Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 8876DC002D for ; Wed, 19 Oct 2022 03:01:29 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 585B841B86 for ; Wed, 19 Oct 2022 03:01:29 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 585B841B86 Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=lPeZ/BSH X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrKWm7hAAKze for ; Wed, 19 Oct 2022 03:01:25 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org A648D41946 Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) by smtp4.osuosl.org (Postfix) with ESMTPS id A648D41946 for ; Wed, 19 Oct 2022 03:01:25 +0000 (UTC) Received: by mail-il1-x133.google.com with SMTP id i9so8503981ilv.9 for ; Tue, 18 Oct 2022 20:01:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9RN/NYvbFFRJeqRuS45pTZkUDTnE8q+BBmzAcJUvApo=; b=lPeZ/BSHlljj7ZA5G2FVVIOh2ZPWE8fYukly1cKd1jKWK0eNqxyJS2gnLOp2f+R8be aG6EUcxzmgV3iPi20xnqxYCC0ntl1yY3dVU24eWlY4v97aWFM5lAOvQn8SIW4IYcpDcu qYCXZPDA6FhnlOktPckVbhdmzynEgpy5nqoPbImThrLMfMouUjCRyAjl8auxX7O19WiB V/d2O9fw7ce3D5fJAAzwPDWg2Z1op3NV+2uyT1gXnJVxz4VLNthYmaDFmHQce/c24uMx drN8I8QczWI+iyG/E0NXE7GQJ5DqRiM/QCmsQ4H9dwgv7ASwmgdvjgoNBopuHek0ObRj qc6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9RN/NYvbFFRJeqRuS45pTZkUDTnE8q+BBmzAcJUvApo=; b=xhFRxp892hYFp+cOQcAKRwscqZ2ubrqW5QYyevRsbuc5fjG8gZc+7C0vFkBLEKFgVl 4DAe9ZiuB3li7fl78gGkNxEcxQ23kdHnr0LTfpJkciHTW98TdDXFlJ59ZL1nTJvH7H76 NN7JhaSsK+6NvSkkM3nVChFKswsR978m/FzoRvITYhRQddeZfiOQMgFknVRvr+ouL2oz h+eYBU7F1uSgtRvP2jnxPtmm209EBFl7WhFaw7a9aqFF4ulzNZuUbk3zmscJNboO+DEF jtKpYFcXj27/h6vRs2AO30kqFbhJUNn2G+lS/OJ5AnvNqNqwsM2KZj6Nrk/oOpUgotp1 hQfA== X-Gm-Message-State: ACrzQf2jnnlbtUVjJgZZpEKiAJDGeKjBryiq8aHFz1ZeAAk6XnkK4cZG 38rj4WKNnWfkcQ5BT43Vmk7Laa7vXmtcXp9sEJJmauLMK20= X-Google-Smtp-Source: AMsMyM5pHRn4J9GimBZevzack89bcCfnrqhqSPtDJV9Bt5B40Kq8a6tTf1GlFQBrwzyN0Pdr04/LcjAdR8dqF0trR8k= X-Received: by 2002:a05:6e02:18c6:b0:2fa:5726:e869 with SMTP id s6-20020a056e0218c600b002fa5726e869mr4064215ilu.250.1666148484289; Tue, 18 Oct 2022 20:01:24 -0700 (PDT) MIME-Version: 1.0 References: <0hpdGx-1WbZdG31xaMXGHKTCjJ2-0eB5aIXUdsp3bqI1MlCx6TMZWROwpl1TVI5irrBqRN2-ydM6hmf3M5L-7ZQfazbx66oameiWTHayr6w=@wuille.net> In-Reply-To: From: Antoine Riard Date: Tue, 18 Oct 2022 23:01:12 -0400 Message-ID: To: Anthony Towns Content-Type: multipart/alternative; boundary="0000000000008c99df05eb5a6cd9" X-Mailman-Approved-At: Wed, 19 Oct 2022 11:31:59 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] [Opt-in full-RBF] Zero-conf apps in immediate danger X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Oct 2022 03:01:29 -0000 --0000000000008c99df05eb5a6cd9 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > Full RBF doesn't need a majority or unanimity to have an impact; it needs > adoption by perhaps 10% of hashrate (so a low fee tx at the bottom of > a 10MvB mempool can be replaced before being mined naturally), and some > way of finding a working path to relay txs to that hashrate. Yes, this has been the crux of the conceptual discussion in #25600. > I mean, I guess I can understand wanting to reduce that responsibility > for maintainers of the github repo, even if for no other reason than to > avoid frivolous lawsuits, but where do you expect people to find better > advice about what things are a good/bad idea if core devs as a whole > are avoiding that responsibility? > > Core devs are supposedly top technical experts at bitcoin -- which means > they're the ones that should have the best understanding of all the > implications of policy changes like this. Is opt-in RBF only fine? If > you look at the network today, it sure seems like it; it takes a pretty > good technical understanding to figure out what problems it has, and > an even better one to figure out whether those problems can be solved > while keeping an opt-in RBF regime, or if full RBF is needed. In the present case, I don't think there is a real concern of a frivolous or half-baked lawsuit. My concern is rather the pretension to omniscience that we would adopt as Core devs w.r.t policy changes, as far from being a more closed, hermetic system like the p2p stack, it's interfacing with the operations of a number of Bitcoin applications and second-layer contracting protocols. As of today, I think this is still a relatively short process to analyze the implications of any policy changes on the major Bitcoin applications flows and L2s of the day (i.e mainly Lightning and coinjoins). I'm not sure this statement will stay true in a future with a growing fauna of L2s (i.e vaults, DLC-over-channel, peerswaps, etc), each presenting unique characteristics. How do we minimize the odds of policy-based disruptions for current Bitcoin softwares and users ? I don't have strong ideas, though I wish for the Core project to adopt a more open-ended and smooth approach to release context-rich policy changes. I aimed with #25353 and #25600 to experiment with such a smoother approach advocated for (rather than the last year proposal of turning on by default full-rbf, that was a wrong and missing context). I hope at least one good outcome of this gradual process has been to give time to Dario to publish a thoughtful standpoint for 0conf operators, of which at least I learnt a few interesting elements on the UX of such applications. > It's a bit disappointing that the people that's a problem for didn't > engage earlier -- though looking back, I guess there wasn't all that > much effort made to reach out, either. There were two mentions in the > optech newsletter [3] [4] but it wasn't called out as an "action item" > (maybe those aren't a thing anymore), so it may have been pretty missable= , > especially given RBF has been discussed on and off for so long. And the > impression I got from the PR review club discussion more seemed like > devs making assumptions about businesses rather than having talked to > them (eg "[I] think there are fewer and fewer businesses who absolutely > cannot survive without relying on zeroconf. Or at least hope so"). Yeah, I'm still valuing the mailing list as a kind of "broadcast-all" communication channel towards all the community stakeholders, though this is the perspective of a developer and I'm not sure business/services operators have the same communication habits. There is definitely a reflection to hold, if we, as Core devs, we should follow a better communication standard when we propose significant policy changes. And go the full-tour of Reddit AMA, podcasts and newsletters as suggested in my reply to Dario. It's hard to know if lack of vocal reactions on the mailing list or to the publication of optech newsletter signifies a lack of opposition, a lack of negatively impacted users or lack of interest from the wider community. Maybe we should have a formalized, bulletpoints -based for future policy changes, with clear time buffers and actions items, I don't know. > If we're happy to not get feedback until we start doing rcs, that's fine; > but if we want to say "oops, we're into release candidates, you should > have something earlier, it's too late now", that's a pretty closed-off > way of doing things. > > And I mean: all this is only about drawing a line in *sand*; if people > think core devs are wrong, they can still let that line blow away in > the wind, by running different software, configuring core differently, > patching core, or whatever else. In the present case, it's more a lack of feedback showing up until we start doing rcs, rather than a pretty closed-off way of doing things. That we should amend expected and already-merged changes in the function of feedback, I'm all for it in principle. The hard question is the set of decision heuristics to converge on to qualify such feedback as worthy to react on. Again in this case, we're doing some risk arbitrage (which I really dislike as a situation) between 0conf applications and multi-party funding flows of contracting protocols. Correcting our release process isn't free of implications as we're removing the risk burden on some class of use-case to pour it on a second class, in my opinion. Moreover, assuming we have to bind to reasonable communication standards which is an open question, I'm also worried we would also normalize the publication of very late feedback from community stakeholders. > I don't think that's remotely true: take a look at taproot activation: > it took two months between releasing code that supported signalling and > having 98% of hashrate signalling; with 40% of blocks signalling within > the first two weeks. First, without more visibility brought back on the 0confs operations necessary to adapt their operations, two months might be considered as enough. 