Amendments
The Amendments system provides a means of introducing new features to the decentralized XAG Ledger network without causing disruptions. The amendments system works by utilizing the core consensus process of the network to approve any changes by showing continuous support before those changes go into effect. An amendment normally requires 80% support for two weeks before it can apply.
When an Amendment has been enabled, it applies permanently to all ledger versions after the one that included it. You cannot disable an Amendment, unless you introduce a new Amendment to do so.
For a complete list of known amendments, their statuses, and IDs, see: Known Amendments.
Background
Any changes to transaction processing could cause servers to build a different ledger with the same set of transactions. If some validators (rippled
servers participating in consensus) have upgraded to a new version of the software while other validators use the old version, this could cause anything from minor inconveniences to full outages. In the minor case, a minority of servers spend more time and bandwidth fetching the actual consensus ledger because they cannot build it using the transaction processing rules they already know. In the worst case, the consensus process might be unable to validate new ledger versions because servers with different rules could not reach a consensus on the exact ledger to build.
Amendments solve this problem, so that new features can be enabled only when enough validators support those features.
Users and businesses who rely on the XAG Ledger can also use Amendments to provide advance notice of changes in transaction processing that might affect their business. However, API changes that do not impact transaction processing or the consensus process do not need Amendments.
About Amendments
An amendment is a fully-functional feature or change, waiting to be enabled by the peer-to-peer network as a part of the consensus process. A rippled
server that wants to use an amendment has code for two modes: without the amendment (old behavior) and with the amendment (new behavior).
Every amendment has a unique identifying hex value and a short name. The short name is for human use, and is not used in the amendment process. Two servers can support the same amendment ID while using different names to describe it. An amendment's name is not guaranteed to be unique.
By convention, Ripple's developers use the SHA-512Half hash of the amendment name as the amendment ID.
Amendment Process
Every 256th ledger is called a "flag" ledger. The process of approving an amendment starts in the ledger version immediately before the flag ledger. When rippled
validator servers send validation messages for that ledger, those servers also submit votes in favor of specific amendments. If a validator does not vote in favor of an amendment, that is the same as voting against the amendment. (Fee Voting also occurs around flag ledgers.)
The flag ledger itself has no special contents. However, during that time, the servers look at the votes of the validators they trust, and decide whether to insert an EnableAmendment
pseudo-transaction into the following ledger. The flags of an EnableAmendment pseudo-transaction show what the server thinks happened:
- The
tfGotMajority
flag means that support for the amendment has increased to at least 80% of trusted validators. - The
tfLostMajority
flag means that support for the amendment has decreased to less than 80% of trusted validators. - An EnableAmendment pseudo-transaction with no flags means that support for the amendment has been enabled. (The change in transaction processing applies to every ledger after this one.)
A server only inserts the pseudo-transaction to enable an amendment if all of the following conditions are met:
- The amendment has not already been enabled.
- A previous ledger includes an EnableAmendment pseudo-transaction for this amendment with the
tfGotMajority
flag enabled. - The previous ledger in question is an ancestor of the current ledger.
- The previous ledger in question has a close time that is at least two weeks before the close time of the latest flag ledger.
- There are no EnableAmendment pseudo-transactions for this amendment with the
tfLostMajority
flag enabled in the consensus ledgers between thetfGotMajority
pseudo-transaction and the current ledger.
Theoretically, a tfLostMajority
EnableAmendment pseudo-transaction could be included in the same ledger as the pseudo-transaction to enable an amendment. In this case, the pseudo-transaction with the tfLostMajority
pseudo-transaction has no effect.
Amendment Voting
Each version of rippled
is compiled with a list of known amendments and the code to implement those amendments. By default, rippled
supports known amendments and opposes unknown amendments. Operators of rippled
validators can configure their servers to explicitly support or oppose certain amendments, even if those amendments are not known to their rippled
versions.
To become enabled, an amendment must be supported by at least 80% of trusted validators continuously for two weeks. If support for an amendment goes below 80% of trusted validators, the amendment is temporarily rejected. The two week period starts over if the amendment regains support of at least 80% of trusted validators. (This can occur if validators vote differently, or if there is a change in which validators are trusted.) An amendment can gain and lose a majority any number of times before it becomes permanently enabled. An amendment cannot be permanently rejected, but it becomes very unlikely for an amendment to become enabled if new versions of rippled
do not have the amendment in their known amendments list.
