[WIP] Problem: Validators cannot vote on proposals (BEP-18) #44
Conversation
vrde
force-pushed
the
stateful-upsert-validator
branch
3 times, most recently
from
64d9f6d
to
7684871
Compare
18/README.md
Outdated
|
|
||
| ## Rationale | ||
| <!--The rationale fleshes out the specification by describing what motivated the design and why particular design decisions were made. It should describe alternate designs that were considered and related work, e.g. how the feature is supported in other languages. The rationale may also provide evidence of consensus within the community, and should discuss important objections or concerns raised during discussion.--> | ||
| Another idea to implement this protocol is to use a multi signature transaction. |
There was a problem hiding this comment.
The Rationale section should explain why the above design was chosen rather than some other design. In this case, you should explain why a multi-signature transaction wasn't used.
There was a problem hiding this comment.
Yes, I'll add it soon.
18/README.md
Outdated
|
|
||
| ## Implementation | ||
| <!--The implementations must be completed before any BEP is given status "stable", but it need not be completed before the BEP is accepted. While there is merit to the approach of reaching consensus on the BEP and rationale before writing code, the principle of "rough consensus and running code" is still useful when it comes to resolving many discussions of API details.--> | ||
|
|
There was a problem hiding this comment.
You can say that this section can be filled in once there is an implementation.
18/README.md
Outdated
|
|
||
| An Election is a transaction representing the matter of change, and some Vote tokens. The Initiator issues a `CREATE` transaction with the `amount` set to the total number of Validators, and transfer one vote token per Validator using the transaction `outputs`. | ||
|
|
||
| At this point the Election starts. Independently, and asynchronously, each Validator can spend its Vote Token to an Election Address to show agreement on the matter of change. The Election Address is the `id` of the first `CREATE` transaction. Once a Vote Token has been transferred to that address, it is not possible to transfer it again, because there private key is not known. |
There was a problem hiding this comment.
I don't understand how you can transfer/spend an election token to the 'id' of a CREATE transaction. That will be a hash, but in BigchainDB, one transfers/spends outputs to public keys, not hashes.
There was a problem hiding this comment.
That's a tricky part I should explain more. Last night I wrote a note about that.
A public key can be generated from a private key, or initialized with 32 bytes (256 bits). The id of a transaction is a 256 bit long hash. So we can use ids as seeds to initialize a public key 🍾. I need to expand this section to explain this process. Maybe we can have a quick chat with @kansi and you. It can be an informal BEP, so it can be reused in other BEPs.
|
After discussing this spec with @vrde following issue should be addressed i.e. The |
18/README.md
Outdated
| "Election Address" | ||
| ] | ||
| } | ||
| ] |
18/README.md
Outdated
| 1. `type`: must contain the string `election`. | ||
| 2. `name`: name of the election. | ||
| 3. `version`: version number. | ||
| 4. `matter`: a human readable, short paragraph on the matter of change. |
There was a problem hiding this comment.
The field is not specified in the schema below.
18/README.md
Outdated
|
|
||
| ## Motivation | ||
| <!--The motivation is critical for BEPs that want to change the BigchainDB protocol. It should clearly explain why the existing protocol BEP is inadequate to address the problem that the BEP solves. BEP submissions without sufficient motivation may be rejected outright.--> | ||
| Changing the shape of a BigchainDB Network at runtime is an important requirement. While this BEP does not address this issue directly, it wants to solve the limitations we had with [Upsert Validators][BEP-3] by giving a tool that can be used this and other situations. |
There was a problem hiding this comment.
it wants to solve the limitations we had with [Upsert Validators][BEP-3]
I would add a more detailed explanation of the limitations.
As I see them:
- Since Validator Set changes are not themselves expressed as transactions but are included into the metadata of an arbitrary block, all the nodes have to add a validator simultaneously - if less than the majority of the nodes attempt to include a validator, the block fails. Not only the attempt to add a validator fails but all the transactions in the block have to go through the consensus process again. The proposed algorithm, on the other hand, consists of the individual transactions each node can verify without making itself a decision to include a validator.
- Nodes fail to replay the blocks committed by the validators they do not know yet. The
Invalid commit (last validator set size) vs (number of precommits)problem.
18/README.md
Outdated
|
|
||
| ## Motivation | ||
| <!--The motivation is critical for BEPs that want to change the BigchainDB protocol. It should clearly explain why the existing protocol BEP is inadequate to address the problem that the BEP solves. BEP submissions without sufficient motivation may be rejected outright.--> | ||
| Changing the shape of a BigchainDB Network at runtime is an important requirement. While this BEP does not address this issue directly, it wants to solve the limitations we had with [Upsert Validators (BEP-3)][BEP-3] by giving a tool that can be used this and other situations. BEP-3 addresses a really interesting use case: adding a Member to a running Network. Since changes in the Validator Set are not themselves expressed as transactions but are included into the metadata of an arbitrary block, all the nodes have to add a validator simultaneously—if less than the majority of the nodes attempt to include a Validator, the block fails and the whole Network can stuck. Since those changes are **not** stored in the blockchain itself, a new Node that needs to sync with the Network will fail in validating blocks from a specific *height* on. The *height* will match the one of the first block voted by a new Validator that was **not** included in the `genesis.json` file (and Tendermint will fail with `Invalid commit (last validator set size) vs (number of precommits)`). |
There was a problem hiding this comment.
