Votorola System Manual 0.2.2.2

Site Network

Core Subnets
Peripheral Subnets
Synchronization Interfaces

A site network is a wide-area network of sites that run Votorola, and share common streams of voter input. The sites are of two types: core sites that provide essential voter services, and peripheral sites that provide extended services. All sites are interconnected by synchronization interfaces, through which they share common streams of voter input data. (The site network needs a redesign, as does the register.)

A site network. A site network is comprised of 1 or more core sites, and zero or more peripheral sites, all interconnected by synchronization interfaces, through which they receive unidirectional streams of voter input data.

Core Subnets

Core subnets form the administrative backbone of the system. A core subnet is composed of one or more core sites that are interconnected to form a proper tree, the structure of which mirrors the formal hierarchy of a sovereign jurisdiction, in whole or part.

A core subnet. A core subnet is organized as a tree of super-sites and sub-sites, that together mirror the formal hierarchy of a sovereign jurisdiction. The example (right) shows a federation of provinces, and their designated local jurisdictions (bottom).

Subnet communications consist primarily of voter registration data that streams from sub-site to super-site. This enables a single registration facility, wherein the voters register once, and are eligible for all polls throughout the subnet. Other than this, the nodes of the subnet are expected to be largely independent of each other; no administrative hierarchy is intended.

The purpose of having more-or-less independent sites, as opposed to a centrally administered system, is two-fold: i) to broadly distribute the costs and incentives of administration; and ii) to narrowly root the provision of services within the communities that are served. The role of the sub-sites in this arrangement is to divide the administrative burden horizontally across multiple jurisdictions, while the role of the super-sites is to divide it vertically across multiple levels. Local representatives, mayors and bylaws are voted at local sub-sites, while heads of state and national laws are voted at super-sites. How this is done, exactly, is a site decision.

Peripheral Subnets

Peripheral subnets are composed of one or more nodes (peripheral sites) that are interconnected to receive a common stream of voter input data from a core site, either directly or indirectly. Peripheral subnets may be relatively unstructured. They may attach ad hoc to the core subnet. They need not form proper trees, nor need their nodes always correspond to proper jurisdictions.

Core and peripheral subnets. A portion of a large site network, showing multiple juridictions (horizontal) at multiple levels (vertical). The core subnets (tan) are ordered in sovereign hierarchies, while the peripheral subnets (blue) are attached ad hoc.

Peripheral sites are expected to offer extended services, such as additional polls, voter interfaces, analyses, and system oversight. In the figure above, for example, the peripheral sites include a pair of global sites that provide international polls (top); a local site that provides regional, cross-border polls (middle); and a local site that provides extended services for a single core site (right).

Synchronization Interface

The synchronization interface is the primary connector in the site network. It transmits unidirectional streams of voter input upward to core super-sites, and outward to perpipheral sites.

Cascading database synchronization. Data flows upward through core super-sites, and outward through peripheral sites.

The design of the synchronization interface is still undecided. It is expected to be based on a database synchronization protocol, such as Postgresql Slony-I or Oracle streams. In anticipation of this, all raw, public voter input is currently being stored in separate voter input tables. Each table has a fixed columnar structure, comprising the primary keys, and a single XML column for data.¹

Core Sites and Pollservers

Setting up a Core Site
Pollwiki
1. Setting Up the Pollwiki
Pollservers
File Server
Database Server
1. Setting Up Database Access for a Pollserver

A core site provides essential voter services to the population of a single sovereign jurisdiction such as a state, or a sovereign-designated sub-jurisdiction such as a municipality. The provision of basic voter services depends on three types of server: pollserver, file server and database server.

A core site. The pollserver (magenta) provides voter services and interfaces; the file server (bottom) provides archival file storage, including a public interface for the verification of poll results; and the database server (right) provides back-end data storage, including a synchronization interface with remote sites. The pollwiki (top) provides default drafting facilities and knowledge-base services.

Setting Up a Core Site

This section outlines the minimal procedure for setting up a core site. The site will serve the population of a single local jurisdiction, such as city or region. It will provide basic registration services, polling services, and a Web interface. It will include two pollservers: an off-line server (voff) for test purposes, and an on-line server (v) for public use.

Setting Up the Off-Line Pollserver

Install Votorola (2.3.1).
Set up database access for the pollserver voff (2.5.1).
Create the pollserver voff (2.3.2).
Set up the voter register (4.1).
Set up an initial test poll (5.1).
Set up the pollwiki (2.2.1).
Set up the Web voter interface (6.1).

Testing the Pollserver

Test voff by running a voter simulation, using the example script vosim-alex. This script should already be on the pollserver's path.

Ensure you are logged in as voff, then run the script with a small group of simulated voters. For example, run it for the group (a1, a2, a3, b1, b2, b3):

$ vosim-alex ab 1-3

sim-a1@zelea.com register set residence 146 A Street, M5N N5N
sim-a1@zelea.com test-p vote sim-a@zelea.com
sim-a2@zelea.com register set residence 147 A Street, M5N N5N
sim-a2@zelea.com test-p vote sim-a@zelea.com
sim-a3@zelea.com register set residence 148 A Street, M5N N5N
sim-a3@zelea.com test-p vote sim-a@zelea.com
sim-b1@zelea.com register set residence 147 B Street, M6O O6O
sim-b1@zelea.com test-p vote sim-b@zelea.com
sim-b2@zelea.com register set residence 148 B Street, M6O O6O
sim-b2@zelea.com test-p vote sim-b@zelea.com
sim-b3@zelea.com register set residence 149 B Street, M6O O6O
sim-b3@zelea.com test-p vote sim-b@zelea.com

It ouputs a list of voter commands.

Now run the commands by piping them to the voter shell:

$ vosim-alex ab 1-3 | voter

Old value:  none
New value:  A1
Old value:  none
New value:  146 A Street, M5N 5N5
Old value:  none
New value:  http://www.onefreeminute.net/#a1
Old value:  none
New value:  Simulated voter, registered by vosim-alex.
test-p

You were voting for:     nobody
You are now voting for:  sim-a@zelea.com

No results are available for this poll.  They have yet to be reported.
(Administrator see 'vocount report'.)
 . . . and so on

Compile the voter list.
```
$ nice volist
```
If the Web interface is running, you should see six registrations in the voter list at:

http://localhost:8080/voff/w/Register/
Count the votes.
```
$ nice vocount
```
You should see a tie between two leading candidates (a and b), at 3 votes apiece:

http://localhost:8080/voff/w/Pollspace/?p=test
Test the interface to the pollwiki by clicking on a candidate's link. It should take you to the candidate's position page. The page will have no text, however, until the candidate creates it.

When you are finished, you may wish to erase everything from the pollserver using the script vox-clean. First inspect the script in your editor.

$ emacs `which vox-clean`

Ensure the contents of subroutine clean() are uncommented, in order to erase registrations, list, votes, counts and everything. Then run it:

$ vox-clean

removing database table: in_registration
DROP TABLE
removing directory: /home/voff/votorola/out/volist
removing database schema: out_list
NOTICE:  drop cascades to table out_list."2009-bj-1-neighbourhood-1"
NOTICE:  drop cascades to table out_list."2009-bj-1-trust_edge-1"
NOTICE:  drop cascades to table out_list."2009-bj-1-list_node-1"
DROP SCHEMA
removing database table: in_vote
DROP TABLE
removing directory: /home/voff/votorola/out/vocount
removing database schema: out_count
NOTICE:  drop cascades to table out_count."2009-bj-1-count_node-1"
DROP SCHEMA

        List of schemas
        Name        |  Owner   
--------------------+----------
 information_schema | postgres
 pg_catalog         | postgres
 pg_toast           | postgres
 public             | postgres
(4 rows)

        List of relations
 Schema |  Name   | Type  | Owner 
--------+---------+-------+-------
 public | doubt   | table | voff
 public | geocode | table | voff
 public | user    | table | voff
(3 rows)

You should no longer see any voter list, nor any poll results:

http://localhost:8080/voff/w/Register/

http://localhost:8080/voff/w/Pollspace/?p=test

Setting Up the On-Line Pollserver

After working with voff, and configuring it as required, you will be in a position to set up the on-line pollserver v. This is the general pattern to follow for all software and configuration upgrades: first test them off-line, then transfer them on-line.

Simply repeat the setup procedure above, but this time for pollserver v. Copy its initial configuration from voff, and amend all references to the pollserver name. To find all references:

$ find ~/votorola  -name code -prune  -o -name out -prune \
-o -type f -exec grep voff {} +

Pollwiki

The pollwiki provides users with knowledge-base services and drafting facilities. The drafting facilities are for the purpose of editing candidate proposals and other position drafts. They are provided only as a convenient default. Candidates are free to use their own drafting facilities, and may store their documents at any location.

Knowledge-base services include distributed analyses such as classification, and distributed data input. Future releases of Votorola will be able to communicate with multiple knowledge bases. Again, the pollwiki is provided as a convenient default for this purpose.

Votorola works with any version of MediaWiki that is compatible with the Semantic MediaWiki extension. A single wiki may be shared between the on-line and off-line pollservers. The likelihood of collisions between the two is probably minimal.

Setting Up the Pollwiki

Follow the usual instructions in order to install the MediaWiki software, and get a basic wiki running. Do not create any pages until after you install Semantic MediaWiki (below).

During configuration, you are prompted for a “Wiki name”. Consider using the short title of your pollserver, as set in ~/votorola/pollserver.js.

You are also prompted for a database password. If you are using PostgreSQL “trust” authentication then there is no password. Leaving the field blank seems to work in that case, despite the warning “must not be blank”.
Once the basic wiki is running, and before creating any pages, install Semantic MediaWiki.

Note the special instructions for PostgreSQL. Despite what the instructions say, the MediaWiki tables need not be “accessible without explicit schema qualification”. The SQL commands to run before creating any pages must therefore be schema qualified. The corrected commands are:
```
$ select max(smw_id) from mediawiki.smw_ids;
```
```
 max
-----
  50
(1 row)
```
```
$ alter sequence mediawiki.smw_ids_smw_id_seq restart with 50;
```
When Semantic MediaWiki is fully installed, create a test page in some unimportant place. Wehn you save the page, you may see an error like this:

PHP Warning: pg_query() [function.pg-query]: Query failed: ERROR: duplicate key value violates unique constraint "smw_ids_pkey" in /var/www/localhost/htdocs/mediawiki/includes/db/DatabasePostgres.php on line 576

It should then recover. You should not see this error again. Probably it can be avoided by restarting the sequence (above) from 51 (one higher than max). But this has not been tested.
Reconfigure the wiki to use pretty URLs like those on Wikipedia. Votorola expects to find each user's page at an address that looks like this:

http://localhost/wiki/User:USERNAME

and not like this:

http://localhost/wiki/index.php5?title=User:USERNAME

That should be sufficient to start. Later, you can refine the configuration by copying from other pollwikis. See also the working example in the appendix.

votorola/a/
votorola.a

Pollservers

A pollserver and its primary facilities. These include, clockwise from left, one or more active voter interfaces (such as Web and mail); an administrative interface (command line); and one or more voter services (such as a register and polls).

