Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The Unbrick Collective #117

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

pandres95
Copy link

@pandres95 pandres95 commented Aug 24, 2024

Rendered document

Related to polkadot-fellows/runtimes#376, this RFC defines the process of constituting the collective and the mechanisms needed by the collective to fulfill its mission.

@burdges
Copy link

burdges commented Aug 24, 2024

An unbricking call could also issue assets of course. A parachain could turstile foreign assets, so that unbricking could only issue native assets, and steal wrapped foreign assets, but not issue foreign assets.

Yet, we've long envisioned synchronous privliged library calls, initially the SPREE idea by Gav or whoever, seemingly now folded into JAM. All these proposals exist firstly so that assets can be native on multiple parachains, so then unbricking could issue foreign assets in theory.

We've no alternatives of course, since staying bricked maybe worse, but unbricking could demand audits based upon usage of SPREE-like or JAM functionality. It's not necessarily assets either, so in general pallets or whatever should document their security concerns, and unbricking should review these. You'd expect mostly they say nothing, but in general you would not be permitted to say roll back your own DOT SPREE state to a known good state.

A parachain could've a maximum block gap configuration so the parachain itself could respond to the unbricking calls. If a parachains wants one block every six seconds, then maybe they want to unbrick within minutes. If a parachain makes one block every 24 hours, then maybe they require days.

@xlc
Copy link
Contributor

xlc commented Aug 26, 2024

Maybe worthwhile to mention that:

Before this change, a parachain will be one of two state: unlocked (para manager essentially have sudo permission), or locked (para manager don't have any permission).

After this change, a parachain will be one of three state: unlocked, locked, and managed by Unbrick Collective. The new state sets between fully centralized (controlled by one account or wasm), fully decentralized (only controlled by the wasm). The chain is controlled by the wasm or the Unbrick Collective + OpenGov. The goal is trying to find the right balance between fully centralized (bad) and fully decentralized (inefficient).

Another thing is that on how to determine if a parachain is bricked. With the old parachain slot model, it is relatively easy that we can assume if no block is produced for sufficiently long time, there must be something wrong. However this heuristic no long works with core time model. So maybe we need a mechanism like @burdges suggested that when a parachain opt-in, it should also set how many blocks are required to consider the parachain is bricked.

@burdges
Copy link

burdges commented Aug 26, 2024

We'd maybe want declared estimates for how often parachains make blocks elsewhere, like in some flavours of off-chain messaging. If so, we might make this number mandatory even for parachains who do not join the unbrick colelctive, or maybe that's a slightly different number, but regardless that's future work.


I'll clarify my comments above:

In future, we'll have functionality that's more sensitive than a parachains own code, so an unlocked/sudo parachain could use such functionalities, but could not change the code or state of that functionality. The unbrick collective might be similarly limited, or maybe not, depending upon how its ellections work in practice.

Initially, I'd suggest the unbrick collective be limited to what sudo does, meaning it cannot touch SPREE-like code or state. We'd consider strengthening the unbrick colelctive if the ellections are polkadot wide and seems strong like our original faster pre-opengov governance (unlikely). We've no difference anyways right now, since we do not yet have SPREE, JAM, etc, so this could be discussed once those come into being.

In other words, my SPREE comments do not propose changing this RFC per se, except maybe notes in the seeding section and/or Unresolved Questions.

Auditing requirements provides another option, which slows everything down, but nothing like the opengov slowdown. At the extreme, auditors could be selected at random after the new code & state were proposed, almost like running the machine elves protocol or the sampling beefy off-chain among humans, but that's likely too complex. It's also possible parachains themselves would want auditing before unbricking, beyond merely the delay.

Auditing could be defined by some future RFCs which would maybe take things in other directions, like maybe parachains want auditing for regular upgrades, etc. In other words, my auditing comments do not propose changing this RFC per se, except maybe notes in Unresolved Questions.

damage to the parachain and users.

Finally, other instances of governance that might enact a call using the `Root` origin (like the
Polkadot Fellowship), due to the nature of their mission, are not fit to carry these kind of tasks.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sentence is too hard to parse. It's they're too busy, right?

Copy link
Author

@pandres95 pandres95 Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessarily. It's just a matter of mission and scope. 😅

Same case with the Unbrick Collective: it's scope would be providing assistance to para teams which need help unbricking their para, not helping teams design their newest runtime version, or auditing code (in which case, your suggestion of an auditing collective sounds great).

Adhering to a single responsibility principle sometimes can be in the best interest of decentralisation.

@pandres95 pandres95 marked this pull request as ready for review October 15, 2024 05:04
@pandres95 pandres95 requested a review from burdges October 15, 2024 05:12
Copy link
Contributor

@bkchr bkchr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looking good. Left some ideas around improvements/questions.

text/0117-unbrick-collective.md Outdated Show resolved Hide resolved
text/0117-unbrick-collective.md Outdated Show resolved Hide resolved
- Any other requirements to become a member?
- We would like to keep this simple, so no funding support from the Polkadot treasury. But do we
want to compensate the members somehow? i.e. Allow parachain teams to donate to the collective.
- We hope SPREE/JAM would be carefully audited for miss-use risks before being
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get what you want to say with this point.

- What are the parameters for the `WhitelistedUnbrickCaller` track?
- Any other methods that shall be updated to accept `Unbrick` origin?
- Any other requirements to become a member?
- We would like to keep this simple, so no funding support from the Polkadot treasury. But do we
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO most of the members should be from different parachain teams. This way it is a quid-pro-quo in longterm.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But depending on their involvement they could maybe get retroactive payment for helping with a certain fix.

para.

Initially, the unbrick collective has powers similar to a parachains own sudo, but permits more
decentralized control. In the future, Polkadot shall provide functionality like SPREE or JAM that
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get the JAM part. Even in JAM this could be build into the parachain service to be have the unbrick collective.

decentralized control. In the future, Polkadot shall provide functionality like SPREE or JAM that
exceeds sudo permissions, so the unbrick collective cannot modify those state roots or code.

### The Unbrick Process
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this should still require that the chain is actually bricked, aka not producing blocks. When the chain enables the unbrick collective it could for example pass a time out after which the chain is seen as "bricked".

@anaelleltd anaelleltd added the Proposed Is awaiting 3 formal reviews. label Oct 15, 2024
pandres95 and others added 3 commits October 24, 2024 11:08
@pandres95 pandres95 requested a review from al3mart October 24, 2024 16:10
@burdges
Copy link

burdges commented Oct 25, 2024

Indirectly related but.. paritytech/polkadot-sdk#5588

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposed Is awaiting 3 formal reviews.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants