From 866636826187d5fb02ba96a2ed534ae14857a0e1 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Mon, 11 Dec 2023 19:30:56 +0100 Subject: DD48: do not permanently brick wallets when an exchange is badly configured --- design-documents/048-wallet-exchange-lifecycle.rst | 28 +++++++++++++++++----- 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'design-documents') diff --git a/design-documents/048-wallet-exchange-lifecycle.rst b/design-documents/048-wallet-exchange-lifecycle.rst index b3df4d8a..75ec3afb 100644 --- a/design-documents/048-wallet-exchange-lifecycle.rst +++ b/design-documents/048-wallet-exchange-lifecycle.rst @@ -67,14 +67,24 @@ Update Status ~~~~~~~~~~~~~ * ``initial``: Not updated, no need to update -* ``initial(update)``: Update pending, possibly with error +* ``initial-update``: Update pending, possibly with error * ``suspended``: Exchange was manually disabled, should not be contacted anymore, but record is kept in the wallet. Mostly useful for testing. -* ``failed``: Updating the exchange info failed permanently, the exchange is - not usable for any operations. -* ``outdated(update)`` +* ``unavailable-update``: The exchange is currently unavailable to be used for withdrawals, + but it is possible that the exchange starts working again in the future. + The wallet will re-try contacting the exchange. The wallet will still try + operations that *spend* coins, but the user might be warned about the bad + exchange status. + + Examples: + + * The exchange updated to a new protocol version that is incompatible with the wallet + * The exchange advertises a new master public key. This might be a temporary + configuration issue or malicious attack. + * The exchange only advertises outdated denomination keys, making new withdrawals + impossible. * ``ready``: Exchange is useable. -* ``ready(update)``: Exchange is useable, but currently being updated. +* ``ready-update``: Exchange is useable, but currently being updated. ToS Status ~~~~~~~~~~ 
@@ -125,4 +135,10 @@ Definition of Done Discussion / Q&A ================ -(This should be filled in with results from discussions on mailing lists / personal communication.) +* Should there be a "permanently failed" update state? + + * dold => I don't think so, as it means that temporary configuration issues on the side of the + exchange might *permanently* brick users' wallets. + The wallet should always re-try contacting the exchange and of course possibly report + information to the auditor. + -- cgit v1.2.3
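Review bot: the new ``unavailable-update`` entry in the first hunk leaves the master-key case underspecified. It says a newly advertised master public key "might be a temporary configuration issue or malicious attack", but not whether the wallet keeps trusting the master key it previously recorded while it keeps retrying; without a sentence along the lines of "the wallet retains the previously stored master public key and never replaces it automatically", the retry loop this hunk introduces could read as a silent key rollover. Two smaller points: "The wallet will re-try contacting the exchange" should say something about retry spacing (a backoff), since the stated motivation is an exchange that is misconfigured rather than gone, and "the user might be warned about the bad exchange status" should either become "is warned" or state when the warning is shown. Nit: ``useable`` -> ``usable`` in both ``ready`` entries.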
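Review bot: the Q&A answer in the second hunk says the wallet should "possibly report information to the auditor", but nothing in the update-status section describes such reporting; either add what is reported and when to the ``unavailable-update`` entry, or keep the clause here as an open question rather than as settled behaviour, so the document does not promise something it never defines. Also, the hunk appears to end with an empty ``+`` line before the page footer; drop the trailing blank line so the list does not end in stray whitespace.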