A pollserver is a server that provides polls and other voter services. A core site typically has a pair of pollservers, one for on-line public use, and one for off-line testing. Each pollserver has a separate account on the local host computer, under which its data is stored and its processes are run. The login name of this account is also known as the pollserver name. Conventional pollserver names are v and voff.

File structure for pollservers. Shows the structure for a typical core site with two pollservers: an on-line server `v`, and an off-line server `voff`. In this example, `v` is linked to an older version of Votorola, and `voff` to a newer version. (Complete examples in `/home/voff` and `/home/vdev`.)
home v votorola code -> ../../../opt/votorola-0.1.11 ··· as below voff votorola code -> ../../../opt/votorola-0.2.2 in out poll register web pollserver.js opt votorola-0.1.11 votorola-0.2.2

The configuration of each pollserver is specified by its startup script, located in the votorola directory (shown above). The internal structure of the script is outlined in the figure below.

Startup configuration for a pollserver. Shows the hook function that is defined by the script `~/votorola/pollserver.js`. (Complete examples in `/home/voff/votorola` and `/home/vdev/votorola`.)
pollserver.js function contructingPollserver( psCC )

Each pollserver maintains a store of relational data, as shown in the figure below.

Database structure for pollservers. Shows the structure for a typical core site with two pollservers. Each pollserver has a namesake database wherein it maintains 2 general-purpose tables. (Not shown are the various special-purpose tables of the voter services.)
v as below voff geocode user

Installing Votorola

Unix is required. Although testing is currently limited to Linux, it should also work with other versions of Unix.

Java 6 is required.

$ java -version

Procedure

Create the votorola group. This will be the default group for all pollserver accounts.
```
$ groupadd votorola
```
Add yourself to the group.
```
$ usermod --append --groups votorola MYLOGIN
```
This is a convenience, enabling you to edit a pollserver's files without having to login in under the pollserver account.
Download votorola-0.1.12.tar.gz.
Unpack it.
```
$ tar --extract --gzip --file votorola-0.2.2.tar.gz --dir /opt
```
You may actually unpack it anywhere. This manual assumes the /opt directory.
Test one of Votorola's executables. Test it the long way, first:
```
$ java -jar /opt/votorola-0.2.2/votorola/s/bin/voqproperties | sort
```
```
file.encoding=ISO-8859-1
file.encoding.pkg=sun.io
file.separator=/
  . . .
```
Do not place these executables on the path yet. We'll do that later, when we create a pollserver.
If Linux kernel option binfmt_misc is enabled, and if PK-Zip is already bound to execute Java JAR archives, then you needn't type java -jar in front of each Votorola command. You may execute it directly, like this:¹³
```
$ /opt/votorola-0.2.2/votorola/s/bin/voqproperties | sort
```
For instructions on enabling this, see the example script jar-wrapper.

Creating a Pollserver

Create the pollserver's user account.

$ useradd voff --gid votorola --create-home

$ passwd voff

Set the file creation mask so that all new files are writeable by the votorola group.^{4, 5} For example, add this line to the pollserver's ~/.bashrc:
```
umask 0002 # creation mask (0002), files writeable by login group (votorola)
```
While you are there, also add the following line. This places the example scripts and the standard Votorola commands on the pollserver's path:¹³
```
PATH=$HOME/votorola/bin:$HOME/votorola/code/votorola/s/bin:$PATH
```
If necessary, add the pollserver to the database group.
```
$ usermod --append --groups postgres voff
```
Whether or not this is necessary depends on how the database engine is configured. It will be necessary, for example, if the engine's socket file is restricted to the postgres group. The typical location of the socket file is /var/run/postgresql/.s.PGSQL.5432.
Login as the pollserver.
```
$ whoami
```
```
voff
```
In the pollserver's home directory, create the votorola directory.
```
$ mkdir ~/votorola
```
In that directory, create a symbolic link to the code that was previously installed.
```
$ ln --force --no-deref --sym  /opt/votorola-0.2.2/  ~/votorola/code
```

Copy over the minimal configuration from the examples that were bundled with the release.

$ cp -R ~/votorola/code/votorola/s/example/minimal/home/voff/votorola/*  ~/votorola/

Confirm that the output directory is writeable by the votorola group.⁴

$ stat ~/votorola/out/

File: `/home/voff/votorola/out/'
Size: 4096              Blocks: 8          IO Block: 4096   directory
Device: 803h/2051d      Inode: 16199       Links: 2
Access: (0775/drwxrwxr-x)  Uid: ( 1006/voff)   Gid: ( 1008/votorola)
 . . .

Test that Votorola's executables are accessible. For example:
```
$ voqproperties | sort
```
```
file.encoding=ISO-8859-1
file.encoding.pkg=sun.io
file.separator=/
  . . .
```
If not, then look at the PATH environment variable. Also look at binfmt_misc.
Test the logging configuration, with the help of volog.
```
$ volog
```
In a default Java installation, the log is usually output to the console. Wherever it is output, you should see volog's test messages:
```
5-May-2008 2:47:59 PM votorola.a.line.VOLog main
INFO: volog is running with arguments []
5-May-2008 2:47:59 PM votorola.g.logging.LoggerX test
OFF: testing SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST and ALL...
5-May-2008 2:47:59 PM votorola.g.logging.LoggerX test
SEVERE: this is SEVERE
5-May-2008 2:47:59 PM votorola.g.logging.LoggerX test
WARNING: this is a WARNING
5-May-2008 2:47:59 PM votorola.g.logging.LoggerX test
INFO: this is INFO
```
You may want to increase the verbosity level for the off-line pollserver from INFO to at least CONFIG. And you may want to log the messages to files, and not just the console. Refer to the discussion of logging configuration in the examples appendix.

Upgrading Votorola

Download the new version of Votorola.

Unpack it.

$ tar --extract --gzip --file votorola-VERSION.tar.gz --dir /opt

At this point, you should be reading from the newly installed system manual.

Stop any processes that are running for the off-line pollserver.

Unreport and unmount any mounted counts and lists.²

$ vocount ureport && vocount umount

$ volist ureport && volist umount

If you are deploying the Web interface, then ensure no user sessions are persisted from the old version of Votorola:
```
$ (save=/tmp/var_run_tomcat-6_Catalina/; \
rm --force --recursive $save && mv /var/run/tomcat-6/Catalina/ $save)
```
Otherwise, Tomcat may experience serialization errors at next startup, as it tries to recover sessions from the previous run.³

Link to the newly installed code.

$ ln --force --no-deref --sym  /opt/votorola-VERSION/  /home/voff/votorola/code

Read the top entry in /home/voff/votorola/code/votorola/changes.xht. Update your configuration, if necessary.
Remount any lists and counts that were unmounted, above.
Restart any voter interface processes that were stopped, above.

File Server

The file server provides the file storage and communication interface of a pollserver's public archives. The main purpose of the public archives is to support results verification. Results are always based on discrete snapshots of voter input and administrative data. Whenever results are reported, a copy of the results together with the snapshot of the data on which it is based are combined into a single archive, and published through the file server. One may independently download the archive and recount the votes. When this is combined with tests of the accuracy of input data (e.g. by random spot checks) it provides complete verification of reported results. The verification facility is not implemented, however, in the current version of Votorola; so a public file server is not actually required yet.

A secondary purpose of the file server is to store backup data, as insurance against a database loss.⁹

Database Server

The database server provides one or more databases for each pollserver. Databases contain administrative data; raw voter input; streamed synchronization of voter input from site to site; and mounted voter lists and poll counts. Votorola requires the PostgreSQL database management system (DBMS), version 8.3 or later.

The database cluster must be installed with a UTF-8 character encoding. According to Semantic MediaWiki's installation instructions, it is not enough to install a non-UTF-8 cluster with UTF-8 databases.

Setting Up Database Access for a Pollserver

This assumes that a PostgreSQL DBMS is already installed on the database server, as described above.

Start the DBMS process (postmaster) on the database server.
From the server, ensure you are logged into Linux as a DBMS superuser. If root has not been made a DBMS superuser, then login as postgres.
```
$ su - postgres   # if necessary
```
Create a DBMS account for the pollserver, under the same user name.
```
$ createuser voff
```
When prompted, answer ‘no’ to special user permissions for creating databases, other users, and so forth. None of these are needed by the pollserver.
Create a pollserver database, with the same name as the pollserver.
```
$ createdb --owner=voff  voff
```

votorola/a/line/
votorola.a.line

Command Line

vocount — count the votes
vodeliver — deliver to the mail interface
voface-mail — respond to voter messages
volist — compile a voter list
volog — log test messages
vomir — pull remote votes for mirroring
voqproperties — print the runtime properties
voscript — compile a configuration script
voter — issue a voter command
votrace — trace a neighbourhood trust network

This section concerns the command-line administrative interface. Following are the details for each command provided by the interface.

vocount — count the votes

synopsis

vocount [--verbose] [--etc[=ready|mount|report|umount]]

vocount snap [--verbose] [--etc[=ready|mount|report|umount]]
vocount ready [--verbose] [--etc[=mount|report|umount]]
   [~/votorola/out/vocount/snap-YYYY-MD-S]
vocount mount [--verbose] [--etc[=report|umount]]
   [~/votorola/out/vocount/snap-YYYY-MD-S/readyCount-S]
vocount report [--verbose] [--etc]
   [~/votorola/out/vocount/snap-YYYY-MD-S/readyCount-S]
vocount umount [--verbose]
   [~/votorola/out/vocount/snap-OLD-YYYY-MD-S/readyCount-OLD-S]

vocount ureport [--verbose]

vocount status

vocount --help

description

Tool vocount counts the votes and makes the results available for other tools and processes. It does this in separate, staged invocations, with these action arguments:

snap — to capture a snapshot of the voter input, and archive it in the output store
ready — to capture the parameters for the count, and archive them in the output store
mount — to cascade the votes, sum the results, and record them in the output store
report — to mark the mounted results as current, for reporting in all voter interfaces
umount — to undo a prior mount, and clear its results from the output store

If no action is specified, the default is to carry out all actions from snap through umount. The following commands are therefore equivalent:

$ vocount

$ vocount snap --etc=umount

Repeated invocations of mount/umount will always generate the same results. The results depend only on the archival snap/readyCount record that was created by the previous invocation of snap/ready. Thus the snap/readyCount record alone is sufficient to do a recount, and anyone obtaining a copy may use it to verify the reported results.

