Voting for a new IC release - 2024-01-18_23-01

Hello there!

We are happy to announce that voting is now open for a new IC release and the retirement of old replica versions 91d71f05,206a50f0.
The NNS proposal is here: IC NNS Proposal 127094 .

Here is a summary of the changes since the last release:


  • [0f707cd] Boundary Nodes,Node: Adds Crowdsec bouncer to BN
  • [882bcfa] Boundary Nodes,Node: Add Crowdsec, refactor base docker a bit
  • [751cf03] Boundary Nodes,Node: reconfigure vector
  • [5627103] Boundary Nodes,Node: bump nginx to 1.25.3 in the base image
  • [e0993fb] Consensus(ecdsa): Add get_oldest_ecdsa_state_registry_version()
  • [44fdb94] Consensus(ecdsa): populate key_id in QuadrupleId for newly crated Quadruples
  • [683a67c] Consensus(ecdsa): add ecdsa_key_id label to ECDSA metrics
  • [2c828fa] Consensus(ecdsa): Serialize key transcript ref in quadruple
  • [2f64ebd] Consensus(ecdsa): Refill matched quadruples
  • [adba2f9] Consensus: Add metrics for the size of the certification pools
  • [1951764] Consensus: Add an artifact_type label to consensus_pool_size metric.
  • [dec4b88] Execution,Runtime(ecdsa): Add metrics for delivered quadruples and completed ECDSA contexts
  • [3c5cfc6] Execution,Runtime(ecdsa): Match quadruples with contexts in replicated state
  • [6f75846] Node: add the IC OS Name Service Switch library to enable guestos and hostos host name resolution.


  • [2a4477c] Boundary Nodes,Node: update cs-bouncer, decrease freq
  • [96b16d0] Boundary Nodes,Node: rollback nftables counters
  • [ed617e7] Consensus(ecdsa): Do not count transient retain_active_transcripts errors as critical
  • [b207778] Consensus(ecdsa): fix reporting of the key_transcripts_created metric
  • [98dc82c] Crypto: Update BSGS memory estimator to account for recent changes
  • [97e4d6a] Execution,Runtime(execution): Include bitcoin canisters as aliases for IC_00 routing
  • [794a7ba] Message Routing: Accidental full manifest for some files
  • [323fde8] Message Routing,Runtime: Create base files efficiently with LSMT
  • [29fc6ad] Networking(state_sync_manager): reject state adverts that differ from current state sync
  • [fd19e57] Node(ic-os): only enable systemd units that are enableable.
  • [a47bd69] Node(ic-os): Update telemetry data centers in HostOS.

Performance improvements:

  • [1344231] Crypto: improve efficiency of mul_by_node_index


  • [bd7f498] Boundary Nodes,Networking: bump h2
  • [0f805c2] Consensus(ecdsa): add ecdsa_key_id label to EcsdaPayloadMetrics
  • [c776b8b] Consensus(backup): Add subnet_id KV to every logged message in BackupHelper
  • [3f0220c] Consensus: split ic_consensus_utils::get_active_data_at into three separate functions
  • [60c4dd8] Consensus(ecdsa): Add metric for available quadruples with key transcript
  • [4cdbd4e] Consensus: remove unnecessary clone in ic_consenus_utils::get_adjusted_notary_delay_from_settings
  • [a36a6bd] Crypto: expose StandaloneIngressSigVerifier
  • [6808e9d] Execution: use CanisterSettingsArgsBuilder instead of corresponding constructor
  • [fb70937] Execution,Runtime: Increase query cache max expiry time to 5min
  • [9d3651c] Execution,Runtime: add round_inner_iteration_exe to scheduler metrics
  • [46595ae] Message Routing,Interface: Make fields in RequestMetadata non-optional.
  • [9c4c774] Networking: build read state service with builder and expose it
  • [2dfa7b6] Node: Update docs on where config info comes and goes
  • [e198508] Runtime,Execution: Use let-else in embedders and execution_environment


  • [d5fd7bf] Consensus: Refactor malicious_code in ecdsa component
  • [49be34e] Crypto: make IDkgReceivers::position() private
  • [a3addc7] Crypto: refactor IDkgDealers
  • [6dac73b] Crypto: remove obsolete CryptoComponentForNonReplicaProcess trait
  • [24abd67] Networking,Message Routing: move the StateSyncArtifactId into the P2P interfaces
  • [2e614cf] Networking,Message Routing: Make the error code when adding chunks sane


