Hello there!

we are happy to announce that voting is now open for a new IC release.
The NNS proposal is here: IC NNS Proposal 110724 .

Here is a summary of the changes since the last release:

• [21d3a113d] Consensus: feat: Add proposal to update elected replica versions
• [553942cd1] Consensus: fix: Purge Inmemory states also while recomputing
• [ccdbfd2cd] Consensus: fix: Improve alerts & logging for ECDSA
• [b0b1493de] Crypto: feat: provide standalone crate to verify ingress messages
• [d294bbc05] Execution: chore: Improve error message when there is not enough capacity for Wasm sections
• [ce6bc6fab] Execution: fix: Add cycles consumed in apply_cycles_debit() to consumed_cycles_since_replica_started, and make cycles_debit less generic
• [0150589b5] Execution: fix: Include Wasm Custom Sections to subnet memory limits
• [fa47a46bc] Execution: perf: Optimize Scheduler::inner_round by caching heartbeat/timer method lookups in ExportedFunctions
• [6f75ab310] Message Routing: fix: Reintroduce is_already_exists_err and return LayoutError::AlreadyExists when rename fails
• [cb2f8bec0] Networking: [Observability Canister] [6/N] Send canister message
• [ba3e56a14] Networking: chore: Make the build method of the processor to return ArtifactManagerBackendImpl
• [87eb51bc9] Networking: chore: Simplify current_time_and_expiry_time() to expiry_time_from_now()
• [04bbcba30] Networking: chore: don’t use a setup callback, pass the objects directly in the constructor
• [5471210e3] Networking: chore: improve naming
• [398cffbe3] Networking: chore: make the build function of the handlers free
• [f51b37970] Networking: chore: move the ArtifactManagerBackend trait and impl into the manager module
• [066a9b3aa] Networking: chore: reduce type complexity
• [79186af69] Networking: chore: remove unused get_remaining_quota and return a default priority function instead of none
• [25c58da1f] Node: (Mostly) Use generic bootloader on SetupOS and HostOS - Fixes grub bootloader failure in HostOS.
• [9bb8f35cc] Node: Add libusb dependency to hostOS and CI builder
• [ced285287] Node: Fix docker build output parsing - was preventing several build processes from completing.
• [378652c38] Node: Fix for failing SetupOS SEV-SNP check - was preventing installation on Gen2 nodes.
• [875da2ac8] Node: Fixes for pseudo-HSM flow. NitroKey is now optional. Documentation forthcoming.
• [d5499405d] Runtime: Add heap memory benchmarks
• [84bba776c] Runtime: Add iteration to report’s label
• [f51f354ba] Runtime: Don’t pass certificate when calling other canisters in composite queries
• [e12cedb3d] Runtime: Handle all inputs in count clean pages function
• [965774554] Runtime: chore: Create exported globals function
• Various tech-debt management: code refactoring, docs, bug fixes, test updates

IC-OS Verification

To build and verify the IC-OS disk image, run:

# From https://github.com/dfinity/ic#building-the-code
# This process requires Mac/Linux/WSL2, Git and Podman on your machine.
git clone https://github.com/dfinity/ic
cd ic
git fetch origin
git checkout e4843a130730f515cf342d6b3ffa7191529a9df0
if ./gitlab-ci/container/build-ic.sh -i ; then
    wget -c https://download.dfinity.systems/ic/e4843a130730f515cf342d6b3ffa7191529a9df0/guest-os/update-img/update-img.tar.gz
    shasum -a 256 artifacts/icos/update-img.tar.gz update-img.tar.gz
else
    echo "IC-OS build failed. Verification unsuccessful." >&2
fi

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

Hey @sat

The sha256 sums match in all 3 locations, but I had to run it twice because the first time the sha256 sum from the file retrieved with the wget command didn’t work. The latest file didn’t download since I already had a file with the same filename in my folder. I had to manually delete the previous update-img.tar.gz file from my ./ic/ folder and run the script again. Do you mind modifying the script to either automatically delete the file or overwrite the file if it exists?

Also, in the first sentence of this post you indicated that this proposal for IC release e4843a1 is proposal 108153. That’s the wrong proposal number. IC release e4843a1 is submitted with proposal 110724.

image1207×1011 94.8 KB

Here is the result before I deleted the update-img.tar.gz file from my ./ic/ directory. The message says “nothing to do” because the “file is already fully retrieved”. The corresponding file in the artifacts folder has a sha256 sum consistent with the payload of the proposal, so that was further evidence that the problem was not likely to be related to the build on the ic replica.

image1217×483 24.7 KB

Thanks for the comment and for the work on checking the build @wpb .
These posts are still manually created so some copy&paste errors happen from time to time. We do plan to switch to automatic posts, so this class of problems (a link points to an old proposal) will go away. In the meantime I manually updated the link, thanks for spotting and reporting this!
Regarding the other issue you reporter, I suppose the part that is missing is

wget -c https://download.dfinity.systems/ic/e4843a130730f515cf342d6b3ffa7191529a9df0/guest-os/update-img/update-img.tar.gz

which doesn’t re-download because you already had an existing file from a previous verification.
I’ll change that to curl -LO which should behave as expected but please confirm that I understood correctly.

Thanks!

Hi all!
We submitted proposal 111724 for a security update on top of e4843a1 . The security update will be applied to all subnets and after that the changes from the security update will be shared publicly, in accordance with the Security Patch Policy and Procedure that was adopted in proposal 48792.
The community will be able to retroactively verify the binaries that were rolled out. The instructions for doing this are in the proposal summary.