Proposal to elect new release rc--2024-10-03_01-30

Thanks for preemptively providing an explanation for this @Luka. Governance-wise, I think there’s a general attack vector if commits like that are allowed to be obscured from GuestOS election proposal change logs. Precedent like this could be used to more easily obscure malicious changes in future commits (by future contributors). Attacks do not need to be actioned by one commit in one release, but can be spread over many releases (until a relatively harmless looking commit can be used to action dormant code). I don’t reject to be intentionally difficult, and I’ve written a whole lot about it before.

Also note that build hash verification was sketchy this week, as mentioned by @ZackDS, @cyberowl and @wpb. Although I could reproduce the GuestOS hash, I couldn’t for HostOS and SetupOS. Given discussions last week, these other hashes are now just as important (even if the current deployment target is GuestOS).

TLDR: I’m voting to reject both proposals.


133309

Build successful, but as mentioned hashes generated on my machine do not entirely match (CDN and local build).

There are 101 commits since the previous release, 46 of which are referenced in this proposal. There are 52 files that have been modified both by commits referenced in this proposal as well as commits that weren’t. Having skimmed through these I can see that at least 1 commit has been omitted from the GuestOS change log presented in the proposal summary which should not have been.

All commits that I had time to review appear to match their commit messages well and seem reasonable. If you're interested in my comments to this effect for every commit, then please expand.

Features:

  • ebe9a6230 Execution,Interface: Charge idle canisters for full execution (#1806)
    • Scheduler enhancement foreshadowed here. Marks idle canisters as fully executed to rotate the round schedule faster.
  • fcb719280 Execution,Interface: Charge canisters for full execution (#1782)
    • The changes are consistent with the commit message, which explains the even distribution of points charged across canisters.
  • 15c174d21 Execution,Interface: Limit backtrace visibility (#1624)
    • Security enhancement to prevent accidental exposure of internal state in error logs.
  • 8596e9813 Execution,Interface,Message Routing: Keep track of shed inbound responses (#1173)
    • Introduces a mechanism to track shed inbound responses. Modifies the CanisterQueues structure to handle these responses and generate appropriate reject responses.
  • 1a1c213f3 Execution,Interface,Networking: Increase install_code limit for application subnets (#1705)
    • Makes application subnets more similar to verified application subnets. MAX_INSTRUCTIONS_PER_INSTALL_CODE is updated from 40 * 5 * B to 300 * B. The verified_application_subnet function now calls Self::application_subnet() instead of setting max_instructions_per_install_code explicitly.
  • 6cb46aac8 Interface(sns-cli): Add sns health command (#1711)
    • Introduces a command to the sns-cli, which checks the health of SNS canisters by evaluating memory consumption, cycles, and remaining upgrade steps.
  • 735935aa2 Interface,Networking: Introduce p2p slot table limit and limit allowed ingress slots per peer (#1213)
    • Changes include adding a slot_limit parameter to various functions and structures, updating metrics to track when the slot table limit is exceeded, and modifying logic to enforce the slot limit.
  • 87ed92725 Node: Upgrade GuestOS to 24.04 (#938)
    • See mention of this regarding proposal 133310 below (still has outstanding questions from last week).
  • 47590772d Node: Upgrade HostOS to 24.04 (#1588) + 09ddd7d5b Node: Change monitoring strategy for GuestOS VM (#1586)
    • HostOS upgrade. Again, raises similar questions to the ones last week. Updates Dockerfile, system configurations, and GuestOS monitoring to align with the new OS version, but I’m unclear on some of the changes, such as removing a ‘reproducibility fix’.

Bugfixes:

  • 60f1d5562 Execution,Interface: Cap ingress induction debit for cleanup callback (#1777)
    • Addresses an edge case in the cleanup callback related to cycles balance. This change caps the ingress induction debit, ensuring the cleanup callback can complete successfully.
  • ba5ffe01a Execution,Interface: Fix full execution round definition (#1772)
    • Refines the definition of a full execution round and ensures that canisters are correctly marked as fully executed.
  • d2657773d Execution,Interface,Networking: Tweak instruction overhead per canister (#1819)
    • Instruction overhead per canister is adjusted to better reflect the actual system performance (according to metrics gathered by DFINITY).
  • a9ebaa9e9 Interface,Networking: use OnceCell to store nns certificate delegation and use it in https outcalls transform function (#875)
    • Aims to fix a bug where no certificate was passed to the HTTPS outcalls transform function. The use of OnceCell seems appropriate for a value that is set once and read many times (reducing the overhead of locking).
  • 77dc52029 Node: query_nns_nodes bug (#1665)
    • Improves the robustness of the fetch-property.sh script and the query_nns_nodes function.

Chores:

  • e773cf5df Consensus,Interface(consensus): avoid recomputing the block hash when notarizing a block (#1726)
    • Modifies the notarize_block function to use a HashedBlock instead of a Block. This allows the function to utilize a precomputed hash (get_hash()) rather than recomputing it.
  • c972dc928 Consensus,Interface: Remove unused pool reader functions (#1721)
    • Unused functions get_dkg_payloads and get_replica_version_from_highest_catch_up_package were removed from pool_reader.rs.
  • 9fe63e2f7 Crypto,Interface(crypto): Clean up BIP340 signature processing (#1233)
    • Appears to be a simplification that aligns with the BIP340 specification. Removing unnecessary operations reduces the potential for errors and vulnerabilities, so looks good.
  • 726cb686a Execution,Interface: Apply priority credit at the round start (#1736)
    • Simplifies the code.
  • 286f2cbbe Execution,Interface: Update comments (#1739)
    • Updates comments to improve code clarity.
  • fa2329782 Execution,Interface,Message Routing: Drop CanisterQueue::QueueItem proto, part 1 (#1797) + f8f2d84f3 Execution,Interface,Message Routing: Drop old canister queue implementations (#1733)
    • Removes CanisterQueue::QueueItem proto and old queue implementations and simplifies the representation of canister queues.
  • 6ed86361e Interface: duplicate btc header validation to main repo #769 (#1766)
    • Decoupling repos. Looks reasonable.

… Did not take a look at the remaining commits as I ran low on available time.

I’ve also validated the unelection component of this proposal below.

There currently appear to be 10 blessed replica versions registered, 4 of which would be unelected by this proposal. These unelected versions are not running on any subnets, nor any unassigned nodes, so appears safe to unelect. Expand for details.

I’ve listed these below, ordered by elected date, and crossed out the versions that would be unelected.

  • afe1a18, elected 2024-09-16 (proposal 132481), UNELECTION PROPOSED, running on 0 subnets
  • 1799735, elected 2024-09-16 (proposal 132482), UNELECTION PROPOSED, running on 0 subnets
  • c664899, elected 2024-09-18 (proposal 132547), UNELECTION PROPOSED, running on 0 subnets
  • cacf86a, elected 2024-09-18 (proposal 132548), UNELECTION PROPOSED, running on 0 subnets
  • 0441f40, elected 2024-09-23 (proposal 133061), running on 0 subnets
  • 7f6a81f, elected 2024-09-23 (proposal 133062), running on 1 subnet, and all unassigned nodes (since proposal 133159)
  • c87abf7, elected 2024-09-23 (proposal 133063), running on 0 subnets
  • 35153c7, elected 2024-09-30 (proposal 133142), running on 1 subnet
  • d101161, elected 2024-09-30 (proposal 133143), running on 35 subnets
  • c43a488, elected 2024-09-30 (proposal 133144), running on 0 subnets

133310

Build successful, but as mentioned hashes generated on my machine do not entirely match (CDN and local build).

This proposal is largely the same as 133309 (above), except that this proposal reverts one of 133309’s commits (the GuestOS upgrade to 24.04). Note that this has the same effect as last week, which did this but in reverse (where the second proposal upgraded the GuestOS instead of reverting it). The point is that in both cases there are two elected GuestOS’ that should differ only in that one has the 24.04 upgrade, and the other doesn’t. I say should because →

:point_up: Are you able to chase some commentary on this @DRE-Team?
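The change-log completeness check the review above describes (commits between releases that the proposal does not list but that touch the same files as listed commits) can be automated. The following is an added example, not part of the post or of DFINITY's tooling; the commit ids, subjects and file paths are constructed, and in practice they would be read from `git log --name-only` over the release range.

```python
"""Change-log completeness audit for a release-election proposal.

Added example (not from the forum post or DFINITY's tooling): given the
commits between two releases with the files each one touched, and the subset
the proposal's change log references, find files modified by both a referenced
and an unreferenced commit, then flag the unreferenced commits that touched
them. All commit data below is constructed for illustration.
"""

# Constructed sample: commit id -> (subject, files touched).
COMMITS = {
    "aaa1111": ("Execution: charge idle canisters", ["rs/execution/scheduler.rs"]),
    "bbb2222": ("Node: upgrade GuestOS base image", ["ic-os/guestos/Dockerfile"]),
    "ccc3333": ("Node: tweak guestos build script",
                ["ic-os/guestos/Dockerfile", "ic-os/guestos/build.sh"]),
    "ddd4444": ("Docs: fix typo", ["README.md"]),
    "eee5555": ("Scheduler: adjust round accounting", ["rs/execution/scheduler.rs"]),
}

# Constructed: the commit ids the proposal's GuestOS change log lists.
REFERENCED = {"aaa1111", "bbb2222"}


def overlapping_files(commits, referenced):
    """Files touched by at least one referenced and one unreferenced commit."""
    ref_files, unref_files = set(), set()
    for cid, (_, files) in commits.items():
        (ref_files if cid in referenced else unref_files).update(files)
    return ref_files & unref_files


def suspicious_unreferenced(commits, referenced):
    """Unreferenced commits that touched files the referenced commits also changed.

    These ship in the release just the same, so a reviewer should read them
    even though the change log does not mention them."""
    shared = overlapping_files(commits, referenced)
    flagged = {}
    for cid, (subject, files) in commits.items():
        hit = sorted(set(files) & shared)
        if cid not in referenced and hit:
            flagged[cid] = (subject, hit)
    return flagged


if __name__ == "__main__":
    print(f"{len(COMMITS)} commits, {len(REFERENCED)} referenced, "
          f"{len(overlapping_files(COMMITS, REFERENCED))} overlapping files")
    for cid, (subject, files) in suspicious_unreferenced(COMMITS, REFERENCED).items():
        print(f"  {cid} {subject}: {', '.join(files)}")
```

Commits that touch only files no listed commit changed (here the README typo fix) are not flagged by this check and still need the ordinary read-through.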
