Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modify IBC client governance unfreezing to reflect ADR changes #8405
Modify IBC client governance unfreezing to reflect ADR changes #8405
Changes from 36 commits
a654f27
9aa500c
51b5001
a47dbbb
73b2821
8d27dcf
fcb97ff
0e93fb6
bbd6d26
0282996
ce4fe37
c4cb7de
a7ef263
d15f901
0c6d98d
fa28622
4c6688c
a041987
eefccd5
a5bc8d5
861b1cb
908e5a0
51905db
c74a5af
dbe1341
0c96f99
0fda643
f17b5e5
e141f19
18b82ba
2369e07
bc6a359
2b55583
ef2fb8a
c9bca48
6a96b6d
78d04f4
20b7a5d
696b5f2
0d60013
b14ea6c
bbb4acf
10dfe43
1edf9ab
eb5823c
e01e8c5
1869fbd
84ebde6
912fdf5
613cf69
b7834c6
1ba2c3d
9fae3ce
26837e2
a5c09a7
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand this sentence, what is the relation? Do you mean that the security model would be the same?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I was just trying to refer to the security model outlined in the ADR. Why this feature is safe and why it requires a governance proposal. Is there a way I could clarify this better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"a quorum validators can sign arbitrary state roots which may not be valid executions of the state machine"
something like this is clearer I think
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be two separate paragraphs since they're two separate situations?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is two separate situations? I was intending to show that unplanned upgrades results in client expiry
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also don't understand the question
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, do you mean that they could be expired just because no headers have been submitted even if there was no unplanned upgrade?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that should be clarified.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The case when a light client is expired is a different situation from when the chain undergoes an unplanned upgrades.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated to separate general expiry from expiry due to unplanned upgrade by the counterparty chain
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the cases where the client is frozen or had an unplanned upgrade, there may be many clients of the counterparty chain that are now non-updatable. The proposal should be able to specify multiple
subject-client-ids
as a string array. So that a single proposal can unfreeze all clients of the chain in question.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree this seems practical, but I have some concerns:
As I stated below, I think the trusting period needs to remain the same. It seems unlikely to me that there would exist identical clients that both need to be updated, since if they are identical, only 1 is needed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be
repeated string
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought of trying to enforce subject and substitute client types being equal here but just doing
ClientType()
doesn't add any more security from a malicious light client implementation, and if the light client implementation is malicious, it could just mess with other clients of its own type.It is up to governance never to pass a vote where the subject belongs to a malicious light client implementation. Ideally, best practice (which I will document/recommend) would be to create an entirely new substitute client after the subject became frozen/expired. This way no other connection/channels are relying on the substitute.