8 weeks is sensibly the release schedule followed by few open-source projects in the ecosystem. Second, the communication machine behind softforks activation sounds to be far more fine-tuned, or at least gather spontaneously community self-coordination than policy changes, and it would be reasonable to expect things to be slower with policy changes. However, I would agree you can have a quick adoption a day from another with one single well-crafted meme buzzing on Twitter. Social phenomenas don't offer the same degree of predictability than system engineering. How we cope up with that, as core devs, I don't know. > But if the line in the sand is "we're doing this, no matter how much that > increases the risk to existing businesses that weren't expecting it" then > it seems *very* disingenuous not to make those risks very clear so that > people who weren't expecting it actually take action to avoid those risks= . I'm not sure if it has been established clearly, though as I announced on IRC two weeks ago, Dario reached out to me offline before publishing his mail. My recommendation to him have been immediately to adjoin 0confs services examples impacted, if possible with numbers on users affected and evaluation of engineering and operational effort if would request to adapt their use-cases, and inviting to publish on this venue, as business operators might not be used to with open-source process (I can disclose the correspondence if requested and with Dario approval). Goal was to collect the maximum of data points in our community decision-making process about full-rbf. Now this doesn't relieve us of finding a common ground on what should be a minimal bar to accept those points, how to value those data points, if we should take operators on their raw numbers or request the publication of "light" proofs like on-chain transactions, lightning invoices (everyone in business would take the happy measure showing the most active users possible). The question of what signals we should collect, and how we process them is a hard question in a decentralized and trust-minimized process like the Bitcoin development one, from my perspective. I don't have strong ideas there. Though speaking for myself, and not for other contributors, I've raised the warnings about potential impacts of full-rbfs in both my June 2021 [0] and June 2022 [1] mails, so I find the qualification of disingenuous is a bit ungrounded. Overall, I would remind all that it's better to keep patience in face of complex changes in Core, rather than to fall quickly in a blame ascription position. [0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-June/019074.ht= ml [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020557.ht= ml (I don't deny "blame-and-reward" assignments can be worthy a posteriori, once we're out of the "hot" discussion phase, especially to introspect on how we can improve our engineering process, though in the middle of a discussion... I don't know, it sounds premature and noisy). > (More generally, that's similar to one of the things I've hated > watching in mainstream economics over the past few years: "doing this > will cause massive inflation" "no it won't, there's no inflation risk" > "oops, inflation magically appeared, how did that happen? oh well, too > bad, we have to live with it now". This looks pretty similar to me: "do > something risky, deny the risk, make sure nobody can hold us accountable > when the risk eventuates later" so it makes me really uncomfortable) I can share the sentiment about mainstream economics and the way risk-management impacts large-range of human beings is completely shrug on... Though again in the present case, I think it would be more productive to describe what engineering needs or standards expectations of you are not fulfilled rather than to fallback on the pure expression of an uncomfortableness and how as a community of contributors we could improve on that. Though to object, speaking of risk appreciation, not hardening the funding phase of multi-party funding protocols also lets the door open to DoS attacks by deanonymizing attackers targeting things like coinjoin. > Sure; that's a fine reason to draw the line in the sand. But it's not > a good reason to have it happen immediately, rather than giving people > time to react, and it's not a good reason to understate the risk of > it happening now. Maybe there are good reasons for either or both of > those, though? I agree. I would like to observe that "reasonable time to react" and "adequate risk statement" is more an art than a science. > Using the passive voice there doesn't seem helpful. Who learnt these > things? You, I and Dario all seem to agree with (a), but John Carvalho > certainly appears not to, for instance. I'm not sure who agrees with > (b) -- I know I do, and I think Dario does; but multiple people seem > opposed to the clear timeline offered in #26323, and your #26305 seems > more likely to encourage a "pollination" approach rather than discourage > it ("oh, this will be the default option for 25.0, might as well enable > it now like all the cool kids are"). About John Carvalho disagreeing about full-rbf, I think he voiced a concern during the summer on one of the PR introducing a full-rbf setting and I did invite to voice his concerns on the ML, invitation stayed without follow-up until the recent days [2] [3]. I would have loved to spend time back then arguing on the full-rbf and miners incentives compatibility. [2] https://github.com/bitcoin/bitcoin/pull/25373#issuecomment-1163422654 [3] https://github.com/bitcoin/bitcoin/pull/25373#issuecomment-1163815017 I know we all have busy agendas and a short timeline to react to all the changes happening in the Bitcoin ecosystem... I think I replied to John Carvalho answer on this thread, inviting him to develop his argumentation further and I'm staying available to discuss with any full-rbf opponents, in a calm and respectful fashion [4]. [4] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021027= .html > For what it's worth, my guess is that releasing core with full rbf > support and having you and Murch and others advocating for people to > try it out, will mean that full RBF is usable on mainnet within two > or three months, supported by perhaps 5%-20% hashpower, but probably > still requiring special effort to actually find a peer that can relay > full rbf txs to that hashpower (probably doing an addnode, despite the > privacy implications). Even if that happens, I'm not super confident > that it would mean people would actively steal from zeroconf businesses > in any volume, though. It's not something I'd risk happening to me, > but accepting zeroconf from strangers isn't something I'd risk anyway. Yeah I mean this could have been a forward process before Dario published his thoughts. Achieving 5%-20% hashpower and full-rbf relay paths would have assumed landing #25600 _and_ actually reach out to few mining pools to inform them about the potential economic benefits. Now, I think the best process is to keep listening to more feedback from the community, lay out all the deployment options in code we have done and think more before committing to something. > And if the choice is between "bikeshedding" and "merge a PR, then ignore > feedback that it's harmful", I'd much rather the bikeshedding. What's > the point of having rcs if you're going to ignore negative feedback? I think this might be the point where I could say we're diverging. In principle, I agree we should listen to negative feedback raising harmful disruptions risks for users and services. The more open, practical question to me is more how we collect, qualify and sanitize such negative feedback in a way which is acceptable for the community at large. Giving concrete bounds to the immediate dangers in a consensual way, and asserting this danger results from a lack of communication of the Core project, I'm still wondering on those subjects. And note again, I didn't deny the option 3) approach as you laid out was zero-risk for 0conf operators. All that said, if we think as a project we should offer a "zero-risk" process towards 0conf operators w.r.t full-rbf, at the detriment of the risk encumbered by contracting protocols, I think it can be wise to resurrect #26287. Best, Antoine Le mar. 18 oct. 2022 =C3=A0 03:00, Anthony Towns a =C3= =A9crit : > On Mon, Oct 17, 2022 at 05:41:48PM -0400, Antoine Riard via bitcoin-dev > wrote: > > > 1) Continue supporting and encouraging accepting unconfirmed > "on-chain" > > > payments indefinitely > > > 2) Draw a line in the sand now, but give people who are currently > > > accepting unconfirmed txs time to update their software and > business > > > model > > > 3) Encourage mainnet miners and relay nodes to support unconditional > > > RBF immediately, no matter how much that increases the risk to > > > existing businesses that are still accepting unconfirmed txs > > To give more context, the initial approach of enabling full RBF through > > #25353 + #25600 wasn't making the assumption the enablement itself woul= d > > reach agreement of the economic majority or unanimity. > > Full RBF doesn't need a majority or unanimity to have an impact; it needs > adoption by perhaps 10% of hashrate (so a low fee tx at the bottom of > a 10MvB mempool can be replaced before being mined naturally), and