Page MenuHomePhabricator
Create Task
Maniphest T335201

Investigation: What needs to change to allow local wikis to run their own elections?
Open, HighPublic
Actions

Description

Local elections may be possible with only some configuration changes; we should investigate to see what these are. Particularly any security issues with making this change (and regular redteaming etc).

In T301180#8795042, @jrbs wrote:
In T301180#8508519, @Osnard wrote:

[snip]

I think a lot of this applies only to "global" elections which have voters from multiple projects (and thus require a script setup to compile the voter lists). This task would be explicitly about "local" elections which are run on a per-wiki basis.

Local elections are typically organised and run by community already, with the exception of the setup on votewiki which needs WMF support (or, technically speaking, someone with access to the maintenance server and to votewiki). See for example the coordination task for fawiki 2021 elections (T292685) -- the vast majority of that work was led by volunteers, and T&S was really just there to unblock votewiki accounts and set up the election. Likewise the enwiki 2022 elections were a similar process, though had to be encrypted. There is some argument that could be made about having a disinterested third party holding the decryption key, but that could still be T&S or really anyone who can give it to the local community for tallying the election.

Looking at the task description ... there might not actually be anything blocking this other than the CLI issue, plus the need to add the appropriate userrights to allow people to create polls). I would have some questions for exploration though:

  1. Is the method for connecting local wikis to votewiki likely to complicate this? Could you for example make a local election but also allow that wiki to take part in global elections? That is not clear to me.
  2. Is the SecurePoll extension already installed on Wikimedia wikis by default?
  3. Are there any other Security ramifications to consider?

Related Objects
Search...

Event Timeline

jrbs triaged this task as High priority.Apr 21 2023, 5:40 PM
jrbs created this task.
jrbs moved this task from Backlog to Needs evaluation on the MediaWiki-extensions-SecurePoll board.Apr 21 2023, 5:44 PM
Reedy removed a project: Wikimedia-Site-requests.Apr 21 2023, 7:35 PM
Osnard added a comment.EditedApr 25 2023, 9:06 AM
  1. Is the SecurePoll extension already installed on Wikimedia wikis by default?

Yes, apparently it is. See https://github.com/wikimedia/operations-mediawiki-config/blob/bb0fb0d6812624e8a95d84ad7ac5206b31cef5ab/wmf-config/InitialiseSettings.php#L10579-L10583

Edit: I checked a couple of Wikipedia's and didn't find an instance without SecurePoll. It seems to be installed everywhere, but I can not tell if it is set up everywhere (e.g. serverside requirements like gpg). But guessing from the public available config, I'd say yes.

Osnard added a comment.Apr 25 2023, 2:09 PM
  1. Is the method for connecting local wikis to votewiki likely to complicate this? Could you for example make a local election but also allow that wiki to take part in global elections? That is not clear to me.

I did some additonal investigations. Here are my findings so far.

The securepoll_lists database table is the source of the "eligible users".

The "votewiki hosted election" or "global election" usecase roughly works as this:

  1. On each wiki that participates, a new DB table is added and then populated by populateEditCount
  2. On an arbitrary wiki makeGlobalVotesList walks all the wiki instance DBs and compiles the data from populateEditCount into the securepoll_lists table of votewiki
  3. makeMailingList, deduplicateMailingList and sendMail are used to notify users that are listed in securepoll_lists

The "local election" usecase roughly works as this:

  1. After the poll has been created, the securepoll_lists table can be populated ...
    1. ... either by a plain list of usernames
    2. ... or by a "rule based selection" from the wikis local user base (PopulateVoterListJob)
  2. No notification is being send out to the eligible users

In both cases tallying is performed in the same way. A "global election" is probably much bigger than most "local elections" an therefore more time consuming at the tally.

As far as I can tell from the publicly available configurations, neither the securepoll_lists table, nor any other from Extension:SecurePoll is shared between the various wikis. So every wiki has its own, independent SecurePoll database tables. Therefore it can run elections independently from "votewiki". In the "global election" case we use a completely different path to populate the securepoll_lists table ot "votewiki". But that doesn't interfere at any point with the regular ("local election") functionality.

tl;dr
No, the method for connecting local wikis to "votewiki" does not conflict with having elections on the local wiki itself.
So yes, a wiki can host "local elections" at the same time it participates in a "global election".

