Voting is open for a new IC release - bf81563

Hello there!

we are happy to announce that voting is now open for a new IC release .
The NNS proposal is here: IC NNS Proposal 75109.

There are lots of exciting new features and bugfixes. Here is a more complete list of changes:

* Consensus: Set CanisterHttp timeout to 1 minute
* Consensus: Use Eddsa in CanisterHttp
* Crypto: Add a crate implementing the getrandom workaround for wasm32-unknown-unknown
* Crypto: Add a public crypto crate supporting extended BIP32 derivation
* Crypto: Add serialization and stability tests for NI-DKG
* Crypto: Enabling remote CSP vault.
* Crypto: Fix aggregation and verification of BasicSignatureBatch to reject empty signatures
* Crypto: Move the FS NI-DKG tests from src to tests
* Crypto: Remove ECDSA Wycheproof test crate
* Execution: Add an enum to differentiate between replicated and non-replicated callback execution
* Execution: Bitcoin: Make parsing pages safer
* Execution: Refactor canister effective id for Request
* Execution: add `subnet_size` to `idle_cycles_burned_rate`
* Execution: add `subnet_size` to `ingress_induction_cost`
* Execution: add `subnet_size` to the rest of `cycles_account_manager` functions
* Message Routing: Do not remove latest certified state
* Message Routing: Fix potential race condition for getting certified state
* Message Routing: Introduce deadlines for requests in output queues.
* Networking: Add support for outbound firewall rules, add automatic output deny-listing for the ic-http-adapter
* Networking: Don't exit the accept loop if OS error occurred for a single TCP stream
* Networking: Make the BodyReceiveService receive a service with infallible error
* Networking: Merge on_disconnect and retry_connection
* Networking: Move the functions for creating replica and normal loggers for tests in a separate crate
* Networking: Remove the SendError as part of the event handler response
* Networking: Temporarily move canister_http tests to staging.
* Node: Retry LV/VG creation operations
* Orchestrator: Add ic-recovery input parameter for source ECDSA subnet id
* Orchestrator: Assert version is proper
* Orchestrator: Extract functionality into registry_helper
* Runtime: Add paused/aborted install code tasks
* Runtime: Avoid panics when applying canister state changes
* Runtime: Calculate total memory before taking the canister out
* Runtime: Move the task queue to the system state
* Runtime: Persist canister task queue in checkpoint
* Various tech-debt management: code refactoring, docs, bug fixes, test updates

And a complete list of changes can of course be found on GitHub.
Please reply to this message if you have any questions or comments.


What do we expect to use this for?

What do we expect to use this for?

The HTTP adapter is a separate process that makes outbound HTTP calls as part of the Canister HTTP requests feature. It runs with its own user, ic-http-adapter. This change is intended to prevent canisters from making HTTP calls to IC nodes. The firewall on the source node will reject such connections and an error will be returned to the canister.

Will be blocked? In other words, can the IC call itself?(use case: a canister has an I thermal t-ecdsa identity that wants to submit messages to the ic via an http request instead of calling canisters directly.) will not be blocked. Canisters can call the IC, but it will go through the boundary nodes.