Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

separate E(zoe).startInstance() authority from E(zoe).offer() #3725

Open
rowgraus opened this issue Aug 18, 2021 · 5 comments
Open

separate E(zoe).startInstance() authority from E(zoe).offer() #3725

rowgraus opened this issue Aug 18, 2021 · 5 comments
Labels
enhancement New feature or request security vaults_triage DO NOT USE Zoe package: Zoe

Comments

@rowgraus
Copy link

rowgraus commented Aug 18, 2021
edited by dckc
Loading

Description

In Mainnet1 and Mainnet2, we share E(zoe).offer() access widely, but until Mainnet3, we restrict access to E(zoe).startInstance(). This reminds us of rule # 1 of ocap design: separate authority should be on separate objects. Having both on the same zoe object is awkward.

Solution

E(zoe).startInstance() should be moved to a separate ocap returned from Zoe creation, and should be provided to appropriate services which are allowed to create other contracts as private arguments in their construction. (See #4395 for doing likewise with E(zoe).install().)
@rowgraus rowgraus added this to the Mainnet: Phase 1 - Treasury Launch milestone Aug 18, 2021
@rowgraus rowgraus added the Zoe package: Zoe label Aug 18, 2021
@Tartuffo Tartuffo added the MN-1 label Jan 20, 2022
@Tartuffo Tartuffo removed the MN-1 label Feb 7, 2022
@Tartuffo Tartuffo removed this from the Mainnet: Phase 1 - RUN Protocol milestone Feb 8, 2022
@dckc dckc mentioned this issue Feb 10, 2022
Closed
@rowgraus rowgraus removed their assignment Feb 11, 2022
@Tartuffo Tartuffo added this to the Mainnet 1 milestone Mar 23, 2022
@Tartuffo Tartuffo modified the milestones: Mainnet 1, RUN Protocol RC0 Apr 5, 2022
@dtribble
Copy link
Member

dtribble commented Apr 6, 2022

There are 15 uses of zcf.getZoeService() in the system. Only 2 appear to use that to create contract instances. Those contracts would need the additional contract creation object to be provided,

@dckc dckc added the pso label Aug 19, 2022
@dckc
Copy link
Member

dckc commented Aug 19, 2022
edited
Loading

hm... without REMOTE_WALLET privilege (for ag-solo), one can't do REPL nor deploy script stuff, so you can't provoke E(zoe).startInstance().

that is: in the PSM config (#6009), this is addressed by #5965.

@dckc dckc removed their assignment Aug 22, 2022
@Tartuffo Tartuffo removed the pso label Aug 26, 2022
@dckc dckc mentioned this issue Aug 28, 2022
Closed
@Tartuffo Tartuffo removed this from the Mainnet 1 RC0 milestone Sep 21, 2022
@ivanlei ivanlei added the vaults_triage DO NOT USE label Jan 17, 2023
@ivanlei
Copy link
Contributor

ivanlei commented Jan 23, 2023

from @Chris-Hibbert in slack

The issue is about removing some authority from the public I/F of Zoe in line with POLA expectations. That same functionality would need to be made available in other ways in order for us to continue to create new instances of contracts.
Up to at least MN2, the only contracts that need to be dynamically instantiated are probably for governance (ballot counter, e.g.).
But after MN2 or MN3, there will be other contracts that we'll want people to be able to make new instances of. We can wait until we need this to be available to settle on a design for "permissioned instantiation". (fees seem like an obvious choice, but I'll be we have other ideas.)

@dckc
Copy link
Member

dckc commented Jan 26, 2023

postponing as discussed in yesterday's Zoe meeting: #4395 (comment)

@dckc dckc added enhancement New feature or request security and removed MUST-HAVE labels Jan 26, 2023
This was referenced Jun 15, 2023
Closed
Open
@dckc
Copy link
Member

dckc commented Nov 9, 2023

where to track separating E(zoe).startInstance() authority from E(zoe).offer()?

Mainnet1 and Mainnet2 both require contract installation and instantiation to be approved as a result of governance.

True.

Those features must therefore be removed from the Zoe service object that is available in home and that is available via the zcf.getZoeService().

False. We found another way to control access to E(zoe).startInstance() while providing permissioned instantiation of contracts:

So the issue stated in the title here has been addressed.

But...

Rule # 1 of ocap design: separate authority should be on separate objects. Therefore, these operations [startInstance] should be moved to a separate ocap returned from Zoe creation

is still true. So we should address that, along with...

So I'm inclined to re-scope this issue to be about separating offer() access, which is shared widely, from startInstance() access, which is more closely held.

@dckc dckc changed the title Permissioned instantiation of contracts separate E(zoe).startInstance() authority from E(zoe).offer() Nov 9, 2023
@dckc dckc mentioned this issue Nov 9, 2023
Merged
@dckc dckc mentioned this issue Jan 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request security vaults_triage DO NOT USE Zoe package: Zoe
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@turadg @dckc @Tartuffo @dtribble @ivanlei @katelynsills @Chris-Hibbert @rowgraus