.. whole Network can get stuck ..
18/README.md
Outdated
| @@ -15,7 +15,9 @@ This specification introduces the new concept of **Election**. An Election is an | |||
|
|
|||
| ## Motivation | |||
| <!--The motivation is critical for BEPs that want to change the BigchainDB protocol. It should clearly explain why the existing protocol BEP is inadequate to address the problem that the BEP solves. BEP submissions without sufficient motivation may be rejected outright.--> | |||
| Changing the shape of a BigchainDB Network at runtime is an important requirement. While this BEP does not address this issue directly, it wants to solve the limitations we had with [Upsert Validators][BEP-3] by giving a tool that can be used this and other situations. | |||
| Changing the shape of a BigchainDB Network at runtime is an important requirement. While this BEP does not address this issue directly, it wants to solve the limitations we had with [Upsert Validators (BEP-3)][BEP-3] by giving a tool that can be used this and other situations. BEP-3 addresses a really interesting use case: adding a Member to a running Network. Since changes in the Validator Set are not themselves expressed as transactions but are included into the metadata of an arbitrary block, all the nodes have to add a validator simultaneously—if less than the majority of the nodes attempt to include a Validator, the block fails and the whole Network can stuck. Since those changes are **not** stored in the blockchain itself, a new Node that needs to sync with the Network will fail in validating blocks from a specific *height* on. The *height* will match the one of the first block voted by a new Validator that was **not** included in the `genesis.json` file (and Tendermint will fail with `Invalid commit (last validator set size) vs (number of precommits)`). | |||
There was a problem hiding this comment.
all the nodes have to add a validator simultaneously—if less than the majority of the nodes attempt to include a Validator, the block fails and the whole Network can stuck. Since those changes are not stored in the blockchain itself
I would put it slightly differently:
- all the nodes have to agree on the validator set updates;
- if the majority agrees on the update, the majority can further post transactions but all other nodes who did not agree on the update get stuck.
If the network is small, there might be not enough nodes to form a majority and thus the whole network might be stuck but it's fine - it just reflects the disagreements between the nodes on the validator topic.
Since those changes are not stored in the blockchain itself, a new Node that needs to sync with the Network will fail in validating blocks from a specific height on.
They are actually stored in the blockchain. If the node does not accept the validator, this behaviour is expected. If the node does accept the validator, it needs to determine the height when to include it upon replay. Basically, that's the main problem the election approach solves - determines the height when to include the new validator.
18/README.md
Outdated
|
|
||
| ## Abstract | ||
| <!-- The abstract is a short (~200 word) description of the technical issue being addressed. --> | ||
| This specification introduces the new concept of **Election**. An Election is an asynchronous process that when successful triggers Network wide changes synchronously (i.e. at the same *block height*). An Election is started by any Validator in the Network, called **Initiatior**. The Election itself and all cast Votes are transactions, hence stored in the blockchain. This enables new Validators to replay Network changes incrementally, while syncing. |
There was a problem hiding this comment.
nit: maybe a , after successful, triggers network wide changes
18/README.md
Outdated
|
|
||
| ## Motivation | ||
| <!--The motivation is critical for BEPs that want to change the BigchainDB protocol. It should clearly explain why the existing protocol BEP is inadequate to address the problem that the BEP solves. BEP submissions without sufficient motivation may be rejected outright.--> | ||
| Changing the shape of a BigchainDB Network at runtime is an important requirement. While this BEP does not address this issue directly, it wants to solve the limitations we had with [Upsert Validators (BEP-3)][BEP-3] by giving a tool that can be used this and other situations. BEP-3 addresses a really interesting use case: adding a Member to a running Network. Since changes in the Validator Set are not themselves expressed as transactions but are included into the metadata of an arbitrary block, all the nodes have to add a validator simultaneously—if less than the majority of the nodes attempt to include a Validator, the block fails and the whole Network can stuck. Since those changes are **not** stored in the blockchain itself, a new Node that needs to sync with the Network will fail in validating blocks from a specific *height* on. The *height* will match the one of the first block voted by a new Validator that was **not** included in the `genesis.json` file (and Tendermint will fail with `Invalid commit (last validator set size) vs (number of precommits)`). |
There was a problem hiding this comment.
