From a3006814874f18efd9bcabd4733e0811eca445b5 Mon Sep 17 00:00:00 2001
From: teor
Date: Tue, 18 Feb 2020 13:00:49 +1000
Subject: dir-spec: Edit uploaded vote rejection spec

Be more specific: clearly distinguish between uploaded and downloaded votes.

Add the Tor version that introduces this behaviour.

Spec for ticket 4631.
---
 dir-spec.txt | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/dir-spec.txt b/dir-spec.txt index a5f7460..1e91070 100644 --- a/dir-spec.txt +++ b/dir-spec.txt 
@@ -317,24 +317,28 @@ The timeline for a given consensus is as follows: - VA-DistSeconds-VoteSeconds: The authorities exchange votes. + VA-DistSeconds-VoteSeconds: The authorities exchange votes. Each authority + uploads their vote to all other authorities. VA-DistSeconds-VoteSeconds/2: The authorities try to download any - votes they don't have. Furthermore, they stopped accepting vote posted to - them. - - Note: The reason why the vote should be refused is to minimize the - chance of a consensus split if the authorities are under bandwidth - pressure. If an authority is struggling to upload its vote and finally - does it on a fraction of authorities after this period, they will - compute a consensus different from the others. By refusing the vote - after this period, we increase our chances that everyone will use the - same vote set. - - It does not fix the problem entirely because the problem also exists if - N authorities are able to fetch a specific vote but M authorities fail - to do so. However, it is an improvement towards making sure each - authority has the same set of votes. + votes they don't have. + + Authorities SHOULD also reject any votes that other authorities try to + upload after this time. (0.4.4.1-alpha was the first version to reject votes + in this way.) + + Note: Refusing late uploaded votes minimises the chance of a consensus + split, particular when authorities are under bandwidth pressure. If an + authority is struggling to upload its vote, and finally uploads to a + fraction of authorities after this period, they will compute a consensus + different from the others. By refusing uploaded votes after this time, + we increase the likelihood that most authorities will use the same vote + set. + + Rejecting late uploaded votes does not fix the problem entirely. If + some authorities are able to download a specific vote, but others fail + to do so, then there may still be a consensus split. 
However, this + change does remove one common cause of consensus splits. VA-DistSeconds: The authorities calculate the consensus and exchange signatures. -- cgit v1.2.3-54-g00ecf
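Review bot: the added "Authorities SHOULD also reject any votes that other authorities try to upload after this time" paragraph leaves the cutoff implicit. "This time" refers to VA-DistSeconds-VoteSeconds/2 only through the preceding timeline entry, and the text does not say whether a vote uploaded exactly at that instant is accepted or rejected. Naming the deadline in the sentence and stating the boundary would keep implementations from disagreeing on the cutoff, which is the kind of split this change is meant to reduce. The same paragraph does not say how a rejected upload is reported to the uploading authority; a sentence on the expected response would let an authority notice that its vote arrived too late. In the Note paragraph, "split, particular when authorities are under bandwidth pressure" should read "particularly".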