Write Ahead Log & Rebroadcast #392
Comments
An alternative is to wait an instance. That is, always consider the latest finality certificate as "pending" until one has been built on top of it. We can do this safely due to the power table lookback. The network would have to be willing to "switch" decisions while the latest instance is still pending. This lookback won't be completely transparent to the client, but shouldn't be that hard to implement.
We discussed this in person. The alternative is not a good solution because we don't have a hash link (and even the existence of that additional finality certificate has serious consequences).
We still need a way to restart an instance halfway through, which is going to require some work.
* Remove manifest versions

This also allows us to re-config without re-bootstrap (by restarting the local F3 instance). This is only safe for non-consensus parameters and will be horribly unsafe until we fix #392. Also:
- Removes reliance on hashing JSON; relies on the network name and manual equality checks.
- Removes versions. We now expect the version to be explicitly specified in the network name.
- Starts message sequence numbers at the current time so we don't need to save them.
- Removes the EC from the dynamic manifest provider as it's unused.
- Tests.

fixes #468

* additional equality test
* send updates whenever the manifest changes
Punting to M2 because this isn't absolutely required for testing.
We've implemented limited rebroadcasting to help lagging/restarting nodes catch up. However, if 66%+ of the network crashes after starting an instance but before sending a single decide message, the network could decide on two different values for the same instance.
A simple solution here is write-ahead logging. That is:
Of course, nothing will help if the actual disks die. But this will at least help us recover in case someone finds a way to crash the entire network all at once.
The specific attack I'm worried about is as follows: