Introduction

If you came for the ICP giveaway, you’ll need to read to the end (and it’ll likely save you time if you read and absorb this post first I’ve tried my best to shorten it). If you care about the sanctity of IC governance and desire effective decentralisation then I think you should read to the end

Context

This post stems from prior discussion on a recent IC-OS proposal forum topic (along with prior discussion on Slack and OC) highlighting proposal summary inaccuracies and debating the unnecessary difficulty involved in validating proposal summaries.

This post also comes at a time where CodeGov may stop conducting technical reviews on IC-OS proposals, given that the funding and decentralisation landscape is changing. As a member of CodeGov, I see this post as an opportunity to consolidate and summarise some concerns that I’ve been raising over the last few months while conducting IC-OS proposal reviews.

See here if you’re unclear about what’s meant by IC-OS (the operating systems that run the IC - i.e. IMPORTANT stuff). Anybody who’s spent any length of time digging into the details presented by IC-OS proposal summaries (and then digging deeper) will know that they’re not always what they seem.

Overview

In this post I aim to:

• Introduce IC-OS proposal summary inaccuracies
• Provide my understanding of why these occur relatively frequently
• Explain why I think…
  • … current approaches to addressing this problem are insufficient (tackling symptoms rather the cause)
  • … this problem is far from optimal for effective governance decentralisation (which the IC is increasingly expected to demonstrate)
  • … this requires a rethink of how the IC repo is managed (tackling the cause rather than the symptoms, saving everyone time and effort in the long run)

I’ll finish off by proposing some simple next steps as well as requesting discussion and feedback from DFINITY and the rest of the community about the feasibility and utility of what I’m suggesting.

IC-OS Proposal Inaccuracies

As it stands, ICP stakers are invited to vote on IC-OS proposals that the proposer (DFINITY) hasn’t managed to maintain sufficient oversight of to accurately summarise (in a non-misleading manner). Here are a couple of recent examples where relevant commits have been left out of the summary, or irrelevant commits have been included - 130984, 130818. Another type of inaccuracy references an incorrect commit as the start of the change log - here are a couple of examples, 131055, 130749.

Straw that broke the camel’s back

Individually small discrepancies may seem harmless, but misleading proposal summaries collectively have the potential to be dangerous (it’s not something we should be normalising and accepting). I’ve recently started rejecting IC-OS proposals that have misleading summaries ( thank you @wpb for being receptive to this).

Note that if the community rejected IC-OS proposals every time the proposal summary is misleading (e.g. missing out relevant changes and/or including irrelevant changes) I would not be surprised if the majority would not be executed. Nevertheless, I’m confident that this is where effective governance decentralisation begins.

Proposal summaries currently risk doing more harm than good by eroding trust in the integrity of IC proposal history (history which is expected to have been comprehensively validated by at least some members of the community before execution).

Detecting Missing Commits

Regarding the problem of missing commits, I generally detect these by looking for files that have been modified by commits referenced in the proposal summary, and then looking for commits that weren’t referenced by the proposal summary but that also modified these files. This throws up a load of false positives (mostly cargo and bazel related files, or genuinely unrelated files due to fat commits), so I then sift through these manually in an attempt to pick out genuine IC-OS modifications.

Short of paying very close attention to the hundreds of commits that take place between GuestOS election proposals, and the thousands of commits that take place between HostOS election proposals (with a limited time budget) this seems like a sensible way of short-listing missing commit candidates (which should have been referenced by the proposal summary in question). I’ll come back to this point in the next section about so many unrelated commits to sift through (I believe it’s unnecessary, and costly to the objective of governance decentralisation).

Other Approaches

The approach I’ve described above is obviously far from perfect. Another approach would be to utilise the CODEOWNERS lookup file, which maps out which teams are responsible for which files in the IC repo. This is one of the techniques used by the tool that actually generates IC-OS proposal summaries. However this is also imperfect, and assumes that the CODEOWNERS file is accurate and kept up-to-date (which I don’t believe is often the case).

If proposal summaries cannot be depended on (in the sense of being easily validated to be true and accurate), their utility is brought into question. I don’t believe there’s a good reason for accurate and easily verifiable IC-OS proposal summaries to be difficult (to produce, nor to verify), as I’ll explain.

Why Do Inaccuracies Occur So Frequently?

