[jude-]

> You shouldn’t, because no code of sufficient complexity is flawless.

So why build an upgrade procedure at all, when you don't have to?

> On the Ethereum blockchain (for instance) storage and smart contracts are tightly coupled.

Sounds like an unforced error on these smart contracts' authors parts, and should not be used as an excuse to compromise the principle of code immutability.

If the possibility existed that they need to replace the business logic at a later date, then they should factor the storage logic so as to avoid this coupling. It can be done -- for example, a smart contract dapp can leverage a shared contract that only implements a public key/value store, where the keys are prefixed by the calling contract's address. Then, when the business logic contract changes, it can access any old versions' state with the old versions' contract address, apply any migrations on-the-fly, and store new state that will not overwrite old state due to this key prefixing.

In the Stacks blockchain (which I work on), we go one step further by making it so you can run an arbitrary read-only code snippet on the state of the blockchain at any point in the past (as given by a block hash). Then, you don't even need to do any migrations -- you can just query the historic state of your old contract and only store new data once it's necessary.

[davepeck]

> So why build an upgrade procedure at all, when you don't have to?

Flaws, once known, can be remediated. I don’t think macOS has bulletproof security but I’m sure glad Apple keeps updating it.

> In the Stacks blockchain (which I work on), we go one step further by making it so you can run an arbitrary read-only code snippet on the state of the blockchain at any point in the past (as given by a block hash).

That’s a super interesting design point; I’m excited to see where that leads.

Out of curiosity, how does this typically get exposed in dApps (or wallet UIs) built on Stacks?

[jude-]

> Flaws, once known, can be remediated. I don’t think macOS has bulletproof security but I’m sure glad Apple keeps updating it.

My point is that a piece of software does not need an upgrade procedure if there exists a way to install a newer copy without touching the old one. Trying to build an upgrade procedure when there is always the option to install a newer version this way (especially if it can seamlessly access the older version's state) is at best over-engineering.

> Out of curiosity, how does this typically get exposed in dApps (or wallet UIs) built on Stacks?

This is being done right now with Stacks' on-chain naming system, which is realized as a smart contract. The new naming system does not need to import any state from the old system in order to resolve pre-existing names, nor does the existing naming system need to be disabled, because the new system is instead able to call the name resolution method via this "run read-only code on the chainstate as of this block" feature. The past is immutable, so future changes to the state of the old system beyond a predetermined sunset block (defined in the new contract) will not be visible to the users of the new system.

Consider this example. Suppose the name "alice.btc" was registered at block 1000 (hash 0x123) in the old system, and suppose the new system was deployed to use all the state in the old system up to block 1001 (hash 0xabc). Resolving alice.btc in the new system runs code to the effect of:

  (let (
    (alice-rec (at-block 0xabc
      (contract-call? 'SP000000000000000000002Q6VF78.bns name-lookup? "alice.btc")))
    )
    ;; Do something with alice-rec
  )

Internally, the (at-block) function runs the given code body with access to the system state as it was as of the end of block 0xabc. The system state is represented internally as a set of key/value pairs indexed by a forest of authenticated hash tries which make it efficient to query a key as of a particular block (see https://github.com/stacksgov/sips/blob/main/sips/sip-004/sip... for details).

Suppose bob.btc was registered in block 1002 (hash 0xdef). The above (at-block) call will not resolve bob.btc in the old contract, because its state was written after the sunset block 0xabc.

[frazbin]

Being able to query arbitrary past blockchain history is kind of gross, because you can neither partition nor elide any of the data under consensus- your verifiers need to have a copy of everything. Leads to expensive nodes cause disk space and RAM use explodes. Not an uncommon complaint about immutable programming techniques generally. Idk, kinda seems like a bad tradeoff to me. But then again if you're building it on top of the literal money fire that is bitcoin, who cares about scalability and resource use!

[jude-]

> verifiers need to have a copy of everything.

Hate to break it to you, but if your consensus rules permit forks, then there's no getting around this. A fork can be mined arbitrarily far in the future that builds off of a block arbitrarily far in the past.

We intend to partition state by application, for applications that are willing to trade smart contract composibility for more block space: https://gist.github.com/jcnelson/c982e52075337ba75e00b799421...

> But then again if you're building it on top of the literal money fire that is bitcoin, who cares about scalability and resource use!

Show me a more resilient blockchain and we'll build on that instead. Popular systems see lots of usage; news at 11.

[frazbin]

well basically you have to throw out proof of work and then it's fine. If that's a philosophical thing then you're constrained to highly inefficient systems that yeah, are designed to fork like you say. But if you're okay with any kind of proof of stake setup, you don't have to consider forks, because you trust your validators.

Ultimately it comes down to what you like about the blockchain chimera. Some people like proof of work for its own sake; they think that's the way forward. Some of us think that public distributed append-only log structures with cryptographically enforced permissioning are super interesting all by themselves, maybe even MORE interesting without proof of work!

Long term I don't think it's going to be any fun until a larger subset of homomorphic computing is cheap enough to run distributed-consensus style. In the meantime all I know is it's a lot more fun once you stop trying to be the source of truth for the universe, and accept proof of stake as a natural compromise necessary to keep playing with our toys w/o burning up.

I'd be happy to share but you'll have to message me. And I'm an idiot.