurePoll@master] Write results of cli tally to the database

https://gerrit.wikimedia.org/r/713933

After this change, the election results will be available in the dump file after the CLI tally has been run. I don't know whether or not you want people to be able to see this.

To clarify, your concern is that the results are potentially visible between decryption and posting? We will be decrypting the results at most a few hours before they're posted, so the window of opportunity for them to be leaked is pretty small. Though I may be misunderstanding the concern here. It might be that I also don't fully grok how the decryption is going to happen. But overall I don't believe there is a risk in making the results public especially since we'll be posting them to wiki soon after they're scrutinised.

Yep, that is correct. As long as you are happy with this, I think we are good.

Awesome. I think there might be a situation where we aren't immediately posting the results publicly for an election once it's decrypted, but at the moment (for Board elections and for other encrypted elections like enwiki ArbCom) the decryption and posting are done pretty much at the same time.

Change 713933 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Write results of cli tally to the database

https://gerrit.wikimedia.org/r/713933

QA has been using this to test the tallies on beta.

It looks like when we json_encode the tally results (before storing them in the database) there can be a small loss of precision (I have seen ~1E-14). This should not affect the outcome of the election, because by the time we are writing the results to the database we have already done the tallying. It might affect the way the results look on the tally page, but the tally page only displays 6 decimal places so it is probably unlikely.

Here is an example of how it looks when you extract the tally from the dump: https://www.mediawiki.org/w/index.php?title=Anti-Harassment_Tools/SecurePoll_Improvements/Test_Results/5_2_5000_956342267/dump

Test Environment: https://vote.wikimedia.beta.wmflabs.org SecurePoll 3.0.0 (a86be99) 06:26, 2 September 2021.
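The precision note in the last comment can be checked with a small round trip. This is an added example, not SecurePoll code: the tally values are constructed, and it assumes (the ticket does not say) that the loss comes from a finite `serialize_precision` setting, which is what `json_encode` uses for floats in PHP 7.1 and later.

```php
<?php
// Added illustration, not SecurePoll code. Tally values are constructed.

/** Encode and decode a tally under the given serialize_precision. */
function roundTrip(array $tally, string $precision): array {
    $old = ini_set('serialize_precision', $precision);
    $decoded = json_decode(json_encode($tally), true);
    ini_set('serialize_precision', $old);
    return $decoded;
}

/** Largest absolute difference between stored and original values. */
function worstError(array $tally, array $decoded): float {
    $worst = 0.0;
    foreach ($tally as $name => $score) {
        $worst = max($worst, abs($score - $decoded[$name]));
    }
    return $worst;
}

/** True when every value renders identically at the displayed precision. */
function sameOnPage(array $tally, array $decoded, int $places = 6): bool {
    foreach ($tally as $name => $score) {
        if (number_format($score, $places) !== number_format($decoded[$name], $places)) {
            return false;
        }
    }
    return true;
}

// Constructed scores of the kind a ratio-based tally produces.
$tally = ['A' => 10 / 3, 'B' => 2 / 3, 'C' => 1 / 7];

// '-1' selects the shortest representation that round-trips exactly;
// '14' truncates each float to 14 significant digits.
foreach (['-1', '14'] as $precision) {
    $decoded = roundTrip($tally, $precision);
    printf(
        "serialize_precision=%s worst error=%.3e same at 6 places=%s\n",
        $precision,
        worstError($tally, $decoded),
        sameOnPage($tally, $decoded) ? 'yes' : 'no'
    );
}
```

When comparing a dump against a fresh tally, compare at the displayed precision or with a tolerance rather than testing the stored floats for exact equality.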