Proposal to elect new release rc--2025-03-27_03-14

Hello there!

We are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 136004.

Here is a summary of the changes since the last release:

Release Notes for release-2025-03-27_03-14-base (3ae3649a2366aaca83404b692fc58e4c6e604a25)

This release is based on changes since release-2025-03-20_03-11-base (4833f30d3b5afd84a385dfb146581580285d8a7e).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

This release diverges from the latest release. Merge base is 2fe8aefafcb2fbee6fdb2785374d5de715560269. Changes were removed from this release.

Features:

  • d073bc43f Consensus,Execution,Interface: Increase sandbox limit (#4491)
  • 4070d82b7 Consensus,Execution,Interface: Introduce feature flags for canister snapshot import and export (#4519)
  • 3cdab8309 Consensus,Interface: use resuming downloads for file downloader (#4415)
  • 7099a3838 Consensus,Interface: Implement Consensus for ReshareChainKey for VetKD (#4248)
  • 0cc84afde Execution,Interface(EXC): Skip compilation charge when Wasm is in cache (#4506)
  • b5028d836 Interface: adding timestamps to HighCapacityRegistryValue (#4450)
  • c3f0331bc Interface(ICRC_Ledger): Export total volume counter metric for ICRC ledger (#4166)
  • 219abad14 Interface(ICP-Ledger): migrate ledger blocks to stable structures (#3836)
  • 6506fe857 Interface,Message Routing: Remove checkpoint asynchronously (#4263)

Bugfixes:

  • 27c9d2b5d Interface,Message Routing: Exclude unverified checkpoint marker when listing all paths for marking ReadOnly (#4429)

Chores:

Refactoring:

  • 1d63e9f6d Consensus,Interface(consensus): Merge Imports in consensus crate (#4481)
  • 7e78d5c32 Consensus,Interface: move ingress manager metrics to a separate file (#4454)
  • 01b6a4139 Consensus,Interface(consensus): Move Certification into its own crate (#4437)
  • ff89bb980 Execution,Interface,Message Routing: Remove the parts of old CanisterStateBits after migration (#4335)

Other changes:


Full list of changes (including the ones that are not relevant to GuestOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS disk image, after installing curl if necessary (sudo apt install curl), run:

# From https://github.com/dfinity/ic#verifying-releases
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/master/ci/tools/repro-check | python3 - -c 3ae3649a2366aaca83404b692fc58e4c6e604a25 --guestos

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

While not required for this NNS proposal, as we are only electing a new GuestOS version here, you have the option to verify the build reproducibility of the HostOS by passing --hostos to the script above instead of --guestos, or the SetupOS by passing --setupos.

Proposal 136004 - Hamish | CodeGov

Vote: Adopt
Reason: I have successfully run the build script and in my opinion all the commits listed look fine and match their descriptions.

Features:

  • d073bc43f Consensus,Execution,Interface: Increase sandbox limit (#4491)
    Review: Looks fine + matches description
    Notes: Bumps DEFAULT_MAX_SANDBOX_COUNT from 7,000 to 10,000 which increases the number of canister sandboxes that can remain hot at any given time. Also reduces DEFAULT_SANDBOX_PROCESS_RSS from 50MiB to 5MiB which means each sandbox process is assumed to use less memory at the time it is created (the exact amount of memory is calculated later).

  • 4070d82b7 Consensus,Execution,Interface: Introduce feature flags for canister snapshot import and export (#4519)
    Review: Looks fine + matches description
    Notes: Adds the canister_snapshot_download and canister_snapshot_upload feature flags to the execution environment config. These flags are currently unused.

  • 3cdab8309 Consensus,Interface: use resuming downloads for file downloader (#4415)
    Review: Looks fine + matches description
    Notes: Modifies file_downloader::download_file to be able to resume partially complete downloads by using the range header to load bytes from the required starting point. This new functionality is only enabled if the file hash is specified so that the end result can be validated.

  • 7099a3838 Consensus,Interface: Implement Consensus for ReshareChainKey for VetKD (#4248)
    Review: Looks fine + matches description
    Notes: Finishes implementing the ability to reshare keys and then removes the short circuit within reshare_chain_key now that the underlying functionality is complete.

  • 0cc84afde Execution,Interface(EXC): Skip compilation charge when Wasm is in cache (#4506)
    Review: Looks fine + matches description
    Notes: I made this change! It reduces the cycles charge for compilation for wasms which are found in the compilation cache, this will save OpenChat a huge amount of cycles.

  • b5028d836 Interface: adding timestamps to HighCapacityRegistryValue (#4450)
    Review: Looks fine + matches description
    Notes: Adds timestamp_seconds to HighCapacityRegistryValue which gets set when mutating values and then gets returned in the response when querying values.

  • c3f0331bc Interface(ICRC_Ledger): Export total volume counter metric for ICRC ledger (#4166)
    Review: Looks fine + matches description
    Notes: Adds the total_volume metric to the ICRC ledger which incrementally counts total transaction volume but then is reset to 0 on each upgrade.

  • 219abad14 Interface(ICP-Ledger): migrate ledger blocks to stable structures (#3836)
    Review: Looks fine + matches description
    Notes: Finishes off the implementation to migrate ledger blocks to stable memory. It does this using the same pattern already in use to migrate allowances and balances to stable memory.

  • 6506fe857 Interface,Message Routing: Remove checkpoint asynchronously (#4263)
    Review: Looks fine + matches description
    Notes: Reduces the synchronous time spent waiting for each checkpoint to be removed by only waiting for the checkpoint directory to be renamed synchronously (which takes a few milliseconds), then notifying a background thread that the directory can be deleted. The checkpoint files are then all deleted by this background thread (which can take 20+ seconds) and blocks can continue being processed while this takes place.

Bugfixes:

  • 27c9d2b5d Interface,Message Routing: Exclude unverified checkpoint marker when listing all paths for marking ReadOnly (#4429)
    Review: Looks fine + matches description
    Notes: Skips the unverified checkpoint marker when marking all checkpoint files as readonly, since doing so is unnecessary and may cause an error because another thread may have already deleted this marker.

Chores:

  • 6c830bd2e Consensus,Interface: introduce a couple of new metrics to the ingress manager (#4455)
    Review: Looks fine + matches description
    Notes: Adds 4 new metrics to the ingress manager and then renames IngressMessageValidationError::UnexpectedStatus to IngressMessageAlreadyKnown.

  • 3a5e3ec21 Execution,Interface: Fix incorrect cost (#4490)
    Review: Looks fine + matches description
    Notes: Sets the cost of Operator::ReturnCallIndirect to 60 instructions.

  • b8ff2bc74 Execution,Interface: Unify Global type (#4376)
    Review: Looks fine + matches description
    Notes: Moves the definition of the Global enum out of execution_state and into management_canister_types.

  • 9feabf95a Interface(Ledgers): remove unused dfn build dependencies (#4465)
    Review: Looks fine + matches description
    Notes: Removes the deprecated DFN packages from a few places where they were still listed as dependencies.

  • 34176db11 Interface,Message Routing: Extra logs for the end of state sync (#4497)
    Review: Looks fine + matches description
    Notes: Adds some logging in the unhappy paths for state syncs to help detect what is causing flakiness in tests.

  • d67409872 Interface,Node: add a file size check for ic-os upgrade images (#4453)
    Review: Looks fine + matches description
    Notes: Adds a test which checks the size of the compressed IC-OS images. This way if they ever grow beyond the limit the developer will be made aware and will either have to raise the limit or fix whatever was causing the extra bloat.

  • 7351a7e2b Owners(IDX): upgrade bazel & bazelisk (#4494)
    Review: Looks fine + matches description
    Notes: Bumps Bazel from 7.4.1 to 7.6.0 and Bazelisk from 1.19.0 to 1.25.0.

  • 896cd1f34 Node: Remove exec mem permissions (#4492)
    Review: Looks fine + matches description
    Notes: Removes the execmem permissions from the replica and canister sandbox processes, this permission is no longer required now that the in-memory compilation cache has been removed.

  • 65ece1be4 Node: Update Base Image Refs [2025-03-26-0149] (#4517)
    Review: Looks fine + matches description
    Notes: Bumps the base IC-OS image references.

  • 4267d5b64 Node: Update Base Image Refs [2025-03-20-0807] (#4439)
    Review: Looks fine + matches description
    Notes: Bumps the base IC-OS image references.

Refactoring:

  • 1d63e9f6d Consensus,Interface(consensus): Merge Imports in consensus crate (#4481)
    Review: Looks fine + matches description
    Notes: No functional change, simply reorganises imports by merging them where possible.

  • 7e78d5c32 Consensus,Interface: move ingress manager metrics to a separate file (#4454)
    Review: Looks fine + matches description
    Notes: Moves ingress manager metrics out of lib.rs and into their own metrics.rs file.

  • 01b6a4139 Consensus,Interface(consensus): Move Certification into its own crate (#4437)
    Review: Looks fine + matches description
    Notes: Moves the certification logic out of the ic-consensus crate and into its own ic-consensus-certification crate, this speeds up compilation since it doesn’t need to be rebuilt on each change to consensus.

  • ff89bb980 Execution,Interface,Message Routing: Remove the parts of old CanisterStateBits after migration (#4335)
    Review: Looks fine + matches description
    Notes: Removes the deprecated fields from CanisterStateBits now that all subnets are on the latest version.

Other changes:

  • 9daac230f Node: “chore(): Remove execmem permissions” (#4528)
    Review: Looks fine + matches description
    Notes: Reverts commit 896cd1f34, it’s not immediately obvious why but there must have been an issue with it, regardless, this commit is fine.

About CodeGov

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.

1 Like
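
The note on 3cdab8309 above says resuming is only enabled when a file hash is given, so the end result can be validated. The following is an added example of that rule, not code from the IC repository: `RangeServer`, `download_file` and `IntegrityError` are hypothetical names, and the server is a constructed in-memory stand-in rather than a real HTTP endpoint.

```python
import hashlib
import os


class IntegrityError(Exception):
    """Raised when the finished file does not match the expected SHA-256."""


class RangeServer:
    """Constructed in-memory stand-in for an HTTP file server."""

    def __init__(self, body, honor_range=True):
        self.body = body
        self.honor_range = honor_range

    def get(self, range_start=None):
        """Answer a GET, optionally carrying 'Range: bytes=<range_start>-'."""
        if range_start is None or not self.honor_range:
            return 200, self.body                # full body, Range ignored
        if range_start >= len(self.body):
            return 416, b""                      # Range Not Satisfiable
        return 206, self.body[range_start:]      # Partial Content


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def _write(path, data, mode):
    with open(path, mode) as f:
        f.write(data)


def download_file(server, path, expected_sha256=None):
    """Fetch the server's file into `path` and return the strategy used."""
    have = os.path.getsize(path) if os.path.exists(path) else 0
    if expected_sha256 is None or have == 0:
        # Without a hash a resumed file could never be validated: start over.
        _write(path, server.get()[1], "wb")
        strategy = "full"
    elif sha256_file(path) == expected_sha256:
        return "already-complete"
    else:
        status, payload = server.get(range_start=have)
        if status == 206:
            _write(path, payload, "ab")          # append only the missing tail
            strategy = "resumed"
        else:
            # 200: Range was ignored and the payload is the whole file, so
            # appending would duplicate the prefix. 416: the local file is
            # not a shorter prefix of the remote one. Either way, overwrite.
            if status != 200:
                status, payload = server.get()
            _write(path, payload, "wb")
            strategy = "restarted"
    if expected_sha256 is not None and sha256_file(path) != expected_sha256:
        os.remove(path)                          # never leave a bad file behind
        raise IntegrityError("SHA-256 mismatch for " + path)
    return strategy


if __name__ == "__main__":
    import tempfile

    body = bytes(range(256)) * 40                # constructed sample payload
    want = hashlib.sha256(body).hexdigest()
    target = os.path.join(tempfile.mkdtemp(), "image.bin")
    _write(target, body[:4000], "wb")            # interrupted earlier download
    print(download_file(RangeServer(body), target, want))
    _write(target, b"X" * 4000, "wb")            # partial file with wrong bytes
    try:
        download_file(RangeServer(body), target, want)
    except IntegrityError as err:
        print("rejected:", err)
```

A partial file whose bytes are wrong still gets a valid 206 response; only the final hash comparison catches it, which is why resuming without a hash is refused.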

proposal - 136004 Cyberowl | CodeGov

Vote: ADOPT

Reason:

The build was successful, and all the commit descriptions matched the changes in the code.

Checks

Hash Match: MATCH
2 Urls: MATCH
Feedback: NONE
Proposer Check: MATCH

Overall Summary:

Activates the reshare_chain_key endpoint, enabling the consensus layer to perform chain key resharing for VetKeys. Refines the canister compilation cost handling by distinguishing between full costs for a fresh compilation and reduced costs when a WASM module is cached. Transitions the ledger from heap-based block storage to stable memory using ic-stable-structures.

Commits Summary

Features:
d073bc43f
Increases sandbox limit DEFAULT_MAX_SANDBOX_COUNT to 10_000.

4070d82b7
Feature flag for canister_snapshot_download and canister_snapshot_upload.

3cdab8309
Adds support for resumable downloads through HTTP Range headers. Updated dependencies (e.g., Mockito, hyper, rand).

7099a3838
Activates the reshare_chain_key endpoint, enabling the consensus layer to perform chain key resharing for VetKeys. It factors out the handling of initial DKG requests (process_setup_initial_dkg_contexts) into a separate function. Dedicated process_reshare_chain_key_contexts for resharing, and updates the remote DKG configuration logic to optionally include a resharing transcript.

0cc84afde
Refines the canister compilation cost handling by distinguishing between full costs for a fresh compilation and reduced costs when a WASM module is cached. Updates the hypervisor to return the adjusted cost and revises tests to clear or preserve the cache as needed.

b5028d836
New timestamp_seconds field (of type uint64) to several high-capacity registry protocol messages (including HighCapacityRegistryValue, HighCapacityRegistryGetValueResponse, and HighCapacityRegistryAtomicMutateRequest).

c3f0331bc
Adds a “total volume” metric to the ICRC-1 ledger canister, tracking cumulative transaction volumes (including transfers, approvals, mints, and burns) as a normalized f64 value using token decimals.

219abad14
Transitions the ledger from heap-based block storage to stable memory using ic-stable-structures, ensuring data persists across upgrades. It removes the old BlockData trait and introduces a new BlockDataContainer trait with global block indices.

6506fe857
Asynchronous checkpoint removal in the StateLayout module by offloading file deletion to a background thread via an unbounded channel and adding detailed metrics for performance monitoring. Flush mechanism to ensure temporary directories are cleaned up before new checkpoints are created.

Bugfixes:
27c9d2b5d
Improves checkpoint file management by excluding the unverified checkpoint marker, processing files in parallel, and using Linux’s syncfs for efficient synchronization. Refactors the checkpoint read-only marking function to operate directly on the CheckpointLayout object.

Chores:
6c830bd2e
Add metrics for validated and invalidated ingress messages—tracking total size, field-level sizes, and processing latency—and refines the validation logic to specifically detect duplicate messages via a new error variant.

3a5e3ec21
Fix cost for Operator::ReturnCallIndirect.

b8ff2bc74
Relocates the Global enum to the ic-management-canister-types-private crate (which is used for management canister types), adds traits like CandidType (to expose it in public interfaces such as canister snapshot metadata), and ensures all users are updated to use the new centralized definition.

9feabf95a
Matches description remove unused dfn build dependencies.

34176db11
Replaces uninformative unwraps with expect calls that provide clear failure context. Reposition logs to capture intent earlier.

d67409872
Updated shell script to enforce maximum file size limits for canister artifacts and OS images. It ensures that file sizes remain within defined thresholds across different IC-OS environments.

7351a7e2b
Bazel to 7.6.0, updating Bazelisk to v1.25.0, and new SHA256 hash for container image.

896cd1f34
Splits the compiler_sandbox from the canister_sandbox, giving each its own SELinux domain and thereby tightening security boundaries. It removes the execmem privilege from the replica and canister_sandbox, pushing it into the newly created compiler_sandbox.

65ece1be4
Update base images.

4267d5b64
Update base images.

Refactoring:
1d63e9f6d
Reformat Rust import statements by consolidating multiple lines into single-line imports with nested braces. No functionality is altered.

7e78d5c32
Moves registry/keys and registry/subnet_type to dev-only usage. Extracts the IngressManagerMetrics struct into a dedicated metrics.rs module.

01b6a4139
Moves the certification logic out of the main rs/consensus crate into a new standalone rs/consensus/certification crate, updating dependencies and imports to match. It also relocates the MINIMUM_CHAIN_LENGTH constant to ic_consensus_utils.

ff89bb980
Removes the deprecated task_queue and on_low_wasm_memory_hook_status fields from CanisterStateBits.

Other changes:
9daac230f
Reverts chore(EXC-1837): Remove execmem permissions.

1 Like
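
The summaries of 6506fe857 above describe checkpoint removal as a quick synchronous rename followed by deletion on a background thread fed through an unbounded channel, with a flush before new checkpoints are created. The following is an added example of that pattern, sketched in Python; it is not the StateLayout code, and `CheckpointStore` with its directory names is hypothetical.

```python
import os
import queue
import shutil
import threading


class CheckpointStore:
    """Rename-then-delete: the caller only pays for the rename."""

    def __init__(self, root):
        self.live = os.path.join(root, "checkpoints")
        self.doomed = os.path.join(root, "tmp_removal")   # same filesystem
        os.makedirs(self.live, exist_ok=True)
        os.makedirs(self.doomed, exist_ok=True)
        self._requests = queue.Queue()                    # unbounded queue
        self._counter = 0
        threading.Thread(target=self._worker, daemon=True).start()

    def _worker(self):
        # Background thread: the slow recursive delete happens here.
        while True:
            path = self._requests.get()
            try:
                shutil.rmtree(path, ignore_errors=True)
            finally:
                self._requests.task_done()

    def create_checkpoint(self, height, files):
        # Flush first so leftovers from earlier removals are gone before
        # a new checkpoint is written.
        self.flush()
        path = os.path.join(self.live, str(height))
        os.makedirs(path)
        for name, data in files.items():
            with open(os.path.join(path, name), "wb") as f:
                f.write(data)
        return path

    def remove_checkpoint(self, height):
        # Synchronous part: one rename, after which the checkpoint is no
        # longer visible under its live name.
        self._counter += 1
        target = os.path.join(self.doomed, "%s_%d" % (height, self._counter))
        os.rename(os.path.join(self.live, str(height)), target)
        self._requests.put(target)                        # asynchronous part
        return target

    def flush(self):
        """Block until every queued removal has been processed."""
        self._requests.join()

    def list_checkpoints(self):
        return sorted(os.listdir(self.live), key=int)


if __name__ == "__main__":
    import tempfile

    store = CheckpointStore(tempfile.mkdtemp())
    store.create_checkpoint(100, {"state.bin": b"\0" * 4096})  # constructed data
    store.create_checkpoint(200, {"state.bin": b"\1" * 4096})
    store.remove_checkpoint(100)
    print(store.list_checkpoints())     # the removed height is already gone
    store.flush()
    print(os.listdir(store.doomed))     # nothing left to delete
```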

Proposal 136004 - Ipsita | ZenithCode

Summary

  1. Vote: Adopt
  2. Hash: All the hashes match
  3. Reason to Adopt: The release notes match the commits and the code changes. Builds successfully.

Commit

Features

  • d073bc43f
    Summary: Increase sandbox limit
    Notes: Increases DEFAULT_MAX_SANDBOX_COUNT from 7_000 to 10_000, this helps in improving performance.
    Review: Code changes match the commit message.

  • 4070d82b7
    Summary: Introduce feature flags for canister snapshot import and export
    Notes: Introduces two new feature flags canister_snapshot_download and canister_snapshot_upload which will be used later on.
    Review: Code changes match the commit message.

  • 3cdab8309
    Summary: use resuming downloads for file downloader
    Notes: We now use resuming downloads to handle low bandwidth and network connectivity issues.
    Review: Code changes match the commit message.

  • 7099a3838
    Summary: Implement Consensus for ReshareChainKey for VetKD
    Notes: This PR implements consensus changes to activate reshare_chain_key endpoint which makes it possible to recover vet keys from consensus side.
    Review: Code changes match the commit message.

  • 0cc84afde
    Summary: Skip compilation charge when Wasm is in cache
    Notes: If a canister’s wasm code is expected to be in compilation cache then the canister is not charged the full compilation amount.
    Review: Code changes match the commit message.

  • b5028d836
    Summary: adding timestamps to HighCapacityRegistryValue
    Notes: Adds timestamp in seconds to HighCapacityRegistryValue
    Review: Code changes match the commit message.

  • c3f0331bc
    Summary: Export total volume counter metric for ICRC ledger
    Notes: Exports TOTAL_VOLUME metric for ICRC ledger.
    Review: Code changes match the commit message.

  • 219abad14
    Summary: migrate ledger blocks to stable structures
    Notes: Blocks stored in the ledger are migrated to stable structures which allows the ledger to store more blocks without archiving them.
    Review: Code changes match the commit message.

  • 6506fe857
    Summary: Remove checkpoint asynchronously
    Notes: Checkpoint removal can take around 10 to 20 seconds and with multiple checkpoints it can take too long if done synchronously. The process has two steps: one to rename the checkpoint and the second to delete the files. With this PR the second step is made async.
    Review: Code changes match the commit message.

Bugfixes

  • 27c9d2b5d
    Summary: Exclude unverified checkpoint marker when listing all paths for marking ReadOnly
    Notes: Bug fix for failing test case can_state_sync_into_existing_checkpoint by excluding the unverified checkpoint marker since read-only is unnecessary and may cause errors.
    Review: Code changes match the commit message.

Chores

  • 6c830bd2e
    Summary: introduce a couple of new metrics to the ingress manager
    Notes: Adds metrics to ingress manager; also improved error message.
    Review: Code changes match the commit message.

  • 3a5e3ec21
    Summary: Fix incorrect cost
    Notes: Updates the cost of Operator::ReturnCallIndirect from 6 to 60.
    Review: Code changes match the commit message.

  • b8ff2bc74
    Summary: Unify Global type
    Notes: Moves the wasm Global type to private management canister type. All current users are white listed to use them.
    Review: Code changes match the commit message.

  • 9feabf95a
    Summary: remove unused dfn build dependencies
    Notes: Removes unused dependencies.
    Review: Code changes match the commit message.

  • 34176db11
    Summary: Extra logs for the end of state sync
    Notes: Adds log messages to better debug flaky tests.
    Review: Code changes match the commit message.

  • d67409872
    Summary: add a file size check for ic-os upgrade images
    Notes: Adds test case to ensure that the ic-os image does not increase above a certain limit unintentionally. If the increase is expected then we can update the configured limit accordingly.
    Review: Code changes match the commit message.

  • 7351a7e2b
    Summary: upgrade bazel & bazelisk
    Notes: Upgrades bazel from 7.4.1 to 7.6.0 and Bazelisk from 1.19.0 to 1.25.0
    Review: Code changes match the commit message.

  • 896cd1f34
    Summary: Remove execmem permissions
    Notes: Removes execmem permission from replica and canister sandbox.
    Review: Code changes match the commit message.

  • 65ece1be4
    Summary: Update Base Image Refs [2025-03-26-0149]
    Notes: Updates base ic-os image references.
    Review: Code changes match the commit message.

  • 4267d5b64
    Summary: Update Base Image Refs [2025-03-20-0807]
    Notes: Updates base ic-os image references.
    Review: Code changes match the commit message.

Refactoring

  • 1d63e9f6d
    Summary: Merge Imports in consensus crate
    Notes: Code refactoring by merging imports in the consensus crate.
    Review: Code changes match the commit message.

  • 7e78d5c32
    Summary: move ingress manager metrics to a separate file
    Notes: Code refactoring by moving ingress manager metrics to rs/ingress_manager/src/metrics.rs, removing some bazel/cargo dependencies and some other code refactoring.
    Review: Code changes match the commit message.

  • 01b6a4139
    Summary: Move Certification into its own crate
    Notes: Moves certification submodule into its own crate to improve compilation speed.
    Review: Code changes match the commit message.

  • ff89bb980
    Summary: Remove the parts of old CanisterStateBits after migration
    Notes: Follow-up on #2254 code refactoring by removing deprecated fields from CanisterStateBits.
    Review: Code changes match the commit message.

Other changes

  • 9daac230f
    Summary: Remove execmem permissions
    Notes: Reverts #4492
    Review: Code changes match the commit message.

1 Like

Proposal 136004 – ilbert | CodeGov

Vote: ADOPTED.
Reason: All reviewed commits match their description and hashes match.

Review:
For the Execution and Runtime layers, this proposal doesn’t introduce significant changes.

I’ve reviewed all the commits listed in the proposal, for the Execution and Runtime layers:

d073bc43f:
Decreases the DEFAULT_SANDBOX_PROCESS_RSS const from 50 MiB to 5 MiB.
Increases the DEFAULT_MAX_SANDBOX_COUNT const from 7000 to 10000.

4070d82b7:
Adds the canister_snapshot_download and canister_snapshot_upload FlagStatus fields to the execution environment’s Config struct. These fields are set to FlagStatus::Disabled in the default configuration of the Config struct.

0cc84afde:
Changes the create_execution_state method of the Hypervisor struct to return the instructions calculated with the adjusted_compilation_cost method of the CompilationCostHandling struct instead of the instructions returned by the create_execution_state method of the WasmExecutor struct.

3a5e3ec21:
Changes the instruction_to_cost function to return 60 instead of 6 for the instructions’ cost for the Operator::ReturnCallIndirect case.

b8ff2bc74:
Moves the Global enum from the execution_state module to the ic-management-canister-types-private crate. Changes all the imports accordingly.

ff89bb980:
Removes the task_queue and on_low_wasm_memory_hook_status fields from the CanisterStateBits protobuf type.
Removes the from_checkpoint and get_queue methods from the TaskQueue struct. Simplifies the CanisterStateBits deserialization to remove the logic for deserializing old messages.

Proposal: 136004 Manvick | ZenithCode

Summary:

  1. Build Hash: Build hash from the proposal, local build and CDN matches and is “1816ff15e4f9a4937b246699ba9e72e59494eb6e29a71ee1757fb63f9f4ca3bd”.
  2. Summary: The release notes match the code changes
  3. Vote: I vote to adopt the proposals

Commit

Detailed Review:

Features:

  • d073bc43f Consensus,Execution,Interface: Increase sandbox limit (#4491):
    Review: Matches description + changes are appropriate
    Notes: This commit increases the sandbox process limit from 7,000 to 10,000 (DEFAULT_MAX_SANDBOX_COUNT), this means that the system can support more active canisters without needing to shut down their sandboxes. Additionally, this reduces the need to spin up new sandboxes as often. Furthermore, it improves throughput (more canisters can be executed simultaneously or quickly). The commit also updates the default RSS estimate per sandbox from 50 MiB to 5 MiB (DEFAULT_SANDBOX_PROCESS_RSS). This change prevents premature shutdown of canisters.

  • 4070d82b7 Consensus,Execution,Interface: Introduce feature flags for canister snapshot import and export (#4519)
    Review: Matches description + changes are appropriate
    Notes: This feature is not yet completely implemented, but it lays down the foundation for the implementation that will come in the future. This commit will allow us to control whether a canister’s metadata can be downloaded or uploaded by the controller through flags. Both flags are disabled by default. Once the logic is implemented, it should allow for a smoother rollout.

  • 3cdab8309 Consensus,Interface: use resuming downloads for file downloader (#4415)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces the capability to resume downloads for files.

  1. It detects incompletely downloaded files using the ‘Range’ HTTP header. If a file exists and a hash is provided, then if the hash matches (meaning that the file is fully downloaded) it accepts the file; otherwise it attempts to resume the file download.
  2. Previously, the FileDownloader used a single timeout value that applied to all aspects of downloading. This led to issues with large files or slower connections where, even if the download was steadily progressing, it would trigger timeouts unnecessarily. This commit introduces ‘chunk_timeout’, which ensures that each chunk is received within a reasonable time (15 secs). It also introduces ‘overall_timeout’, which is set to 10 * chunk_timeout and puts an upper bound on the download time of the full file, though personally, I think it should be set to amount_chunk * chunk_timeout by default, which would only add the complexity of knowing file size.

Finally, this commit also introduces logging, error handling, and updating Mockito to 1.7.0 from 1.2.0 to allow for more extensive testing.

Overall, this commit makes downloads resumable and fault-tolerant, making the system more robust, saving bandwidth, and improving latency.

  • 7099a3838 Consensus,Interface: Implement Consensus for ReshareChainKey for VetKD (#4248)
    Review: Matches description + changes are appropriate
    Notes: This is a pretty crucial commit for the recovery of VetKD keys. This commit introduces consensus layer support for VetKD Key Recovery using the reshare_chain_key API, which, when activated, enables the Distributed Key Generation (DKG) protocol to handle remote DKGs for VetKeys. Codewise, it adds reshare_key_chain which contains process_reshare_chain_key_contexts which handles the new context type along with the existing process_setup_initial_dkg_contexts. It introduces a simpler DKG config generator for VetKD called create_remote_dkg_config_for_key_id. Other changes include code and API cleanup, addition and modification of structures for helping the aforementioned API such as create_remote_dkg_config_for_key_id.

Overall, this commit is a step towards reclaiming VetKD keys at the consensus level.

  • 0cc84afde Execution,Interface(EXC): Skip compilation charge when Wasm is in cache (#4506)
    Review: Matches description + changes are appropriate
    Notes: This commit optimizes the compilation charge for installing Wasm if in cache. Previously Wasm would always be installed; now, however, if a Wasm hash exists in the expected_compiled_wasms set, which means it was previously compiled, the canister is only charged for the overhead and not the full charge; if not, then the full cost is applied for compilation. The commit also adjusts round_limits.instructions to reflect whether full or reduced costs apply.

  • b5028d836 Interface: adding timestamps to HighCapacityRegistryValue (#4450)
    Review: Matches description + changes are appropriate
    Notes: This commit adds timestamp_seconds to several registry-related messages. This helps in tracking when registry mutations or requests occur. A placeholder for timestamp_seconds has also been added to the tests. The new field, timestamp_seconds, has been added to the following: HighCapacityRegistryValue, HighCapacityRegistryGetValueResponse, HighCapacityRegistryAtomicMutateRequest. Overall, this commit allows us to track registry mutations, and helps in debugging and time-based auditing of changes. Further work in this area can allow us to improve transparency and enable more precise auditing.

  • c3f0331bc Interface(ICRC_Ledger): Export total volume counter metric for ICRC ledger (#4166)
    Review: Matches description + changes are appropriate
    Notes: Commit introduces a new metric total_volume to the ICRC ledger, allowing operations to track the total volume of tokens moved through the ledger. Total_volume is a counter and gets incremented with each transfer, which includes minting and burning. It also gets incremented for each approval’s fee amount. Upon a canister upgrade, the counter gets reset to 0. Codewise, TOTAL_VOLUME, TOTAL_VOLUME_DENOMINATOR, TOTAL_VOLUME_FEE_IN_DECIMALS are thread-local counters introduced in this commit; also update_total_volume() is called after each operation which affects the ledger. New tests have been added which validate this commit’s behavior as well.

  • 219abad14 Interface(ICP-Ledger): migrate ledger blocks to stable structures (#3836)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces BlockDataContainer to abstract stable block storage, moreover, blocks are now stored using StableBTreeMap<u64, Vec> in stable memory. Commit also clears and migrates heap-based locations when upgrading from versions < 3 using in post_upgrade(). The ledger version has also been upgraded to 3 for the main net from 2. Functions like migrate_next_part() and migrate_one_block() have been added to help the migration process. Test coverage has also been increased to accommodate these changes. These changes allow scaling the ledger capacity without memory issues, and reduce reliance on archive canisters.

  • 6506fe857 Interface,Message Routing: Remove checkpoint asynchronously (#4263)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces remove checkpoint asynchronously. Previously, deleting a checkpoint would take 10-20 seconds on larger subnets blocking ‘Consensus’ while doing this, thus slowing down the system, now this process has been made asynchronous using functions StateLayout::remove_checkpoint() which detects the checkpoint to remove, remove_checkpoint_async which moves the selected checkpoint to a temporary file and adds the request to remove the temporary file to the queue using self.checkpoint_removal_sender.send(CheckpointRemovalRequest::Remove(tmp_path)) and adds a thread to delete this temporary file. This sequence does not block ‘Consensus’ thus making the system more efficient.

Bug fixes:

  • 27c9d2b5d Interface,Message Routing: Exclude unverified checkpoint marker when listing all paths for marking ReadOnly (#4429)
    Review: Matches description + changes are appropriate
    Notes: This commit fixes the bug of a thread calling mark_files_readonly_and_sync() on a checkpoint which may have already been deleted by modifying ‘paths’ to remove the file if it exists and mark the remaining files as readonly and sync them. Also, old helper function mark_files_readonly_and_sync(path: &Path) was removed and instead the logic is added inside ‘CheckpointLayout::mark_files_readonly_and_sync()’. Overall, this commit eliminates the bug by preventing unnecessary readonly attempts on markers that may have already been deleted and syncs the files that are marked safely.

Chores:

  • 6c830bd2e Consensus,Interface: introduce a couple of new metrics to the ingress manager (#4455)
    Review: Matches description + changes are appropriate
    Notes: This commit adds new metrics in metrics.rs which validate the ingress message size, provide a field level size breakdown, including arg, method name, nonce, and remainder, time spent in ingress pool before validation, and count of invalidated ingress messages labelled by reason of invalidation. There are also a few refactors such as renaming ‘UnexpectedStatus’ to ‘IngressMessageAlreadyKnown’ which provides more clarity. Overall, this commit provides valuable data for monitoring, debugging, and optimizing the ingress data pipeline.

  • 3a5e3ec21 Execution,Interface: Fix incorrect cost (#4490)
    Review: Matches description + changes are appropriate
    Notes: This commit updates cost model in the Wasm logic to reflect corrected cost for ‘ReturnCallIndirect’. The cost has been updated from 6 to 60, the previous cost was underestimated compared to the actual benchmark and relative cost instruction analysis. ‘ReturnCallIndirect’ involves call stack manipulation and indirect call overhead, thus the increase is much justified. The commit ensures more accurate accounting of instruction costs which impacts the overall cycle charge and execution limits in the runtime.

  • b8ff2bc74 Execution,Interface: Unify Global type (#4376)
    Review: Matches description + changes are appropriate
    Notes: This commit unifies global types enums. Previously, multiple objects had their own copies or definitions of a Global enum to represent WASM globals, now these multiple copies or definitions have been defined in ic-management-canister-types-private. All previous declarations have also been cleaned up and now use ic_management_canister_types_private::Global. This change overall removes redundant logic, keeps maintenance simple, and ensure consistency across the usage of WASM globals. It also ensures backward compatibility by preserving the enum structure and serialization and updating the crates accordingly.

  • 9feabf95a Interface(Ledgers): remove unused dfn build dependencies (#4465)
    Review: Matches description + changes are appropriate
    Notes: This commit is a simple cleanup of unused build dependencies specifically from the Bazel configuration of the Ledger Suite Components. It deletes the following unused dependencies: //rs/rust_canisters/dfn_core and //rs/rust_canisters/dfn_http_metrics. This cleanup speedups building the Bazel Graph and reduces its complexity.

  • 34176db11 Interface,Message Routing: Extra logs for the end of state sync (#4497)
    Review: Matches description + changes are appropriate
    Notes: This commit implements diagnostic logging in StateManagerImpl. Currently, when state sync finishes, it is expected to produce a new StateMetaData and a Snapshot, however, in some runs, either or both could already exist, this commit helps trace when this happens. Codewise, more logs have been added in ‘initialize_tips’, logs have been added when a synced state already exists in metadata as well as when a synced state already exists in ‘in-memory’ states. Finally, instead of using .unwrap(), the code now uses .expect with an error message to provide more clarification. Overall, this commit provides a more clear explanation as to why a test is switching between passing and failing when tested multiple times.

  • d67409872 Interface,Node: add a file size check for ic-os upgrade images (#4453)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces automatic file size checks for IC-OS upgrade images in order to catch unintended size regressions via CI. A new macro is introduced, ‘file_size_check()’, which when called fails if the size of a file exceeds a defined size. Additional checks for the file size have been added to IC-OS images for disk-img.tar.zst, update-img.tar.zst, update-img-test.tar.zst. Moreover, compressed WASM artifacts now use file_size_check() for consistency, other lists like CANISTER_NAME_TO_MAX_COMPRESSED_WASM_SIZE_E5_BYTES have been updated accordingly. This commit provides early alerts for size regression that could lead to performance or boot time issues.

  • 7351a7e2b Owners(IDX): upgrade bazel & bazelisk (#4494)
    Review: Matches description + changes are appropriate
    Notes: This commit upgrades bazel & bazelisk across the codebase, bazel has been upgraded from 7.4.1 to 7.6.0 and bazelisk has been updated from 1.19.0 to 1.25.0. The docker container has also been updated to reflect the new upgraded version of bazelisk. This update overall includes bug fixes, improved performance, better stability, and future compatibility. Finally, the hash updates ensure that container is reproducible across the entire CI pipeline.

  • 896cd1f34 Node: Remove exec mem permissions (#4492)
    Review: Matches description, however, rolled back.
    Notes: (ROLLED BACK IN #4258, 9daac230f) This update directly affects the system’s security by removing execmem permissions from the replica and canister sandbox domains. This commit removes execmem from ic_replica_t and ic_canister_sandbox_t and keeps execmem only in ic_compiler_sandbox_t. Keeping it in sandbox is fine since sandbox does not execute the code and only compiles it. Overall, security is improved by removing execmem from components that do not require it.

  • 65ece1be4 Node: Update Base Image Refs [2025-03-26-0149] (#4517)
    Review: Matches description + changes are appropriate
    Notes: This commit updates the references to the various base container images used in the ic-os layers to newer image versions. The changes include repathing each image path to the new base image. Example of a few components that were updated: BoundaryOS, GuestOS, SetupOS, HostOS. This commit ensures latest security patches, libraries, and runtime improvement.

  • 4267d5b64 Node: Update Base Image Refs [2025-03-20-0807] (#4439)
    Review: Matches description + changes are appropriate
    Notes: This commit is not code dependent on commit 65ece1be4 but essentially does the same thing by updating docker-base image reference across the system in multiple OS context. This commit is superseded by 65ece1be4.

Refactoring:

  • 1d63e9f6d Consensus,Interface(consensus): Merge Imports in consensus crate (#4481)
    Review: Matches description + changes are appropriate
    Notes: This commit makes use statements consistent across the consensus crate especially under the idkg module. Some of the imports that were grouped and merged are crate::idkg::pre_signer::{IDkgPreSigner, IDkgPreSignerImpl}, {ThresholdSigner, ThresholdSignerImpl}. After merging it reduces the amount of repeated use…. lines which makes it easy to import all related imports from a module to one place. This commit does not change the behavior of the system but makes the structure cleaner and more maintainable. It’s a good refactor.

  • 7e78d5c32 Consensus,Interface: move ingress manager metrics to a separate file (#4454)
    Review: Matches description + changes are appropriate
    Notes: This commit extracts metric logic from lib.rs in the ‘ingress_manager’ crate into a new dedicated file, ‘metrics.rs’ while also making minor build system cleanups and simplification of tests. This commit has removed unnecessary Bazel and Cargo dependencies like ic-registry-keys, and ic-registry-subnet-type. These are now only declared where used, majorly in tests context. run_test() has also been simplified by removing unused test names and parameters. Additionally, ‘.into_iter().for_each()’ has been changed to a for loop in on_state_change which is more readable and logically sound. This refactor provides several benefits such as encapsulating metrics and making it easier to test and maintain code with separate responsibilities.

  • 01b6a4139 Consensus,Interface(consensus): Move Certification into its own crate (#4437)
    Review: Matches description + changes are appropriate
    Notes: This refactor moves Certification module from ic-consensus into a standalone crate called ic-consensus-certification. New dependency on ic-consensus-certification has been added to ic-consensus, replica, replay, setup_ic_network which makes the code consistent with the change. There are also a few cleanups in this commit like moving the constant MINIMUM_CHAIN_LENGTH from ic-consensus/src/consensus.rs to ic-consensus-utils. Also removed tokio from ic-consensus main dependency and added to dev-dependencies wherever needed. Code can now also import CertificationCrypto, VerifierImpl, CertifierImpl and more from the new crate. Overall, this refactor modularizes the code base providing a cleaner structure by decluttering ic-consensus crate.

  • ff89bb980 Execution,Interface,Message Routing: Remove the parts of old CanisterStateBits after migration (#4335)
    Review: Matches description + changes are appropriate
    Notes: This refactor finalizes the removal of legacy fields from CanisterStateBits following a successful shift to the new TaskQueue model. Repeated ExecutionTask removed from protobuf definitions, rust generated structs, decode and encode logic. Option on_low_wasm_memory_hook_status is also removed. Tests are fully functional and helper utilities have been updated to work with the new TaskQueue model. Overall, this refactor consolidates the system around a single task management model, eliminates redundant and deprecated code, and reduces complexity in logic.

Other changes:

  • 9daac230f Node: “chore(): Remove execmem permissions” (#4528)
    Review: Matches description + changes are appropriate
    Notes: This is related to commit #4492, 896cd1f34, which removed execmem from every other place except ic_compiler_sandbox_t, this commit reverts the change and adds it back to ic_replica_t which requires it for native WASM execution and ic_canister_sandbox_t which requires it for compiled WASM code. This commit reintroduces a known security risk, but, keeps it since it is essential in executing the code. This change is a pragmatic rollback in favor of runtime stability.

Proposal 136004 | Tim - CodeGov

Vote: Adopt

Reason: Build is successful, hashes match, commits match descriptions and the reasoning behind the changes is sound. I’ve reviewed commits for Consensus and Interface as detailed below.

Review

Features:

[d073bc43f]
Decreases DEFAULT_SANDBOX_PROCESS_RSS from 50 MiB to 5 MiB and increases DEFAULT_MAX_SANDBOX_COUNT from 7000 to 10000.

[4070d82b7]
Adds flags canister_snapshot_download and canister_snapshot_upload to indicate whether canister snapshot metadata and data can be downloaded or uploaded by controllers.

[3cdab8309]
Modifies FileDownloader::download_file and associated methods such that a file download will be resumed, fetching only the missing parts of the file, if a file exists matching the given hash.

[7099a3838]
Various changes matching the detailed outline in the description in order to allow the reshare_chain_key API to be utilised for VetKeys.

[b5028d836]
Adds field timestamp_seconds to types HighCapacityRegistryValue, HighCapacityRegistryGetValueResponse and HighCapacityRegistryAtomicMutateRequest.

[c3f0331bc]
Adds thread-local variables TOTAL_VOLUME, TOTAL_VOLUME_DENOMINATOR and TOTAL_VOLUME_FEE_IN_DECIMALS and supporting functions initialize_total_volume and update_total_volume in order to provide a total volume counter metric for ICRC1 ledgers.

[219abad14]
Replaces impl BlockData for HeapBlockData with an implementation of new trait BlockDataContainer for BlockData<BDC>. The new trait has methods with_blocks and with_blocks_mut which utilise ic_stable_structures::StableBTreeMap in order to migrate blocks stored in the ledger to stable structures.

[6506fe857]
Adds remove_checkpoint_async method and related logic so that the file deletion stage of checkpoint removal can happen asynchronously, resulting in a significant time saving.

Bugfixes:

[27c9d2b5d]
Adapts StateLayout::mark_checkpoint_files_readonly and CheckpointLayout::mark_files_readonly_and_sync so that the unverified_checkpoint_marker is removed from the list of paths in order to maintain consistency between the main thread and the state sync thread.

Chores:

[6c830bd2e]
Adds new metrics validated_ingress_message_size, validated_ingress_message_field_size, validated_ingress_message_time and invalidated_ingress_message_count to the ingress manager.

[9feabf95a]
Removes unused dependencies rust_canisters/dfn_core and rust_canisters/dfn_http_metrics from BUILD.bazel files.

[34176db11]
Adds additional log messages for state sync completion.

[d67409872]
Adds file_size_check test and specifies expected maximum sizes for ic-os build images and system canister .wasm.gz files.

Refactoring:

[1d63e9f6d]
Reconfigures imports (use statements) for clarity throughout the consensus crate.

[7e78d5c32]
Moves IngressManagerMetrics into a new file rs/ingress_manager/src/metrics.rs.

[01b6a4139]
Moves the certification submodule into its own crate, as per description.

About CodeGov

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neurons’ Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralisation of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.

Proposal: 136004 | Yuvika - ZenithCode

Summary:

  1. Build Hash: Build hash from the proposal, local build and CDN match and is “1816ff15e4f9a4937b246699ba9e72e59494eb6e29a71ee1757fb63f9f4ca3bd”.
  2. Summary: The release notes match the code changes
  3. Vote: I vote to adopt the proposals

Commits

Detailed Review:

Features:

  • d073bc43f Consensus,Execution,Interface: Increase sandbox limit (#4491)
    Notes: The default limit for canister sandboxes has been increased from 7,000 to 10,000 (DEFAULT_MAX_SANDBOX_COUNT). At the same time, the estimated memory usage per sandbox process was lowered from 50 MiB to 5 MiB, allowing more sandboxes to run simultaneously. These changes help improve performance by keeping more sandboxes active while staying within the same memory limits.
    Review: Code changes look good and match release notes.
  • 4070d82b7 Consensus,Execution,Interface: Introduce feature flags for canister snapshot import and export (#4519)
    Notes: Adds canister_snapshot_download and canister_snapshot_upload to the configuration and are initialized as FlagStatus::Disabled, so that no impact is detected until the real implementation replaces the current no-op logic. These changes prepare the system for future canister snapshot import/export functionality.
    Review: Code changes look good and match release notes.
  • 3cdab8309 Consensus,Interface: use resuming downloads for file downloader (#4415)
    Notes: Resumes downloads to address issues caused by low bandwidth and connectivity problems. It adds a new test for resuming downloads which uses a large image from the proxy that includes network requirements and dependencies to make sure the test runs smoothly.
    Review: Code changes look good and match release notes.
  • 7099a3838 Consensus,Interface: Implement Consensus for ReshareChainKey for VetKD (#4248)
    Notes: This PR implements the consensus changes to enable remote DKG for VetKeys using the reshare_chain_keys API, making it possible to recover VetKeys from the consensus side. Refactored process_setup_initial_dkg_contexts into process_reshare_chain_key_contexts and simplifying the creation of DKG configurations by renaming do_create_remote_dkg_config to create_remote_dkg_config_for_key_id. Removing reshare_chain_key requests as the safety check rejected it, allowing these requests to be processed. These changes lay the foundation for VetKeys recovery on the mainnet, with only the Registry migration remaining.
    Review: Code changes look good and match release notes.
  • 0cc84afde Execution,Interface(EXC): Skip compilation charge when Wasm is in cache (#4506)
    Notes: The code clears the expected_compiled_wasms metadata to ensure that the full execution cost is applied when the canister is upgraded. The system is forced to recompile the Wasm, and the full cycle charge for compilation is incurred by removing the cached Wasm code.
    Review: Code changes look good and match release notes.
  • b5028d836 Interface: adding timestamps to HighCapacityRegistryValue (#4450)
    Notes: This PR adds a timestamp_seconds field to the registry system to track the exact time of registry mutations and atomic mutate requests. This addition improves the ability to audit and trace the timing of these events.
    Review: Code changes look good and match release notes.
  • c3f0331bc Interface(ICRC_Ledger): Export total volume counter metric for ICRC ledger (#4166)
    Notes: Adds total_volume counter metric to the ICRC ledger implementation to track the total transaction volume processed by the ledger to improve the ledger’s efficiency and reliability.
    Review: Code changes look good and match release notes.
  • 219abad14 Interface(ICP-Ledger): migrate ledger blocks to stable structures (#3836)
    Notes: The ledger’s blocks have been transitioned to stable data structures, improving storage capacity and reducing reliance on archiving by configuring parameters such as trigger_threshold, allowing for tailored storage management.
    Review: Code changes look good and match release notes.
  • 6506fe857 Interface,Message Routing: Remove checkpoint asynchronously (#4263)
    Notes: Improves checkpoint removal performance by moving the deletion step to a background thread, remove_checkpoint() to allow the main process to return quickly after renaming the checkpoint. This change prevents the Consensus thread from being blocked and boosts the finalization rate, mainly on subnets with many canisters.
    Review: Code changes look good and match release notes.

Bugfixes:

  • 27c9d2b5d Interface,Message Routing: Exclude unverified checkpoint marker when listing all paths for marking ReadOnly (#4429)
    Notes: This PR fixes a test failure in can_state_sync_into_existing_checkpoint to make sure that the unverified checkpoint marker is not marked as read-only. The update removes the marker from the list of paths to prevent issues when multiple threads are working with the checkpoint.
    Review: Code changes look good and match release notes.

Chores:

  • 6c830bd2e Consensus,Interface: introduce a couple of new metrics to the ingress manager (#4455)
    Notes: The commit introduces new metrics to the ingress manager, such as ingress_handler_validated_ingress_message_size, ingress_handler_validated_ingress_message_field_size, ingress_handler_validated_ingress_message_time, and ingress_handler_invalidated_ingress_message_count. The error variant IngressMessageValidationError::UnexpectedStatus has been renamed to IngressMessageValidationError::IngressMessageAlreadyKnown to better reflect its purpose.
    Review: Code changes look good and match release notes.
  • 3a5e3ec21 Execution,Interface: Fix incorrect cost (#4490)
    Notes: Increases the cost of the Operator::ReturnCallIndirect operation from 6 to 60 to capture its computational overhead in a better way.
    Review: Code changes look good and match release notes.
  • b8ff2bc74 Execution,Interface: Unify Global type (#4376)
    Notes: Moves the Global type from ic_replicated_state to ic_management_canister_types_private to be part of the public interface for canister snapshot metadata while keeping existing users whitelisted.
    Review: Code changes look good and match release notes.
  • 9feabf95a Interface(Ledgers): remove unused dfn build dependencies (#4465)
    Notes: Removes unused dfn build dependencies, dfn_http_metrics and dfn_core to reduce unnecessary dependencies.
    Review: Code changes look good and match release notes.
  • 34176db11 Interface,Message Routing: Extra logs for the end of state sync (#4497)
    Notes: Adds extra logging to track less common paths during state synchronization when a checkpoint is recovered and provides more details on state sync completions when an in-memory state or state metadata is already present locally.
    Review: Code changes look good and match release notes.
  • d67409872 Interface,Node: add a file size check for ic-os upgrade images (#4453)
    Notes: Adds file_size_check function that ensures a given file does not exceed a specified maximum size.
    Review: Code changes look good and match release notes.
  • 7351a7e2b Owners(IDX): upgrade bazel & bazelisk (#4494)
    Notes: Upgrades Bazel from version 7.4.1 to 7.6.0, and Bazelisk from 1.19.0 to 1.25.0 to improve build efficiency and compatibility.
    Review: Code changes look good and match release notes.
  • 896cd1f34 Node: Remove exec mem permissions (#4492)
    Notes: Creates a separate SELinux domain for the compiler sandbox while removing execmem permissions from the replica and canister sandbox domains to reduce security risks.
    Review: Code changes look good and match release notes.
  • 65ece1be4 Node: Update Base Image Refs [2025-03-26-0149] (#4517)
    Notes: Updates the base container image references to newer versions to have secure container images.
    Review: Code changes look good and match release notes.
  • 4267d5b64 Node: Update Base Image Refs [2025-03-20-0807] (#4439)
    Notes: Updates the base container image references to newer versions to have secure container images.
    Review: Code changes look good and match release notes.

Refactoring:

  • 1d63e9f6d Consensus,Interface(consensus): Merge Imports in consensus crate (#4481)
    Notes: This PR joins imports within the consensus crate by merging previously unmerged imports inside the idkg module.
    Review: Code changes look good and match release notes.
  • 7e78d5c32 Consensus,Interface: move ingress manager metrics to a separate file (#4454)
    Notes: Moves ingress manager metrics to a separate metrics.rs file for better organization and maintainability, removes Bazel and Cargo dependencies while making minor code improvements.
    Review: Code changes look good and match release notes.
  • 01b6a4139 Consensus,Interface(consensus): Move Certification into its own crate (#4437)
    Notes: Refactors the certification submodule by moving it from ic_consensus to a new standalone crate, ic_consensus_certification to improve compilation speed.
    Review: Code changes look good and match release notes.
  • ff89bb980 Execution,Interface,Message Routing: Remove the parts of old CanisterStateBits after migration (#4335)
    Notes: Removes deprecated components from the CanisterStateBits structure following the completion of migration tasks outlined in EXC-1752.
    Review: Code changes look good and match release notes.

Other changes:

  • 9daac230f Node: “chore(): Remove execmem permissions” (#4528)
    Notes: This PR reverts a previous change that removed execmem permissions to restore the process to execute memory allocated at runtime.
    Review: Code changes look good and match release notes.

Proposal #136004 — Zack | CodeGov

for release-2025-03-27_03-14-base.

Vote: Adopted
Reason: The build is reproducible and all three OS hashes match (GUESTOS, HOSTOS and SETUPOS) as well as the listed commits descriptions.


Proposal 136004 – Zane | CodeGov

Vote: ADOPT
Reason: Build completes successfully, both hashes and reviewed commits match their descriptions, so I’ve decided to vote to adopt.

Features:

d073bc43f Decreased default sandbox process resident set size from 50MB to 5MB and increased from 7k to 10k default number of max sandbox processes.

4070d82b7 Added two feature flags to Execution environment’s config which will be used to toggle canister upload/download functionality, once it starts being implemented.

0cc84afde In Hypervisor’s create_execution_state method, the compilation cost is adjusted based on the current CompilationCostHandling, which is determined in execute_install_code depending on whether the wasm hash is expected to already be in the compilation cache and if that is the case, the cost is divided by a factor of 100 as it doesn’t have to be compiled and only needs to be deserialized from the cache. Some existing tests have been updated to preserve old behaviour by clearing the cache on each run so the amount of instructions matches the expected one. compilation_cost_ignored_from_install_to_install and compilation_cost_charged_when_state_is_cleared have been modified to validate the new logic, with the former ensuring full cost is applied only to the first compilation, with the adjusted cost applied for second one, while the latter ensures full cost is always applied if the cache is cleared in between compilations.

b5028d836 Added timestamp_seconds field to HighCapacityRegistryValue, HighCapacityRegistryAtomicMutateRequest and HighCapacityRegistryGetValueResponse. Matches description.

219abad14 Implemented logic to migrate blocks of the icp ledger to stable memory. BlockData trait has been removed alongside its impl blocks, BlockData struct has been added to encapsulate blocks’ CRUD and migration logic, it abstracts the data location using BlockDataContainer trait, the struct is used in place of the removed trait. A memory ID has been reserved and a new virtual memory has been allocated to store a StableBTreeMap containing all blocks. In the icp ledger’s post upgrade hook the existing logic previously used to migrate allowances/balances has been repurposed for blocks.
block_ , tip_of_chain_ , iter_blocks_ , get_blocks_ and query_blocks methods have been modified so that if they are called while the migration is still in progress they panic to prevent returning erroneous data.

6506fe857 When creating a StateLayout instance a background thread to handle checkpoint file deletion asynchronously is set up by calling spawn_checkpoint_removal_thread method, which spawns the thread and creates an unbounded channel to be used to send removal requests. The StateLayout struct has also been extended with 2 new fields to hold the channel sender and the thread’s JoinOnDrop reference, so that it can be automatically joined when the StateLayout instance goes out of scope.
The existing remove_checkpoint method has been renamed to remove_checkpoint_sync and is still used in force_remove_checkpoint. The new version makes use of remove_checkpoint_async method, which renames the checkpoint path into tmp_path and then sends a removal request to the background thread. Finally in create_checkpoint_and_switch a Wait request, containing a bounded channel, is sent to the thread, this is done so that before a new checkpoint is created, all pending removal requests must first be processed, if they already have been then a completion signal is received almost immediately after the request is sent, otherwise the process is stalled until the signal is received. The StateLayoutMetrics now have 2 separate metrics for sync/async remove checkpoint duration and an additional metric to track the size of the removal channel.

Bugfixes:

27c9d2b5d Filter out the unverified checkpoint marker from the list of paths to mark as read only.

Chores:

6c830bd2e Renamed UnexpectedStatus variant of IngressMessageValidationError to IngressMessageAlreadyKnown and added four fields to IngressManagerMetrics, three of them are used to observe validated ingress message stats, i.e. overall size, individual fields sizes (such as arg/method name/nonce) and for how long the message was in the pool before it was validated, the fourth is a counter to track number of invalidated messages.

3a5e3ec21 Increased ReturnCallIndirect from 6 to 60 and updated documentation comment. Matches description.

b8ff2bc74 Moved Global enum definition and its implementations from execution state to ic-management-canister-types-private crate. Updated imports accordingly.

9feabf95a Deleted unused dfn_* dependencies from the ledger suite.

34176db11 In initialize_tip moved log to the start of the method, added logs for completed StateSync in on_synced_checkpoint and replaced unwraps with expect in take_tip to provide context on why the process panicked.

d67409872 Added bazel check which logs to console if the compressed ICOS build artifacts size is greater than expected.

7351a7e2b Bumped bazel and bazelisk versions. Matches description.

65ece1be4, 4267d5b64 Updated ICOS image refs.

Refactoring:

ff89bb980 Deleted task_queue and on_low_wasm_memory_hook_status fields from both CanisterStateBits’s rust and proto definitions. Simplified serialization/deserialization methods by getting rid of deprecated fields and logic used to guarantee backwards compatibility with old state versions. Deleted from_checkpoint and get_queue methods of TaskQueue.


1 Like
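The rename-then-delete pattern with a `Wait` barrier that the reviews of 6506fe857 describe, shown as an added example that is not part of the thread and is not the IC code base's own implementation. `Layout`, the directory names and `demo` are hypothetical; only the request variants `Remove`/`Wait` and the method name `remove_checkpoint_async` follow the reviews.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::sync::mpsc::{channel, sync_channel, Sender, SyncSender};
use std::thread::{self, JoinHandle};

/// Requests understood by the removal thread (variant names follow the reviews).
enum CheckpointRemovalRequest {
    /// Delete a directory that was already renamed out of `checkpoints/`.
    Remove(PathBuf),
    /// Barrier: reply once every request queued before this one has been handled.
    Wait(SyncSender<()>),
}

/// Hypothetical, simplified stand-in for the real `StateLayout`.
pub struct Layout {
    root: PathBuf,
    sender: Option<Sender<CheckpointRemovalRequest>>,
    worker: Option<JoinHandle<()>>,
}

fn thread_gone() -> io::Error {
    io::Error::new(io::ErrorKind::BrokenPipe, "checkpoint removal thread is gone")
}

impl Layout {
    pub fn new(root: &Path) -> io::Result<Self> {
        fs::create_dir_all(root.join("checkpoints"))?;
        fs::create_dir_all(root.join("tmp"))?;
        let (sender, receiver) = channel::<CheckpointRemovalRequest>();
        let worker = thread::spawn(move || {
            // FIFO processing; the loop ends when the sender is dropped.
            for request in receiver {
                match request {
                    CheckpointRemovalRequest::Remove(path) => {
                        if let Err(err) = fs::remove_dir_all(&path) {
                            eprintln!("failed to remove {}: {}", path.display(), err);
                        }
                    }
                    CheckpointRemovalRequest::Wait(done) => {
                        let _ = done.send(());
                    }
                }
            }
        });
        Ok(Self { root: root.to_path_buf(), sender: Some(sender), worker: Some(worker) })
    }

    pub fn checkpoint_path(&self, height: u64) -> PathBuf {
        self.root.join("checkpoints").join(format!("{:016x}", height))
    }

    /// Fast path: an atomic rename frees the checkpoint name at once; the slow
    /// recursive delete is queued for the background thread.
    pub fn remove_checkpoint_async(&self, height: u64) -> io::Result<PathBuf> {
        let tmp_path = self.root.join("tmp").join(format!("removed_{:016x}", height));
        fs::rename(self.checkpoint_path(height), &tmp_path)?;
        let sender = self.sender.as_ref().ok_or_else(thread_gone)?;
        sender
            .send(CheckpointRemovalRequest::Remove(tmp_path.clone()))
            .map_err(|_| thread_gone())?;
        Ok(tmp_path)
    }

    /// Blocks until all removals queued so far are done, as the reviews describe
    /// happening before a new checkpoint is created.
    pub fn wait_for_pending_removals(&self) -> io::Result<()> {
        let (done_tx, done_rx) = sync_channel(1);
        let sender = self.sender.as_ref().ok_or_else(thread_gone)?;
        sender
            .send(CheckpointRemovalRequest::Wait(done_tx))
            .map_err(|_| thread_gone())?;
        done_rx.recv().map_err(|_| thread_gone())
    }
}

impl Drop for Layout {
    fn drop(&mut self) {
        // Closing the channel stops the worker loop; then join it.
        drop(self.sender.take());
        if let Some(worker) = self.worker.take() {
            let _ = worker.join();
        }
    }
}

/// Runs the sequence on a constructed checkpoint and reports
/// (name freed right after the call, data gone after the barrier).
pub fn demo(root: &Path) -> io::Result<(bool, bool)> {
    let layout = Layout::new(root)?;
    let checkpoint = layout.checkpoint_path(42);
    fs::create_dir_all(&checkpoint)?;
    fs::write(checkpoint.join("canister.bin"), vec![0u8; 4096])?; // constructed sample data
    let tmp_path = layout.remove_checkpoint_async(42)?;
    let name_freed = !checkpoint.exists();
    layout.wait_for_pending_removals()?;
    let data_deleted = !tmp_path.exists();
    Ok((name_freed, data_deleted))
}

fn main() {
    let root = std::env::temp_dir().join(format!("ckpt_demo_{}", std::process::id()));
    let (name_freed, data_deleted) = demo(&root).expect("demo failed");
    println!("name freed: {name_freed}, data deleted after wait: {data_deleted}");
    let _ = fs::remove_dir_all(&root);
}
```

Because the worker handles requests in order, the reply to `Wait` guarantees that every earlier `Remove` has finished.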