some > way of finding a working path to relay txs to that hashrate. > > Having a majority of nodes/hashrate support it makes the upsides better, > but doesn't change the downsides to the people who are relying on it > not being available. > > > Without denying that such equilibrium would be unstable, it was designe= d > to > > remove the responsibility of the Core project itself to "draw a hard > line" > > on the subject. > > Removing responsibility from core developers seems like it's very much > optimising for the wrong thing to me. > > I mean, I guess I can understand wanting to reduce that responsibility > for maintainers of the github repo, even if for no other reason than to > avoid frivolous lawsuits, but where do you expect people to find better > advice about what things are a good/bad idea if core devs as a whole > are avoiding that responsibility? > > Core devs are supposedly top technical experts at bitcoin -- which means > they're the ones that should have the best understanding of all the > implications of policy changes like this. Is opt-in RBF only fine? If > you look at the network today, it sure seems like it; it takes a pretty > good technical understanding to figure out what problems it has, and > an even better one to figure out whether those problems can be solved > while keeping an opt-in RBF regime, or if full RBF is needed. > > At that point, the technical experts *should* be coming up with a > specific recommendation, and, personally, I think that's exactly what > happened with [0] [1] and [2]. > > [0] > https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033= .html > [1] https://github.com/bitcoin/bitcoin/pull/25353 > [2] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020557.= html > > That did draw hard line in the sand: it said "hey, opt-in RBF had a good > run, but it's time to switch over to full RBF, for these reasons". > > It's a bit disappointing that the people that's a problem for didn't > engage earlier -- though looking back, I guess there wasn't all that > much effort made to reach out, either. There were two mentions in the > optech newsletter [3] [4] but it wasn't called out as an "action item" > (maybe those aren't a thing anymore), so it may have been pretty missable= , > especially given RBF has been discussed on and off for so long. And the > impression I got from the PR review club discussion more seemed like > devs making assumptions about businesses rather than having talked to > them (eg "[I] think there are fewer and fewer businesses who absolutely > cannot survive without relying on zeroconf. Or at least hope so"). > > [3] https://bitcoinops.org/en/newsletters/2022/06/22/ > [4] https://bitcoinops.org/en/newsletters/2022/07/13/ > > If we're happy to not get feedback until we start doing rcs, that's fine; > but if we want to say "oops, we're into release candidates, you should > have something earlier, it's too late now", that's a pretty closed-off > way of doing things. > > And I mean: all this is only about drawing a line in *sand*; if people > think core devs are wrong, they can still let that line blow away in > the wind, by running different software, configuring core differently, > patching core, or whatever else. > > > Moreover, relying on node operators turning on the setting > > provides a smoother approach offering time to zero-conf services to rea= ct > > in consequence. > > I don't think that's remotely true: take a look at taproot activation: > it took two months between releasing code that supported signalling and > having 98% of hashrate signalling; with 40% of blocks signalling within > the first two weeks. > > > So the current path definitely belongs more to a 3) approach. > > > > 3) Encourage mainnet miners and relay nodes to support unconditional > > > RBF immediately, no matter how much that increases the risk to > > > existing businesses that are still accepting unconfirmed txs > > Yes, that's how it appears to me, too. It's not my preference (giving > people clear warning of changes seems much better to me), but I can > certainly live with it. > > But if the line in the sand is "we're doing this, no matter how much that > increases the risk to existing businesses that weren't expecting it" then > it seems *very* disingenuous not to make those risks very clear so that > people who weren't expecting it actually take action to avoid those risks= . > > That is, it seems to me that Dario was exactly right in titling this > thread "Zero-conf apps in immediate danger", and our co-developers who > are dismissing the risk by saying things along the lines of "probably > nothing will change anytime soon" are exactly wrong. > > (More generally, that's similar to one of the things I've hated > watching in mainstream economics over the past few years: "doing this > will cause massive inflation" "no it won't, there's no inflation risk" > "oops, inflation magically appeared, how did that happen? oh well, too > bad, we have to live with it now". This looks pretty similar to me: "do > something risky, deny the risk, make sure nobody can hold us accountable > when the risk eventuates later" so it makes me really uncomfortable) > > > While this > > way cannot be denied to be a zero-risk deployment for business acceptin= g > > unconfirmed transactions, it should be weighed in face of multi-party > > contracting protocols encumbering an annoying pinning vector. > > Sure; that's a fine reason to draw the line in the sand. But it's not > a good reason to have it happen immediately, rather than giving people > time to react, and it's not a good reason to understate the risk of > it happening now. Maybe there are good reasons for either or both of > those, though? > > > Since Dario's mail, I think we have learnt new data points, a) on the > long > > term full RBF to align miner incentives is acknowledged and b) a clear > > timeline based on e.g a block height is favored over the pollination > > deployment. > > Using the passive voice there doesn't seem helpful. Who learnt these > things? You, I and Dario all seem to agree with (a), but John Carvalho > certainly appears not to, for instance. I'm not sure who agrees with > (b) -- I know I do, and I think Dario does; but multiple people seem > opposed to the clear timeline offered in #26323, and your #26305 seems > more likely to encourage a "pollination" approach rather than discourage > it ("oh, this will be the default option for 25.0, might as well enable > it now like all the cool kids are"). > > For what it's worth, my guess is that releasing core with full rbf > support and having you and Murch and others advocating for people to > try it out, will mean that full RBF is usable on mainnet within two > or three months, supported by perhaps 5%-20% hashpower, but probably > still requiring special effort to actually find a peer that can relay > full rbf txs to that hashpower (probably doing an addnode, despite the > privacy implications). Even if that happens, I'm not super confident > that it would mean people would actively steal from zeroconf businesses > in any volume, though. It's not something I'd risk happening to me, > but accepting zeroconf from strangers isn't something I'd risk anyway. > > Slowing that down from January-ish to May seems like it ought to be a > big win for anyone who has been doing zeroconf, and having it be easy > to find a path to miners when it is supported seems like a big win even > given a cost of a few months delay. > > OTOH, if we're really not expecting full rbf to be available for many > months, then I would have expected the "disable this for mainnet, > reconsider after the release" PR (#26287) to have gone ahead already. > > > Tie-breaking between > > both, I believe I would favor something like #26323 though only post 24= .0 > > to avoid introducing a bikeshedding precedent in terms of release > process, > > Doing something like #26323 only after 24.0 is out does nothing to > mitigate whatever immediate risk there is to bitcoin businesses/users... > > And if the choice is between "bikeshedding" and "merge a PR, then ignore > feedback that it's harmful", I'd much rather the bikeshedding. What's > the point of having rcs if you're going to ignore negative feedback? > > I mean, if you think the feedback is wrong, that's different: maybe we > shouldn't care that zeroconf apps are in immediate danger, and maybe > bitcoin would be better if any that don't adapt immediately all die > horribly as a lesson to others not to make similarly bad assumptions. > > But saying "we don't want them to be in danger" and also refusing to do > anything to avoid it? > > Cheers, > aj > > --0000000000008c99df05eb5a6cd9 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> Full RBF doesn't need a majority or unanimity to = have an impact; it needs
> adoption by perhaps 10% of hashrate (so a = low fee tx at the bottom of
> a 10MvB mempool can be replaced before = being mined naturally), and some
> way of finding a working path to r= elay txs to that hashrate.

