Package Upgrades
A Move package consists of one or more modules that define how the package interacts with on-chain objects. These modules are written in Move, compiled into a package object, and then published on-chain. Once a package is on the IOTA network, its content and logic are transparent and accessible to anyone through an IOTA network explorer.
Packages Are Immutable
Once a package object is published on-chain, it becomes immutable—it cannot be directly altered. This immutability is crucial because other packages may rely on the modules provided by the original package. If a developer could alter the logic of their on-chain package post-publication, it could lead to unintended consequences for all dependent packages, potentially introducing bugs or vulnerabilities.
Upgrading Packages
Although you can't modify an existing on-chain package, you can upgrade it. Upgrading a package involves creating a new package object on-chain, which includes the improved or additional code. This approach ensures that the original package remains unchanged, safeguarding the integrity of packages that depend on it.
Upgrading Packages with IOTA Client CLI
The IOTA Client CLI provides an upgrade command,
which is a straightforward way to upgrade packages.
To use this command, the CLI's active address must own the UpgradeCap object
associated with the package you wish to upgrade.
While the IOTA CLI is convenient for initiating upgrades, especially during the early stages of development, relying on a single key to manage upgrades can introduce significant security risks:
- Conflicting Interests: The entity controlling the key may make changes that benefit themselves but are not in the best interests of the broader community.
- Lack of Consultation: Upgrades might be executed without sufficient time for package users to review the changes or decide whether to continue using the package if they disagree with the updates.
- Key Loss: If the key is lost, it could permanently prevent any future upgrades, leaving the package in a potentially vulnerable or outdated state.
Making Packages Truly Immutable
To eliminate the risks associated with single-key control, you can make your package immutable after it is published.
You can do this with the iota::package::make_immutable function,
which destroys the UpgradeCap associated with the package, preventing any future upgrades.
However, making a package immutable also means that you lose the ability to fix bugs or introduce new features,
so it should be done with caution.
For more secure and flexible upgrade management, consider implementing Custom Upgrade Policies that reduce the risks without completely sacrificing the ability to upgrade.