Maybe add a reference to BEP/19 here, I feel I can, understand the motivation more clearly when I understand whats happening in BEP/19 and over here it is kind of skimmed .
|
I have some concerns about implementing proposals and votes via assets compared to new transaction types. As of now:
Here I am trying to ponder about what we will face if we change either of those. Do we validate proposal transactions upon their placement? If yes, we need to put additional effort into implementing asset validation and we further restrict what users can put into their assets. If not, we lose the convenient feature of reporting about the invalid proposals early on. In any case, since assets are parts of transactions, introducing the election mechanism requires a new version of the transaction spec - it needs to be documented there that certain assets gain special treatment. Versioning itself poses another question - if we support multiversioned transactions, when do we increase the transaction version and when do we increment the election asset version? The whole topic is quite vague at the moment, but IMO those versions might be connected and we may end up writing validators that check for a cartesian product of transaction and asset versions to apply different validation. I understand the desire to build on top of what we already have but on the other hand network changes is a fundamental entity so it is worth making them first-class citizens of the system. I think, it's possible to implement and manage it both ways, but due to the abovementioned I am personally in favor of the new transaction types, like What do you think guys? |
|
I like the suggestion of @ldmberman to have two new transaction types (in addition to the current That would mean creating a new version of the BigchainDB Transaction Spec, i.e. v3, which I'm reluctant to do at this point in time, since BigchainDB 2.0 assumes v2 and BigchainDB 2.0 is almost in Beta. Maybe we can go with using v2 transactions, and special assets, for now (in BigchainDB 2.0). Then we will have time to do a proper design of v3 transactions. |
|
@ttmc a new transaction type is a backwards-compatible spec change so we can do |
ttmc
changed the title
|
I concur i.e. it would be good to solve this problem via new transaction types i.e.
This approach is much elaborate than the current one and its been already suggested that beta releases should be feature freezed so I don't think this approach can be implemented before stable release. So I see two options here,
@vrde @ttmc @ldmberman let me know which approach would be preferable. |
|
Insteand of rolling The implementation with |
The "BigchainDB Transactions Spec v2" allows |
@ttmc how do you decide what to include into the transaction spec? Why should the spec describe the special meaning of |
Solution: write a transactional election protocol.
vrde
force-pushed
the
stateful-upsert-validator
branch
2 times, most recently
from
3cb7f5f
to
a8ceb68
Compare
vrde
force-pushed
the
stateful-upsert-validator
branch
from
a8ceb68
to
ce94075
Compare
18/README.md
Outdated
| 9. Return true. | ||
| 2. If `asset.data.id` is **not** a valid Election, return. | ||
| 3. If the Election has less than ⅔ of positive votes, return. | ||
| 4. If the Election has been already implemented, return. |
There was a problem hiding this comment.
What do you think about replacing has been already implemented with already has more than ⅔ of positive votes, for clarity?
It would then expand into 3 bullet points instead of 2:
- If the Election including the current vote has less than ⅔ of positive votes, return.
- If the Election excluding the current vote has more than ⅔ of positive votes, return. It has been concluded already.
- If the Election excluding the current vote has less than ⅔ of positive votes and including the current vote has more than ⅔ of positive votes, conclude the election.
18/README.md
Outdated
|
|
||
| The basic idea is to formalize the concept of an Election storing its data in a [BigchainDB Transaction Spec v2][BEP-13]. | ||
| The basic idea is to formalize the concept of an Election storing its data in a [BigchainDB Transaction Spec v2 (BEP-13)][BEP-13]. |
There was a problem hiding this comment.
Should we mention the need for a new version of the transaction spec here?
18/README.md
Outdated
| "version": "2.0" | ||
| } | ||
| ``` | ||
| ### Constraints |
There was a problem hiding this comment.
I think, it makes sense to put this into the About Election finality section - the text there seems to be a perfect introduction into what we explain here.
|
|
||
| 1. Elections can have intersections. In other words, the following is possible: | ||
|
|
||
| ```election 1 creation height < election 2 creation height < election 1 conclusion height < election 2 conclusion height``` |
There was a problem hiding this comment.
I was not right about the intersections - in case 2 elections do not update the validator set, they can interleave even in the first approach. So, the second approach is just about surviving validator set updates.
18/README.md
Outdated
| 5. Each Validator is represented in `outputs`. | ||
| 6. Each entry in `outputs` can be spent by only one Validator, and the amount attached to it is equal to the power of that Validator. | ||
|
|
||
| **Note: any change in the Validator Set will make old Elections invalid.** |
There was a problem hiding this comment.
It seems to belong to the What is a valid Vote? section. The vote is valid if it transfers some vote tokens to a valid election and the validator set has not changed since the election was placed. Does it sound good?
There was a problem hiding this comment.
Side note:
The vote is valid if it transfers some vote tokens to a valid election and the validator set has not changed since the election was placed
The vote could be a valid vote even if it doesn't transfer to a valid election but to another (non) validator
Solution: write a transactional election protocol.