Let me be clear about what I’m saying. DFINTY is doing an unparalleled job of building something incredible and world changing. My hat goes off to them. I’m extremely grateful for the work that they’re continuing to do expertly. The root of the problem doesn’t lie with the DRE team nor the proposal summary tooling - I think they’re forced to fight a loosing battle against how the IC repo is being maintained…

As I see it, the problem stems from a choice of how the IC repo is maintained to reduce certain burdens on the development teams (requiring voters/reviewers in the community to work many times harder to work around that choice). It’s a trade-off, but the community is increasingly forced to pay for it. In my opinion it’s a choice that only pushes complexity around, kicking the can down the road where it becomes harder to account for.

The Choice of Trunk-based Development

I’m speaking about the choice to practice what’s called ‘trunk-based development’. You’ll need to be familiar with Git to grasp this. In a nutshell, trunk-based development assumes untenable merge conflicts are practically unavoidable when performing development work on separate git branches. It seeks to avoid these merge conflicts by ensuring that branches are merged into a single trunk (master branch) as frequently as possible (so that any merge conflicts either do no exist, or are small and easier to resolve). IC branches often contain only 1 commit.

Note that the IC repo contains many projects (deployment targets that are handled by different proposals and/or different types of proposals), including system canisters and other system components such as GuestOS and HostOS. Trunk-based development mixes commits for all of these systems together into a big jumble on the master branch (or trunk) before they’ve even been deployed/approved by the community.

This is a jumble that’s evidently hard to untangle when composing/reviewing releases. Trunk-based development is clearly a bad fit for a Web3 foundation (probably why Google doesn’t see an issue with practising trunk-based development - they’re a different enterprise with different trade-offs to juggle).

What’s the point of a branch if it contains only 1 commit?

Branches that contain only 1 commit are largely pointless (many popular git clients provide the option to automatically “keep a single branch line if possible” to avoid such pointless branches cluttering the git graph).

Git is a powerful and flexible fully fledged source control system supporting numerous branches for features, environments and deployment targets (with no end of tooling for working with and visualising the resulting git graph). In this context, trunk-based git development is a bit like using a broom to paint a masterpiece, as you don’t want to have to keep cleaning your job-specific, assorted paint brushes (even though they’re there to be used). You’ll get the job done and cover more ground, but there will be mistakes in the presentation of your work, and the audience will be left wondering what they’re looking at (repository-wise).

Rethinking the IC Repo

It’s DFINITY’s contention that trunk-based development is a practical necessity that pays for itself by avoiding merge conflict headaches. I’m not convinced by this. I am convinced that there’s huge cost that’s being paid by the community and the mission for governance decentralisation.

The fact that DFINITY struggle to compose their own IC-OS proposal summaries accurately should be seen a red flag, indicating that something fundamental needs to change. How can the community be expected to step up and take responsibility for proposals when even the proposer often fails to do so accurately. This goes deeper than just tweaking tooling and dependency graphs (a current approach for addressing this - e.g. see here).

We should be minimising the number of tools that the community needs to (or is inclined to) place trust in. Aside from build/hash verification, Git is the only source of truth that should be needed, and I think it can and should be made easy for the community to validate the integrity of a proposal summary based on the content of a release branch (a branch that does not contain any irrelevant commits, and therefore is listed in it’s entirety in the proposal summary).

Proposed Next Steps

I strongly believe that a long-term goal should be making IC-OS proposal summaries something that is validated in a similar fashion to build verification. This sort of thing can and should be simple, but the IC repo needs to be managed differently for it to be feasible.

Here are some quick wins and low hanging fruit:

1. Committers begin listing the deployment targets that their commit modifies in the commit message, using a standardised format on a single line (e.g. “Target: GuestOS, HostOS” or “Target: GuestOS, RegistryCanister”)
   • I also think it would be useful to explicitly distinguish between a “Direct Target” (e.g. directly modifying GuestOS code) and “Indirect Targets” (e.g. modifying/upgrading a library that indirectly impacts the behaviour of the GuestOS, as a dependant system)
2. In the case of “Direct Target” commits, committers should aim to limit commits to a single deployment target (split changes between separate commits if needed/possible - e.g. don’t directly modify GuestOS and HostOS in the same commit)
   • In the event that this isn’t possible, provide an explanation for why deployment targets are so coupled that separate commits would not be feasible/sensible
3. Committers should aim to not mix “Direct Targets” with “Indirect Targets” in the same commit (e.g. do not modify common library code that’s depended on by GuestOS in the same commit that directly modifies GuestOS code). This might seem odd to anyone who’s bread and butter is trunk-based development, but it’s what makes commits composable into different branches (it doesn’t necessarily matter if one commit doesn’t represent a completely working state if it’s not merged into master yet).
4. @DRE-Team can then utilise these Target labels to quickly and reliably construct IC-OS proposals (and/or use existing proposal summary tooling to detect most cases where the committer is not abiding by these guidelines, so that they can be reminded for next time)

