Humbedooh commented on issue #27: URL: https://github.com/apache/steve/issues/27#issuecomment-2616073505
Yes and no. The tl;dr of this is that if you only have access to the web interface, you cannot figure out who voted for what. While there is a one-way trail from the user session to the ballot ID, it can't be reverse-engineered without knowing the exact salts that were used for the SHA512/SHA224 digests that slowly turned into the ballot ID. If you have sudo on the physical box, then all bets are off as with most things, as you could install various networking loggers and what have you. But someone without that level of access can't map a ballot to a user. The vote monitors and admins can extract the final ballots for record keeping, but there is nothing in those records that can be reverse-engineered into a username, as it depends on other confidential secrets.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@steve.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
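An added illustration of the point made in the comment above, not code from Apache STeVe or from the commenter: it shows why the salts are the only thing separating a recorded ballot ID from a username, since usernames can be enumerated. The two-stage construction, function names, election label and voter list are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def ballot_id(username: str, election: str, salt_a: bytes, salt_b: bytes) -> str:
    """Hypothetical two-stage salted digest: SHA-512 first, then SHA-224."""
    stage1 = hashlib.sha512(
        salt_a + election.encode() + b"\x00" + username.encode()
    ).digest()
    return hashlib.sha224(salt_b + stage1).hexdigest()


def link_ballot(target_id, candidates, election, salt_a, salt_b):
    """Re-derive the ID for every candidate username; return the match or None."""
    for name in candidates:
        derived = ballot_id(name, election, salt_a, salt_b)
        if hmac.compare_digest(derived, target_id):
            return name
    return None


def demo():
    # Constructed sample data: three voters and one recorded ballot ID.
    voters = ["alice", "bob", "carol"]
    election = "example-election"
    salt_a, salt_b = secrets.token_bytes(32), secrets.token_bytes(32)
    recorded = ballot_id("bob", election, salt_a, salt_b)

    # Holder of the real salts (e.g. root on the box): the mapping is trivial.
    with_salts = link_ballot(recorded, voters, election, salt_a, salt_b)

    # Record keeper with ballot IDs and the voter list but no salts:
    # the same enumeration with guessed salts finds nothing.
    guess_a, guess_b = secrets.token_bytes(32), secrets.token_bytes(32)
    without_salts = link_ballot(recorded, voters, election, guess_a, guess_b)
    return recorded, with_salts, without_salts


if __name__ == "__main__":
    recorded, with_salts, without_salts = demo()
    print("recorded ballot ID:", recorded)
    print("linked with salts:", with_salts)
    print("linked without salts:", without_salts)
```

Because the username space is small, the anonymity of the exported ballots rests entirely on keeping the salts confidential and out of the records that monitors and admins can extract.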