Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
permissioned bundle/contract-installation limits
See original GitHub issueWhat is the Problem Being Solved?
Under what circumstances should a new contract be installable on MN-1? We don’t want to admit a lot of unvetted code until a later stage, but we might still decide to install some new carefully-audited contracts during MN-1: how does the chain know what is ok and what is not?
When we switch to MN-2 and start to open it up, this mechanism will change. How?
There are a couple of separate aspects to this question:
- what policy do we want?
- how is this policy enforced?
- how will we execute a change in that policy?
Two implementation tools which come to mind are:
- a cosmic-swingset guard around the SwingSet.installBundle txn/message type
- this protects
controller.installBundle(), which is how a code bundle gets installed into the kernel and made available for zoe installation - anyone who can invoke this gets to consume significant storage space on the chain
- this could require the txn be signed by some hardcoded list of addresses, or by an account that has at least one magic “install” token
- this protects
- an ocap-style guard around
zoe~.install()- I think
installis on the Zoe public facet, making it widely-held - we could move it off that facet and restrict access to some other object, but then we need to implement that other object
- I think
In the long run, we may want to use deposits of some sort, or something to make sure the installer 1: is serious, and 2: is providing long-term benefit to the chain, both to compensate for the cost they’re imposing upon validators and their storage space. Paying a fee proportional to the size of the installed bundle (and remembering the perpetual storage obligation they’re purchasing) might be enough. Discouraging spam is important.
But fees are independent of our policy around permissioned/permissionless contracts, and the latter needs a concrete mechanism to be in place by MN-1.
Description of the Design
TBD
Security Considerations
We’ll rely upon this mechanism to protect the chain against malicious contracts that might seek to cause a chain halt, or to cause non-determinism and validator problems.
Test Plan
TBD
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
From our conversation today, it sounds like:
zoeobject, so a governance action can evaluate code that grants it to parties that did not have it beforehome.zoe(orhome.zoe1, TBD) object which goes through a forwarder that denies access to.installand.startInstancezoe, allowing that group to perform installs.installand.startInstanceI want to make sure that the MN-3 transition doesn’t require a
forloop over millions of user objects: it should only change one forwarder’s behavior. I think that means users should gethome.zoeinstead ofhome.zoe1, despite the potential confusion of “but it sayszoe, why doesn’t it provide all of Zoe’s methods?”.@erights , @dtribble suggests another approach to this issue:
I suppose part of my hesitation to consider it is the amount of tests and docs such that it would impact.
That effort seems better directed at Zoe 2.