  • [597bca3] Consensus: Refactor validator unit test dependencies
  • [4ff506b] Consensus: Share aggregator unit tests
  • [6dea12a] Consensus: add malicious ecdsa test to consensus test framework
  • [98eceed] Consensus(ecdsa): Purge unmatched quadruples referencing old key transcripts once certified height reaches the latest summary height
  • [09bb6f3] Consensus: Run ecdsa component in consensus test framework
  • [7be5fcc] Crypto: fix test_combined_secret_key that fails if num_receivers=0
  • [27e0d68] Crypto: use clib functions to corrupt dealings
  • [1985b9a] Crypto: fix should_verify_transcript_reject_reshared_transcript_with_dealings_swapped
  • [ac6d92d] Crypto: fix flakiness in a remote vault test
  • [a7fbbd6] Message Routing,T&V: ensure malicious state sync chunks are rejected


  • [b2ab069] Crypto: Update IDkgProtocol::retain_active_transcripts docs
  • [505ae39] Crypto: add documentation for the prefix size variable in BSGS

Other changes:

  • [f0373c6] Boundary Nodes,Node: () Limit the number of open tcp connections in BN per ip
  • [8868cfa] Boundary Nodes,Node: feat() fix nginx config to match v1.25.3
  • [19533e6] Execution: Avoid traps in the ic0.call_perform System API
  • [88160bf] Execution,Runtime: Charge for chunked install on hash mismatch
  • [879331e] IDX,Consensus,Cross Chain,Execution,Runtime: fix existing cargo clippy errors and make sure we run cargo clippy on the whole repository only with relevant lints
  • [f64d6cc] IDX,T&V,Node(datavolume): add lgcy population annotation
  • [3c9dd30] Networking,Message Routing,Runtime: remove the dependency on the old static_assertions crate
  • [2c80687] Node: Updating container base images refs [2024-01-18-0814]
  • [78c3331] Node: Reduce network dependencies for replica service
  • [3c82921] Node: Updating container base images refs [2024-01-17-1411]
  • [0dc5c64] Node: Updating container base images refs [2024-01-15-1422]
  • [bf0a7cb] Node: Updating container base images refs [2024-01-11-1533]
  • [5a76af8] Runtime: Upgrade wasmtime to 15.0.1
  • [8f2ae8e] Runtime,Execution: Add DTS slicing for messages that touch many pages.
  • [630ea70] Runtime,Message Routing,Execution: Populate Request Metadata

Link to the forum post: Voting for a new IC release - 2024-01-18_23-01

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO && chmod +x && ./ -c a7862784e8da4a97a1d608fd5b3db365de41a2d7

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.


And this week we also have another special build with the new p2p consensus layer enabled. This feature was deployed last week to subnet fuqsr only and performed very well.

1 Like

Reviewers for the CodeGov project have completed our review of these replica updates.

Proposal ID: 127094
Full report: Replica Version Management Reviews channel in the CodeGov community on OpenChat

Proposal ID: 127096
Full report: Replica Version Management Reviews channel in the CodeGov community on OpenChat

At the time of this comment on the forum there are still 2 days left in the voting period, which means there is still plenty of time for others to review the proposal and vote independently.

We had several very good reviews of the Release Notes on these proposals by @Zane, @cyberowl, @ZackDS, @massimoalbarello, @ilbert, @Gekctek, and @hpeebles. The IC-OS Verification was also performed by @jwiegley and @tiago89. I recommend folks talk a look and see the excellent work that was performed on these reviews by the entire CodeGov team. Feel free to comment here or in the thread of each respective proposal in our community on OpenChat if you have any questions or suggestions about these reviews.


@sat there were two comments from @hpeebles in his review posted here that you might want the change owners to see.

I couldn’t load ‘[a3addc7] Crypto: refactor IDkgDealers’, and ‘[323fde8] Message Routing,Runtime: Create base files efficiently with LSMT’ has a value which looks like it will now be negative where before it was always positive.

He also credited @cyberowl for already having commented on the issue with 323fde8 on GitHub.

1 Like

@wpb it’s odd that the commit a3addc7 does not load in github, seems like a bug on github side.

However, local command git show a3addc7 works. As well as these:

and also the long commit sha

So I’ll just bump up the hash substring (commit identifier) from 7 to 9, hopefully that resolves such problems in the future.

1 Like

Sounds good. Thank you @sat.

Agreed. Also, @cyberowl confirmed here that he can see the commit. He uses the GitKraken application.

I submitted another proposal based on the ask of our engineers, as risk management.
The new build should be deployed to system subnets only:

PTAL. Thanks!


What’s the reason that only system subnets are affected, I am not aware of any differences in replicas in the past that had similar issue. Thank you

1 Like

@ZackDS as far as I understand, system subnets have higher instruction limit than app subnets, and DTS has not been thoroughly tested with these numbers of instructions, that’s all. I haven’t heard that engineers actually saw an issue. They are just trying to be extra safe.


Reviewers for the CodeGov project have completed our review of this replica update.

Proposal ID: 127104
Full report: CodeGov community Replica Version Management Reviews channel on OpenChat

At the time of this comment on the forum there are still 2 days left in the voting period, which means there is still plenty of time for others to review the proposal and vote independently.