PEP 8001: Public or Private Ballots?

Continuing the discussion from PEP 8001: Python Governance Voting Process:

I wanted to follow back up on this. On python-committers it appears that a number of people are not entirely comfortable with public ballots. In that thread @skrah , @barry , and myself all expressed concerns that we weren’t entirely comfortable with public voting but would still be voting, while expressed that he was planning to abstain from the vote entirely because the ballots were public.

So I think given you have at least one prominent core developer stating that they’re planning to abstain completely, and 3 people saying it at least makes them feel uncomfortable we should consider the idea of making the ballots private.

Now the problem with private ballots is that it relies one having one of two things:

  • Some novel cryptographic scheme that allows computing the final result without leaking who the ballots belong to (Helios provides this for approval and plurality voting).
  • Some trusted person or system to anonymize the ballots before publishing them.

Given that I am unaware of any novel cryptographic schemes that exist for ranked ballots (much less is already implemented in a usable piece of software) that leaves us with trusting some person to handle it for us.

My suggestion then is that we should use CIVS to enable us to manage this vote, and still have private ballots. I would further suggest that we use the following settings:

[x] Private
[ ] Make this a test poll: read all votes from a file.
[ ] Do not release results to all voters.
[x] Enable detailed ballot reporting.
[ ] In detailed ballot report, also reveal the identity of the voter with each ballot.
[ ] Allow voters to write in new choices.
[ ] Present choices on voting page in exactly the given order.
[ ] Allow voters to select “no opinion” for some choices.
[ ] Enforce proportional representation
  • People’s identities are kept secret.
    • This assume that the people running that online system are discarding the voters like they claim to be. I don’t think they’re likely to be lying and it’s a popular online service so they’re unlikely to do anything nefarious specifically to attack us.
  • The actual ballots are public, and available to be viewed and even downloaded in CSV format.
  • The results are computed for us. There is no “pure” Condorcet option, but a nice property of the Condorcet method is that when there is a Condorcet winner, no matter what method you choose it will pick it, so the differences between the Condorcet methods are only in what they do in the case of a cycle. In the case of CIVS, we can differentiate a Condorcet winner (aka a “Pure” Condorcet winner) by if the tallied results say “Condorcet winner: wins contests with all other choices” instead of “Not defeated in any contest vs. another choice” and verifying that the extend ballot explanation has all green boxes for that person.
  • As a downside, the list of people who voted are not made public (it considers not participating at all to be something that deserves secret as well). This means that we won’t know who participated as well as not knowing how they voted.
  • As an upside, it will randomize the order ballots are in by default, and there is science/evidence to suggest that when ballots are in the same order for everyone, that items closer to the top of the ballot are more likely to win. Randomizing ballot order helps with this.
  • It doesn’t require you to make a total ranking of all the options (it allows you to rank some items equal). This is fine with Condorcet (it just means a cycle is slightly more likely).
  • A single person has to act as the election administrator, which basically only gives the power to start/stop the election and to add voters (you can’t add the same email address twice, doing so just re-sends the email to that person).

You can read more about the security/privacy implications of using CIVS here. You can see an example of a ballot with a “Pure” Condorcet winner here and one where we would consider it a “tie” and need to implement tie breaking procedures here.

Now if we go this path, there are two things we would need to contend with:

  • We can’t extend the vote a week as a tie breaking procedure, because once the election is ended and the results made public, CIVS doesn’t allow you to reopen the voting. We can do something similar though by just re-running the election for a week, but only amongst the options that were involved in the cycle. That would mean that people who are happy with any item that tied could just abstain from voting, and only people who feel strongly about one of the choices over another need to get involved in the tie breaking procedure.

  • We would need to pick someone to act as an election supervisor. This person sets the election up, starts it, adds voters, and finally ends it. The powers they have to influence the elections are fairly limited, the things I can think of are:

    • They can turn off randomized ballots, slightly favoring whatever options they put first (and disfavoring whatever they put last).
    • They can add “puppet” voter email addresses to the election, and thus given themselves extra votes. However they can’t see the results until after voting is closed, so they won’t know how many votes they’d need to make their preferred option win and if they did it extensively we’d be able to detect it by seeing an abnormal number of votes.
    • Maybe they can disenfranchise someone by ending the election right as that person is voting?

