The current upgrade mechanism for the safe network (testnets) is to wipe the network and start again.
Are there are any proposals for how new features are to be released to the live network? I haven’t been able to find any. Obviously the existing method of turning the network off won’t work!
I want to spitball some ideas about how upgrades may happen, which relates to node ageing and node ranking (which I think is completely contained with ageing?).
Upgrade by deranking
If the version (or even better, capabilities) of nodes can be known, old nodes can be deranked. This encourages upgrading.
This may be done naively via a user-agent header, and perhaps evolve to a more complex zero-knowledge proof for determining the availability of new features.
The balance is between making upgrades hard to spoof vs creating a lot of extra work and complexity.
Upgrade automatically
Vaults could upgrade themselves by downloading the new version from the safe network automatically and loading the changes on-the-fly. This is difficult to enforce, since nodes may simply remove the autoupdate portion of the code. Still a nice feature to have, but not a secure mechanism for upgrading the network.
Enforce backward compatability
Another option to handle upgrades is to have all changes be backward compatible. I think this is impossible to achieve.
Goodwill
If all node operators are active members of the community and behave as good citizens then all it takes is an announcement and nodes will be upgraded by their operators. This is unreliable since some nodes will be abandoned, or have lazy operators, or be operating under malicious conditions.
Further to this list of possible mechanisms is also how upgrades will be rolled out. When the first ‘upgraded’ node comes onto the network, it will appear to be ‘faulty’ and possibly be deranked. How can this be solved? How can the network know the difference between ‘upgraded’ nodes and ‘malicious’ nodes?