File structure for vocount. Shows an example of typical file output, with daily snapshots. The latest of these is mounted. The various `SERVICE-NAME` are the names of the individual polls.
/home/voff/votorola/out/vocount _readyCount_report -> snap-2009-bl-1/readyCount-1 _snap_report -> snap-2009-bl-1 snap-2009-bj-1 ··· snap-2009-bk-1 ··· snap-2009-bl-1 _in_vote `SERVICE-NAME`.txt `SERVICE-NAME`.txt ··· readyCount-1 _in_config `SERVICE-NAME` `SERVICE-NAME` ··· _mountedCount `SERVICE-NAME`.serial `SERVICE-NAME`.serial ··· readyList -> ../../../ list/snap-2009-bl-1/readyList-3

Database structure for vocount. Shows the typical output structure for a pollserver with a single mounted count. Also shown is the voter input table, from which each snapshot is taken.
out_count 2009-bl-1-count_node-1 in_vote

actions

snap

Take a snapshot of voter input. This action reads the input from the input store, and writes it to the output store. In the process it creates a new snap directory, the path of which it prints to standard out. For example:

~/votorola/out/vocount/snap-YYYY-MD-S

ready

Capture and record the parameters for the count. This action takes for an argument a snap directory containing a snapshot of voter input, as created by a previous snap action. It stores within that directory any administrative input that may be needed by subsequent mount actions, such as special configuration for the count compiler. In the process it creates a new ready directory, the path of which it prints to standard out:

~/votorola/out/vocount/snap-YYYY-MD-S/readyCount-S

In this directory, a symbolic link named readyList is also created. It points to the snap/readyList record of the currently reported voter list. It is created as a copy of the symbolic link _readyList_report, which must already exist.

~/votorola/out/vocount/snap-YYYY-MD-S/readyCount-S/readyList

If no snap directory is specified, then it defaults to the most recently modified directory. This is usually the directory of the previous snap or ready action.

mount

Count the votes and make the results available for reporting. This action takes for an argument a ready directory created by a previous ready action. It reads the stored voter and administrative input. It dereferences the symbolic link to the snap/readyList record (which must already be mounted as a compiled voter list), and uses it to check the eligibility of voters. It cascades and sums the votes, and finally writes the results to the database and filebase for other tools and processes to read.

If no snap/readyCount record is specified, then it defaults to the most recently modified record, as determined by the modification time of its directory. This is usually the most recently created, mounted, or unmounted record.

report

Mark the results as current, for reporting in all voter interfaces. This action creates a symbolic links to a particular mounted snap/readyCount record.

~/votorola/out/vocount/_readyCount_report ->
   snap-YYYY-MD-S/readyCount-S
~/votorola/out/vocount/_snap_report -> snap-YYYY-MD-S

If no snap/readyCount record is specified, then it defaults to the most recently mounted record.

umount

Unmount the results of the count. This action reverses a previous mount action, erasing the results from the database and filebase. The snap/readyCount record is not deleted, but remains available for remounting.

If no snap/readyCount record is specified, then all counts are unmounted, except for the currently reported count. While it is being reported, a count cannot be unmounted.

ureport

Unreport the currently reported results. This action reverses a previous report action, unlinking the _readyCount_report and _snap_report links, so that no results are reported.

status

Print the status of all snap/readyCount records. For example:

$ vocount status

M  /home/voff/votorola/out/vocount/snap-2009-bj-1/readyCount-1
   /home/voff/votorola/out/vocount/snap-2009-bk-1/readyCount-1
MR /home/voff/votorola/out/vocount/snap-2009-bl-1/readyCount-1

The status flags are:

`M`	mounted
`R`	reported

options

--etc --etc=ready|mount|report|umount

Carry out all actions through to the specified end-action. For example:

$ vocount snap --etc=mount

The single command above is equivalent to these three commands, in order:

$ vocount snap

$ vocount ready

$ vocount mount

The end-action must be logically subsequent to the start action, otherwise it is ignored. If --etc is specified without an end-action, then it defaults to umount.

Output printing is suppressed for intermediate actions; the end-action alone prints its output. However, if --verbose is in effect, then all actions print their output as usual.

--verbose

Print additional information to standard output, as the actions are carried out.

caveats

Unlike a mounted file system, a mounted count persists across system re-starts until explictly unmounted. So ‘mount’ is something of a misnomer.

vodeliver — deliver to the mail interface

synopsis

cat MESSAGE-FILE | vodeliver

vodeliver < MESSAGE-FILE

vodeliver --help

description

Test tool vodeliver delivers a message to the inbox of the mail-based voter interface. It reads the message from standard input, and writes it to the inbox. This bypasses the authentication layer of the voter interface.

The location of the inbox is specified by the configuration of voface-mail, the process that will read the message.

voface-mail — respond to voter messages

synopsis

voface-mail [--help]

description

Process voface-mail is the primary process of the mail-based voter interface. It implements the response layer of the interface; waiting for email messages to arrive from voters, and responding to them. For each message delivered to the inbox, it parses it into separate commands; relays each command to the voter service; and transmits the reply back to the voter.

volist — compile a voter list

synopsis

volist [--verbose] [--etc[=ready|mount|report|umount]]

volist snap [--verbose] [--etc[=ready|mount|report|umount]]
volist ready [--verbose] [--etc[=mount|report|umount]]
   [~/votorola/out/volist/snap-YYYY-MD-S]
volist mount [--verbose] [--etc[=report|umount]]
   [~/votorola/out/volist/snap-YYYY-MD-S/readyList-S]
volist report [--verbose] [--etc]
   [~/votorola/out/volist/snap-YYYY-MD-S/readyList-S]
volist umount [--verbose]
   [~/votorola/out/volist/snap-OLD-YYYY-MD-S/readyList-OLD-S]

volist ureport [--verbose]

volist status

volist --help

description

Tool volist compiles a voter list from the register and makes it available for other tools and processes. It does this in separate, staged invocations, with these action arguments:

snap — to capture a snapshot of the voter input, and archive it in the output store
ready — to capture the parameters for the list compilation, and archive them in the output store
mount — to trace the trust network, compile the list, and record it in the output store
report — to mark the mounted list as current, for reporting in all voter interfaces
umount — to undo a prior mount, and clear its list from the output store

If no action is specified, the default is to carry out all actions from snap through umount. The following commands are therefore equivalent:

$ volist

$ volist snap --etc=umount

Repeated invocations of mount/umount will always generate the same voter list. The content of the list depends only on the archival snap/readyList record that was created by the previous invocation of snap/ready. Thus the snap/readyList record alone is sufficient to do a re-compilation, and anyone obtaining a copy may use it to verify the reported list.

File structure for volist. Shows an example of typical file output, with daily snapshots. The latest snapshot shows several snap/readyList records that have been captured for it, though normally there is only one. The latest of these is mounted.
/home/voff/votorola/out/volist _readyList_report -> snap-2009-bl-1/readyList-3 snap-2009-bj-1 ··· snap-2009-bk-1 ··· snap-2009-bl-1 _in_registration.txt readyList-1 _in_config readyList-2 _in_config readyList-3 _in_config _mountedList.serial

Database structure for volist. Shows the typical output structure for a pollserver with a single mounted list. Also shown is the voter input table, from which each snapshot is taken.
out_list 2009-bl-1-list_node-3 2009-bl-1-neighbourhood-3 2009-bl-1-trust_edge-3 in_registration

actions

snap

Take a snapshot of voter input. This action reads the input from the input store, and writes it to the output store. In the process it creates a new snap directory, the path of which it prints to standard out. For example:

~/votorola/out/volist/snap-YYYY-MD-S

ready

Capture and record the parameters for the compilation. This action takes for an argument a snap directory containing a snapshot of voter input, as created by a previous snap action. It stores within that directory any administrative input that may be needed by subsequent mount actions, such as special configuration for the list compiler. In the process it creates a new ready directory, the path of which it prints to standard out:

~/votorola/out/volist/snap-YYYY-MD-S/readyList-S

If no snap directory is specified, then it defaults to the most recently modified directory. This is usually the directory of the previous snap or ready action.

mount

Compile the list and make it available for reporting. This action takes for an argument a ready directory created by a previous ready action. It reads the stored voter and administrative input, traces the neighbourhood trust network, and writes the list to the database and filebase for other tools and processes to read.

If no snap/readyList record is specified, it mounts the most recently modified record. Records are considered modified by creation, mounting, unmounting, or anything else that alters the modification time of the record directory.

If no snap/readyList record is specified, then it defaults to the most recently modified record, as determined by the modification time of its directory. This is usually the most recently created, mounted, or unmounted record.

report

Mark the list as current, for reporting in all voter interfaces. This action creates a symbolic link to a particular mounted snap/readyList record.

~/votorola/out/volist/_readyList_report ->
 snap-YYYY-MD-S/readyList-S

If no snap/readyList record is specified, then it defaults to the most recently mounted record.

umount

Unmount the list. This action reverses a previous mount action, erasing the list from the database and filebase. The snap/readyList record is not deleted, but remains available for remounting.

If no snap/readyList record is specified, then all lists are unmounted, except for the currently reported list. While it is being reported, a list cannot be unmounted.

ureport

Unreport the currently reported list. This action reverses a previous report action, unlinking the _readyList_report link, so that no list is reported.

status

Print the status of all snap/readyList records. For example:

$ volist status

M  /home/voff/votorola/out/volist/snap-2009-bj-1/readyList-1
   /home/voff/votorola/out/volist/snap-2009-bk-1
   /home/voff/votorola/out/volist/snap-2009-bl-1/readyList-1
   /home/voff/votorola/out/volist/snap-2009-bl-1/readyList-2
MR /home/voff/votorola/out/volist/snap-2009-bl-1/readyList-3

The status flags are:

`M`	mounted
`R`	reported

options

--etc --etc=ready|mount|report|umount

Carry out all actions through to the specified end-action. For example:

$ volist snap --etc=mount

The single command above is equivalent to these three commands, in order:

$ volist snap

$ volist ready

$ volist mount

The end-action must be logically subsequent to the start action, otherwise it is ignored. If --etc is specified without an end-action, then it defaults to umount.

Output printing is suppressed for intermediate actions; the end-action alone prints its output. However, if --verbose is in effect, then all actions print their output as usual.

--verbose

Print additional information to standard output, as the actions are carried out.

caveats

Unlike a mounted file system, a mounted list persists across system re-starts until explictly unmounted. So ‘mount’ is something of a misnomer.

volog — log test messages

synopsis

volog [--help]

description

Test tool volog outputs messages to the log, one for each of the standard logging levels. It serves to verify the logger's configuration.

vomir — pull remote votes for mirroring

synopsis

vomir

vomir --help

description

Experimental tool vomir is a prototype of a pull-mode autocaster. It is not yet documented.

voqproperties — print the runtime properties

synopsis

voqproperties | sort

voqproperties --help

description

Test tool voqproperties writes the runtime properties of the Java virtual machine to standard output.

voscript — compile a configuration script

synopsis

voscript SCRIPT-FILE

voscript --help

description

Interpreter voscript tests the compilation of a configuration script using the JavaScript engine. The SCRIPT-FILE must be encoded in UTF-8 (or equivalently US-ASCII).

