Ability to verify supervisor and lockdown bundles on chain start #9644

Open
mhofman opened this issue Jul 2, 2024 · 1 comment
Labels
cosmic-swingset package: cosmic-swingset enhancement New feature or request liveslots requires vat-upgrade to deploy changes xsnap the XS execution tool

Comments


mhofman commented Jul 2, 2024

What is the Problem Being Solved?

When upgrading chain software, validators re-install and rebuild the SDK. If anything doesn't happen as expected, we should prevent the chain software from starting instead of failing later. See #8471

One place where we fail this early check is with supervisor and lockdown bundles. The bundles are only sampled from source when a vat is created or upgraded, which results in their insertion into the DB. That insertion (and the resulting vat heap snapshot) will cause a divergence of the state if the bundle is not the one that is expected. This divergence happens after a commit and is very expensive to recover from (restore from previous snapshot).

Description of the Design

Include the expected hash of the bundle in the source tree, and have a check to verify that the current bundle's hash matches the expected value on chain software start.

This would result in a package version bump for every transitive dependency change that affects the bundle, which is a benefit (hash change without version change is somewhat surprising).

It would make dependency changes of agoric-sdk more costly as it's one more thing in the source that needs to be updated (we already have some test output snapshots that change in these cases). This can be addressed with maintainer instructions and scripts.

Security Considerations

None

Scaling Considerations

None

Test Plan

While existing integration tests would trigger this new check, we need a new targeted test that verifies the built bundle matches the hash in source control, in order to raise a clear and early error when the hash gets out of sync.

Upgrade Considerations

New check to prevent misapplied upgrade.

@mhofman mhofman added enhancement New feature or request cosmic-swingset package: cosmic-swingset xsnap the XS execution tool liveslots requires vat-upgrade to deploy changes labels Jul 2, 2024

warner commented Oct 9, 2024

We have a lot of checks to guard against agoric-sdk mismatches already. This is a nice-to-have but is probably only going to catch seriously weird things, so we're assigning a low priority.

It might have overlap with the worker-v1 ideas, where the tagged/released/NPM-uploaded versions of the supervisor package should have a 1:1 relationship with the bundle contents+hash.
