docs: ADR 016 Removing Token Voting for Upgrades #1491
Conversation
evan-forbes
added
the
ADR
Co-authored-by: Rootul P <[email protected]>
Co-authored-by: Rootul P <[email protected]>
|
Co-authored-by: Rootul P <[email protected]>
evan-forbes
changed the title
|
|
||
| ## Context | ||
|
|
||
| Standard cosmos-sdk based chains are sovereign and have the ability to hardfork, but the current implementation makes heavy use of onchain token voting. This bypasses social consensus, one of the core principles of Celestia. After a proposal is submitted and crosses some threshold of agreement, the halt height is set in the state machine for all nodes, and validators are expected to switch binaries after the state machine halts the node. The ultimate security, ruleset, and result of that ruleset rests solely on the shoulders of node operators, not validators or token holders. Therefore we are seeking a solution that engraves social consensus into the implementation itself. |
There was a problem hiding this comment.
Token voting doesn't actually bypass social consensus. It is still only a coordinating mechanism that forces nodes to halt at an agreed upon height (kind of like a difficulty bomb). There is no enforcement of what the next binary could be.
There was a problem hiding this comment.
You are correct that people can always use which ever binary they choose, which is what the first part of the sentence was attempting to address.
Standard cosmos-sdk based chains are sovereign and have the ability to hardfork,
but the upgrade module does put a loose blocker to this by stopping binaries that don't match the version and the point of the onchain mechanism is to use token voting to decide. Meaning that the social contract is to do whatever token voting determines, which is not the social contract that celestia wants to adhere to.
There was a problem hiding this comment.
I understand avoiding the term bypass and will try to find a different word
There was a problem hiding this comment.
updated, and I tried to focus on difference in social contract more
| Given that we don't have a lot of time until mainnet, we could leave the current implementation in place which gives us the option to use it if needed. Ideally, we would work on the longer term upgrade mechanism that respects social consensus and finish it before the first upgrade. While this option does allow for maximum flexibility, it is also very risky because if the mechanism is ever needed or used, then it could set a precedent for future upgrades. | ||
|
|
||
| ### Option 2: Removal of token voting for upgrades | ||
| The goal of this approach is to force social consensus to reach an upgrade instead of relying on token voting. It works by simply removing the current upgrade module. This way, the only way to upgrade the chain is to agree on the upgrade logic and the upgrade height. |
There was a problem hiding this comment.
Might be helpful to expand on what the upgrade mechanism would be. Given that we've decided to use a single binary sync which basically enables rolling upgrades, operators can update their binaries ahead of time and a height is embedded in the binary which indicates when to switch to the next state machine.
Co-authored-by: Callum Waters <[email protected]>
|
I have some offline updates that I still want to push, just been busy or ooo, apologies for any delay |
|
before merging, we should also understand how ibc uses the upgrade module. we might only want to remove the ability for the gov module to use the upgrade module, and then incorporate the existing upgrade management into social upgrades #1014 |
|
So the idea now is that the upgrade module still remains but we remove the proposal handler and the messages (do we even need to remove the messages if only governance can call this?). I still think it's important that we clarify how, after these changes, a chain would expect to upgrade else this ADR feels incomplete. |
That's fair, we can postpone merging this one until ADR018 is finished, as I think that topic requires an entire separate ADR. Or perhaps we could just move the relevant portions of this ADR into that one and only merge that ADR. |
My personal view is that these shouldn't be considered two separate decisions but one |
|
that makes a lot of sense! iirc per sync discussion this ADR was initially separate because we just wanted to explore what a difficulty bomb and removing the upgrade module would look like before we discussed it during the onsite, but wanted to wait on upgrades. I'll close this ADR for now, and we can update ADR018 to ADR016 |
Overview
rendered
TLDR; just remove the upgrade module and do this
closes #1477
Checklist