The above points serve the following purposes:

1. Quickly get to a point where IC-OS proposals more reliably contain all of the relevant commits, and none of the irrelevant ones (though there’s still the problem of simple and reliable verification, which is something to tackle later - see next point)
2. Acquire clearly interpretable quantitative and qualitative data about how frequently cross-cutting concerns and common dependencies result in a commit that directly modifies multiple deployment targets, and in those cases, information about why the commit cannot sensibly be decoupled into separate commits for the separate deployment targets (this is provided by all of the commit messages).
   • Note that this same constraint wouldn’t be expected to be upheld by commits for “Indirect Targets” (common library/utility code), because it’s purpose is to be shared between projects.

Once/if the above could be ticked off, as a community it’ll be a lot easier to engage in further discussion about how matters could be improved, and git workflows and processes that are more conducive to an inclusive and active NNS DAO and Web3 community (where proposal summary verification is made simple due to deployment-target-specific release branches).

I think the IC is well positioned to explore and set a gold standard for how source control for Web3 projects are managed in the future. We just need to want this - do we?

Wrapping Up

In the meantime, It’s my contention that the community should be aiming to reject IC-OS proposal summaries that are incorrect or miss out commits that modify the relevant IC-OS (I will be aiming to do this from now on, as mentioned). This is my public neuron if you’d like to follow it for this purpose (IC OS Version Election) - 16459595263909468577. I plan to make this a known neuron at some point.

Please voice your opinion in comments, ask questions, express if you agree or disagree with points raise in this post, and what it would take to move forward with these ideas. @Sat, @Luka, @EnzoPlayer0ne and @basvandijk, I’d be particularly interested to know what your thoughts are if you have the time

Summary

In summary, the current approach to managing the IC repo creates significant challenges for accurate proposal summaries, and proposal summaries that can be easily validated, which in turn hampers effective governance decentralization. By adopting the proposed steps, we can inch towards making the process more reliable, and easier for the community to engage with.

I urge the community to consider showing their support for these simple changes to commit messages, in aid of exploring a more robust and trustworthy governance workflow. Please share your thoughts, questions, and feedback to help us move forward together.

I

Hey @Lorimer. I’m always impressed with the attention to detail you put into these IC-OS Version Election proposals. You have an amazing talent. I appreciate how you are always seeking to learn from the DFINITY team and others in the community and always thinking about how to improve the replica update experience. It’s important work.

I think you are providing a valuable voice from the community reviewer perspective on some of the features that make reviews challenging and can be improved. I look forward to reading the responses to this thread. I hope it triggers a lot of active and valuable discussion.

Also, thank you for putting your neuron ID out there for others to follow. I look forward to voting on your proposal some day to become a registered known neuron. It’s a strong demonstration of your commitment to the betterment of the internet computer. It’s really cool to watch you help advance decentralization of the IC using your talents in this way.

I’m reading it just because I enjoy your technical writing. As someone newer in their Software Engineering degree it’s been a learning curve. However, your technical voice is “on-point”. I enjoy it.

I don’t specifically care about the giveaway… I mean I care that’d be cool… but like I’m here mainly to support your work.

Just know my read and input for this post will be (if anything) to support you, and that dog of yours. <3 I’ll be back with a serious reply…

Just leaving this for now…

EDIT: do not draw from the ending conversation…

I had a bit I was going to say… Then I realized it wouldn’t address the specific technical concerns you raised. So, I’ll leave it as this…

I appreciate the opportunity to follow your neuron for these proposals. I was going to freelance these at one point because I liked code gov and @wpb despite our differing opinions on hot topics. Then I got seriously sidetracked by life. However, knowing how these should be done I do/ did follow code gov for most of these specifically because I knew the workers were good at what they do and I respect that. I can read things out of order at times. So, I also found having the dedicated members (who don’t) do it as a perfect solution. However, I am interested in learning how to do these in the future once my never-ending cycle of work-related tasks and classes eases… Mainly for free though because I like to practice my decoding skills and this was oddly a great practice to verify the order I’m reading it versus how it’s written.

That is pretty much all I wanted to say to you on this topic my friend and please continue your technical writing. You’re very well spoken.

Is the 10,000 ICP in the same place as the commit with hash 076402…a63f? My parents always told me that it’s not good to deceive. If there’s a double deception here, I’ll demand double compensation with equally high-quality posts. Great job, @Lorimer.