    I’m not really worried about anyone we’d pick doing anything nefarious here. I went ahead and reached out to @EWDurbin and asked him if he would mind acting as the election supervisor for us if we went with this option. He said he was fine with that, and I think he represents a pretty good choice since he’s a PSF employee, he’s well known in the community, we trust him a whole hell of a lot already (he has root on like, every PSF box, admin on the Github org, is a PyPI core dev, etc), and he’s not a core committer nor does he have a PEP in the list of proposed PEPs so he is pretty neutral. Another fine choice would be Ewa, but I haven’t asked her if she would be willing.

    Honestly, I think really any core developer could do it as well, the power an election supervisor has is pretty limited, and I don’t think any of us would do anything to try and violate the integrity of the election.

To try to make this easier, I’ve gone ahead and created a PR to PEP 8001 which basically implements the above. I’m happy to make any changes (or have the PR merged and further changes made to it). If people agree with the move to a secret ballot and using the CIVS system, then we can just merge that PR.


I prefer private anonymous voting much more but will still vote if it is public.


As a point of clarification, Tim has mentioned on the PR that my understanding of his position was wrong, in his own words:

I haven’t said I won’t vote if the ballot is public, just that I probably won’t. That’s how I’m leaning .

Voting for a government is very different from voting on a technical proposal, and that’s very broadly accepted. That’s why, e.g., I don’t believe anyone has ever suggested that votes for the PSF Board be wholly public - or in just about any other organization. Contrarily, nobody ever asks that +1/0/-1 polls on technical issues be made private.

Voting for a governance structure isn’t wholly in either camp, which is why I’m only “leaning” so far. It’s close enough to “pure politics” that it makes me queasy. If, e.g., the PSF membership decided to vote for its Official Religion, I’d resist making that a public vote too :wink:.

Sorry for my error here!

1 Like

Polls help, but this certainly isn’t binding. It’s to get a sense of how people feel in a compact way. Note that this is specifically about the vote on the governance PEP. There is no implication or intent that it would apply to any other vote for anything else. According to the poll author, voting for a governance structure is somewhere between voting for government officials (which “almost everyone” agrees should be private) and voting on technical proposals (which “almost everyone” agrees should be public).

Note that “private” here means the ballots will still be made public, but without personal identifying information. So you can still see every ballot, but not who cast any ballot.

Pick one:

  • Ballots must be public.
  • Ballots must be private.
  • I prefer that ballots be public.
  • I prefer that ballots be private.
  • I don’t care either way.

0 voters

I think defaulting to private is better. Anyone who wants their vote to be public can still publish it in the voting thread.

1 Like

Right - if someone wants others to know how they voted, they can just tell them. Although they can’t prove they voted that way if ballots are private.

Which is one major reason for why private ballots are all but sacred in “political” matters: if A can’t see how B voted, then A can’t intimidate or bribe B to vote the way A wants them to do. Well, they can try, but who’s going to pay me a fortune to vote for their favored PEP if they can’t verify that I actually did? If I’m corrupt enough to bribe, I’m probably corrupt enough to lie too. Similarly for after-the-vote purges of “enemies”.

So it’s really about people wanting to know how others voted, even when the latter don’t want their vote known. For which there are many possible morally suspect motivations. And possibly some admirable motivations too, but I really can’t think of a good reason for why I should be able to know how you voted on this issue. That anonymous ballots are public is sufficient to ensure that anyone can independently verify they were tabulated correctly, scour the ballots for signs of “strategic voting” (which isn’t illegal anyway), and so on.

People being people, I’d rather cut off any possibility for, e.g., “Ms X rated her own PEP first? Selfish!” or “Ms X rated her own PEP last? Hypocrite!”. At some point “openness” and “transparency” are outweighed by “ignorance is bliss” :wink:.