Voscript provides the same include facility as the Votorola runtime. A script may load other JavaScript files, pulling them into the compilation, using a function call such as this:

vo.inc( '/home/voff/my-module.jsm' );

The filepath may be absolute, or relative to the including file. Shell variables in the filepath ($NAME) or expressions such as tildes (~) are not expanded.

voter — issue a voter command

synopsis

voter [VOTER-EMAIL] SERVICE-NAME COMMAND [OPTION...] [ARGUMENT...]

voter < ARGUMENT-FILE

cat ARGUMENT-FILE | voter

voter --help

description

Command shell voter issues commands directly to a voter service. The SERVICE-NAME identifies the service. It may be an ordinary service (register or poll), or the meta-service of the mail-based voter interface (if any is configured). The command is dispatched directly to the service's command/resonse interface, bypassing the usual voter interface (mail or Web). The reply is printed to standard output.

The VOTER-EMAIL argument is taken as the authentic issuer when carrying out the COMMAND. If the command allows for anonymous issue, then VOTER-EMAIL is optional. Most services allow for the anonymous issue of a help command, for example; as in this request, issued to a poll named ‘mayor’:

voter mayor help

If COMMAND is followed by any OPTIONS or ARGUMENTS, they are passed to the service's command responder. The --help option below, for example, does not request help regarding the voter shell, but regarding the poll's vote command:

voter test-a@zelea.com mayor vote --help

With no SERVICE-NAME and no other arguments, voter reads multiple lines from standard input, and executes them one at a time. The input must be encoded in UTF-8 (or equivalently US-ASCII). For example:

vosim-alex ab 1-3 | voter

votrace — trace a neighbourhood trust network

synopsis

votrace [--verbose] [--etc[=ready|mount|report|umount]]

votrace snap [--verbose] [--etc[=ready|mount|report|umount]]
votrace ready [--verbose] [--etc[=mount|report|umount]]
   [~/votorola/out/votrace/snap-YYYY-MD-S]
votrace mount [--verbose] [--etc[=report|umount]]
   [~/votorola/out/votrace/snap-YYYY-MD-S/readyTrace-S]
votrace report [--verbose] [--etc]
   [~/votorola/out/votrace/snap-YYYY-MD-S/readyTrace-S]
votrace umount [--verbose]
   [~/votorola/out/votrace/snap-YYYY-MD-S/readyTrace-S]

votrace ureport [--verbose]

votrace status

votrace --help

description

Tool votrace traces a neighbourhood trust network, calculates trust levels, compiles a residential registration list, and makes these available for other tools and processes. It does this in separate, staged invocations, with these action arguments:

snap — to capture a snapshot of the voter input, and archive it in the output store
ready — to capture the parameters for the trace, and archive them in the output store
mount — to trace the trust network, compile the list, and record them in the output store
report — to mark the mounted trace as current, for reporting in all voter interfaces
umount — to undo a prior mount, and clear its trace from the output store

If no action is specified, the default is to carry out all actions from snap through umount. The following commands are therefore equivalent:

$ votrace

$ votrace snap --etc=umount

Repeated invocations of mount/umount will always generate the same trace. The content of the trace depends only on the archival snap/readyTrace record that was created by the previous invocation of snap/ready. Thus the snap/readyTrace record alone is sufficient to do a re-compilation, and anyone obtaining a copy may use it to verify the reported trace.

File structure for votrace. Shows an example of typical file output, with daily snapshots. The latest snapshot shows several snap/readyTrace records that have been captured for it, though normally there is only one. The latest of these is mounted.
/home/voff/votorola/out/votrace _readyTrace_report -> snap-2009-bl-1/readyTrace-3 _snap_report -> snap-2009-bl-1 snap-2009-bj-1 ··· snap-2009-bk-1 ··· snap-2009-bl-1 _in_registration.txt readyTrace-1 _in_config readyTrace-2 _in_config readyTrace-3 _in_config _mountedTrace bot-trust.txt list.xml serial

Database structure for votrace. Shows the typical output structure for a pollserver with a single mounted trace.
out_trace 2009-bl-1-list_node-3 2009-bl-1-trust_edge-3

actions

snap

Take a snapshot of voter input. This action reads the input from the streetwiki(s), and writes it to the output store. In the process it creates a new snap directory, the path of which it prints to standard out. For example:

~/votorola/out/votrace/snap-YYYY-MD-S

ready

Capture and record the parameters for the compilation. This action takes for an argument a snap directory containing a snapshot of voter input, as created by a previous snap action. It stores within that directory any administrative input that may be needed by subsequent mount actions, such as special configuration for the network tracer and list compiler. In the process it creates a new ready directory, the path of which it prints to standard out:

~/votorola/out/votrace/snap-YYYY-MD-S/readyTrace-S

If no snap directory is specified, then it defaults to the most recently modified directory. This is usually the directory of the previous snap or ready action.

mount

Trace the network, compile the list, and make them available for reporting. This action takes for an argument a ready directory created by a previous ready action. It reads the stored voter and administrative input, traces the neighbourhood trust network, and writes the results to the database and filebase for other tools and processes to read.

If no snap/readyTrace record is specified, it mounts the most recently modified record. Records are considered modified by creation, mounting, unmounting, or anything else that alters the modification time of the record directory.

If no snap/readyTrace record is specified, then it defaults to the most recently modified record, as determined by the modification time of its directory. This is usually the most recently created, mounted, or unmounted record.

report

Mark the trace as current, for reporting in all voter interfaces. This action creates a symbolic link to a particular mounted snap/readyTrace record.

~/votorola/out/votrace/_readyTrace_report ->
   snap-YYYY-MD-S/readyTrace-S
~/votorola/out/votrace/_snap_report -> snap-YYYY-MD-S

If no snap/readyTrace record is specified, then it defaults to the most recently mounted record.

umount

Unmount the trace. This action reverses a previous mount action, erasing the trace from the database and filebase. The snap/readyTrace record is not deleted, but remains available for remounting.

If no snap/readyTrace record is specified, then all lists are unmounted, except for the currently reported trace. While it is being reported, a trace cannot be unmounted.

ureport

Unreport the currently reported results. This action reverses a previous report action, unlinking the _readyTrace_report and _snap_report links, so that no trace is reported.

status

Print the status of all snap/readyTrace records. For example:

$ votrace status

M  /home/voff/votorola/out/votrace/snap-2009-bj-1/readyTrace-1
   /home/voff/votorola/out/votrace/snap-2009-bk-1
   /home/voff/votorola/out/votrace/snap-2009-bl-1/readyTrace-1
   /home/voff/votorola/out/votrace/snap-2009-bl-1/readyTrace-2
MR /home/voff/votorola/out/votrace/snap-2009-bl-1/readyTrace-3

The status flags are:

`M`	mounted
`R`	reported

options

--etc --etc=ready|mount|report|umount

Carry out all actions through to the specified end-action. For example:

$ votrace snap --etc=mount

The single command above is equivalent to these three commands, in order:

$ votrace snap

$ votrace ready

$ votrace mount

The end-action must be logically subsequent to the start action, otherwise it is ignored. If --etc is specified without an end-action, then it defaults to umount.

Output printing is suppressed for intermediate actions; the end-action alone prints its output. However, if --verbose is in effect, then all actions print their output as usual.

--verbose

Print additional information to standard output, as the actions are carried out.

caveats

Unlike a mounted file system, a mounted trace persists across system re-starts until explictly unmounted. So ‘mount’ is something of a misnomer.

votorola/a/register/
votorola.a.register

Register and Lists

Setting Up the Register
Register Commands for Voters
1. doubt
2. set
3. trust
4. undoubt
5. unset
6. untrust
Compiling a Voter List
Trust Network
Doubt Signaling

Each core site provides a voter register, from which its voter lists are compiled. The voter register is a public repository of user-specific attributes and inter-user trust edges. The user-specific attributes serve to record the eligibility credentials that are claimed by each user, while the inter-user trust edges serve to authenticate the claims. The collection of all attributes for a particular user comprises that user's registration. Each registration is keyed by email address, which serves as the primary user identifier.¹⁰ (The register needs a redesign, to meet the requirements of a common registration framework.)

Register synchronization. Shows a network of two jusrisdictional levels, with registration data passing from voters to registers. Data passes first to local registers, thence to higher jusrisdictional registers via the synchronization interface.

Voter input to a register is synchronized throughout the core subnet. The purpose of synchronization is single registration. Voters register at their local sites, as shown in the figure above. The registration data is then streamed from the local sites to higher juridictional sites, and thence throughout the subnet. So voters may register once and be eligible for polls at all jurisdictional levels.

File structure for a voter register. Shows the structure for a typical off-line pollserver. (Complete examples in `/home/voff/votorola/register` and `/home/vdev/votorola/register`.)
/home/voff/votorola/register register-run.js register.js

Configuration is specified by startup and runtime scripts located in the register's service directory (shown above). The internal structure of the scripts is outlined in the figures below.

Startup configuration for a voter register. Shows the hook function that is defined by the script `~/votorola/register/register.js`.
register.js function contructingRegister( regCC )

Runtime configuration for a voter register. Shows the hook functions that are defined by the script `~/votorola/register/register-run.js`.
register-run.js - Compiling a Voter List ----------------------------- function indexingListEntry( listIC ) - Trust Network -------------------------------------- function extendingTrust( trustEC ) function trustBarUnregistered( destinationEmail, registerUID )

register-run.js

- Compiling a Voter List -----------------------------
    function indexingListEntry( listIC )

- Trust Network --------------------------------------
    function extendingTrust( trustEC )
    function trustBarUnregistered( destinationEmail, registerUID )

The register also maintains a store of relational data, as shown in the figure below.

Database structure for a voter register. Each register has a table for doubt signals, and a table for registration input, from which the voter lists are compiled. Tables for the compiled voter lists (not shown here) are stored under the `out_list` schema.
out_list doubt in_registration

Setting Up the Register

The minimal configuration already includes a register. It will suffice for a minimal setup. Test it first, using the voter command shell.

$ voter register  hello

hello

$ voter test-a@zelea.com  register  set residence 170 Main Street, M1M 1A1

Old value:  none
New value:  170 Main Street, M1M 1A1

$ voter test-a@zelea.com  register  unset residence

Old value:  170 Main Street, M1M 1A1
New value:  none

It should respond as shown above.

Register Commands for Voters

This section documents the command/response interface of the voter register. The command/response interface is responsible for servicing the command oriented clients of the register, such as the mail-based voter interface, and the voter command shell. The following general-purpose commands are provided:

hello
help
version

In addition, the register provides a number of special-purpose commands. These are documented below.

doubt

Cast doubt on another voter.

    doubt VOTER-EMAIL [REASON]

    doubt [--alter VOTER-EMAIL]

If an entry in the voter list appears to contain false information, then you
may mark it as such by casting doubt on the voter.  For example:

    doubt falseVoter@domain.dom nobody lives at 7 Turncott, the building
    is empty

You must be in the voter list yourself before your doubt will reach the other
voter.  When it does reach her, it will not affect her own inclusion in the
list, nor her eligibility to vote in the polls.  It will only serve to
indicate your suspicion that her entry in the register is false.  Other voters
may then consider whether or not to withdraw their trust from her.