Yes, this has been the crux of the concep= tual discussion in #25600.

> I mean, I guess I can understand wan= ting to reduce that responsibility
> for maintainers of the github re= po, even if for no other reason than to
> avoid frivolous lawsuits, b= ut where do you expect people to find better
> advice about what thin= gs are a good/bad idea if core devs as a whole
> are avoiding that re= sponsibility?
>
> Core devs are supposedly top technical exper= ts at bitcoin -- which means
> they're the ones that should have = the best understanding of all the
> implications of policy changes li= ke this. Is opt-in RBF only fine? If
> you look at the network today,= it sure seems like it; it takes a pretty
> good technical understand= ing to figure out what problems it has, and
> an even better one to f= igure out whether those problems can be solved
> while keeping an opt= -in RBF regime, or if full RBF is needed.

In the present case, I don= 't think there is a real concern of a frivolous or half-baked lawsuit. = My concern is rather the pretension to omniscience that we would adopt as C= ore devs w.r.t policy changes, as far from being a more closed, hermetic sy= stem like the p2p stack, it's interfacing with the operations of a numb= er of Bitcoin applications and second-layer contracting protocols. As of to= day, I think this is still a relatively short process to analyze the implic= ations of any policy changes on the major Bitcoin applications
flows and= L2s of the day (i.e mainly Lightning and coinjoins). I'm not sure this= statement will stay true in a future with a growing fauna of L2s (i.e vaul= ts, DLC-over-channel, peerswaps, etc), each presenting unique characteristi= cs.