Thanks, Lorimer for sharing so honestly and in a straightforward way. I’m always a big fan of open and direct feedback.

The number of inaccuracies you’ve picked up in recent proposals is crazy. For me, trusting the proposal summaries has always been a concern of mine, but I’ve never actually taken the time to put work into checking them properly. You’ve found ample evidence that something needs to change.

I don’t personally work in the IC monorepo, my work at DFINITY lies elsewhere, so I would be out of place to comment on your suggestions as a DFINTY employee. As a software developer / ICP community member, I think your suggestions for release branches makes sense. If I was working in the monorepo, I would personally have no issue with merging to a release branch instead of the master branch.

I hope we can continue some open dialogue about the pros and cons of these approaches.

Thanks @wpb! If it weren’t for you I wouldn’t have become as involved in IC governance as I am now. I really appreciate your kind words!

Thanks for the support @NathanosDev! I imagine transitioning from trunk-based development to multiple feature/release branches will require a bunch of initial coordination. Even though I don’t expect it to be an easy transition (maybe it will ) it definitely seems necessary and well worth it in the long run. Assuming it would be difficult to tackle this in one fell swoop I’m hoping that a poor man’s approach might help in the meantime (labelling commits by deployment target). Hopefully this’ll also provide some data that will make planning the optimum git workflow easier.

Thanks again for showing your support!

I appreciate your post and drive to make things better @Lorimer!

I disagree pretty strongly with moving away from trunk-based development. There are already quite some merge challenges, and having longer-standing branches would make that much worse.

I agree with your point about the change logs in the proposals, but I think that’s not indicative of some big fundamental problem, but rather that everybody thinks that reviewers should look at the git log since the previous replica version, so the changelog is not extremely carefully checked. Anything other than looking at the git history feels a bit missing the point (because whoever submits the proposal can conveniently omit some malicious commit from the changelog). So to make life easier for reviewers, i see more value in splitting things into separate repositories than long-lived branches or better changelogs. That way, if you eg review an ICOS version, that every commit in the history is actually relevant to review, and they’re not polluted by eg commits to some canister.

Thanks @Manu!

I completely agree. The proposal summary serves as a convenience, and if every commit is included in the proposal summary then it’s extremely easy to validate that none are missing (I think it could be automated much like running the build verification script). Without the ability so simply verify the fidelity of the proposal summary, I think its utility is questionable as mentioned.

Breaking up the monorepo would also address this problem. You’re in a much better position to comment on whether that’s a better outcome, and not too much of a burden for managing shared dependencies. I’d definitely be in favour of this and I’m sure lots of other reviewers would too.

Out of interest, are you able to elaborate on the kind of merge conflicts that typically crop up? I wouldn’t be surprised if there are lots of merge conflicts in build / package dependency related bazel files. Are there commonly merge conflicts in actual source code files? What would this look like if the monorepo were split into separate repos - the same source code file duplicated in the separate repos?

Please note

Due to an interesting turn of events, this ICP giveaway challenge has now switched to a first come first serve basis

In fact, I just noticed that @Manu has already posted the link as an emoji!

For anyone else who tried to complete this challenge earlier today, they will have noticed that the commit hadn’t been pushed to Github and wasn’t publicly available. This has changed within the last hour thanks to Manu! Now every commit that’s referenced by an IC-OS election proposal (even from over a year ago) is publicly available on Github (123008 is the only proposal I detected that didn’t previously conform to this).

I will transfer the full 10.000 directly to Manu shortly. Thanks again Manu, this was fun!..

…Done - via OC

@wpb should become a senior leader in ICP

This was interesting, is this a new way to bribe Dfinity ? kidding ofc but then again you never expected anyone from outside to win.

I actually didn’t expect anyone would likely have access to that commit. I assumed it was more likely that it was never pushed and only hanging around in someone’s local repository (and eventually deleted as it’s a year old).

The giveaway was really just intented to raise awareness about this important topic - but of course I’m also prepared to stand by my word as well and follow through (give or take a decimal point or two … was that misleading? ).

Hi @Lorimer

Thank you for your detailed and thoughtful post regarding the IC-OS proposal process and the challenges posed by the current trunk-based development model. I appreciate your concerns and agree that the release notes are not perfect. However, I believe some of the comments or the recommendations may stem from the lack of familiarity with the process and the evolution that led us to the current state. Transitioning to a different development model would require significant time and effort, which might be better spent elsewhere.

