Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Hash and verify CVRs are unaltered between ballot count and actual tabulation #853

Open
yezr opened this issue Jun 21, 2024 · 0 comments
Open

WIP: Hash and verify CVRs are unaltered between ballot count and actual tabulation #853

yezr opened this issue Jun 21, 2024 · 0 comments
Labels
WIP

Comments

@yezr
Copy link
Collaborator

yezr commented Jun 21, 2024
edited
Loading

There are two steps in the tabulation verification modal: calculating ballot counts and the tabulation itself. We'd like to throw a halting exception if anything in the CVR has changed in between calculating the ballot count and the tabulation itself. Tabulation will always run with the contents of the CVR files at the time of clicking the 'Tabulate' button in the modal. We want to alert the user if that state is different than the state of the CVRs at the time of calculating ballot counts.

Armin's comments

Originally posted by @artoonie in #847 (comment) Armin raises some things to consider before implementing

Some considerations:

  1. I could hash every file in a directory, but that several downsides, including having to recursively search a potentially very big directory with unnecessary files. We don't mandate that the CVR directory is free of clutter today, and I don't know if we should add that restriction. What if the Dominion CVR directory is just C:/ ? It will also fail if files are opened and temp hidden auto-save files are created, or .DS_STORE on mac.
  2. I could enumerate every file we read in the directory, but this feels error-prone: what if a future release reads a new file from the directory, and we forget to add it to the list of files to hash? That feels like an easy-to-miss bug.

(1) is easier, but (2) seems safer. Still, it makes me want to move away from file hashing, and towards something a little cleaner.

  1. I could hash each CVR, but I run into the same issue as (2): what if, in the future, a new field is added? This feels like a hard-to-catch bug once again, requiring manually spotting it via a PR.
  2. I could hash the entire RCTab CVR, since we have plans to test and mandate that this file contains all information needed to exactly reproduce the election results.

So I'm leaning towards the latter: a checksum validation of the RCTab CVR. The downside is: (1) that means the file can never include timestamps, and (2) we can't inform the user which of their CVR sources has changed.

To sum up the four options:

Checksum Of Downside
Every file in Directory Clutter in directory
Only relevant files in directory Easy to miss a file in the future
Every field in the CastVoteRecord data structure Easy to miss a field in the future
Entire RCTab CVR Lost mapping from changed field to CVR that changed; requires generating this file twice

Thoughts?
@yezr yezr added the WIP label Jun 21, 2024
@yezr yezr changed the title Hash and verify CVRs are unaltered between ballot count and actual tabulation WIP: Hash and verify CVRs are unaltered between ballot count and actual tabulation Jun 21, 2024
@yezr yezr mentioned this issue Jun 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
WIP
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@yezr