How do we minimize the odds of policy-based disruptions for curr= ent Bitcoin softwares and users ? I don't have strong ideas, though I w= ish for the Core project to adopt a more open-ended and smooth approach to = release context-rich policy changes. I aimed with #25353 and #25600 to expe= riment with such a smoother approach advocated for (rather than the last ye= ar proposal of turning on by default full-rbf, that was a wrong and missing= context). I hope at least one good outcome of this gradual process has bee= n to give time to Dario to publish a thoughtful standpoint for 0conf operat= ors, of which at least I learnt a few interesting elements on the UX of suc= h applications.

> It's a bit disappointing that the people th= at's a problem for didn't
> engage earlier -- though looking = back, I guess there wasn't all that
> much effort made to reach o= ut, either. There were two mentions in the
> optech newsletter [3] [4= ] but it wasn't called out as an "action item"
> (maybe= those aren't a thing anymore), so it may have been pretty missable,> especially given RBF has been discussed on and off for so long. And t= he
> impression I got from the PR review club discussion more seemed = like
> devs making assumptions about businesses rather than having ta= lked to
> them (eg "[I] think there are fewer and fewer business= es who absolutely
> cannot survive without relying on zeroconf. Or at= least hope so").

Yeah, I'm still valuing the mailing list = as a kind of "broadcast-all" communication channel towards all th= e community stakeholders, though this is the perspective of a developer and= I'm not sure business/services operators have the same communication h= abits. There is definitely a reflection to hold, if we, as Core devs, we sh= ould follow a better communication standard when we propose significant pol= icy changes. And go the full-tour of Reddit AMA, podcasts and newsletters a= s suggested in my reply to Dario. It's hard to know if lack of vocal re= actions on the mailing list or to the publication of optech newsletter sign= ifies a lack of opposition, a lack of negatively impacted users or lack of = interest from the wider community. Maybe we should have a formalized, bulle= tpoints -based for future policy changes, with clear time buffers and actio= ns items, I don't know.

> If we're happy to not get feedb= ack until we start doing rcs, that's fine;
> but if we want to sa= y "oops, we're into release candidates, you should
> have so= mething earlier, it's too late now", that's a pretty closed-of= f
> way of doing things.
>
> And I mean: all this is onl= y about drawing a line in *sand*; if people
> think core devs are wro= ng, they can still let that line blow away in
> the wind, by running = different software, configuring core differently,
> patching core, or= whatever else.

In the present case, it's more a lack of feedbac= k showing up until we start doing rcs, rather than a pretty closed-off way = of doing things. That we should amend expected and already-merged changes i= n the function of feedback, I'm all for it in principle. The hard quest= ion is the set of decision heuristics to converge on to qualify such feedba= ck as worthy to react on. Again in this case, we're doing some risk arb= itrage (which I really dislike as a situation) between 0conf applications a= nd multi-party funding flows of contracting protocols. Correcting our relea= se process isn't free of implications as we're removing the risk bu= rden on some class of use-case to pour it on a second class, in my opinion.= Moreover, assuming we have to bind to reasonable communication standards w= hich is an open question, I'm also worried we would also normalize the = publication of very late feedback from community stakeholders.

