aragonOS
aragonOS copied to clipboard
Kill switch: provide emergency upgrade path
Fixes #523 Follow up #518
This PR provides an entry point in the Kernel that a new way to access the setApp
functionality, but only when the app address that is requested to be updated is disallowed in the kill-switch instance of a DAO. It also implements a new role called APP_MANAGER_EMERGENCY_ROLE
, obviously different than the APP_MANAGER_ROLE
, since it is supposed to be used from a separate flow. For example, if the APP_MANAGER_ROLE
app has been kill-switched, then the APP_MANAGER_EMERGENCY_ROLE
app is allowed to perform an upgrade of the APP_MANAGER_ROLE
app.
We could use this new entry point from the voting app to provide all the DAOs a way to bypass the root of authority chain in case any of its components gets kill-switched. Ofc, as explained in the issue linked, there is a list of minimum components we will need whitelist to make that happen (Kernel, ACL, Kill switch, Voting app, ...). But note that with this entry point we can now make sure we don't need the full chain whitelisted.