I certainly won’t be abstaining because of ballots being private, but I’m actually kind of baffled about why people are so in favor of private ballots here, which usually means that there’s some important perspective I’m missing :slight_smile:

The main argument for private ballots in real-world votes is to prevent vote-selling and other forms of coercion. I don’t think that really applies here (though maybe this is my privilege showing?).

For F/OSS projects, we have a general bias towards openness and transparency, and in particular, the ideal for decision making is open discussion and consensus. For the governance discussion, I have some ideas about the different options, but I want to know what other people are thinking too, because I am a highly fallible mortal, and usually in discussions I learn new things and my opinions become better. I feel like voting at all is a sad and unfortunate thing to do, since it misses out on the opportunity to listen and explore ways to reconcile different perspectives, and end up with something that really reflects the best our community can do. Of course there are still cases where we have to give up on that ideal and vote (esp. in a case like this where we need to not just agree, but have some common knowledge that we’ve agreed), but my bias is that even in those cases we should try to keep things as close to the conversational ideal as we can manage.

One specific reason not to would be if we were voting on people, because doing that in public creates all kinds of potential awkwardness. But that’s not what we’re doing here.

Another concern that @dstufft raised earlier is that public ballots allow for more tactical voting, but I don’t think that’s a serious issue with “pure Condorcet” – the options for tactical voting here are extremely limited.

So like I said, I’ll go along with whatever people want, but if someone can explain more about why they like private ballots here, I would appreciate it. I would like to understand where you’re coming from!

@dstufft: On a slight tangent: do you know if CIVS allows people to change their votes? We’re looking at something like a two-week voting period here, so if I vote on the first day and then discussion during that period makes me change my mind, can I change the vote, or am I stuck with my old vote that I now disagree with?

Another reason that updating votes could be useful: in the unlikely event that we have a tie and need to re-vote, I think it would be better to carry over votes for people who don’t revote. Doing otherwise risks disenfranchising people who are exhausted with the whole thing. If we’re voting in a github repo where we can edit our votes, then we get that for free, but if a system like CIVS allows us to do the re-vote by keeping a single election open and allowing people to update their votes if they want, that seems better to me than re-starting from scratch.


I think of it less in terms of coercion and more in terms of extrinsic motivations, one of which could be coercion, but could also include other less obvious forms of extrinsic motivations. A simple example is that someone who wrote a PEP might actually like another PEP better, but feel obligated to support their own PEP if they are publicly attaching their name to a ballot. When ballots are secret people don’t have to worry about any sort of optics for how they might vote, they can vote their true preference regardless of any sort of external pressure that may exist.

A private ballot doesn’t prevent discussion, nor does a public ballot aid in discussion. There should be nothing preventing people from discussing things as it is, the fact that people aren’t really might be sad, but it doesn’t seem to be an effect of the voting system. In fact the only way I can imagine a public ballot could aid in “discussion”, is that it would allow people to see before the vote is over if their favorite option is losing, and try to apply pressure to other people to change their vote (or put their first vote) to favor the outcome that persons likes. IOW, a public ballot during the election doesn’t seem like it helps anything except to make it possible for people to do the sort of political pressuring that people generally find unpleasant. A public ballot after the fact can’t aid discussion, because at that point the decision has already been made.

IOW, the time for debate and discussion is now, not once we know for sure how people are voting.

CIVS does not appear to allow someone to update their vote and as part of it’s goals to prevent a election supervisor from being able to influence the votes, it doesn’t even make the results available until after the election has been closed (at which point the election can’t be re-opened anyways). So using CIVS would mean that we’d have to effectively run a whole new election. In my PR I limited the tie breaking elections to only be the choices that participated in the tie/cycle (IOW, the run off election is only amongst those in the smith set). That way people who would be happy with any of those choices can “check out” at that point.

1 Like

@njs, I’m going to approach this from the other end, but first a digression. In CIVS terminology, we’re doing what they call a “private” poll regardless. Meaning that only people with a known email address can vote. In a CIVS “public” poll, anyone in the world with the election URL can vote.