> = I don't think that's remotely true: take a look at taproot activati= on:
> it took two months between releasing code that supported signal= ling and
> having 98% of hashrate signalling; with 40% of blocks sign= alling within
> the first two weeks.

First, without more visib= ility brought back on the 0confs operations necessary to adapt their operat= ions, two months might be considered as enough. 8 weeks is sensibly the rel= ease schedule followed by few open-source projects in the ecosystem. Second= , the communication machine behind softforks activation sounds to be far mo= re fine-tuned, or at least gather spontaneously community self-coordination= than policy changes, and it would be reasonable to expect things to be slo= wer with policy changes. However, I would agree you can have a quick adopti= on a day from another with one single well-crafted meme buzzing on Twitter.= Social phenomenas don't offer the same degree of predictability than s= ystem engineering. How we cope up with that, as core devs, I don't know= .

> But if the line in the sand is "we're doing this, no= matter how much that
> increases the risk to existing businesses tha= t weren't expecting it" then
> it seems *very* disingenuous = not to make those risks very clear so that
> people who weren't e= xpecting it actually take action to avoid those risks.

I'm not s= ure if it has been established clearly, though as I announced on IRC two we= eks ago, Dario reached out to me offline before publishing his mail. My rec= ommendation to him have been immediately to adjoin 0confs services examples= impacted, if possible with numbers on users affected and evaluation of eng= ineering and operational effort if would request to adapt their use-cases, = and inviting to publish on this venue, as business operators might not be u= sed to with open-source process (I can disclose the correspondence if reque= sted and with Dario approval).

Goal was to collect the maximum of da= ta points in our community decision-making process about full-rbf. Now this= doesn't relieve us of finding a common ground on what should be a mini= mal bar to accept those points, how to value those data
points, if we sh= ould take operators on their raw numbers or request the publication of &quo= t;light" proofs like on-chain transactions, lightning invoices (everyo= ne in business would take the happy measure showing the most active users p= ossible). The question of what signals we should collect, and how we proces= s them is a hard question in a decentralized and trust-minimized process li= ke the Bitcoin development one, from my perspective. I don't have stron= g ideas there.

Though speaking for myself, and not for other contrib= utors, I've raised the warnings about potential impacts of full-rbfs in= both my June 2021 [0] and June 2022 [1] mails, so I find the qualification= of disingenuous is a bit=C2=A0 ungrounded. Overall, I would remind all tha= t it's better to keep patience in face of complex changes in Core, rath= er than to fall quickly in a blame ascription position.

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-June/0= 19074.html
[1] https://lists.linuxfoundation.org/pipe= rmail/bitcoin-dev/2022-June/020557.html

(I don't deny "= blame-and-reward" assignments can be worthy a posteriori, once we'= re out of the "hot" discussion phase, especially to introspect on= how we can improve our engineering process, though in the middle of a disc= ussion... I don't know, it sounds premature and noisy).

> (Mo= re generally, that's similar to one of the things I've hated
>= ; watching in mainstream economics over the past few years: "doing thi= s
> will cause massive inflation" "no it won't, there&#= 39;s no inflation risk"
> "oops, inflation magically appear= ed, how did that happen? oh well, too
> bad, we have to live with it = now". This looks pretty similar to me: "do
> something risk= y, deny the risk, make sure nobody can hold us accountable
> when the= risk eventuates later" so it makes me really uncomfortable)

I = can share the sentiment about mainstream economics and the way risk-managem= ent impacts large-range of human beings is completely shrug on... Though ag= ain in the present case, I think it would be more productive to describe wh= at engineering
needs or standards expectations of you are not fulfilled = rather than to fallback on the pure expression of an uncomfortableness and = how as a community of contributors we could improve on that. Though to obje= ct, speaking of risk appreciation, not hardening the funding phase of multi= -party funding protocols also lets the door open to DoS attacks by deanonym= izing attackers targeting things like coinjoin.

> Sure; that'= s a fine reason to draw the line in the sand. But it's not
> a go= od reason to have it happen immediately, rather than giving people
> = time to react, and it's not a good reason to understate the risk of
= > it happening now. Maybe there are good reasons for either or both of> those, though?

I agree. I would like to observe that "re= asonable time to react" and "adequate risk statement" is mor= e an art than a science.

> Using the passive voice there doesn= 9;t seem helpful. Who learnt these
> things? You, I and Dario all see= m to agree with (a), but John Carvalho
> certainly appears not to, fo= r instance. I'm not sure who agrees with
> (b) -- I know I do, an= d I think Dario does; but multiple people seem
> opposed to the clear= timeline offered in #26323, and your #26305 seems
> more likely to e= ncourage a "pollination" approach rather than discourage
> = it ("oh, this will be the default option for 25.0, might as well enabl= e
> it now like all the cool kids are").

About John Carva= lho disagreeing about full-rbf, I think he voiced a concern during the summ= er on one of the PR introducing a full-rbf setting and I did invite to voic= e his concerns on the ML, invitation stayed without follow-up until the rec= ent days [2] [3]. I would have loved to spend time back then=C2=A0 arguing = on the full-rbf and miners incentives compatibility.

