Security Review Period for Hardfork Roadmap

Tags: roadmap, istanbul, security

#1

I’ve added a section to the Istanbul Roadmap page on the Ethereum wiki proposing a security review period for proposed Core EIPs.

This means having some people do security reviews, which might mean engaging external auditors. But it also means communication around the Core EIP proposals that are effectively in Last Call, focused on security issues: pay attention, have a look, does this impact your current or future use cases?

I’ve suggested 2019-06-21 (June 21st), which is halfway between the hard deadline for proposals and the soft deadline for major client implementations.


EIP: mandatory "Security Considerations" for EIPs
Higher standards for EIPs
#2

It is a very good idea. However, I would invite you to think about this a bit more. Giving extra time will not necessarily result in more reviews, as we have seen historically.
As I suggested in the final part of my Eth1x workshop blog posts, we may need to more “formally” appoint a reviewer (or two) for each change. Otherwise the time will drag on, and review will only happen just before the hard fork (as it does nowadays).


#3

I’m not suggesting more time.

Rather, a defined review period whose specific purpose is security.

I also think we have to find funding to pay people for reviews. If people volunteer to do reviews as well, great! But I don’t think we can count on it.

Having people sign up to focus on reviewing all aspects of a change is definitely a good idea.


#4

Also relevant:

I think embedding the security considerations into the EIP itself is important.


#5

Yeah, there are two parts to this. One is adding security requirements to EIPs; the other is a security review period for release planning.

This proposal is the latter :wink: so: yes, AND.


#6

For what it’s worth, Gitcoin has added a 20 ETH security bounty for EIPs, which starts in mid-May. https://github.com/gitcoinco/skunkworks/issues/89