WIP: Software upgrade spec

[jaekwon]

This spec proposal requires a new SoftwareUpgradeKeeper because the mechanics of that keeper should be different than the governance keeper.

For example, only validators can "vote" (though it should be automatic), and the acceptable values are not yes/no/abstain/veto, but the specific commit hash that the validator already upgraded to.

[codecov]

Codecov Report

Merging #2116 into develop will increase coverage by 1.03%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #2116      +/-   ##
===========================================
+ Coverage    63.83%   64.86%   +1.03%     
===========================================
  Files          113      115       +2     
  Lines         6684     6863     +179     
===========================================
+ Hits          4267     4452     +185     
+ Misses        2133     2127       -6     
  Partials       284      284

[rigelrozanski]

what is "sufficient" here? kind of ambiguous should probably have a number of reference to a governance param or something.

[gamarin2]

+1. Something not too close to 2/3rd so we don't risk halting on switch if a couple of validators go off

[cwgoes]

Agreed, also we should clarify a bit how the new logic kicks in - conditionals in the code, for now?

[rigelrozanski]

What about the cosmos forum? - Is the idea that discussion moves from the forum then onto github for the implementation discussion?

[cwgoes]

I think this is just referring to code links (@jaekwon)?

[jaekwon]

code links, signatures, everything but discussions.

[rigelrozanski]

isn't it required that full nodes upgrade as well? - I mean if they don't upgrade they just risk not being able to run transactions

[cwgoes]

Depends on the upgrade (e.g. with an upgrade which strictly reduces the set of valid transactions, they don't really need to upgrade).

In most cases they'll need to, the node should warn the user.

[rigelrozanski]

w/ -> with ?

[gamarin2]

Should we have some slashing logic for validators that did not submit the message to the SoftwareUpgradeKeeper in case the quorum isn't met?

[cwgoes]

I think this could be a good idea.

[gamarin2]

Slashing would only occur if 1/3 < number of validator that signalled < quorum when deadline is met, i.e. we don't slash if less than a third of validators signalled. cf #2116 (comment)

[gamarin2]

+1. Something not too close to 2/3rd so we don't risk halting on switch if a couple of validators go off

[gamarin2]

Contingencies

[gamarin2]

I guess the keeper also ensures that validator can only signal a single version to a keeper? (1 to 1 map)

[gamarin2]

Confusing to place that here ("following template:" should be immediately followed by said template)

[cwgoes]

I think this is just referring to code links (@jaekwon)?

[cwgoes]

Depends on the upgrade (e.g. with an upgrade which strictly reduces the set of valid transactions, they don't really need to upgrade).

In most cases they'll need to, the node should warn the user.

[cwgoes]

To get accepted or to pass the SoftwareUpgradeKeeper quorum requirement? What if two proposals are accepted but the latter passes the quorum first?

[cwgoes]

We could have a second accepted proposal reset the SoftwareUpgradeKeeper, useful if a proposal is passed and validators start upgrading but discover an issue.

[gamarin2]

Oh! This gives me an idea.

Maybe we don't need a second proposal, but just the ability for individual validators to reset/cancel their entry in the keeper's map. A proposal won't pass if the quorum is not met. The only problem then is slashing, but we could have the slashing condition require a minimum quorum. Like if less than a third of validators signal, noone gets slashed.

Only if 1/3 < number of validators that signalled < Switch-triggering quorum and deadline is met do we slash validators that did not signalled.

[cwgoes]

But with their delegators' stake, presumably, which could be redelegated? How are these votes tallied?

[cwgoes]

I think this could be a good idea.

[cwgoes]

Agreed, also we should clarify a bit how the new logic kicks in - conditionals in the code, for now?

[cwgoes]

Can we include a suggestion for signed authorship / endorsement, using ICS 030?

[cwgoes]

Can these be handled by the SoftwareUpgradeKeeper or are these just "suggested dependencies"?

[ValarDragon]

I don't think we should indicate the specific commit hash indicated on-chain, this ties us down to AIB's implementation being canonical. If we really want commit-hash, I think we should prefix it by "implementation name" then. But also there are other non-breaking changes I may want to include, but that would yield a different commit hash. Then I have to either lie, or not take in the non-breaking changes. Valid non-breaking changes include switching to your own fork of tendermint so you can upgrade your mempool, or change something about the peer rating mechanism.

[yutianwu]

A question here, how can we ensure that the version of software that upgraded to is identical to the version proposed because the proposal is not structured.

[ebuchman]

don't really understand this part - presumably the validator operator keys arent on the machine running the software and dont interact direct with the gaiad they just upgraded. so not clear to me how this should be automatic.

It does make sense that validators should publish something that indicates they upgraded. I'm wondering:

• what is our appetite for not having this extra trigger for now, just letting folks download the new software and have it do a switchover at some height
• shouldn't we do this extra confirmation step through some other means, like including it in votes or proposals, rather than this app-level extra tx?