[2] http= s://github.com/bitcoin/bitcoin/pull/25373#issuecomment-1163422654
[3= ] https://github.com/bitcoin/bitcoin/pull/25373#issuecomment-1163815= 017

I know we all have busy agendas and a short timeline to reac= t to all the changes happening in the Bitcoin ecosystem... I think I replie= d to John Carvalho answer on this thread, inviting him to develop his argum= entation further and I'm staying available to discuss with any full-rbf= opponents, in a calm and respectful fashion [4].

[4] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/02= 1027.html

> For what it's worth, my guess is that releasi= ng core with full rbf
> support and having you and Murch and others a= dvocating for people to
> try it out, will mean that full RBF is usab= le on mainnet within two
> or three months, supported by perhaps 5%-2= 0% hashpower, but probably
> still requiring special effort to actual= ly find a peer that can relay
> full rbf txs to that hashpower (proba= bly doing an addnode, despite the
> privacy implications). Even if th= at happens, I'm not super confident
> that it would mean people w= ould actively steal from zeroconf businesses
> in any volume, though.= It's not something I'd risk happening to me,
> but accepting= zeroconf from strangers isn't something I'd risk anyway.

Ye= ah I mean this could have been a forward process before Dario published his= thoughts. Achieving 5%-20% hashpower and full-rbf relay paths would have a= ssumed landing #25600 _and_ actually reach out to few mining pools to infor= m them about the potential economic benefits. Now, I think the best process= is to keep listening to more feedback from the community, lay out all the = deployment options in code we have done and think more before committing to= something.

> And if the choice is between "bikeshedding&quo= t; and "merge a PR, then ignore
> feedback that it's harmful= ", I'd much rather the bikeshedding. What's
> the point = of having rcs if you're going to ignore negative feedback?

I thi= nk this might be the point where I could say we're diverging. In princi= ple, I agree we should listen to negative feedback raising harmful disrupti= ons risks for users and services. The more open, practical question to me i= s more how we collect, qualify and sanitize such negative feedback in a way= which is acceptable for the community at large. Giving concrete bounds to = the immediate dangers in a consensual way, and asserting this danger result= s from a lack of communication of the Core project, I'm still wondering= on those subjects. And note again, I didn't deny the option 3) approac= h as you laid out was zero-risk for 0conf operators.

All that said, = if we think as a project we should offer a "zero-risk" process to= wards 0conf operators w.r.t full-rbf, at the detriment of the risk encumber= ed by contracting protocols, I think it can be wise to resurrect #26287.
Best,
Antoine

Le=C2=A0mar. 18 oct. 2022 =C3=A0=C2=A003:00, Antho= ny Towns <aj@erisian.com.au>= a =C3=A9crit=C2=A0:
On Mon, Oct 17, 2022 at 05:41:48PM -0400, Antoine Riard via bitcoin-de= v wrote:
> >=C2=A0 1) Continue supporting and encouraging accepting unconfirme= d "on-chain"
> >=C2=A0 =C2=A0 =C2=A0payments indefinitely
> >=C2=A0 2) Draw a line in the sand now, but give people who are cur= rently
> >=C2=A0 =C2=A0 =C2=A0accepting unconfirmed txs time to update their= software and business
> >=C2=A0 =C2=A0 =C2=A0model
> >=C2=A0 3) Encourage mainnet miners and relay nodes to support unco= nditional
> >=C2=A0 =C2=A0 =C2=A0RBF immediately, no matter how much that incre= ases the risk to
> >=C2=A0 =C2=A0 =C2=A0existing businesses that are still accepting u= nconfirmed txs
> To give more context, the initial approach of enabling full RBF throug= h
> #25353 + #25600 wasn't making the assumption the enablement itself= would
> reach agreement of the economic majority or unanimity.

Full RBF doesn't need a majority or unanimity to have an impact; it nee= ds
adoption by perhaps 10% of hashrate (so a low fee tx at the bottom of
a 10MvB mempool can be replaced before being mined naturally), and some
way of finding a working path to relay txs to that hashrate.

Having a majority of nodes/hashrate support it makes the upsides better, but doesn't change the downsides to the people who are relying on it not being available.

> Without denying that such equilibrium would be unstable, it was design= ed to
> remove the responsibility of the Core project itself to "draw a h= ard line"
> on the subject.

Removing responsibility from core developers seems like it's very much<= br> optimising for the wrong thing to me.

I mean, I guess I can understand wanting to reduce that responsibility
for maintainers of the github repo, even if for no other reason than to
avoid frivolous lawsuits, but where do you expect people to find better
advice about what things are a good/bad idea if core devs as a whole
are avoiding that responsibility?

Core devs are supposedly top technical experts at bitcoin -- which means they're the ones that should have the best understanding of all the
implications of policy changes like this. Is opt-in RBF only fine? If
you look at the network today, it sure seems like it; it takes a pretty
good technical understanding to figure out what problems it has, and
an even better one to figure out whether those problems can be solved
while keeping an opt-in RBF regime, or if full RBF is needed.

At that point, the technical experts *should* be coming up with a
specific recommendation, and, personally, I think that's exactly what happened with [0] [1] and [2].

[0] https://lists.linu= xfoundation.org/pipermail/lightning-dev/2021-May/003033.html
[1] https://github.com/bitcoin/bitcoin/pull/25353 [2] https://lists.linux= foundation.org/pipermail/bitcoin-dev/2022-June/020557.html

That did draw hard line in the sand: it said "hey, opt-in RBF had a go= od
run, but it's time to switch over to full RBF, for these reasons".=

It's a bit disappointing that the people that's a problem for didn&= #39;t
engage earlier -- though looking back, I guess there wasn't all that much effort made to reach out, either. There were two mentions in the
optech newsletter [3] [4] but it wasn't called out as an "action i= tem"
(maybe those aren't a thing anymore), so it may have been pretty missab= le,
especially given RBF has been discussed on and off for so long. And the
impression I got from the PR review club discussion more seemed like
devs making assumptions about businesses rather than having talked to
them (eg "[I] think there are fewer and fewer businesses who absolutel= y
cannot survive without relying on zeroconf. Or at least hope so").