None of that has anything to do with whether ballots are associated with personal identifying information. That part is controlled by this section when a poll is created:

Enable detailed ballot reporting.

Which we want, so that everyone can see all the ballots (for verification, analysis, curiosity, whatever). Once that option is selected, another option appears:

In detailed ballot report, also reveal the identity of the voter with each ballot.

And that’s the only option that has to do with “public” vs “private” in the sense being used in this thread. It’s orthogonal to CIVS’s “public/private” distinction. By default, that option is not selected, so it’s “private” by default in this thread’s sense.

Now regardless of any of the choices made above, CIVS will not allow anyone - not even our election supervisor - to see partial results while the vote is in progress. It’s only when the election is closed that CIVS will reveal results.

At that point, what good would it do to reveal voter identities? The discussion already ended, and indeed the vote already ended. Because people are human, there is potential for some to dig through the voting info to nurse, or create, grudges. I just can’t see any compensating upside. Can you?

The poll I created here is in the context of Donald’s CIVS suggestion (which I like). If we’re foolhardy enough to try to roll our own voting system on the fly (“what could possibly be hard about an election?” - heh), then it may actually be difficult to do what’s being called “private” here. But it’s as easy as merely not overriding a default under CIVS.

That’s the “bottom up” reasoning for me. Top down, it’s human psychology to me: regardless of whether they’re aware of it, if someone’s ballot is publicly associated with them, their vote will be influenced by how they expect others to perceive & judge their choices. The more purely “tech” the decision is, the less those largely subconscious pressures matter. But few of us are professional philosophers with highly developed theories of governance. It’s enough of a burden for most of us to struggle with our own best understandings of the implications of these non-tech decisions. The parts of us worried about how others will perceive us drive us toward pack-animal behavior regardless of our best tenuous understanding of the actual issues.

Keeping ballots anonymous can short-circuit most of that, reducing stress and freeing up more energy to focus on making the “objectively” best decision possible, based solely on what we believe to be the merits and demerits of the proposals.

There is a third problem – at least in consideration for using CIVS – is it also requires having a clean list of email addresses to send ballots to. ATM we totally lack that, so we would have to take the time to actually collect those email addresses (probably in a private repo where people add their email address to some list or something since we can’t trust python-committers to be clean and GitHub doesn’t require access to someone’s email address).

1 Like

Are there voters who don’t participate in PSF Board elections? Dunno. Email is very much a part of the Helios voting process those elections use.

I tossed together a quick script to seed a CSV out of what Github does make public.

It basically generates two outputs, a CSV of github username,email or blank if none , plus a list of github usernames that we need email addresses for, based on who is currently in the python-core team. Looks like there is 40 names we currently need email addresses based on Github.

So it seems like the right thing to do is make a quick private repo using the output of that script, ask people to modify that file to add their email address (or change one if they don’t like the address Github has for their public email address). And then post the emails needed issue which will notify each of the people who we don’t have an email address for, as well as posting a message to discourse and python-committers telling people to check it out, and if they aren’t on the list they won’t get a ballot.

If someone comes part way through and asks to be added to the ballot, CIVS allows you to add more people after the fact, as long as the election hasn’t ended, so the risk of losing someone (who otherwise would have voted in the git repo style) should be minimal.


I guess I should say, if nobody has an aversion to this. I’ll set up a private repository later today and do this. I think it would be a worthwhile thing to have anyways, as a record of who was a “registered voter” at the time of the election anyways.


This also will quite possibly not be the last time we need such an email list, so having the script available along with a place already in existence to go and get email addresses as appropriate would be a great thing to have when the time comes again (even if we have to start the actual list of emails from scratch again as necessary).

Yes, I don’t move in these circles. :wink:

1 Like

I’ve gone ahead and done this, the voter roll is located here and the list of people who we don’t have emails for is listed at python/voters#1.

In the spirit of making this more general, I’ve gone ahead and enhanced the script a little bit to generate the file directly and to also support the ability for people to, in that private repo, add their email to a “permanent” file mapping github usernames to email addresses for future voter rolls that get generated.