Here are a few key points to consider:

1. Human vs. Automation: Relying on humans to annotate commits instead of automation could lead to higher error rates. Humans are prone to mistakes, and while automation isn’t perfect, it can be improved continuously to reduce inaccuracies over time.
2. Effort and Time: Changing our development model would necessitate a substantial investment in both time and resources. This effort could be directed towards enhancing our current processes and tools to mitigate the issues you’re highlighting.
3. Invitation to Collaborate: I’d like to invite you to a call (or multiple calls) where we can discuss how the entire process works in more detail. Understanding the intricacies of our current system might provide you with a clearer perspective and enable you to contribute effectively to improving our automation scripts, which could help to completely eliminate these observed problems.
4. Community Contributions: Everyone is welcome to contribute improvements, particularly to the GitHub - dfinity/dre: Decentralized Reliability Engineering repo. Given your insights and dedication, I believe you could make terrific contributions to our automation and proposal summary processes.

Let’s schedule a call to go over the process in depth and explore how we can work together to enhance our system. Your participation and feedback will be invaluable in driving these improvements.

Looking forward to your response and to our collaboration!

I think this would be a welcome opportunity. @lorimer has been really good about asking questions publicly and keeping his thoughts and observations organized. Other members of CodeGov have often had similar questions. Hence, I think the entire CodeGov team would appreciate this collaborative opportunity. We’d be happy to invite you to our biweekly team meeting (Friday afternoon UTC). Or if you find others who are also interested and want to host a call yourself then we’d love to know the time and date.

This is a really cool opportunity @sat. Thank you!

Awesome @wpb !
Please share the call details. I can join this Friday, in case the biweekly call falls then, but then will be out (on PTO) for 2 weeks. But I’ll be very happy to join when I get back.

Thank you @sat. Looking forward to going through things in more detail. I’ll let @wpb confirm a date for going through things with the CodeGov team.

I really appreciate your feedback. I have some initial thoughts:

There are already conventions that commit messages are expected to conform to. Automation already depends on the committer not making a mistake. The committer is obviously the best placed individual to label the deployment targets affected by the commit (and I’m only suggesting this as a temporary measure for gaining more data and improving the reliability of tooling in the meantime).

I think it comes down to whether or not governance decentralisation is a primary goal of the IC, and whether or not the current setup is well aligned with that aim. I also think the sunk cost fallacy is a common feature in large IT projects. If it can be agreed that the current repository setup is suboptimal (damaging to effective governance decentralisation), I’d expect the best time to tackle that problem to be the present (or it just becomes technical debt that becomes harder and more expensive to fix in the future).

I’m looking forward to going through things in more detail. My concern is that even if the tool could be made to work perfectly today, that doesn’t mean it will work perfectly tomorrow. In addition, I think the need for this tool to exist in the first place is problematic - which is really what I’m trying to get at. It encourages people to trust it, which they shouldn’t, and they shouldn’t feel the need to (but most people would be hard pressed to do anything other than rely on it given the current repository setup).

That’s very kind of you to say. My concern is that piling more effort into a tool that ideally shouldn’t be needed in the first place seems counter productive to me (in the long term). But I appreciate there may be vital things that I’m missing that you’ll go through with me on a call or two

Do you have thoughts on the feasibility of @Manu’s suggestion?

This is super detailed and I learned a lot. I didn’t realize some of these things about how the repo was managed.

For me there has been a consistent frustration with how much is in the repo. I’m guessing trunk-based development isn’t as big of a deal when things are split out into modular repos, but perhaps you pick up additional complications.

It has always been frustrating that things like the ledger, the sns ledger, the sns governance canisters, and other IC system-based canisters are lumped in with all the replica code. It makes it extremely difficult to do any kind of community review or contribution(I know there is a good bit of prep work going into to moving to github to make this easier which is great!).

It would be MUCH easier to track changes to those canisters(and thus vote on canister upgrades) if those were split out and one did not have to wade through hundreds of irrelevant commits. For a couple of years we were on a fork of the ICP ledger for Origyn and trying to keep it in sync was such a hairy process that we just avoided it unless there some kind of significant bug(which was really hard to keep track of because we couldn’t just check one repo and see if there was an updated version number).

Thanks again @sat for joining our biweekly CodeGov meeting. It was great to meet you face to face and super useful for you to go through the history of how the repo and associated tooling developed over time. As discussed, making any significant changes to how the repo is structured and/or git workflows would be a large undertaking. But I’m happy to hear that the deployment target labelling convention is something that DFINITY may be able to get on board with at this stage (making it easier to revisit these bigger challenges down the line).

Please keep me up to date with how you get on pushing this initiative. As mentioned, I’m happy to jump on another call if and when. Thanks so much for your help with this