
tallying encrypted dumps is broken. fix or remove it (keyword: import)
Closed, Resolved · Public · Bug Report

Description

Steps to replicate the issue (include links if applicable):

  • $wgSecurePollShowErrorDetail=true;
  • create an encrypted poll
  • wait for it to start
  • vote
  • wait for it to finish
  • Special:SecurePoll -> Dump (XML) to download a dump
  • Special:SecurePoll -> Tallies -> fill out decryption key, verification key, and pick the downloaded encrypted dump file -> Create tally

[Screenshot attached: image.png]

What happens?:

  • "Error tallying dump file: No decryption key is configured. Cannot decrypt."

[Screenshot attached: image.png]

What should have happened instead?:

  • successful decryption and tallying

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

  • I think this is broken, per my testing just now and per Dom's comment in T403308#11162664
  • Let's decide if we want to fix this, or decide it's an unused feature and remove it to reduce maintenance burden. I'm leaning towards removal.
  • I think keeping it might have some security implications. The idea of an election administrator being able to upload whatever data they want and make it show up as a tally and trick scrutineers into certifying it could be problematic. If kept, may need to double check / rethink the security of this feature.
  • matrix of upload types and their errors:
    • encrypted XML - "Error tallying dump file: No decryption key is configured. Cannot decrypt." - this ticket
    • decrypted XML - "Error tallying dump file: Error interpreting vote record, cannot produce a tally." - it's good that trying to upload unencrypted dumps produces an error, but this is not a good error message. may want to improve this error message.
    • encrypted BLT - no such thing
    • decrypted BLT - "The dump file is corrupt and cannot be processed." (plus some uncaught PHP warnings) - it's good that trying to upload unencrypted dumps produces an error, but this is not a good error message. may want to improve this error message, and catch/fix/suppress the PHP warnings.

[Screenshot attached: image.png]

Event Timeline


@dom_walden, have you used this "tally SecurePoll encrypted dump file" feature before? Any insights?

I had a quick look so I apologize if I've misunderstood. This form is a little confusing. It seems like the form only allows you to pass through a key in order to decrypt the votes known to the db/attached to the election. Looking at OpenSslCrypt->decrypt, which ElectionTallier eventually calls, if you want to decrypt a dump, the key must already be set as the openssl-decrypt-key property. My context on this is a little fuzzy since it's been a while, but iirc it's done this way to prevent you from using your access to the tallying page to tally any dump.

A few more drive-by notes:

  • At one point we did update this to work (see I67e1cd86ae226e1deeab9f9ee7fed4857e6c07bb)
  • Comments here suggest we wanted to move to a job-only tally queue (see Ib689c8e3c373668625f77b0045fd26ab444f689f) but I've since forgotten the context
  • The function remained a no-op when OpenSSL support was implemented (see Iaab9f69bba835eab5d3f5a8585ae17b230169498) and could feasibly be added back with relative ease
  • However, based on comments from T272916, it sounds like 1. we at WMF don't use it and 2. we left it in out of an abundance of caution because we weren't sure if any one else was using it. Given that and seeing as it's been broken for...4 years now, perhaps we should consider just removing the "feature"?
Novem_Linguae renamed this task from "tallying encrypted dumps is broken" to "tallying encrypted dumps is broken. fix or remove it." · Sep 22 2025, 5:18 PM
Novem_Linguae updated the task description.
Novem_Linguae updated the task description.

Comments here suggest we wanted to move to a job-only tally queue (see Ib689c8e3c373668625f77b0045fd26ab444f689f) but I've since forgotten the context

All regular tallying uses the job queue now. Not sure about "tallying encrypted dumps".

However, based on comments from T272916, it sounds like 1. we at WMF don't use it and 2. we left it in out of an abundance of caution because we weren't sure if any one else was using it. Given that and seeing as it's been broken for...4 years now, perhaps we should consider just removing the "feature"?

I'd support removal. In another ticket, Dom suggested asking @jrbs if they use the feature. If they say no, then I think that'd be a green light for removal.

Novem_Linguae renamed this task from "tallying encrypted dumps is broken. fix or remove it." to "tallying encrypted dumps is broken. fix or remove it (keyword: import)". · Dec 11 2025, 9:50 AM

I'd support removal. In another ticket, Dom suggested asking @jrbs if they use the feature. If they say no, then I think that'd be a green light for removal.

Not sure how I missed this, sorry. The totality of our use of the tally feature is to tally the vote that just happened. We do not import old dumps in order to tally them.

I can imagine a situation where this functionality might be useful, but for now I think we can remove it.

Change #1217805 had a related patch set uploaded (by Novem Linguae; author: Novem Linguae):

[mediawiki/extensions/SecurePoll@master] TallyListPage: remove uploading encrypted dumps to tallier

https://gerrit.wikimedia.org/r/1217805

Change #1217805 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] TallyListPage: remove uploading encrypted dumps to tallier

https://gerrit.wikimedia.org/r/1217805

Novem_Linguae claimed this task.