1 Like

And one more follow up, I’ve sent the email to python-committers now (archive view).

Oh yeah, keeping the votes secret during the vote and then revealing them at the end doesn’t make any sense. That would be the worst of all worlds :-).

When I say “public ballot” I’m imagining something like PEP 8001’s current text, where the core devs are able to see the votes, and modify their own vote, all the way until the end. Basically the same experience as these Discourse polls we’ve been running.

Huh, I think these polls are actually a good example of how a public ballot can aid in discussion! I wasn’t saying anything about the advantages of public ballots before, because I genuinely had no idea that anyone would disagree :-). And this discussion would be going very differently if the poll were sitting at 9:1 in favor of public ballots, or 5:5, instead of 9:1 in favor of private like it is now.

Of course, maybe everyone else thinks this discussion is useless, or that my posts here are “political pressuring”. I hope not. The reason I started this subthread is that the poll revealed a substantial gap between how I understand things and how other folks understand things, and IME it’s often useful to explore those, because there are all kinds of possible beneficial outcomes: (a) it turns out that I’m the only one who’s thought of some critical problem and everyone changes their mind!, (b) it turns out that I’m the only one who missed some critical problem, so I switch positions and now we have a unanimous vote!, (c) it turns out that we’re not actually talking about the same thing in the first place (the idea of keeping the votes private during the election and then revealing them definitely never occurred to me), (d) when the side in the minority realizes that they’re in the minority, they become suddenly motivated to find some compromise that makes everyone even happier than any of the original options, (e) nothing changes but people on the losing side at least have some time to get used to that idea and feel that they at least made a full case for their position, (f) … well you get the idea …

I guess we could get many of these advantages by holding a Discourse poll ahead of time.

I am quite concerned about being able to change votes, and especially about the following scenario, which seems very possible to me:

  • We announce the start of actual voting
  • People start actually reading the PEPs, now that they have to do something about them
  • They start posting about things they like/dislike
  • In the resulting discussion, we realize that a PEP has some issues, or someone comes up with a wildly popular new idea
  • Oh crud now we’re running an election that we know doesn’t have what we actually want in it

Merely being able to adjust votes doesn’t totally solve this, but it definitely mitigate things a bit. In the vote-by-Github-commit model in the original PEP 8001, if we do end up with new ideas happening during the poll, we would have lots of options to smoothly adjust course, e.g. announce that we’re extending the voting period a week and ping the people who’ve already voted to make sure they know about what’s and have a chance to adjust their votes.


I agree. How about starting a poll on the governance PEPs? Perhaps in @vstinner’s new

There’s no reason “the vote” needs to be the only summary of opinions.

Note: I made the poll here public deliberately, to counter my own obvious bias in favor of not making the CIVS ballots identifiable. If, e.g., someone was just knee-jerk opposed to ever attaching their name to anything, I expected they’d leave a public poll untouched. So making this poll public was “a ploy” to ensure that only people who thought there was something special about the governance vote that merited privacy would say so in public.

I wouldn’t object to a public poll on the PEPs either, although I can’t say whether that’s true of all the others who favored anonymous ballots.


I too would like it better if people could change votes, as often as they like, before the election ends. Against that, CIVS has battle-tested software to get everything else right.

So, if we use CIVS, that’s a tradeoff: people need to be aware that they cannot change their vote. And so they’d be well advised to delay voting until near the end of the voting window.

A good point: CIVS does not close the election on its own. Our election supervisor has to close it “by hand”. So if a slew of last-second voters speaks up saying they need a few more hours, they can get it.

Before then, I expect starting a Discourse approval poll on the PEPs would go a very long way toward spurring the kind of pre-vote discussions we all want to see, along with a (self-selected) sample of how people are leaning. You can change your votes in a Discourse poll as often as you like.

Too painful to be serious: instead of a poll just listing 7 PEPs, we could have a poll with the 7*6 = 42 distinct ordered pairs, where each voter picks the (up to) 7C2 = 21 pair rankings they prefer :wink:.