Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 130984.

Here is a summary of the changes since the last release:

Release Notes for release-2024-07-03_23-01-base (e4eeb331f874576126ef1196b9cdfbc520766fbd)

Changelog since git revision 2e269c77aa2f6b2353ddad6a4ac3d5ddcac196b1

Features:

• db43f5d64 Execution,Message Routing,Interface: Introduce RejectReason variants
• 6cb282e89 Node: Add verbose flag to help debug NP support issues and add logrotation to host
• b955bdb6d Node: Send generate-network-config logs to console and journald
• 497c65309 Node: Switch IC-OS to newer FS build tools
• ebf98c05c Node,Crypto,Networking: remove the debug_override options from the logger config and remove the injection of the debug_override from the GuestOS
• 515ae9df2 Runtime: Wasm64 system api functions
• 0096f18ed Runtime,Execution: Adjust query stable read/write volume

Bugfixes:

• 32c5a6ed8 Consensus(backup): After a restart, backup CUP artifacts using their original proto bytes
• 82ffb578c Consensus(idkg): Validate initial dealings on the receiving subnet
• 023e03ccf Execution,Runtime: Properly handle updating of reserved cycles limit
• ad5629caa Node: Update comments around custom ICOS tools

Chores:

• 32be302da Consensus(github-sync): PR#296 / fix(consensus): Fix off-by-one error in notary bound
• bd3ad009f Consensus(github-sync): PR#289 / refactor(consensus): Merge imports in consensus crate
• 1d669afba Consensus(github-sync): PR#282 / chore(CON13-02): Remove make_ecdsa_signing_subnet_list_key from the codebase
• 29e5e1484 Consensus(github-sync): PR#285 / chore(schnorr): Manually implement Debug for ThresholdSchnorrSigInputRef and omit full message
• 2d4216930 Consensus(github-sync): PR#288 / fix(recovery): Reduce SSH timeout and number of attempts in ic-recovery
• 73c9752b9 Consensus(github-sync): PR#276 / feat(consensus): Introduce a bound on validation-CUP gap
• d5319fa1c Consensus(github-sync): PR#272 / chore(recovery): Generalize mentions of tECDSA in ic-recovery
• b0c2e812d Consensus(github-sync): PR#277 / refactor(): Move Chain Key related metrics into the ecdsa submodule
• 6ab169470 Consensus(github-sync): PR#270 / chore(): Remove CountBytes from CanisterHttpPayload
• d9b4568bb Execution,Runtime: Add doc links to HypervisorErrors
• 0a7291dfc Message Routing: Handle unverified checkpoint markers in downgrade
• 28d2e601d Message Routing: Un-templatize load_checkpoint
• 9b2809cc0 Networking: remove adverts from consensus
• b23fb5484 Networking: reqwest https outcalls
• 6a6470d70 Networking: remove unused logger config options
• 800c7e336 Networking: respond with 405 if reading body takes too long
• 9fbfe2493 Node: Update container base images refs [2024-07-02-1927]
• 6e18b52d7 Node: Update node exporter version
• 707e992d7 Node: Update container base images refs [2024-06-27-0815]
• 7b690eb98 Runtime: Limit max number of Wasm tables to 1
• f97beb05f Runtime,Execution: Update float instruction weights

Refactoring:

• c93f29221 Crypto: use ic-crypto-ed25519 for basic sig key generation and signing
• a34d8ba69 Execution,Runtime: Make ExecutionEnvironment::execute_canister_task private
• eb47b634d Execution,Runtime: use generic iDKG keys in ExecutionTest helper
• 8dc3fe1d5 Interface: remove the unused node_id config option from the logger config
• 6ae105978 Interface: add more comments and rename some fields and types in the logger config
• 04f1b316f Interface,Networking: move the artifact_manager under p2p
• 5f300334b Message Routing,Execution: Split off Ingress related errors from StateError

Tests:

• 7349faefe Consensus(github-sync): PR#301 / chore(): Make consensus framework tests more precise
• 9627d133c Execution,Runtime: add a test for fetching canister logs via composite_query which is not allowed
• 8e6b98db3 Execution,Runtime: Add regression test for executing multiple messages in a round with DTS
• f520aa5ed Message Routing: Add tests for reject responses generated by the StreamHandler
• 3823c665c Message Routing,Utopia: add CanisterHttpPayloadBuilderImpl to StateMachine tests

Other changes:

• 5ef64119a Execution,Runtime: feat(bitcoin-query-apis)!: Remove bitcoin query APIs from the management canister

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/e4eeb331f874576126ef1196b9cdfbc520766fbd/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c e4eeb331f874576126ef1196b9cdfbc520766fbd

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 130985.

Here is a summary of the changes since the last release:

Release Notes for release-2024-07-03_23-01-storage-layer-disabled (5849c6daf2037349bd36dcb6e26ce61c2c6570d0)

Changelog since git revision e4eeb331f874576126ef1196b9cdfbc520766fbd

Bugfixes:

• 5849c6daf Interface: Disable new storage layer

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/5849c6daf2037349bd36dcb6e26ce61c2c6570d0/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 5849c6daf2037349bd36dcb6e26ce61c2c6570d0

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Thanks for this release DFINITY. As part of reviewing this I ran a quick analysis on the proposed GuestOS versions to unelect. Based on IC-OS election proposal history, there currently appear to be 10 blessed replica versions registered, 5 of which would be unelected by this proposal.

I’ve listed these in the collapsible section below, ordered by elected date, and crossed out the versions that would be unelected.

