---
I found a recent post^ on Antenna rather thought-provoking. The question was posed: can computing be performed in a democratic way? The author discussed the idea of running a tilde in such a way that if the root user was thought to be doing a poor job, he or she could be voted out and another root user swapped in.
The most immediate issue I see with this concept is the question of the owner of the physical device running the server. System administrators can containerize, virtualize, or otherwise make their machines as abstract as they want, but ultimately there must be some physical piece of silicon with electrons running through it, and that piece of silicon houses the system. Therefore the question must be asked of who should own it.
Should the physical device belong to the current root user? That leads to the obvious concern of physical control over the device. The current root user could install a backdoor, or delete the server in an emotional fit, or refuse to give it to the next root user, or simply misuse CPU time or RAM for personal purposes. So should the device then belong to someone else as a check? What if THAT person doesn't want to pass it on, or decides to misuse it? What if critical maintenance needs to be performed, maintenance that requires physical access as well as root access?
I don't see a way to solve this problem while keeping a single device within the group. If only one device is to be used, it seems to me the only solution is for a third party to have control over the physical machine, such as a hosting service.
For administrative purposes, I'd think it best to have a barrier between the current root user and the actual system. A proxy system could be used to interface with the core server, a proxy that blocked undue privilege escalation or commands intended for abuse. Another solution would be to simply make the current root user a regular user on the system itself, and only the third-party owner of the machine could make superuser-level changes. In either case, the current "root" user would be acting more as a current sysadmin.
On the other side, when decisions are taken--especially ones that are hostile to the current sysadmin--how can they be verified? E-mail and chat systems likely wouldn't be enough: votes could be forged or lost, and they likely wouldn't be anonymous. Some check system must ensure each person votes once and only once on a given issue. Many possible solutions exist, from simple PGP signing to the blind signature methods of systems like GNU Taler. Though the author of the original post expressed a pointed disinterest in the blockchain, it's also worth mentioning that blockchain concepts such as token transactions and contracts are often used in practice.
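The once-and-only-once, anonymous voting check described above can be sketched with an RSA blind signature. This is an added example, not code from the original post and not GNU Taler's protocol. The names (`Authority`, `BallotBox`, `run_election`) and the toy key are assumptions for illustration; a real deployment would use a padded, full-size key, authenticate each member's signing request (for instance with a PGP signature), and accept ballots over a channel that hides who sent them.

```python
import hashlib
import secrets
from math import gcd
# Toy unpadded RSA key from two Mersenne primes: illustration only, not for real use.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # modulus, authority's private exponent

def digest(ballot: bytes) -> int:
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def make_ballot(choice: str) -> bytes:
    return f"{choice}|{secrets.token_hex(16)}".encode()  # random serial exposes replays

def blind(ballot: bytes):
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(ballot) * pow(r, E, N) % N, r

def unblind(signed_blinded: int, r: int) -> int:
    return signed_blinded * pow(r, -1, N) % N

class Authority:  # knows who is asking, never sees the ballot
    def __init__(self, members):
        self.unused = set(members)
    def sign_blinded(self, member, blinded):
        if member not in self.unused:
            return None  # not a member, or already used their one signature
        self.unused.remove(member)
        return pow(blinded, D, N)

class BallotBox:  # sees ballot and signature, never the voter's identity
    def __init__(self):
        self.seen, self.tally = set(), {}
    def cast(self, ballot, sig):
        if ballot in self.seen or pow(sig, E, N) != digest(ballot):
            return False  # replayed ballot or invalid signature
        self.seen.add(ballot)
        choice = ballot.decode().split("|")[0]
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return True

def run_election(votes):  # votes: (member, choice) pairs, constructed sample input
    auth, box = Authority(m for m, _ in votes), BallotBox()
    for member, choice in votes:
        ballot = make_ballot(choice)
        blinded, r = blind(ballot)
        if (signed := auth.sign_blinded(member, blinded)) is not None:
            box.cast(ballot, unblind(signed, r))
    return box.tally
```

The authority can count how many signatures it issued and the ballot box can count valid ballots, but neither can link a ballot to the member who cast it.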
Then, once a decision has been taken and verified, how can it be enforced? Some mechanism must be in place for the action to go through, even if it goes against the current sysadmin's wishes. In the case of a proxy, a tool could be written to carry out the vote automatically; in the case of a third-party host, the operator of the machine could step in to be the executor.
No matter what, extensive intervention would likely be needed for such a system to work faultlessly. Either new software would have to be written to operate on a democratic basis, or a neutral and benevolent third party would have to be involved. To ensure vote integrity, special software would need to be included in the users' accounts on the tilde, and they would need to become informed on how to use it. For non-technical users, this seems to me like a tough ask.
I have more thoughts on this topic, but I'll save them for another time. As it stands, this seems like a system that could work in theory, but it would require a lot of development, as our current tools do not fit this paradigm.
---
[Last updated: 2024-10-06]