Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 128804.

Here is a summary of the changes since the last release:

Release Notes for release-2024-03-20_23-01-base (463296c0bc82ad5999b70245e5f125c14ba7d090)

Changelog since git revision 778d2bb870f858952ca9fbe69324f9864e3cf5e7

Features:

• 282d154e4 Consensus: Put the next start height into the batch
• a2038d04a Consensus,Execution: QueryStats aggregation that is robust against malicious nodes
• aba698463 Crypto: add threshold Schnorr traits and structs
• 73278306d Crypto: Support ring’s buggy PKCS8 format for Ed25519 keys
• 8e5186803 Execution,Runtime: Increase the instruction limit for update calls to 40B
• 1d9661c50 Execution,Runtime: Implement take canister snapshot
• a1a201bd0 Execution,Runtime: EXC:1532: Introduce delete canister snapshot arguments
• c6ad509b8 Execution,Runtime: Query Cache: Cache all but the transient errors
• 4e9578cb0 Message Routing,Execution,Interface: Add deadline fields to messages, callbacks and call contexts
• f4e5d56f9 Message Routing: New certification version with Request and Response deadlines
• 57bd87670 Message Routing,Runtime: merge sharded overlays
• 147403cca Networking(http-endpoint): Add HTTP/2 support to alpn protocol header
• ba9640a49 Networking,Consensus(consensus/p2p): push artifacts based on importance v2
• a072df420 Node: - Bazel base image target
• 5482ca3bc Node: Rename log_and_halt_installation_on_error
• 626d1fd79 Node: Remove python vsock code
• 5d94ab31d Node,Crypto(crypto): Add fstrim_tool to run fstrim and collect metrics
• 710b828e1 Runtime: implement charging instructions for canister logging when calling debug_print
• 9ec68e222 Runtime,Execution: add trap message to canister logging

Bugfixes:

• 6edce9829 Boundary Nodes,Node(boundary-nodes): enable slicing on raw
• ea37f353e Boundary Nodes,Node(nginx): intercept errors and display custom error page
• 79de489c4 Boundary Nodes,Node(static-testnet): allow deployments without denylist
• 8e4dc77fb Execution,Runtime: Re-classify hypervisor ic0.call_cycles_add trap as ContractViolation
• 31b77b74f Networking: don’t unwrap if downcasting failed
• 14c177e00 Networking: improve consistency of subnet read state path conditions
• dde8cc32b Networking: subnet read state path conditions
• b9fdc7d9c Networking(consensus_manager): disable request size limit
• cae6cdb8b Node: ipv4 connectivity endpoints

Performance improvements:

• 02d1dbb83 Message Routing,Runtime: Merge more often with LSMT

Chores:

• 541a311fd Consensus: Improve HostOS console logging during registration
• 909a2c495 Message Routing: Bring next checkpoint round to the execution level
• d41ccefd9 Consensus: Use warn! instead of trace! in batch delivery when there is no finalized block at the expected_batch_height
• cf03c9d5b Crypto: Upgrade curve25519-dalek crate to 4.1.1
• 808d4c01b Crypto: use the workspace version for x509-parser
• 635db6088 Crypto: Address Ed25519 crate review comments
• cf9fb5650 Crypto,Interface(crypto): Add AlgorithmId for ThresholdEd25519
• f2f03f803 Execution,Runtime: Add wasm_memory_limit to canister state and settings
• 334bc6082 Execution,Runtime: Always return error for fetching canister logs as ingress despite the feature flag
• 80dc31b92 Execution,Runtime: Remove unused InstallCodeContextError::InvalidCanisterId
• 1a8dd39aa Message Routing: refactor chunkable trait and simplify completed()
• 22d95d7e9 Message Routing: Refactor deliver_state_sync of the state sync client interface
• 4fb8056a7 Networking(http_endpoint): migrate query endpoint to axum
• cbf002f3f Networking(http_endpoint): migrate call endpoint to axum
• b083a168f Networking: small cleanup
• b340e2f3f Node: completely remove the sev dependancy from the replica build
• 3a604a703 Node: Clean up IC-OS configuration documentation
• 89ed76b01 Node: Remove old GuestOS documentation
• 966b05f45 Runtime: Upgrade Wasmtime to v18
• 838075e5b Runtime(RUN): Remove error on bad validation config
• e3755333d Runtime(RUN): Remove unused deserialize error

Refactoring:

• f7ceaded1 Boundary Nodes,Message Routing(crypto): Use ic-crypto-ed25519 instead of internal crypto basic_sig crate
• 879f18258 Crypto: Simplify dependencies of ic-crypto-utils-threshold-sig-der
• ba2ca6902 Crypto: Use ic-crypto-ed25519 for all Ed25519 key serialization and deserialization
• 725a52e61 Crypto: Remove EccFieldElement abstraction
• b969becdd Crypto: rename PreSignatureQuadruple to EcdsaPreSignatureQuadruple
• 98c225e28 Message Routing: Move PageMapLayout to state_layout
• b19657cf5 Networking: remove the SEV dep from the replica