GuestOS versions e3fca54 and 9c006a5 interested me. They’re not running on any subnets (and e3fca54 has never been deployed to any subnet as far as I can tell), and they’re older than all but one of the GuestOS versions that are currently running on subnets. Yet they’re not being unelected. Are these intentionally being reserved in case there’s a need to rollback (or something)?

Unelections haven’t historically gone off without a hitch, so it would be useful for the community to have some guidelines for how DFINITY plans and prioritise unelections. This would help with spotting any unintended out-of-the-ordinary situations.

I’ve asked similar questions on previous proposals (e.g. 130083, 130315) but haven’t yet received a reply on this matter (specifically regarding what the policy is for determining which versions get unelected).

Thanks in advance

In fact, now that my attention is drawn to it, it’s interesting that the NNS subnet (tdb26) is still running GuestOS version ae3c4f3. This version precedes the hotfix that got elected on 2024-06-24/2024-06-25. tdb26 has been running ae3c4f3 since 2024-07-01 (5 days). This seems worth noting, given that NNS is running a GuestOS version with a known vulnerability.

Presumably this is the case because a hotfix wasn’t deployed with the LSMT feature switched off (currently required by the NNS subnet), and subsequent GuestOS versions have contained additional changes that aren’t yet considered battled tested enough for the NNS subnet yet?

This relates to a question I had about the hotfix when it was being elected (but I didn’t receive an answer)

Just FYI, I think at least these two commits should have been included in the proposal summary but weren’t - b032518, ccec3cb

As mentioned last week, I’m in the process of writing up a forum topic to try and prompt some brainstorming for ways to avoid these sorts of issues (I think it feeds into deeper discussions that I’ve tried to start previously (on slack) about how commits and branches are managed). This also relates to the fact that the ‘Properly handle updating of reserved cycles limit’ commit is referenced again in this proposal summary, even though it was technically part of the previous week’s proposal (under a different commit, but which is essentially the exact same change).

Reviewers for the CodeGov project have completed review of these two replica updates and voted to adopt. Few questions were raised for couple of commits on github.

Proposal ID: 130984
Vote: ADOPT
Full report on OpenChat

Proposal ID: 130985
Vote: ADOPT
Full report on OpenChat

At the time of this comment on the forum there are still 2 days left in the voting period, which means there is still plenty of time for others to review the proposals and vote independently.
We encourage everyone to try it and are happy to help. Feel free to ask any question in the Public OpenChat Channel

We had several very good reviews of the Release Notes on these proposals by @Zane, @cyberowl, @ZackDS, @massimoalbarello and @Lorimer. The IC-OS Verification was also performed by @tiago89 and @hpeebles. I recommend folks take a look and see the excellent work that was performed on these reviews by the entire CodeGov team. Feel free to comment here or in the thread of each respective proposal in our community on OpenChat if you have any questions or suggestions about these reviews.

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 131028.

Here is a summary of the changes since the last release:

Release Notes for release-2024-07-03_23-01-hotfix-https-outcalls (16fabfd24617be66e08e00abc7ba3136bbd80010)

Changelog since git revision 5849c6daf2037349bd36dcb6e26ce61c2c6570d0

Bugfixes:

• 16fabfd24 Networking: revert: reqwest https outcalls

A regression was observed in a commit 357ec1a, which switched the HTTP client library used for HTTPS outcalls in this week’s RC. This regression affects HTTPS outcalls to IPv4 targets, potentially causing more frequent timeouts compared to the previous version. These outcalls are only allowed on system subnets.

Subnet uzr34 was upgraded to this version, and the Exchange Rate Canister (XRC) experienced sporadic timeouts when making requests to IPv4 targets. Despite these issues, the Exchange Rate Canister is still able to retrieve enough data to keep exchange rates up to date. However, to be cautious, we propose reverting the offending commit and deploying a version without it on uzr34 with an expedited schedule. The same version will be deployed on w4rem. The remaining subnets will be upgraded to the RC version proposed and adopted earlier this week by the community, as they should not be affected by this change.

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/16fabfd24617be66e08e00abc7ba3136bbd80010/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 16fabfd24617be66e08e00abc7ba3136bbd80010

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 131032.

Here is a summary of the changes since the last release:

Release Notes for release-2024-07-03_23-01-hotfix-https-outcalls-with-lsmt (7dee90107a88b836fc72e78993913988f4f73ca2)

Changelog since git revision e4eeb331f874576126ef1196b9cdfbc520766fbd

Bugfixes:

• 7dee90107 Networking: revert: reqwest https outcalls

A regression was observed in a commit 357ec1a, which switched the HTTP client library used for HTTPS outcalls in this week’s RC. This regression affects HTTPS outcalls to IPv4 targets, potentially causing more frequent timeouts compared to the previous version. These outcalls are only allowed on system subnets.

Subnet uzr34 was upgraded to this version, and the Exchange Rate Canister (XRC) experienced sporadic timeouts when making requests to IPv4 targets. Despite these issues, the Exchange Rate Canister is still able to retrieve enough data to keep exchange rates up to date. However, to be cautious, we propose reverting the offending commit and deploying a version without it on uzr34 with an expedited schedule. The same version will be deployed on w4rem. The remaining subnets will be upgraded to the RC version proposed and adopted earlier this week by the community, as they should not be affected by this change.

Compared to release-2024-07-03_23-01-hotfix-https-outcalls, this version has LSMT enabled and would be preferable to use it for the bitcoin subnet w4rem and if possible also on uzr34 and tdb26, based on the observed performance.

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/7dee90107a88b836fc72e78993913988f4f73ca2/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 7dee90107a88b836fc72e78993913988f4f73ca2

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.