As with all aspects of the consensus process, amendment votes are only taken into account by servers that trust the validators sending those votes. At this time, Ripple (the company) recommends only trusting the validators on the validator list that Ripple publishes at https://vl.ripple.com . For now, trusting only those validators is enough to coordinate with Ripple on releasing new features.
Configuring Amendment Voting
You can temporarily configure an amendment using the feature method. To make a persistent change to your server's support for an amendment, change your server's rippled.cfg
file.
Use the [veto_amendments]
stanza to list amendments you do not want the server to vote for. Each line should contain one amendment's unique ID, optionally followed by the short name for the amendment. For example:
[veto_amendments]
C1B8D934087225F509BEB5A8EC24447854713EE447D277F69545ABFA0E0FD490 Tickets
DA1BD556B42D85EA9C84066D028D355B52416734D3283F85E216EA5DA6DB7E13 SusPay
Use the [amendments]
stanza to list amendments you want to vote for. (Even if you do not list them here, by default a server votes for all the amendments it knows how to apply.) Each line should contain one amendment's unique ID, optionally followed by the short name for the amendment. For example:
[amendments]
4C97EBA926031A7CF7D7B36FDE3ED66DDA5421192D63DE53FFB46E43B9DC8373 MultiSign
42426C4D4F1009EE67080A9B7965B44656D7714D104A72F9B4369F97ABF044EE FeeEscalation
Amendment Blocked
When an amendment gets enabled for the network after the voting process, servers running earlier versions of rippled
that do not know about the amendment become "amendment blocked" because they no longer understand the rules of the network. Servers that are amendment blocked:
- Cannot determine the validity of a ledger
- Cannot submit or process transactions
- Do not participate in the consensus process
- Do not vote on future amendments
Becoming amendment blocked is a security feature to protect applications that depend on XAG Ledger data. Rather than guessing and maybe misinterpreting a ledger after new rules have been applied, rippled
reports that it does not know the state of the ledger because it does not know how the amendment works.
The amendments that a rippled
server is configured to vote for or against have no impact on whether the server becomes amendment blocked. A rippled
server always follows the set of amendments enabled by the rest of the network, to the extent possible. A server only becomes amendment blocked if an enabled amendment is not included in the amendment definitions compiled into the server's source code -- in other words, if the amendment is newer than the server.
If your server is amendment blocked, you must upgrade to a new version to sync with the network.
How to Tell If Your rippled
Server Is Amendment Blocked
One of the first signs that your rippled
server is amendment blocked is an amendmentBlocked
error that is returned when you submit a transaction. Here's an example amendmentBlocked
error:
{
"result":{
"error":"amendmentBlocked",
"error_code":14,
"error_message":"Amendment blocked, need upgrade.",
"request":{
"command":"submit",
"tx_blob":"479H0KQ4LUUXIHL48WCVN0C9VD7HWSX0MG1UPYNXK6PI9HLGBU2U10K3HPFJSROFEG5VD749WDPHWSHXXO72BOSY2G8TWUDOJNLRTR9LTT8PSOB9NNZ485EY2RD9D80FLDFRBVMP1RKMELILD7I922D6TBCAZK30CSV6KDEDUMYABE0XB9EH8C4LE98LMU91I9ZV2APETJD4AYFEN0VNMIT1XQ122Y2OOXO45GJ737HHM5XX88RY7CXHVWJ5JJ7NYW6T1EEBW9UE0NLB2497YBP9V1XVAEK8JJYVRVW0L03ZDXFY8BBHP6UBU7ZNR0JU9GJQPNHG0DK86S4LLYDN0BTCF4KWV2J4DEB6DAX4BDLNPT87MM75G70DFE9W0R6HRNWCH0X075WHAXPSH7S3CSNXPPA6PDO6UA1RCCZOVZ99H7968Q37HACMD8EZ8SU81V4KNRXM46N520S4FVZNSJHA"
},
"status":"error"
}
}
The following rippled
log message also indicates that your server is amendment blocked:
2018-Feb-12 19:38:30 LedgerMaster:ERR One or more unsupported amendments activated: server blocked.