To recall who you are doubting, simply send:

    doubt

The service replies, identifying the doubted voters:

    You are casting doubt on 1 voter(s).

        falseVoter@domain.dom
            nobody lives at 7 Turncott, the building is empty

Or, to see where another voter has cast doubt, send:

    doubt --alter VOTER-EMAIL

To cast doubt on additional voters, use the 'doubt' command repeatedly.  To
withdraw it, use 'undoubt'.

If your registration comes to be doubted by several voters, then you may wish
to attach a note of explanation to it, as a defence.  See the command "set
note".  [There is currently no easy way to discover who is doubting you, or to
view registration details, except through the Web interface.  This will be
corrected in the beta-two release.]

set

Set the value of a register attribute.

    set [--alter VOTER-EMAIL] name|residence|link|note VALUE

The attributes that may be set are:

    name
            set name James Madison

        Your proper name.  This attribute is optional, and may be left unset.

    residence

            set residence 11407 Constitution Highway, 22957

        Your primary residential address.  This attribute is required to
        establish your eligibility to vote in the various electoral districts.
        Avoid abbreviations, and always place the postal code last.

    link
            set link http://~jim/emontpelier.net

        A Web link in standard URI format, pointing to further information
        about you.  This attribute is optional, and may be left unset.

    note
            set note My Internet connection may be down, but I'm still here.

        A short note explaining or commenting on your registration.  This
        attribute is optional, and may be left unset.

Under certain conditions, you may be able to set the attributes of a
registrant other than yourself, by using the --alter option.  You may set the
attributes of another registrant, in this way, only if none were previously
set by the registrant.  (Once a registrant sets or resets a single attribute
in the register, she assumes exclusive control of all attributes.)

    set --alter muller@wintermere.nz link http://~muller@wintermere.nz

All attributes in the register are in public view.  Once set, you may alter an
attribute's value with another 'set' command, or erase it with 'unset'.

[There is currently no easy way to view your register settings.  This will be
corrected in the beta release.]

trust

Extend trust to another voter.

    trust VOTER-EMAIL

    trust [--alter VOTER-EMAIL]

To be eligible to vote, you must have the trust of other voters in your
neighbourhood.  A sufficient number of them (themselves trusted) must extend
their trust to you.  Only then will your registration be included in the voter
list, and your votes included in the poll counts.  The exact amount of trust
you require will usually be specified in the voter list.  [The list is
currently posted only in the Web interface.]  The list is also a helpful
resource for locating suitable neighbours prior to requesting their trust (by
email, telephone, and so forth).

Trust usually has a limited range, restricting it to the local neighbourhood.
The range is usually symmetric (the direction does not matter).  So, before
requesting trust *from* a neighbour, you may wish to test your range by
extending your own trust *to* that neighbour.  To extend your trust, use the
'trust' command.  For example:

    trust myNeighbour@somewhere.net

If you cannot obtain trust because too few voters are registered in your
neighbourhood, then you must contact your local registrar.  [Instructions will
be provided in a future release.]

To recall who you are trusting, simply send:

    trust

The service replies, identifying the recipients of your trust:

    You are trusting 1 voter(s).

        myNeighbour@somewhere.net

Or, to see the recipients of another voter's trust, send:

    trust --alter VOTER-EMAIL

To extend trust to additional voters, use the 'trust' command repeatedly.  To
withdraw it, use 'untrust'.

[There is currently no easy way to discover your own trust level, or to see
who is extending trust to you, except through the Web interface.  This will be
corrected in the beta-two release.]

undoubt

Withdraw doubt that was previously cast on another voter

    undoubt VOTER-EMAIL

The service replies, confirming the withdrawal:

    You were casting doubt on 1 voter(s).
    You are now casting doubt on 0 voter(s).

If you change your mind later, and wish to re-cast your doubt, use the 'doubt'
command.

unset

Unset the value of a register attribute, erasing it.

    unset [--alter VOTER-EMAIL] name|residence|link|note

For example:

    unset link

The service replies, confirming the erasure:

    Old value:  http://~muller@wintermere.nz
    New value:  none

If you change your mind later, and wish to set a value once again, use the
'set' command.

Under certain conditions, you may be able to erase the attributes of a
registrant other than yourself by using the --alter option.  See the 'set'
command for details.

untrust

Withdraw trust that was previously extended to another voter

    untrust VOTER-EMAIL

The service replies, confirming the withdrawal:

    You were trusting 1 voter(s).
    You are now trusting 0 voter(s).

If you change your mind later, and wish to re-extend your trust, use the
'trust' command.

Compiling a Voter List

A voter list is a snapshot copy of the register in which the network of trust edges is traced, and each voter's registration is evaluated at a particular level of trust. The compilation of the lists is configured by the runtime script register-run.js.

Runtime configuration for list compilation. Shows the hook function that is defined for this purpose by the script `~/votorola/register/register-run.js`.
register-run.js - Compiling a Voter List ----------------------------- function indexingListEntry( listIC )

To compile a voter list, use the tool volist:

$ nice volist

Lists may be compiled either one at a time, or repeatedly at scheduled intervals.⁶ Each newly compiled list creates a new snap/readyList record in the output filestore. For a quick overview of the records in the filestore, use volist status:

$ volist status

   /home/voff/votorola/out/volist/snap-2009-bh-1/readyList-1
   /home/voff/votorola/out/volist/snap-2009-bi-1/readyList-1
MR /home/voff/votorola/out/volist/snap-2009-bj-1/readyList-1

The newly compiled list is automatically mounted (M) and reported (R), making it immediately visible in all voter interfaces. At the same time, all previous lists are unmounted. To revert to one of the previous lists, simply remount it and re-report it. For example:

$ nice volist mount --etc \
~/votorola/out/volist/snap-2009-bi-1/readyList-1

$ volist status

   /home/voff/votorola/out/volist/snap-2009-bh-1/readyList-1
MR /home/voff/votorola/out/volist/snap-2009-bi-1/readyList-1
   /home/voff/votorola/out/volist/snap-2009-bj-1/readyList-1

Much like count records, list records will require occaisional cleaning or archiving. It is best to clean the count records first, because you must be careful afterwards not to break the readyList links of those that remain. When cleaning the list records, you must avoid deleting the referents of those links. (It is usually safe to delete all records in a particular date range, unless you know that counts were tallied against older lists.)

votorola/a/register/trust/
votorola.a.register.trust

Trust Network

The trust network is a directed graph of user-to-user trust edges that are extended by the users for the purpose of cross-authenticating the voter register. Individual trust edges are stored as public input to the register. During compilation of a voter list, the edges are traced to determine the level of trust for each particular registration. These levels are then incorporated into the resulting voter list.¹¹

A trust edge extends from one registrant (source node) to another (destination node). It pertains to the following attributes of the latter's registration (D):

D.voterEmail
D.residence

The trust edge asserts, “Yes. That's the email address of my neighbour across the street, and she really does live there.” More formally:

D.voterEmail is the email address of a person (P) living at D.residence. It is not the email address of an imposter, posing as P.
D.residence is the primary residence of P.
P is registered exactly once at D.residence. For each other registration (E), where E.residence equals D.residence, E.voterEmail is the email address of a person other than P.

A given source node may extend trust to any number of destination nodes (subject to any bars imposed by the configuration), but may extend at most one edge to each. The extension of trust is configured and controlled by the runtime script register-run.js.

Runtime configuration for trust extension. Shows the hook functions that are defined for this purpose by the script `~/votorola/register/register-run.js`.
register-run.js - Trust Network -------------------------------------- function extendingTrust( trustEC ) function trustBarUnregistered( destinationEmail, registerUID )

In a fully elaborated network, each destination node is evaluated at a particular level of trust, which is recorded in its entry in the voter list. The recorded level (t) depends exclusively on the levels among the source nodes, where it is calculated as the highest level that does not exceed the count n(t) of sources at that level or higher. In other words, to have a trust level of 3, a voter must have 3 or more immediate trust sources, each itself having a trust level of 3 or higher.

t ≤ n(t)

where:: (t) is the trust level; n(t) is the count of immediate source nodes at level (t) or higher

The ultimate trust source is the root node, which is the core site. All trust edges must be traceable to the root, otherwise they are discounted in the elaborated network. Unlike an ordinary node, the root has a high (effectively infinite) trust level, and it may extend any number of edges (primary trust edges) to the same destination.

The maximum trust level in the network, max(t), is limited both by the redundancy of primary edges, and by the number and distribution of primary destinations. As a rule, to attain a network with a max(t) of 3 requires a minimum of 3 destinations, with a minimum of 3 edges to each. Furthermore, in order for the primary destinations to propagate max(t) to other voters, at least max(t) of them must cooperate as a group in extending their edges to further destinations. In practice therefore, the primary destinations must be grouped such that:

group size n ≥ max(t);
members cooperate with each other; and
members are located closely enough such that common destination nodes do not exceed the range limitations imposed by register-run.js.

A typical register-run.js will impose range limits on trust extension. Network activity is thus localized to neighbourhood scales, where it may be moderated by everyday social constraints. Rogue sources may not inject trust from afar, and be shielded by distance from the fallout. All trust is locally traceable and locally accountable. (The range limits imposed on individual edges must nevertheless allow for sufficient overlap, so the overall network is not limited in extent. Trust extension ought not to be limited to a single postal code area, for example; but rather to multiple, contiguous areas.)

Doubt Signaling

Doubt signaling is an adjunct facility in the trust network. It serves to formally indicate suspicious voter registrations. A doubt signal extends from one voter (source) to another (destination). The source may extend signals to any number of destinations, but may extend at most one to each.

The negative messages of doubt signaling are complementary to the positive messages of the trust network. However, doubt signals propagate in a separate network of their own. The two polarities of message are kept apart, and never cancel each other in combination. This separation prevents instability that might arise if, for example, contention among sources and destinations were to lead to a tit-for-tat escalation of messages. This is prevented because the formal authenticity of the register depends only on the positive messages of the trust network. The negative doubt signals serve only to indicate that particular destinations in the network (particular voter registrations) are suspicious, and that the trust sources and registrars ought to consider withdrawing their trust from them. But the actual withdrawal does not follow automatically. Rather it is conditional on the understanding and agreement of the trust sources. Social inter-mediation of the opposing networks thus dampens any tendency to systematic instability. (The response time for withdrawal is nevertheless likely to be faster than any subsequent re-extension of trust to the untrustworthy destinations, so the asymettry between the two should be sufficient to deter abuse of the register.)

Being the target of doubt signals does not formally affect a voter's inclusion in the voter list, nor her eligibility to vote in polls. Doubt signals are not needed therefore in order to compile a voter list, especially outside of the local site. Consequently they are not considered as part of the core voter input, and are not synchronized up to the super-sites.

votorola/a/poll/
votorola.a.poll

Polls and Vote Counts

Setting Up a Poll
Poll Commands for Voters
1. unvote
2. vote
Counting the Votes
Leader Configuration
1. Initializing the Leader Configuration
2. Modifying the Leader Configuration

A core site may provide any number of polls. A poll is a collection of votes that are stored in a public repository, from which vote counts are generated. The poll is provided by the lowest sub-site that is able to compile a complete list of eligible voters from its own register. For example, a poll on the issue of electing a member to a national assembly would be provided by a local site (regional or municipal), because the constituencies for such a non-proportional assembly are local. On the other hand, a poll to propose a legislative bill for the same assembly would be provided by a national super-site, because such bills are national issues, on which everyone is entitled to vote. (A super-site would also host any local poll for which the voter list happened, somehow, to straddle the boundary between two local sub-sites.)