Tests:

• 586cd38f6 Consensus(exhaustive): Add unit tests writing exhaustive CUP set to disk
• 838549128 Consensus(exhaustive): Extend ExhaustiveSet unit test
• a831c94f2 Consensus: Split off an ic-test-utilities-consensus crate from ic-test-utilities
• 44b1cd8db Message Routing: Add a test for stability of shard size.
• 9193b06db Message Routing,Interface: Split off an ic-test-utilities-io crate from ic-test-utilities
• a29c1907f Message Routing,Interface: Move ic_test_utilities::notification into the only test using it
• 8b4abff88 Runtime: Split off an ic-test-utilities-embedders crate from ic-test-utilities

Documentation:

• 6e045f4e8 Crypto: fix comment in tECDSA

Other changes:

• 2f6164518 Boundary Nodes,Node: leave slicing only on raw domain
• f61c56422 Consensus,Boundary Nodes,Node: don’t suffix the newer clap version
• 5cd5d6568 Consensus,Crypto,Interface: yet another attempt to fix the time source complexity we currently have
• 4372669f5 Consensus,Execution,Message Routing: Split off an ic-test-utilities-types crate from ic-test-utilities
• 193ae4efc Consensus,T&V,IDX(consensus): Always purge artifacts which are at least 50 heights below the last CUP height.
• 98c0060a2 Consensus,Networking,Boundary Nodes,Node,Financial Integrations: don’t suffix the newer clap version (cargo edition)
• 460a49acd Crypto: fix rustdoc warning for EcdsaPreSignatureQuadruple
• df2b015a4 Execution,Consensus,Message Routing,Interface: Split off an ic-test-utilities-state crate from ic-test-utilities
• e6913a356 T&V,Execution,Runtime,Interface: Change some error codes to keep the convention
• f49910865 Node: Updating container base images refs [2024-03-19-0726]
• 6e839a1de Node: Finish adding manual tags to ic-os
• 32037614a Node: Updating container base images refs [2024-03-14-0814]
• 310086145 Node: Updating container base images refs [2024-03-07-2303]
• 816c2a0df Node: Continue to use SEV kernel on SetupOS
• fc0ba734c Node: Updating container base images refs [2024-03-07-0812]
• 8776594c5 Node,Boundary Nodes: Remove remaining SEV code
• 7a3c9dc6f Node,Crypto,T&V,IDX(crypto): Run fstrim_tool with randomized delay on the guest OS crypto partition
• 70d75fabb Node,Execution,Runtime: Update epoch lengths to be around 10 min

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/463296c0bc82ad5999b70245e5f125c14ba7d090/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 463296c0bc82ad5999b70245e5f125c14ba7d090

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 128805.

Here is a summary of the changes since the last release:

Release Notes for release-2024-03-20_23-01-p2p (04775a0d6a27b65be2412f73172e529a138a6f44)

Changelog since git revision 463296c0bc82ad5999b70245e5f125c14ba7d090

Features:

• ebf31104c Networking(p2p): Enable the new p2p for consensus

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/04775a0d6a27b65be2412f73172e529a138a6f44/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 04775a0d6a27b65be2412f73172e529a138a6f44

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 128806.

Here is a summary of the changes since the last release:

Release Notes for release-2024-03-20_23-01-ecdsa-latency (425a0012aeb40008e2e72d913318bc9dbdf3b4f4)

Changelog since git revision 04775a0d6a27b65be2412f73172e529a138a6f44

Features:

• 41f6c91d1 Consensus(ecdsa): Enable reduced tECDSA latency feature

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/425a0012aeb40008e2e72d913318bc9dbdf3b4f4/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 425a0012aeb40008e2e72d913318bc9dbdf3b4f4

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

This week’s second feature release (IC NNS Proposal 128806) introduces the first part of our feature to reduce the latency of tECDSA signature requests. After upgrading to this version, the Internet Computer’s tECDSA signing subnets will require one less consensus round when answering signature requests. Initially, we propose to only upgrade the tECDSA test key subnets, which are:

• fuqsr; the backup subnet of Secp256k1:test_key_1
• 2fq7c; the signing subnet of Secp256k1:test_key_1

For compatibility reasons, we propose to temporarily handle signature requests on the backup subnet, while the signing subnet is being upgraded. This switch will be made with additional update subnet proposals. In particular, the rollout will be scheduled as follows, where each point represents a single proposal:

1. Enable signing on fuqsr
2. Upgrade backup subnet fuqsr
3. Disable signing on signing subnet 2fq7c
4. Upgrade signing subnet 2fq7c
5. Re-enable signing on signing subnet 2fq7c
6. Disable signing on backup subnet fuqsr

Note that if signing is enabled on two subnets, requests are handled by the subnet that signing was enabled on first.

