Thanks Brian! All great points. The release process was indeed designed to prioritize safety and velocity, and I agree that the atomic approach makes a governability tradeoff in favor of these priorities.
- I suppose it depends on when the reviewing happens. Even though the governance proposal will include a batch of changes, each individual change will still have been reviewed as an individual PR. Ideally, the actual code changes would get the most scrutiny here, before being proposed as on-chain changes. Furthermore, design changes (e.g. governance 2.0, support for multiple stable currencies in Exchange.sol) should be proposed as CIPs before any code is written, providing an additional forum for feedback. Finally, part of the release process includes reputable third-party auditors carefully examining the changes to be deployed, providing an additional layer of protection beyond individual PR reviews and automated tests.
- Unfortunately I believe the effect you described would happen in some cases. If a core contract upgrade contains changes A and B, where A has universal support and B has middling support, desire to deploy A quickly may result in B being deployed, when in fact B may not have been deployed if the governance proposals were independent. I would hope that we would be able to catch controversial changes before they are written and merged into master via the CIP process, but it’s hard to guarantee this is the case. If B was met with broad opposition, I would hope that the governance proposal for A and B would still be voted down, as it will generally probably not be terribly hard to revert B in master and make a new proposal to adopt only A.
- I think it depends. It may be noisy to broadly flag every smart contract change (e.g. this minor change to add checks in LockedGold.sol may not be worthy of broad examination). Large design changes, IMO, should go through the CIP process (and be rejected if they don’t!), which would address your concern, I think.
- The governance contract allows for empty proposals, as was done for the cGLD/CELO rename. We could consider using those to vote on CIP adoption.