Independent polls in a core subnet. Shows a network of two jusrisdictional levels, with data passing from the voters to the polls. Each poll is independently hosted at a separate core site, which receives its data directly from the voters. (Cf. register synchronization.)

File structure for polls. Shows the structure for a minimal, off-line pollserver. The various `SERVICE-NAME` are the names of the individual polls. (Complete examples in `/home/voff/votorola/poll` and `/home/vdev/votorola/poll`.)
/home/voff/votorola/poll services `SERVICE-NAME` leader.rdf poll-run.js poll.js `SERVICE-NAME` ··· `SERVICE-NAME` ··· district.js divisional-scheme.js

Configuration is specified by scripts and other files that are located in the poll's service directory (shown above). The internal structure of the scripts (startup and runtime) is outlined in the figures below.

Startup configuration for a poll. Shows the hook function that is defined by the script `~/votorola/poll/services/SERVICE-NAME/poll.js`.
poll.js function contructingPoll( pollCC )

Runtime configuration for a poll. Shows the hook functions that are defined by the script `~/votorola/poll/services/SERVICE-NAME/poll-run.js`. (Complete examples in `/home/voff/votorola/poll/services` and `/home/vdev/votorola/poll/services`.)
poll-run.js - Counting the Votes --------------------------------- function castingVote( vCC ) function voterBarUnknown( voterEmail ) function voterBarUnregistered( voterEmail, registerUID )

poll-run.js

- Counting the Votes ---------------------------------
    function castingVote( vCC )
    function voterBarUnknown( voterEmail )
    function voterBarUnregistered( voterEmail, registerUID )

Every poll is associated with a district. A district is any one of a number of geographical subdivisions that divide the overall area of a core site, according to a particular divisional scheme. If the configuration of a poll does not explicitly assign a district, then the poll is automatically assigned to the default district, for which a configuration file is expected to be found at ~/votorola/poll/district.js.

Startup configuration for a district. Shows the hook function that is defined by the default script `~/votorola/poll/district.js`.
district.js function constructingDistrict( districtCC )

Every district is associated with a divisional scheme. A divisional scheme is a method of dividing the area of a core site into separate districts. For example, a Canadian city might have two schemes: a municipal “Wards” scheme that divides the area according the jursidictions of City Councillors; and a federal “Ridings” scheme that divides it according the jursidictions of Members of Parliament. If a particular district were not explicitly assigned to one of these two schemes, nor to any other, then it would be assigned automatically to the default scheme. In that case, the configuration of the default scheme is expected to be found in the file ~/votorola/poll/divisional-scheme.js.

Startup configuration for a divisional scheme. Shows the hook function that is defined by the default script `~/votorola/poll/divisional-scheme.js`.
divisional-scheme.js function constructingDivisionalScheme( schemeCC )

Polls also store of relational data, as shown in the figure below.

Database structure for polls. All polls share a single table for voter input, wherein the votes are stored. Tables for counts (not shown here) are stored under the `out_count` schema.
out_count in_vote

Setting Up a Poll

The minimal configuration already defines a poll with a service name of “test-p”. To create another, simply copy it to another service directory with a different name.
```
$ (s=~/votorola/poll/services; cp -R $s/test-p/ $s/SERVICE-NAME)
```

Test the new poll.

$ voter SERVICE-NAME hello

hello

$ voter test-a@zelea.com SERVICE-NAME vote test-b@zelea.com

 . . .
You were voting for:     nobody
You are now voting for:  test-b@zelea.com

No results are available for this poll.  They have yet to be reported.
(Administrator see 'vocount report'.)

$ voter test-a@zelea.com SERVICE-NAME unvote

 . . .
You were voting for:     test-b@zelea.com
You are now voting for:  nobody
 . . .

Poll Commands for Voters

This section documents the command/response interface of a poll. The command/response interface is responsible for servicing the command oriented clients of the poll, such as the mail-based voter interface, and the voter command shell. The following general-purpose commands are provided:

hello
help
version

In addition, the poll provides a couple of special-purpose voting commands. These are documented below.

unvote

Withdraw a vote from a poll.

    unvote

The service replies, confirming the withdrawal:

    null

    You were voting for:     mychoice@somewhere.net
    You are now voting for:  nobody

If you change your mind later, and wish to vote again, use the 'vote' command.

vote

Cast a vote in a poll.

    vote CANDIDATE-EMAIL

    vote [--alter VOTER-EMAIL]

You can vote for anyone you choose.  All you need is a person's email address.
For example:

    vote myChoice@somewhere.net

To recall who you last voted for, simply send:

    vote

The service replies, identifying the recipient of your vote:

    null

    You are voting for:  myChoice@somewhere.net

If that person also casts a vote, then your vote is carried with it.  Whoever
gets that person's vote also get yours.  And so on.  Your vote is carried
until it reaches someone who does not vote.  This is called a 'delegate
cascade'.  At the end of the cascade, votes accumulate to reveal the favoured
candidates.

A trace of the cascade is included in the reply, so you can follow the path of
your vote, and see who ultimately receives it.  Or you can mark the vote as
non-cascading, so it stays put until you change it:

    vote --cascade no  (however, this option is not yet implemented)

To see how another voter is voting, send:

    vote --alter VOTER-EMAIL

To change your vote, send another 'vote' command.  Or withdraw it altogether
using 'unvote'. 

[There is currently no easy way to see who is voting for you, or to view the
overall results.  This will be corrected in the beta release.]

Counting the Votes

A vote count is a snapshot copy of the results of a poll in which the flow of votes is traced, and the total received by each candidate is recorded. The count is configured by the runtime script poll-run.js.

Runtime configuration for a vote count. Shows the hook functions that are defined for this purpose by the script `~/votorola/poll/services/SERVICE-NAME/poll-run.js`.
poll-run.js - Counting the Votes --------------------------------- function castingVote( vCC ) function voterBarUnknown( voterEmail ) function voterBarUnregistered( voterEmail, registerUID )

poll-run.js

- Counting the Votes ---------------------------------
    function castingVote( vCC )
    function voterBarUnknown( voterEmail )
    function voterBarUnregistered( voterEmail, registerUID )

To count the votes, use the tool vocount. A voter list must already be mounted and reported.

$ nice volist  # if a new list is need

$ nice vocount

Counts may be done either one at a time, or repeatedly at scheduled intervals.⁶ Each separate count creates a new snap/readyCount record in the output filestore. For a quick overview of the records in the filestore, use vocount status:

$ vocount status

   /home/voff/votorola/out/vocount/snap-2009-bh-1/readyCount-1
   /home/voff/votorola/out/vocount/snap-2009-bi-1/readyCount-1
MR /home/voff/votorola/out/vocount/snap-2009-bj-1/readyCount-1

The new count is automatically mounted (M) and reported (R), making the results immediately visible in all voter interfaces. At the same time, all previous counts are unmounted. To revert to one of the previous counts, simply remount it and re-report it. For example:

$ nice vocount mount --etc \
~/votorola/out/vocount/snap-2009-bi-1/readyCount-1

$ vocount status

   /home/voff/votorola/out/vocount/snap-2009-bh-1/readyCount-1
MR /home/voff/votorola/out/vocount/snap-2009-bi-1/readyCount-1
   /home/voff/votorola/out/vocount/snap-2009-bj-1/readyCount-1

Snap/readyList records will accumulate in the filestore over time, as new lists are compiled. For the off-line pollserver, the records may be cleaned away by simply erasing the entire filestore, using the script vox-clean.

The on-line pollserver ought to be cleaned more carefully. Provided a particular list is not currently mounted (M), and no poll readyList links are pointing to it then its snap/readyList subdirectory may be deleted from the output store. Deletion will cleanly remove all traces of it from the pollserver. Any snap directory that is left childless (without a snap/readyList subdirectory) may likewise be deleted.

It is also possible to move snap/readyList records. You may wish to archive them, for example. When moving any particular record, be sure to include the parent snap directory and its immediate files. (There is no need to include sister snap/readyList records that happen to share the same parent, you may move them independently.) In addition, when a count record is moved, its linked readyList record must also be moved.⁸

under revision

Leader Configuration

Leader configuration is the portion of a poll's configuration that is distributed out to the leading candidates of the poll. Most of a poll's configuration is centrally defined at the pollserver, but a part of it may be distributed out to the leading candidates. This part includes items that are expected to fluctuate as the poll proceeds, such as its description and categorization. These items are periodically pulled from the candidate who is currently leading the poll, hence the term “leader configuration”.

Note: The design of leader configuration is undergoing revision. In an upcoming release, all distributed data will be pulled from the voters (and admin) via media such as pollwiki pages.

Distributed leader configuration is gathered in the file leader.rdf, which is located in the poll's service directory. The structure and semantics of this file are defined in votorola/poll/Leader.xsd and Poll.rdf. The file is automatically overwritten by configuration that is pulled from the candidates.

File structure for leader configuration. Shows a poll with its leader configuration under an administrative override.
/home/voff/votorola/poll/services/SERVICE-NAME leader-override.rdf leader.rdf poll-run.js poll.js

Administrative override of leader configuration is controlled by the file leader-override.rdf. As long as the override file is present, any ordinary leader.rdf is ignored. The administrator then has complete control of the configuration, while the candidates have none.

Initializing the Leader Configuration

When the poll is first created, the leader configuration is undefined. If you wish, you may provide initial defaults, or define an administrative override.

Copy the initial leader configuration from the provided example. You have two choices: either provide initial defaults, or define an administrative override. To provide initial defaults (subsequently to be overwritten by whatever is pulled from the candidates):
```
$ cp ~/votorola/code/votorola/a/poll/leader.rdf \
~/votorola/poll/services/SERVICE-NAME/
```
Alternatively, you may define an administrative override:
```
$ cp ~/votorola/code/votorola/a/poll/leader.rdf \
~/votorola/poll/services/SERVICE-NAME/leader-override.rdf
```
Edit the file to customize the configuration. The contents are largely self-explanatory. For the complete structural schema, see Leader.xsd. The most important item is Poll/@rdf:about, which must exactly match the service UID of the poll.

Modifying the Leader Configuration

After editing the configuration file, the changes will take effect immediately in the command-line interface (script voter). For other interfaces, the changes will take effect at the next mounting or unmounting of the poll's count.

You may speed up this process by touching the serial file of an already-mounted count:

$ touch ~/votorola/out/vocount/_readyCount_report/_mountedCount/SERVICE-NAME.serial

The configuration changes then take effect after the next fetch of count data in the voter interface. In the Web interface, for example, this occurs when any user visits a page that shows count data. Thereafter, the configuration changes will be visible to all users, on all pages that are fetched.

votorola/a/web/
votorola.a.web

This section concerns the Web-based voter interface (Web interface).