Proposal: 128808 - ICP Dashboard is already live.

Welcome to the forum @eichhorl. Thank you for the explanation of this new feature.

It’s just an update to a test subnet this week.

Just to double-check: the Proposal 128806 elects a version that includes the changes from the Proposal 128805 too.
This means that the new p2p for consensus will also be enabled with 128806’s version. Is it intentional?

Yes, this is intentional. p2p is already rolled out to all subnets except NNS, so it wouldn’t make much sense to exclude some of those subnets for this release.

Reviewers for the CodeGov project have completed our review of these replica updates.

Proposal ID: 128804
Vote: ADOPT
Full report on OpenChat

Proposal ID: 128805
Vote: ADOPT
Full report on OpenChat

Proposal ID: 128806
Vote: ADOPT
Full report on OpenChat

At the time of this comment on the forum there are still 2 days left in the voting period, which means there is still plenty of time for others to review the proposal and vote independently.

We had several very good reviews of the Release Notes on these proposals by @Zane, @cyberowl, @ZackDS, @massimoalbarello, @ilbert, and @hpeebles. The IC-OS Verification was also performed by @jwiegley and @tiago89. I recommend folks talk a look and see the excellent work that was performed on these reviews by the entire CodeGov team. Feel free to comment here or in the thread of each respective proposal in our community on OpenChat if you have any questions or suggestions about these reviews.

Just a brief side note, we’re not discussing a new “protocol feature”, but refer to the change as a “feature” due to internal Jira-related nomenclature.

This change does not alter the functionality, but significantly improves the existing one: the ECDSA signatures requested by the canister will now take less time to complete. We want to deploy it to a separate subnet first because the amount of code changes is substantial and we want to roll it out in the safest possible manner.

Proposal 128804 failed since we had a bug in the new version of release automation. Specifically, there was a version proposed to unelect which was still active on unassigned nodes. Since the unassigned nodes got upgraded today, we’ll resubmit proposal 128804 exactly as it was proposed and adopted before.

Proposal: Proposal: 128816 - ICP Dashboard

As you may have noticed, there was an issue with the new version that was being rolled out and a subnet recovery was necessary on two subnets (cv73p and 4ecnw) yesterday:

We have a hotfix for the issue, and I will soon send a proposal with the hotfix.

In addition, we noticed another critical problem with the pjljw subnet which manifests in the finalization rate on subnets reducing over time. The hotfix will include a fix for that problem as well, and it would be really good to urgently roll out the hotfix to all affected subnets, to avoid bigger incidents.

UPDATE:The new proposal is out:

So just to be clear both Fixes were in the same commit ? Thanks .

Will there be a post mortem regarding this incident? I’d like to get a deeper understanding of what caused it and how the hotfix addresses it.
For instance, I’ve noticed the proposed build has reverted some components of the P2P stack to the legacy ones, why was this necessary?

So just to be clear both Fixes were in the same commit ? Thanks .

Yes, all fixes are in the same commit. We did this to save CI time. Going through the entire CI testing suite takes multiple hours.

Will there be a post mortem regarding this incident? I’d like to get a deeper understanding of what caused it and how the hotfix addresses it.

There will certainly be a post mortem internally, yes. We can also make a public post mortem if there is enough interest. Please react to this message if you would like to have this.

For instance, I’ve noticed the proposed build has reverted some components of the P2P stack to the legacy ones, why was this necessary?

It was not necessary, but it was again done just for technical reasons, to save the CI time.
This will be one of the primary topics for improvements in the future, we want to improve our flexibility and reduce the toil in this area.

Unrelated question who is DRE-team ? DRE-Team

DRE team stands for Decentralized Reliability Engineering.
It’s envisioned as a community that would maintain GitHub - dfinity/dre: Decentralized Reliability Engineering – a set of tools and docs / processes to keep the IC up and running.
Although at the moment it’s pretty much only DFINITY maintaining the repo. I do hope that this will change in the future though, since it’s the interest of many parties that the IC runs well. Right?

I published a post mortem report here:

Feel free to dig in and leave a comment.

The rollout of our improvement to the latency of ECDSA signatures has now been completed for the test key, as well. Signing requests are again handled by the original signing subnet 2fq7c using the new implementation. Summary of all proposals:

1. Upgrade backup subnet fuqsr: Proposal 128823
2. Enable signing on fuqsr: Proposal 128808
3. Disable signing on signing subnet 2fq7c: Proposal 128817
4. Upgrade signing subnet 2fq7c: Proposal 129039
5. Re-enable signing on signing subnet 2fq7c: Proposal 129512
6. Disable signing on backup subnet fuqsr: Proposal 129513

Thanks to everyone who participated!