This is a shorter than usual voting period, as there was a security-related fix.
This is an amendment of the hotfix proposal announced yesterday. In other words, 135300 includes the changes from 135286, plus another small fix. To avoid confusion, DFINITY plans to adopt 135300 and reject 135286.
We will provide more info about the fix shortly.
Proposals to be Submitted
# Upgrade the Registry Canister to Commit 4f60863
__Proposer__: arshavir.ter.gabrielyan at dfinity.org
__Source code__: [4f60863183c418782800fc8ffacf41be494a9a15][new-commit]
[new-commit]: https://github.com/dfinity/ic/tree/4f60863183c418782800fc8ffacf41be494a9a15
## Features & Fixes
### Fixed
#### Disable replacement of nodes that are active in subnets
Direct node replacements of nodes that are active in a subnet may result in unexpected behavior and potential problems in the current Consensus code.
So to be on the safe side we need to disable the functionality on the Registry side until the rest of the core protocol can handle it safely.
## New Commits
```
$ git log --format="%C(auto) %h %s" 2d4bcba47ea10520ff21ce54a8acb9cdb0629317..4f60863183c418782800fc8ffacf41be494a9a15 -- ./rs/registry/canister
4f60863183 fix(registry): disable replacement of nodes that are active in subnets (#3935)
8a3737fa65 fix(registry): Update the correct node operator ID in node removal (#3924)
527f4adf99 chore: Quotation in error messages (#3828)
4c20acbce9 chore(nervous-system): Update changelog for release 2025-02-07 (#3867)
```
## Current Version
__Current git hash__: 2d4bcba47ea10520ff21ce54a8acb9cdb0629317
__Current wasm hash__: f8b2aba5d7217cc07a84d59a18af825c2a8813dd38073b96456b2e83d1e78e37
## Verification
See the general instructions on [how to verify] proposals like this. A "quick
start" guide is provided here.
[how to verify]: https://github.com/dfinity/ic/tree/4f60863183c418782800fc8ffacf41be494a9a15/rs/nervous_system/docs/proposal_verification.md
### WASM Verification
See ["Building the code"][prereqs] for prerequisites.
[prereqs]: https://github.com/dfinity/ic/tree/4f60863183c418782800fc8ffacf41be494a9a15/README.adoc#building-the-code
```
# 1. Get a copy of the code.
git clone git@github.com:dfinity/ic.git
cd ic
# Or, if you already have a copy of the ic repo,
git fetch
git checkout 4f60863183c418782800fc8ffacf41be494a9a15
# 2. Build canisters.
./ci/container/build-ic.sh -c
# 3. Fingerprint the result.
sha256sum ./artifacts/canisters/registry-canister.wasm.gz
```
This should match `wasm_module_hash` field of this proposal.
Please note that the release notes for commits 4c20acbce9-8a3737fa65 were omitted form the Features & Fixes section by mistake, but those commits are indeed part of this release, as announced yesterday. They should have read as follows:
### Update the correct node operator ID in do_remove_node_directly
Fix for the do_remove_node_directly function to update the correct node operator ID record.
In the past the caller_id and the node_operator_id for the node were always the same.
However, since #3285 the caller_id and the node_operator_id for the removed node may differ,
and this introduces a bug in this edge case.
The bug resulted in a node reward discrepancy for a few operator records, identified in the
regular administrative checks before the reward distribution and [described in the forum](https://forum.dfinity.org/t/issue-with-node-provider-rewards/41109/2) and
mitigated with a few NNS proposals referenced in the forum thread.
A bit more context around the issue, now that the proposal has been adopted.
Earlier today we got an alert from our monitoring stack that an unexpected behavior has been encountered and we tracked it down to the recently added functionality:
Without disabling this functionality in some edge cases it might come to consensus stalling, and requiring subnet recovery.
The reason we introduced this functionality in the first place is mostly around Proposal: Update Interim Gen-1 Node Provider Remuneration After 48 months and the related node redeployments.
The need to go through the NNS proposals for these node redeployments significantly increases the friction and worsens the UX for node providers.
So we will give our best to re-enable the functionality as soon as possible.
Vote: ADOPT
Reason: Build completes successfully, both hashes and reviewed commits match their descriptions.
4f60863183 Temporarily disabled direct replacement of already deployed nodes functionality in make_remove_or_replace_node_mutations and annotated related tests with ignore attribute.
8a3737fa65 In make_remove_or_replace_node_mutations retrieve node operator record using operator id instead of the caller id. Updated tests to ensure node operator record allowance is properly updated after node removal.
527f4adf99 Improved readability for CalledTrap type errors.
CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.
Learn more about CodeGov and its mission at codegov.org.
Canister id rwlgt-iiaaa-aaaaa-aaaaa-cai is indeed the registry canister.
The upgrade args correspond to the empty args.
The install mode is indeed upgrade.
The wasm hash is reproducible.
Code Review
The direct replacement of already deployed nodes in the make_remove_or_replace_node_mutations function has been temporarily disabled, and related tests have been annotated with the ignore attribute.
Additionally, the make_remove_or_replace_node_mutations function now retrieves the node operator record using the operator ID instead of the caller ID, with tests updated to ensure that the node operator record allowance is properly updated after node removal.
Readability improvements have been made for CalledTrap type errors. Lastly, the changelog files have been updated to reflect these changes.
4f60863183
The main fix temporaily disables direct active nodes replacements by setting replacements_of_nodes_in_subnets_enabled to false.
8a3737fa65
Uses the correct node_operator_id that not always matched caller_id for node removal in do_remove_node_directly.rs.
527f4adf99
Added single quotes to the trapp error messsages to improve readability.
4c20acbce9
Updates the changelog files to latest executed Proposals.
About CodeGov
CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.
Learn more about CodeGov and its mission at codegov.org.
Reason:
Build successful and hashes match, commits look great and match the description. Found no issues.
[4f60863183]: Temporarly disables replacement of Active nodes in subnets until the protocol can handle this safely by using the variable replacements_of_nodes_in_subnets_enabled which is set to false.
[8a3737fa65]: Since the caller_id previously used as the variable for Node Operator ID may differ from it , the PR #3285 changed restrictions to allow checking the Node Provider ID and DC of the caller. But there was a stage that retrieved the NO record and incremented it by 1 that was still using the caller_id instead of the node_operator in the payload.
[4c20acbce9]: Moved added features and fixes from unrealeased_changelog.md to CHANGELOG.md in the form of proposals that were released.
About CodeGov
CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.
Learn more about CodeGov and its mission at codegov.org.