File structure the Web interface. Shows the structure for a minimal core site with two pollservers: an on-line server `v`, and an off-line server `voff`. In this example, the servlet container Tomcat is set up to run the Web interface of pollserver `voff`. (Complete examples in `/home/voff/votorola/web` and `/home/vdev/votorola/web`.)
`CATALINA_BASE` (Tomcat) conf Catalina localhost voff.xml -> /home/voff/votorola/web/voff.xml server.xml web.xml ··· home v votorola ··· out ··· web v.xml ··· voff votorola ··· out ··· login-persistance.serial web-activity-list.serial web voff.xml voface-web.js

The configuration of the Web interface is specified by its startup script, located in the pollserver's votorola/web directory (shown above). The internal structure of the script is outlined in the figure below.

Startup configuration for the Web interface. Shows the hook functions that are defined by the script `~/votorola/web/voface-web.js`.
voface-web.js function constructingVOFaceWeb( webCC ) function initializingVOFaceWeb( web )

The file votorola/out/login-persistance.serial contains hash salts (random numbers) for use by the login persistance facility (“keep me logged in”). The security of persisted logins depends on keeping this file private. You may delete this file in order to invalidate all persisted logins. A new file containing new salts will automatically be generated.

The file votorola/out/web-activity-list.serial contains the activity list (http://localhost:8080/voff/w/Activity/). It is periodically rewritten at runtime. To clear it, first shut down the Web interface, then delete the file.

Setting Up the Web Interface

A Java servlet container is required. Only Tomcat has been tested. The minimal configuration already includes a startup configuration file voface-web.js, and a Tomcat Context file voff.xml.

Ensure that the servlet container is a member of the votorola group. For example, assuming the container runs under the name tomcat:
```
$ groups tomcat
```
```
votorola tomcat
```
If it is not a member of votorola, then add it:
```
$ usermod --append --groups votorola tomcat
```
Define the Web interface as a servlet Web application, by linking to its Context file from Tomcat. Do this as root:
```
$ ln --force --symbolic  /home/voff/votorola/web/voff.xml \
CATALINA_BASE/conf/Catalina/localhost/
```
Alternatively you can simply copy the Context file to that directory.⁷

You may need to create the destination directory first. The Context directories (Catalina/localhost) are not pre-created in a clean installation of Tomcat. For more information, see Tomcat's documentation regarding the directories CATALINA_BASE/conf/[enginename]/[hostname].
Restart the servlet container. The Web interface will be accessible at:
```
http://localhost:8080/voff/w/
```
If you shut down the interface and restart it, then also remember to clear any old pages from the browser history. Their links may behave incorrectly after a restart. To clear them, go back to the first page, press refresh, and continue from there.

Web Services

In addition to its interactive services for users, the Web interface also provides non-interactive services (just one at present) for the use of Web developers and page authors.

Candidate Referral

http://SERVER-NAME/v/w/Pollspace/?p=POLL-NAME&u=CANDIDATE-USERNAME
http://SERVER-NAME/v/w/Pollspace/?p=POLL-NAME&v=CANDIDATE-EMAIL

The server name is that of the pollserver that hosts the poll. It replies with a vote confirmation page in which the user may accept or reject the suggested vote shift, or browse for other candidates. For more information, see the API of WP_Pollspace.

votorola/a/mail/
votorola.a.mail
rough draft

Mail Voting

Setting Up the Mail Interface
Mail Commands for Voters
1. hello
2. help
3. version
Challenge-Response Authentication

This section concerns the mail-based voter interface (mail interface). The mail interface is currently only documented in rough draft. It is not required for a minimal installation.

File structure for the mail interface. Shows the structure for a typical off-line pollserver. (See also the working examples.)
/home/voff .tmda ··· Maildir ··· votorola ··· mail mail-meta-service-run.js mail-meta-service.js voface-mail.js

Startup configuration for the mail meta-service. Shows the hook function that is defined by the script `~/votorola/mail/mail-meta-service.js`. (Complete example in `/home/vdev/votorola/mail`.)
mail-meta-service.js function constructingMailMetaService( metaCC )

Runtime configuration for the mail meta-service. Shows the hook function that is defined by the script `~/votorola/mail/mail-meta-service-run.js`. (Complete example in `/home/vdev/votorola/mail`.)
mail-meta-service-run.js function serviceEmail( service )

Startup configuration for the mail-based voter interface. Shows the hook function that is defined by the script `~/votorola/mail/voface-mail.js`. (Complete example in `/home/vdev/votorola/mail`.)
voface-mail.js function constructingVOFaceMail( mailCC )

# # # # # # # # # #

- inner response layer, to respond to (act on) authenticated messages
- structure and function
    - MessageResponder.java feeds commands to voter services; gathers their responses;
      and transmits them back to sender
- in exceptional cases, the responder may act repeatedly on the same message
    a) if processing of a message is interrupted by a server failure,
       the message will be reprocessed on a subsequent run
        - it is therefore possible that users will see multiple replies to a single message
            / but most re-processed messages will generate only a single reply
    b) a user might re-send a message
    - in any case, no critical anomalies will occur from partial processing of messages,
      or from repeated response to some/all of the commands they contain
- localization
    - respond with language, date formats, etc. according to sender's MIME header
      Content-Language, per RFC 3282 
        - http://www.ietf.org/rfc/rfc3282.txt
        - some canned messages will not be localized:
            - error messages
                - expected to be rare
                - typically in English, or programmer's language
            - bar descriptions from runtime configuration scripts
                - difficult to localize, so this is postponed
                - will be in primary language(s) of the core site's internet domain
    - respond in UTF-8
        - 7-bit characters (ASCII) will pass cleanly
        - 8-bit will be over-encoded for email (in whatever standard it uses)
            / presumeably the user's client can decode it,
              if they are used to receiving non-ASCII messages

Setting Up the Mail Interface

Ensure you have a mail transfer agent (MTA) that is configured to receive mail for your pollserver account. Votorola has been tested with qmail, but it should work with any MTA that is supported by TMDA.
Set up an inbox for the mail interface. The default (which you can change in your configuration script, further below) is:
```
~/Maildir
```
Messages for all voter services (service-name@HOST.DOMAIN.DOM) will be delivered to this inbox.
[Create configuration scripts for the mail interface.]
Test the meta-service from the command-line.
```
$ voter mail hello
```
```
hello
```
Run the mail interface, voface-mail.
```
$ voface-mail &
```
(It's running in the background, so use fg if you ever need to foreground it.)

Deliver an email message for the meta-service, using vodeliver.

$ echo 'Return-Path: <me@domain.dom>
Delivered-To: voff@HOST.DOMAIN.DOM
Date: Thu, 19 Nov 2009 12:24:37 -0400
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: voff@HOST.DOMAIN.DOM
From: me@domain.dom
Subject: this is a test message...

hello there

help me please' | vodeliver

That should put a message in the inbox. Vomailrd should pick it up, and send a reply to me@domain.dom, within about 20 seconds.

Use your ordinary mail client to send a message to the pollserver at the same address, voff@HOST.DOMAIN.DOM. If your MTA receives the message and delivers it to the pollserver inbox, then you should get a reply momentarilly.
Configure the MTA to deliver messages for all voter services (register and polls) to the pollserver inbox. (For qmail, see the example /var/qmail/alias directory in the appendix.)
Send a message to the voter register (register@HOST.DOMAIN.DOM), consisting of the single line:
```
help
```
You should get a reply momentarilly.

Test a poll too, by sending a help command to SERVICE-NAME@HOST.DOMAIN.DOM.

The interface will not support voter-input commands (such as 'vote'), until the authentication layer (below) is in place. If a voter-input command is received, then voface-mail will terminate with an error message.

Mail Commands for Voters

This section documents the command/response interface of the mail meta-service. The meta-service provides bootstrap instructions on accessing the voter services, as well as general information about the pollserver. Its commands are accessible by mail clients, and through the voter command shell. For access from the shell, the service name is “mail”. For example:

$ voter mail version

Votorola 0.2.2

hello

Say hello to the service.

    hello

    hello TEXT

The service replies 'hello'.  Any TEXT arguments are ignored.  This command is
used for testing.

help

Request general information on the service, and instructions on using it.

    help

The service replies with information and instructions.

To request help for a specific command, try 'COMMAND --help'.

version

Ask what version of software the pollserver is running.

    version

The service replies with the version.

Challenge-Response Authentication

The mail interface authenticates messages in order to verify sender identity. The only authentication method currently supported is a handshake across a challenge filter. The apparent sender must reply to a specific challenge (Did you send this message?) before the message is accepted.

# # # # # # # # # #
- this section concerns the basic authentication layer of the mail interface
- outer authentication layer, to authenticate address of sender
    - bypassed if message contains no command that requires authentication
        / some messages, such as read-only queries, do not require authentication
    - different methods of authentication will eventually be available,
      according to voter choice
        / e.g. challenge filter, or signed email
        - but challenge filter is the only one implemented at present

    - structure:
        1. mail/tmda-filter-wrapper
        2. Tagged Message Delivery Agent (TMDA)
        3. spam filter, to suppress challenge of obvious spam
    - usage #TMDA
    - function
        - nominal senders are challenged in order to authenticate them as actual senders
        - once authenticated, messages pass to the response layer
    - localization
        - challenge message (TMDA template) will be in language(s)
          of sender's internet domain
        - otherwise:
            / global site might be the only one that needs this
            - use the top-level domain (country code) of the sender's address
              to select an appropriate template (which may itself be multilingual)
            - see TMDA configuration variable TEMPLATE_DIR_MATCH_SENDER
                / this is the best TMDA can do, at present;
                  (it cannot read standard MIME headers, as the response layer does, below)

Ensure you have Tagged Message Delivery Agent (TMDA) — any recent version.
Ensure you have Perl 5:
```
$ perl --version
```

# # # # # # # # # #
- basic TMDA
- not forgetting to gen. a crypt_key
= test TMDA

# # # # # # # # # #
= ensure you have libraries needed by tmda-filter-wrapper,
  by test running it, without arguments

# # # # # # # # # #
= set up MTA and TMDA for voter authentication
    - e.g., by following the example configuration
- note the CAVEATS in tmda-filter-wrapper
    - it may need tweaking for your MTA

Examples of Pollserver Configuration

example/minimal

Minimal configuration for Votorola 0.2.2.2. A few of the files are location dependent, and will require modification. Pay particular attention to these files:

/home/voff/votorola/pollserver.jsm
/home/voff/votorola/web/voff.xml
/home/voff/votorola/web/voface-web.js

example/full

Full configuration for Votorola 0.2.2.2. Again, some modifications will be required. Pay particular attention to these files:

/home/vdev/votorola/private.jsm
/home/vdev/votorola/pollserver.jsm
/home/vdev/votorola/web/vdev.xml
/home/vdev/votorola/web/voface-web.js

Most of the source files for the images, and so forth, are excluded. Some of them are available here.

http://zelea.com/system/host/t

Root directory (partial copy only) of the reference server t. It hosts the on-line and off-line pollservers for Toronto. The following subdirectories are of interest:

/etc

Configuration (partial) of Web servers.