Osnard added a comment.Apr 25 2023, 2:10 PM
  1. Are there any other Security ramifications to consider?

For my part, I can not see any.

Osnard mentioned this in T301180: Allow local wikis to set up elections.Apr 25 2023, 2:10 PM
jrbs moved this task from Needs evaluation to Evaluated on the MediaWiki-extensions-SecurePoll board.Apr 26 2023, 8:55 PM
jrbs added a comment.Apr 26 2023, 9:05 PM

Thanks @Osnard :) This is extremely helpful.

So it sounds to me like there isn't actually anything to technically change here. We might even be able to test this out immediately. I would be happy to dig into that on testwiki, as a local instance of SecurePoll... except that testwiki does not have electionadmin as a userright, so you can't actually do that because of T290808...

Xaosflux added a comment.Apr 26 2023, 9:30 PM

Prior to the revoking of testing on testwiki, I did do a local testwiki only election test, from what I recall it was fine.

WhitePhosphorus subscribed.Apr 27 2023, 9:50 AM
jrbs moved this task from Evaluated to Actively working on the MediaWiki-extensions-SecurePoll board.May 2 2023, 3:16 PM
jrbs moved this task from Actively working to Done on the MediaWiki-extensions-SecurePoll board.May 2 2023, 9:41 PM
jrbs added a subtask: T209892: SecurePoll is not compatible with GPG 2.1+.May 19 2023, 8:02 AM
RamzyM-WMF subscribed.Jun 14 2023, 7:03 AM
isaacl subscribed.Jul 18 2023, 9:15 PM
jrbs mentioned this in T342774: Use SecurePoll for the admin election of zhwiki (Oct 2023).Sep 28 2023, 10:34 PM
Stang added a comment.Oct 2 2023, 12:45 PM

Suggestion: On sites wish to setup their own election (for now I think there's enwiki, fawiki and zhwiki?), create the group electcomm and electionadmin (or probably we could merge these two groups, as it's reasonable for the person who setup the election electcomm also act as a scrutineer electionadmin). Candidates should pass some sort of community discussion to be in this group, and it should only be granted and removed by steward, when the candidate has signed the NDA. This imo could solve the issue addressed in T290808. From another view, we do have checkuser group on testwiki, and it is fine to grant to somebody when they were approved by the security team to test checkuser extension.

Frostly moved this task from Backlog to SecurePoll on the Elections board.Oct 14 2023, 1:24 AM
Johannnes89 subscribed.Apr 5 2024, 6:40 AM
A_smart_kitten subscribed.May 16 2024, 12:41 PM
Novem_Linguae added a comment.May 31 2024, 12:46 PM
In T335201#8809056, @jrbs wrote:

Thanks @Osnard :) This is extremely helpful.

So it sounds to me like there isn't actually anything to technically change here. We might even be able to test this out immediately. I would be happy to dig into that on testwiki, as a local instance of SecurePoll... except that testwiki does not have electionadmin as a userright, so you can't actually do that because of T290808...

electionadmin was added back to testwiki in https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1036633, if someone wants to do some testing.

SCP-2000 subscribed.Jun 1 2024, 3:58 AM
JWheeler-WMF closed subtask T209892: SecurePoll is not compatible with GPG 2.1+ as Resolved.Jun 3 2024, 8:57 PM
Xaosflux added a comment.Jun 3 2024, 11:30 PM

To be very clear, testwiki still collects and makes available the private data to the poll's election admins, so who can use this is still sensitve.

Ladsgroup added a comment.Jun 4 2024, 9:15 AM
In T335201#9857572, @Xaosflux wrote:

To be very clear, testwiki still collects and makes available the private data to the poll's election admins, so who can use this is still sensitve.

Seconding this, we had an incident exactly because of this a couple years ago.

Chqaz subscribed.Jun 6 2024, 9:26 AM
SD0001 subscribed.Tue, Nov 12, 1:33 PM
In T335201#9858546, @Ladsgroup wrote:
In T335201#9857572, @Xaosflux wrote:

To be very clear, testwiki still collects and makes available the private data to the poll's election admins, so who can use this is still sensitve.

Seconding this, we had an incident exactly because of this a couple years ago.

This is no longer the case now after r1083337 / T377531

drochford unsubscribed.Tue, Nov 12, 3:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits