Security Review Period for Hardfork Roadmap

I’ve added a section to the Istanbul Roadmap page on the Ethereum wiki proposing a security review period for proposed Core EIPs.

This means having some people do security reviews – which might mean engaging external auditors. But it also means communication around the Core EIP proposals that are effectively in Last Call, but focused on security issues. Pay attention, have a look: does this impact your current or future use cases?

I’ve suggested 2019-06-21 (June 21st); this is halfway between the hard deadline for proposals and the soft deadline for major client implementations.


It is a very good idea. However, I would invite you to think about this a bit more. Giving extra time will not necessarily result in more reviews, as we have seen historically.
As I suggested in the final part of my Eth1x workshop blog posts, we may need to more “formally” appoint a reviewer (or two) for each change. Otherwise the time will drag on, and review will only happen just before the hard fork (as it does nowadays).


I’m not suggesting more time.

Rather, a defined review period where the specific purpose is security.

I also think we have to find funding to pay people for reviews. If people volunteer to do reviews as well — great! But I don’t think we can count on it.

Having people sign up to focus on reviewing all aspects of a change is definitely a good idea.


Also relevant:

I think embedding the security considerations into the EIP itself is important.

Yeah, there are two parts to this. One is adding security requirements to EIPs; the other is a security review period for release planning.

This proposal is the latter :wink: so: yes, AND.

For what it’s worth, Gitcoin has added a 20 ETH security bounty for EIPs which starts in mid-May.