-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The Unbrick Collective #117
base: main
Are you sure you want to change the base?
Conversation
a8b44b7
to
f383a54
Compare
An unbricking call could also issue assets of course. A parachain could turstile foreign assets, so that unbricking could only issue native assets, and steal wrapped foreign assets, but not issue foreign assets. Yet, we've long envisioned synchronous privliged library calls, initially the SPREE idea by Gav or whoever, seemingly now folded into JAM. All these proposals exist firstly so that assets can be native on multiple parachains, so then unbricking could issue foreign assets in theory. We've no alternatives of course, since staying bricked maybe worse, but unbricking could demand audits based upon usage of SPREE-like or JAM functionality. It's not necessarily assets either, so in general pallets or whatever should document their security concerns, and unbricking should review these. You'd expect mostly they say nothing, but in general you would not be permitted to say roll back your own DOT SPREE state to a known good state. A parachain could've a maximum block gap configuration so the parachain itself could respond to the unbricking calls. If a parachains wants one block every six seconds, then maybe they want to unbrick within minutes. If a parachain makes one block every 24 hours, then maybe they require days. |
Maybe worthwhile to mention that: Before this change, a parachain will be one of two state: unlocked (para manager essentially have sudo permission), or locked (para manager don't have any permission). After this change, a parachain will be one of three state: unlocked, locked, and managed by Unbrick Collective. The new state sets between fully centralized (controlled by one account or wasm), fully decentralized (only controlled by the wasm). The chain is controlled by the wasm or the Unbrick Collective + OpenGov. The goal is trying to find the right balance between fully centralized (bad) and fully decentralized (inefficient). Another thing is that on how to determine if a parachain is bricked. With the old parachain slot model, it is relatively easy that we can assume if no block is produced for sufficiently long time, there must be something wrong. However this heuristic no long works with core time model. So maybe we need a mechanism like @burdges suggested that when a parachain opt-in, it should also set how many blocks are required to consider the parachain is bricked. |
We'd maybe want declared estimates for how often parachains make blocks elsewhere, like in some flavours of off-chain messaging. If so, we might make this number mandatory even for parachains who do not join the unbrick colelctive, or maybe that's a slightly different number, but regardless that's future work. I'll clarify my comments above: In future, we'll have functionality that's more sensitive than a parachains own code, so an unlocked/sudo parachain could use such functionalities, but could not change the code or state of that functionality. The unbrick collective might be similarly limited, or maybe not, depending upon how its ellections work in practice. Initially, I'd suggest the unbrick collective be limited to what sudo does, meaning it cannot touch SPREE-like code or state. We'd consider strengthening the unbrick colelctive if the ellections are polkadot wide and seems strong like our original faster pre-opengov governance (unlikely). We've no difference anyways right now, since we do not yet have SPREE, JAM, etc, so this could be discussed once those come into being. In other words, my SPREE comments do not propose changing this RFC per se, except maybe notes in the seeding section and/or Unresolved Questions. Auditing requirements provides another option, which slows everything down, but nothing like the opengov slowdown. At the extreme, auditors could be selected at random after the new code & state were proposed, almost like running the machine elves protocol or the sampling beefy off-chain among humans, but that's likely too complex. It's also possible parachains themselves would want auditing before unbricking, beyond merely the delay. Auditing could be defined by some future RFCs which would maybe take things in other directions, like maybe parachains want auditing for regular upgrades, etc. In other words, my auditing comments do not propose changing this RFC per se, except maybe notes in Unresolved Questions. |
damage to the parachain and users. | ||
|
||
Finally, other instances of governance that might enact a call using the `Root` origin (like the | ||
Polkadot Fellowship), due to the nature of their mission, are not fit to carry these kind of tasks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sentence is too hard to parse. It's they're too busy, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not necessarily. It's just a matter of mission and scope. 😅
Same case with the Unbrick Collective: it's scope would be providing assistance to para teams which need help unbricking their para, not helping teams design their newest runtime version, or auditing code (in which case, your suggestion of an auditing collective sounds great).
Adhering to a single responsibility principle sometimes can be in the best interest of decentralisation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally looking good. Left some ideas around improvements/questions.
- Any other requirements to become a member? | ||
- We would like to keep this simple, so no funding support from the Polkadot treasury. But do we | ||
want to compensate the members somehow? i.e. Allow parachain teams to donate to the collective. | ||
- We hope SPREE/JAM would be carefully audited for miss-use risks before being |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't get what you want to say with this point.
- What are the parameters for the `WhitelistedUnbrickCaller` track? | ||
- Any other methods that shall be updated to accept `Unbrick` origin? | ||
- Any other requirements to become a member? | ||
- We would like to keep this simple, so no funding support from the Polkadot treasury. But do we |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO most of the members should be from different parachain teams. This way it is a quid-pro-quo in longterm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But depending on their involvement they could maybe get retroactive payment for helping with a certain fix.
para. | ||
|
||
Initially, the unbrick collective has powers similar to a parachains own sudo, but permits more | ||
decentralized control. In the future, Polkadot shall provide functionality like SPREE or JAM that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't get the JAM part. Even in JAM this could be build into the parachain service to be have the unbrick collective.
decentralized control. In the future, Polkadot shall provide functionality like SPREE or JAM that | ||
exceeds sudo permissions, so the unbrick collective cannot modify those state roots or code. | ||
|
||
### The Unbrick Process |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO this should still require that the chain is actually bricked, aka not producing blocks. When the chain enables the unbrick collective it could for example pass a time out after which the chain is seen as "bricked".
Co-authored-by: Alejandro Martinez Andres <[email protected]>
Co-authored-by: Bastian Köcher <[email protected]>
Co-authored-by: Bastian Köcher <[email protected]>
Indirectly related but.. paritytech/polkadot-sdk#5588 |
Rendered document
Related to polkadot-fellows/runtimes#376, this RFC defines the process of constituting the collective and the mechanisms needed by the collective to fulfill its mission.