[3] https://bitcoinops.org/en/newsletters/2022/06/2= 2/
[4] https://bitcoinops.org/en/newsletters/2022/07/1= 3/

If we're happy to not get feedback until we start doing rcs, that's= fine;
but if we want to say "oops, we're into release candidates, you sh= ould
have something earlier, it's too late now", that's a pretty cl= osed-off
way of doing things.

And I mean: all this is only about drawing a line in *sand*; if people
think core devs are wrong, they can still let that line blow away in
the wind, by running different software, configuring core differently,
patching core, or whatever else.

> Moreover, relying on node operators turning on the setting
> provides a smoother approach offering time to zero-conf services to re= act
> in consequence.

I don't think that's remotely true: take a look at taproot activati= on:
it took two months between releasing code that supported signalling and
having 98% of hashrate signalling; with 40% of blocks signalling within
the first two weeks.

> So the current path definitely belongs more to a 3) approach.

> >=C2=A0 3) Encourage mainnet miners and relay nodes to support unco= nditional
> >=C2=A0 =C2=A0 =C2=A0RBF immediately, no matter how much that incre= ases the risk to
> >=C2=A0 =C2=A0 =C2=A0existing businesses that are still accepting u= nconfirmed txs

Yes, that's how it appears to me, too. It's not my preference (givi= ng
people clear warning of changes seems much better to me), but I can
certainly live with it.

But if the line in the sand is "we're doing this, no matter how mu= ch that
increases the risk to existing businesses that weren't expecting it&quo= t; then
it seems *very* disingenuous not to make those risks very clear so that
people who weren't expecting it actually take action to avoid those ris= ks.

That is, it seems to me that Dario was exactly right in titling this
thread "Zero-conf apps in immediate danger", and our co-developer= s who
are dismissing the risk by saying things along the lines of "probably<= br> nothing will change anytime soon" are exactly wrong.

(More generally, that's similar to one of the things I've hated
watching in mainstream economics over the past few years: "doing this<= br> will cause massive inflation" "no it won't, there's no in= flation risk"
"oops, inflation magically appeared, how did that happen? oh well, too=
bad, we have to live with it now". This looks pretty similar to me: &q= uot;do
something risky, deny the risk, make sure nobody can hold us accountable when the risk eventuates later" so it makes me really uncomfortable)
> While this
> way cannot be denied to be a zero-risk deployment for business accepti= ng
> unconfirmed transactions, it should be weighed in face of multi-party<= br> > contracting protocols encumbering an annoying pinning vector.

Sure; that's a fine reason to draw the line in the sand. But it's n= ot
a good reason to have it happen immediately, rather than giving people
time to react, and it's not a good reason to understate the risk of
it happening now. Maybe there are good reasons for either or both of
those, though?

> Since Dario's mail, I think we have learnt new data points, a) on = the long
> term full RBF to align miner incentives is acknowledged and b) a clear=
> timeline based on e.g a block height is favored over the pollination > deployment.

Using the passive voice there doesn't seem helpful. Who learnt these things? You, I and Dario all seem to agree with (a), but John Carvalho
certainly appears not to, for instance. I'm not sure who agrees with (b) -- I know I do, and I think Dario does; but multiple people seem
opposed to the clear timeline offered in #26323, and your #26305 seems
more likely to encourage a "pollination" approach rather than dis= courage
it ("oh, this will be the default option for 25.0, might as well enabl= e
it now like all the cool kids are").

For what it's worth, my guess is that releasing core with full rbf
support and having you and Murch and others advocating for people to
try it out, will mean that full RBF is usable on mainnet within two
or three months, supported by perhaps 5%-20% hashpower, but probably
still requiring special effort to actually find a peer that can relay
full rbf txs to that hashpower (probably doing an addnode, despite the
privacy implications). Even if that happens, I'm not super confident that it would mean people would actively steal from zeroconf businesses
in any volume, though. It's not something I'd risk happening to me,=
but accepting zeroconf from strangers isn't something I'd risk anyw= ay.

Slowing that down from January-ish to May seems like it ought to be a
big win for anyone who has been doing zeroconf, and having it be easy
to find a path to miners when it is supported seems like a big win even
given a cost of a few months delay.

OTOH, if we're really not expecting full rbf to be available for many months, then I would have expected the "disable this for mainnet,
reconsider after the release" PR (#26287) to have gone ahead already.<= br>
> Tie-breaking between
> both, I believe I would favor something like #26323 though only post 2= 4.0
> to avoid introducing a bikeshedding precedent in terms of release proc= ess,

Doing something like #26323 only after 24.0 is out does nothing to
mitigate whatever immediate risk there is to bitcoin businesses/users...
And if the choice is between "bikeshedding" and "merge a PR,= then ignore
feedback that it's harmful", I'd much rather the bikeshedding.= What's
the point of having rcs if you're going to ignore negative feedback?
I mean, if you think the feedback is wrong, that's different: maybe we<= br> shouldn't care that zeroconf apps are in immediate danger, and maybe bitcoin would be better if any that don't adapt immediately all die
horribly as a lesson to others not to make similarly bad assumptions.

But saying "we don't want them to be in danger" and also refu= sing to do
anything to avoid it?

Cheers,
aj

--0000000000008c99df05eb5a6cd9--