/home/v

The home directory of the on-line pollserver. It usually runs the latest release of Votorola (or an early cut of the next one).

/home/voff

The home directory of the off-line pollserver.

/opt/jdk/jre/lib

Default logging configuration for the server's Java applications. The off-line pollserver overrides this by pointing to its own


                     logging.properties

file. Since it is using jar-wrapper to invoke Java, it does this by adding the following line to its ~/.bashrc:

export JAR_WRAPPER_OPT = \
  "-Djava.util.logging.config.file=$HOME/.java/logging.properties"

The Web interface also has it own logging.properties, under /etc/tomcat-6.

/var/qmail/alias

Delivery control files for incoming mail. The voter services of the two pollservers have their own, specially tagged addresses.

/var/www/localhost/htdocs/mediawiki-c

MediaWiki installation directory, containing the pollwiki configuration. For the configuration of the interface look-and-feel, see Special:AllMessages?uselang=en-gb (loads slowly) and MediaWiki:Common.css.

Notes and References

1.	It is not yet clear that synchronization of raw voter input data will be sufficient for registrations. Super-sites may find it difficult to compile their voter lists from scratch, because compiler configuration may vary depending on the sub-site of origin.
2.	Mounts may become inaccessible owing to structural changes in the database tables, files or code. Unmounting prior to each upgrade will avoid exceptions such as `java.io.InvalidClassException ... serialVersionUID`. In any case, you may recover from these exceptions simply by remounting.
3.	If you make frequent code changes (developer) you may want to disable session persistence entirely. See example/full/home/vdev/votorola/web/vdev.xml.
4.	Not all pollserver files must be writeable by the `votorola` group. This is mostly a convenience for human members of the group, especially the administrators. For automated members, such as the Web voter interface (`tomcat`), only certain directories need be writeable. These are: ~/votorola/out/ Output files are created here. ~/votorola/poll/services/ New service directories `SERVICE-NAME` are created here. ~/votorola/poll/services/`SERVICE-NAME`/ New leader configuration is written here.
5.	You may choose to set your own personal `umask` to 0002, and your own group ID to `votorola`. $ usermod --gid votorola `MYLOGIN` Then you may create pollserver files from your own account, without having to fix up the permissions. They will automatically be writeable by all pollservers. (The drawback is that, by default, this will apply to all of your newly created files.)
6.	List compilations and counts may be scheduled using a `crontab` file, generated by the `crontab` command. An example of a `crontab` file for an online pollserver (`/var/spool/crontabs/v`) is: # DO NOT EDIT THIS FILE - edit the master and reinstall. # (/tmp/crontab.XXXXZZq0rg installed on Thu Aug 20 08:21:37 2009) # (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $) MAILTO=mike@zelea.com VOBIN=/home/v/votorola/code/votorola/s/bin # Min Hour Day Month Day of week Command 25 /4 * * nice $VOBIN/volist; sleep 30s; nice $VOBIN/vocount # "sleep 30s" for tails to catch up, before next command rotates log files The command runs every 4 hours, at 25 minutes past the hour. It would be better to run it with a degree of randomness, however, to reduce the possibility of timed exploits.
7.	For a script to simplify switching between on and off-line Web interfaces, see: http://zelea.com/system/host/t/usr/local/bin/vox-tomcat-context.
8.	Symbolic links created in the output filestore are not currently relative. They must therefore be recreated in archival copies, to point internally. Alteratively, the links may be replaced with copies of the entire referent (not yet tested).
9.	For an example backup script, see: http://zelea.com/system/host/t/usr/local/bin/vox-backup.
10.	The method of user identification is constrained by the following requirements. Each identifier must be: Globally unique. No two registrants may have the same identifier, even if they are registering on different pollservers. Machine readable and stable. The combination of name and street address that suffices for traditional voter registers will not work. The identifier must remain constant despite name changes (addition of titles, marriage) and despite relocation of residence. Known in advance of registration. Voters must be able to nominate and vote for a candidate who is not yet registered. The nominee's identifier must therefore be known in advance of registration. Verifiable against actual identity. In the trust network, each trust edge is an assertion that a particular identifier corresponds to a particular person. The extender of trust must be able to verify this correspondence, at least when challenged. The method that most easily meets all requirements is an email address. The requirement of nomination (3), in particular, is satisfied by the fact that an email address identifies not only a person, but also a communication channel. It is therefore likely to be known by others, so they can start voting for the addressee right away, and post relevant information in the pollwiki. Prior knowledge of the identifier also simplifies verification (4). Any identifier can be verified by a formal handshake between two parties (doubter and doubted), but a typical user would have to be guided through the process. A familiar email address that is recognized in advance, however, requires no handshake at all. Even if it is not recognized, the handshake can be informal, because an imposter would eventually be exposed through everyday communication. On the other hand, using email addresses as identifiers is likely to expose users to additional spam in their mail boxes. The usual remedies will not work here. Naive obsfuscations ("at" for "@" etc.) do not work at all, because the harvesting bots can see through them. Captcha guards cannot be used, because all registration and voting data is ultimately made public. The votes in particular must be published in machine-readable format for purposes of verification, and each vote is a couplet of email addresses. Closing this data to spammers would also close it to public verification. The whole verification process would then be suspect and the legitimacy of the polls questioned. So the possibility of increased spam will be a concern for some participants who lack adequate protections, at least until we have a fix for the general problem of spam. (That in itself may be something to vote for.)
11.	The design of the neighbourhood trust network was intially sketched by Michael Allan.¹²
12.	Open electoral system (strawman plan). APSA_ITP, mailing list of the American Political Science Association, Information Technology and Politics Section, August 2007. http://lists.hmdc.harvard.edu/lists/apsa_itp_at_lists_hmdc_harvard_edu/2007_08/threads.html#00037
13.	Friedrich Lindenberg has scripted some launchers/wrappers for the Votorola commands. Use these in the event that `binfmt_misc` cannot be enabled. See /home/vdev/votorola/bin/volaunchers.

Glossary and Typographic Conventions

`~`	pollserver home directory
`$`	BASH command prompt
`ITEM`	variable, subtitute your own value for `'ITEM'`
`[item]`	optional item in a command, type 'item' or nothing
`a \| b`	choice of items in a command, type either 'a' or 'b'

assent•an expression of agreement

candidate•an object of assent; one who receives a vote

communicative action•a type of social action that is coordinated by discussion aimed at mutual understanding or agreement

communicative assent•an expression of agreement that arises from discussion

core site•a node in a core subnet, providing essential voter services to the population of a single sovereign jurisdiction, such as a state, or a sovereign-designated sub-jurisdiction, such as a municipality

core subnet•one or more core sites that are interconnected to form a proper tree, the structure of which mirrors the formal hierarchy of a sovereign jurisdiction, in whole or part

count•see vote count

delegate•a subject and object of assent; one who is both a candidate and a voter, who both receives and casts votes

delegate cascade•a voting mechanism in which received votes are carried along with cast votes

district•any one of a number of geographical subdivisions that divide the overall area of a core site, according to a particular divisional scheme

divisional scheme•any one of a number of geographical subdivisions that divide the overall area of a core site, according to a particular divisional scheme

issue•the action that occurs in society as a direct consequence of a poll

issue type•the category of an issue•the general description of an issue, such as provided by leader configuration

leader configuration•the portion of a poll's configuration that is distributed out to the leading candidates of the poll

mass assent•assent that derives from a voting process in which there are relatively few candidates and little or no communication between candidates and voters

norm•a standard or pattern of social behaviour; especially one that may be formalized, such as a law, plan or policy

peripheral site•a node in a peripheral subnet, providing extended services such as poll analyses, verification of results, or an enhanced voter interface

peripheral subnet•one or more peripheral sites that are interconnected to receive a common stream of voter input data from a core site

poll•a collection of votes for measuring the consensus or dissensus of voters with regard to a group of rival candidates•a collection of votes that are stored in a public repository, and from which vote counts are generated

pollserver•a server that provides polls and other voter services

pollserver name•the login name of the account on the local host computer, under which the pollserver's data is stored and its processes are run

primary trust edge•an edge that extends directly from the root of the trust network, which is the core site

register•see voter register

site•a node in a site network; either a core site, or a peripheral site

site network•a wide-area network of nodes that run Votorola, and share common streams of voter input

snap/readyCount record•an archival snapshot of voter input and administrative data, located on the pollserver path ~/votorola/out/vocount/snap-YYYY-MD-S/readyCount-S, from which a particular vote count is generated and verified

snap/readyList record•an archival snapshot of voter input and administrative data, located on the pollserver path ~/votorola/out/volist/snap-YYYY-MD-S/readyList-S, from which a particular voter list is compiled and verified

snap/readyTrace record•an archival snapshot of voter input and administrative data, located on the pollserver path ~/votorola/out/votrace/snap-YYYY-MD-S/readyTrace-S, from which a particular residential trust network is traced and verified

synchronization interface•the primary connector in the site network, transmitting unidirectional streams of voter input upward to core super-sites, and outward to perpipheral sites

trust network•a directed graph of user-to-user trust edges that are extended by the users for the purpose of cross-authenticating the voter register

vote•a formal unit of assent

vote count•a snapshot copy of the results of a poll in which the flow of votes is traced, and the total received by each candidate is recorded

voter•a subject of assent; one who votes for a candidate•the voter command shell

voter list•a snapshot copy of the voter register in which the network of trust edges is traced, and each voter's registration is evaluated at a particular level of trust

voter register•a public repository of voter-specific attributes and inter-voter trust edges, from which a voter list is compiled

Votorola System Manual

Site Network

Core Subnets

Peripheral Subnets

Synchronization Interface

Core Sites and Pollservers

Setting Up a Core Site

Setting Up the Off-Line Pollserver

Testing the Pollserver

Setting Up the On-Line Pollserver

Pollwiki

Setting Up the Pollwiki

Pollservers

Installing Votorola

Procedure

Creating a Pollserver

Upgrading Votorola

File Server

Database Server

Setting Up Database Access for a Pollserver

Command Line

vocount — count the votes

synopsis

description

actions

options

caveats

vodeliver — deliver to the mail interface

synopsis

description

voface-mail — respond to voter messages

synopsis

description

volist — compile a voter list

synopsis

description

actions

options

caveats

volog — log test messages

synopsis

description

vomir — pull remote votes for mirroring

synopsis

description

voqproperties — print the runtime properties

synopsis

description

voscript — compile a configuration script

synopsis

description

voter — issue a voter command

synopsis

description

see also

votrace — trace a neighbourhood trust network

synopsis

description

actions

options

caveats

Register and Lists

Setting Up the Register

Register Commands for Voters

doubt

set

trust

undoubt

unset

untrust

Compiling a Voter List

Trust Network

Doubt Signaling

Polls and Vote Counts

Setting Up a Poll

Poll Commands for Voters

unvote

vote

Counting the Votes

Leader Configuration