Hello there!

We are happy to announce that voting is now open for a new IC release, revision 69e1408347723dbaa7a6cd2faa9b65c42abbe861 and the retirement of old IC version d430f7ad.

The NNS proposal is here: IC NNS Proposal 126095.

Release Notes:

• [fb32e0fc1] Consensus: chore(consensus): Introduce ProposalContext to pass into payload validators
• [9514946d0] Consensus: chore(consensus): remove the allow(dead_code) attributes from Consensus production code
• [cf5579b08] Consensus: chore(orchestrator): don’t throw away the errors
• [412d6cef0] Consensus: feat(): Implement query stats delivery
• [8982dfca7] Consensus: fix(consensus): try to always return the random beacon
• [13bafa584] Consensus: fix: Replace current_time with time_source so that it can be mocked properly in benchmark
• [9916d741d] Crypto: chore(crypto): Delete not_after parameter in CspKeyGenerator::gen_tls_key_pair
• [56123a83c] Crypto: chore(crypto): Remove unused verify_combined_threshold_sig function
• [c557f818c] Crypto: fix: ensure nonce used for update request is at most 32 bytes
• [e3a6b3db0] Execution: feat: Time out stop_canister requests
• [4600ce305] Execution: perf: Execute postponed raw rand messages
• [fbf09601a] Execution: perf: Handle raw_rand messages during subnet split
• [dae13303f] Message Routing: chore: Clean up Message Routing constructors
• [b6cb57729] Message Routing: doc: Better documentation and naming
• [e300986b3] Networking: build: fix few build dependencies
• [f5e4a8ed8] Networking: chore: bump rust to 1.73
• [30c2c0be1] Networking: chore: bump rust to 1.74
• [cb46ac4f0] Networking: chore: enable https outcalls on all newly created subnets
• [c98f779ea] Networking: chore: remove the policy monitoring code
• [ff24b5ef9] Networking: chore: remove un-existing destinations from the owners file
• [04e66e570] Networking: chore: upgrade prost to 0.12 and tonic to 0.10
• [22f839557] Networking: fix(consensus_manager): move rpc response encoding into blocking thread
• [2bc3ec0a0] Networking: fix(https_outcalls_adapter): Set default User-Agent header if not set by user
• [0622ec9f1] Node: Feat(): Rewrite generate-network-config into rust guestos_tool
• [c0773c6bb] Node: feat(,): SEV feature tooling
• [6fc1aac54] Runtime: Allow canister to control its chunk store
• [2575e5376] Runtime: Increase guard region size for Wasm memory
• [e233f292d] Runtime: Upgrade wasmparser and wasm-encoder
• Various tech-debt management: code refactoring, docs, bug fixes, test updates

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#verifying-releases
sudo apt-get install -y curl && curl --proto '=https' --tlsv1.2 -sSLO https://raw.githubusercontent.com/dfinity/ic/69e1408347723dbaa7a6cd2faa9b65c42abbe861/gitlab-ci/tools/repro-check.sh && chmod +x repro-check.sh && ./repro-check.sh -c 69e1408347723dbaa7a6cd2faa9b65c42abbe861

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image,
must be identical, and must match the SHA256 from the payload of the NNS proposal.

Folks,

It has come to our attention that the URL list in the proposal does not include the link to the gzipped tarball, only to the tarball compressed with zstd. This is an oversight that I take responsibility for. We’ve been gearing up to distributing more highly-compressed replica updates in order for all of us to save bandwidth, and in the process of producing a viable release, I forgot to include the less-compressed replica update in the proposal.

URLs that should have been embedded in the proposal:

• https://download.dfinity.systems/ic/69e1408347723dbaa7a6cd2faa9b65c42abbe861/guest-os/update-img/update-img.tar.zst (this was)
• https://download.dfinity.systems/ic/69e1408347723dbaa7a6cd2faa9b65c42abbe861/guest-os/update-img/update-img.tar.gz (this was not)

Fortunately, the images will build reproducibly, and you can verify yourself that the two images we distribute for this update are identical. To verify that the gzipped tarball and the zstd-compressed tarball images are identical, you can download both images then check with code as follows:

# This assumes your shell is bash or bash-compatible.

cd # return to home directory
mkdir -p tmp/extraordinaryverification # create a temporary directory
cd tmp/extraordinaryverification

# now obtain the two update image tarballs
wget -c https://download.dfinity.systems/ic/69e1408347723dbaa7a6cd2faa9b65c42abbe861/guest-os/update-img/update-img.tar.zst https://download.dfinity.systems/ic/69e1408347723dbaa7a6cd2faa9b65c42abbe861/guest-os/update-img/update-img.tar.gz 

# calculate the sum of both, uncompressed
zcat update-img.tar.gz | sha256sum - ; zstdcat update-img.tar.zst | sha256sum -
# output ought to be identical for both commands, verifying they contain the same data when uncompressed
# e43d0638dd47afb08ba69f93769155fdd7842f74b912d1e5c05968bffea0de37  -
# e43d0638dd47afb08ba69f93769155fdd7842f74b912d1e5c05968bffea0de37  -

# verify sum of the supplied zstd-compressed tarball
sha256sum update-img.tar.zst
# update-img.tar.zst 972df53a4d2fac0279c237289e579b94d9ccbbd28a626e6dc734e10519467df8"
# will match the sha256_hex noted in https://dashboard.internetcomputer.org/proposal/126095

# release disk space after this verification step
rm -f update-img.tar.zst update-img.tar.gz
# return to previous directory
cd -

I apologize for this extraordinary circumstance. To err is human – I guess I was a bit extra human today .

@dmanu thank you for making this comment on the forum. It saved the CodeGov team from asking several questions. Everyone seemed to understand what happened based on your explanation.

Reviewers for the CodeGov project have completed our review of these replica updates.

Proposal ID: 126095
Vote: ADOPT
Full report: CodeGov portal on DSCVR

At the time of this comment on the forum there are still 2 days left in the voting period, which means there is still plenty of time for others to review the proposal and vote independently.

We had several very good reviews of the Release Notes on these proposals by @Zane, @cyberowl, @ZackDS, @massimoalbarello, and @ilbert. The IC-OS Verification was also performed by @Gekctek, @tiago89, and @jwiegley. I recommend folks talk a look and see the excellent work that was performed on these reviews by the entire CodeGov team. Feel free to comment here if you have any questions or suggestions.

@ZackDS made a few interesting observations in his review. Nothing in particular that was a question or concern, but he did provide some references to additional information that is directly related to the changes in several of the commits. It was interesting to see how he can connect changes to other information.

@ilbert left a few questions and comments on GitHub.
question about commit cb46ac4f0
question about commit 2bc3ec0a0
comment about commit e233f292d

@massimoalbarello left a few questions on GitHub.
question about commit 9514946d0
question about commit 13bafa584 - This question helped the change owner realize an update is still needed in this part of the code for slightly better accuracy.