If you are on rippled
version 0.80.0+, you can verify that your rippled
server is amendment blocked using the server_info
command. In the response, look for result.info.amendment_blocked
. If amendment_blocked
is set to true
, your server is amendment blocked.
Example JSON-RPC Response:
{
"result": {
"info": {
"amendment_blocked": true,
"build_version": "0.80.1",
"complete_ledgers": "6658438-6658596",
"hostid": "ip-10-30-96-212.us-west-2.compute.internal",
"io_latency_ms": 1,
"last_close": {
"converge_time_s": 2,
"proposers": 10
},
...
},
"status": "success"
}
}
If your server is not amendment blocked, the amendment_blocked
field is not returned in the response.
Caution: rippled
versions older than 0.80.0 do not include the amendment_blocked
field, even if your server is amendment blocked.
How to Unblock an Amendment-Blocked rippled
Server
Upgrade to the rippled
version that supports the amendments that are causing your server to be amendment blocked. Ripple recommends that you upgrade to the newest rippled
version to unblock your server and enable it to sync with the network again.
Depending on the scenario, you may be able to (and want to) unblock your server by upgrading to a rippled
version that is older than the newest version. This is possible if the older version supports the amendments that are blocking your rippled
server.
Warning: If the newest rippled
version provides security or other urgent fixes, you should upgrade to the newest version as soon as possible.
To determine if you can unblock your rippled
server by upgrading to a version older than the newest version, find out which features are blocking your server and then look up the rippled
version that supports the blocking features.
To find out which features are blocking your rippled
server, use the feature
admin command. Look for features that have "enabled" : true
and "supported" : false
. These values for a feature mean that the amendment is currently enabled (required) in the latest ledger, but your server does not know how to support, or apply, the amendment.
Example JSON-RPC Response:
{
"result": {
"features": {
"07D43DCE529B15A10827E5E04943B496762F9A88E3268269D69C44BE49E21104": {
"enabled": true,
"name": "Escrow",
"supported": true,
"vetoed": false
},
"08DE7D96082187F6E6578530258C77FAABABE4C20474BDB82F04B021F1A68647": {
"enabled": true,
"name": "PayChan",
"supported": true,
"vetoed": false
},
"1562511F573A19AE9BD103B5D6B9E01B3B46805AEC5D3C4805C902B514399146": {
"enabled": false,
"name": "CryptoConditions",
"supported": true,
"vetoed": false
},
"157D2D480E006395B76F948E3E07A45A05FE10230D88A7993C71F97AE4B1F2D1": {
"enabled": true,
"supported": false,
"vetoed": false
},
...
"67A34F2CF55BFC0F93AACD5B281413176FEE195269FA6D95219A2DF738671172": {
"enabled": true,
"supported": false,
"vetoed": false
},
...
"F64E1EABBE79D55B3BB82020516CEC2C582A98A6BFE20FBE9BB6A0D233418064": {
"enabled": true,
"supported": false,
"vetoed": false
}
},
"status": "success"
}
}
In this example, conflicts with the following features are causing your rippled
server to be amendment blocked:
-
157D2D480E006395B76F948E3E07A45A05FE10230D88A7993C71F97AE4B1F2D1
-
67A34F2CF55BFC0F93AACD5B281413176FEE195269FA6D95219A2DF738671172
-
F64E1EABBE79D55B3BB82020516CEC2C582A98A6BFE20FBE9BB6A0D233418064
To look up which rippled
version supports these features, see Known Amendments.
Testing Amendments
If you want to see how rippled
behaves with an amendment enabled, before that amendment gets enabled on the production network, you can run use rippled
's config file to forcibly enable a feature. This is intended for development purposes only.
Because other members of the consensus network probably do not have the feature enabled, you should not use this feature while connecting to the production network. While testing with features forcibly enabled, you should run rippled
in stand-alone mode.
To forcibly enable a feature, add a [features]
stanza to your rippled.cfg
file. In this stanza, add the short names of the features to enable, one per line. For example:
[features]
MultiSign
TrustSetAuth