1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
Return-Path: <aj@erisian.com.au>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 72CBEC0001
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 6 Mar 2021 11:33:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 60E6047036
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 6 Mar 2021 11:33:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5
tests=[UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id H6aAPVoI8TG5
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 6 Mar 2021 11:33:37 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226])
by smtp4.osuosl.org (Postfix) with ESMTPS id E5C6046CA8
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 6 Mar 2021 11:33:36 +0000 (UTC)
Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au)
by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian))
id 1lIVBb-0008QY-Mp; Sat, 06 Mar 2021 21:33:33 +1000
Received: by sapphire.erisian.com.au (sSMTP sendmail emulation);
Sat, 06 Mar 2021 21:33:26 +1000
Date: Sat, 6 Mar 2021 21:33:26 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Matt Corallo <lf-lists@mattcorallo.com>
Message-ID: <20210306113326.mrftlkmmloy2dsag@erisian.com.au>
References: <c35e1761-43ca-e157-6a5c-72d27f2c6c6e@mattcorallo.com>
<20210303145902.cl4mzg6l7avjboil@erisian.com.au>
<281679eb-860b-c6cb-7e7a-5ae28b60f149@mattcorallo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <281679eb-860b-c6cb-7e7a-5ae28b60f149@mattcorallo.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Score-int: -18
X-Spam-Bar: -
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Straight Flag Day (Height) Taproot Activation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Mar 2021 11:33:38 -0000
On Wed, Mar 03, 2021 at 11:49:57AM -0500, Matt Corallo wrote:
> On 3/3/21 09:59, Anthony Towns wrote:
> > A couple of days ago I would have disagreed with this; but with Luke
> > now strongly pushing against implementing lot=false, I can at least see
> > your point...
> Right. It may be the case that the minority group threatening to fork off
> onto a lot=true chain is not large enough to give a second thought to.
> However, I'm not certain that its worth the risk, and, as Chris noted in his
> post this morning, that approach is likely to include more drama.
I think there's two different interpretations of what a "user-activated
fork" means:
1) if people try to take bitcoin in a direction that risks destroying
it, it's possible to ignore both devs and hashpower entirely and force
a chain split to ensure it's possible to continue transacting with
"the real bitcoin".
2) removing miners' influence over consensus rules entirely -- so that
not only can users overcome miner objections by risking a chain split,
but so that miners don't have any greater ability to object than
anyone else in the ecosystem.
In my opinion, bip8's optional lockinontimeout setting and must-signal
approach is well-designed for case 1; if miners object for good reasons,
then there is no need to override them (if there's a good reason not to do
something, it shouldn't be done!), while still having the possibility to
override them if they object for bad reasons. Because hashpower disagrees,
there's always a risk of a chain split in that case, so the additional
risk introduced by a signalling requirement is pretty minimal. That the
lockinontimeout value is a setting means it can be switched only when
we're sure there aren't good reasons for the objection.
There is a lot of work to be done to make bitcoind have an acceptable
chance of gracefully *surviving* a network split introduced by this sort
of conflict; but provided no one started setting lockinontimeout=true
until we were six or so months into an activation attempt (and hence
had the opportunity to judge whether the reasons for not activating
were bad), that would likely be enough time to start implementing some
safety mechanisms.
But there seems to be much more signficant support for the case 2 than I
expected; as evidenced by the "let's do lockinontimeout=true immediately"
advocacy, eg:
I am not willing to go to war for Taproot. I'll be honest the reason
I'm interested at all is that devs I respect spent a lot of energy and
time on it and I was reluctant to let their marginally beneficial work
go to waste.
I am, however, willing to go to war against LOT=False.
-- https://twitter.com/francispouliot_/status/1363876292169465856
I don't think bip8 is well-designed for that approach: most importantly,
with early adoption of lockinontimeout=true, bip8 *encourages* a consensus
split in the event that good reasons for not activating are discovered
afterwards, because lockinontimeout=false nodes remain able to abandon
the activation attempt. Consensus splits are terrible; they should be
a last resort used only in the event that bitcoin's fundamental nature
is threatened, not a standard risk if bugs happened to be discovered
late. But additionally, if we are worried miners might not be acting
in the interests of all bitcoin users, there are other games they could
play, such as "if you want X activated quickly, also give us Y; otherwise
we'll delay it as long as possible".
Losing the opportunity to abandon an activation attempt, by whatever
mechanism, also puts a lot more pressure on being absolutely sure of the
desirability of the change at the point when it's merged; because miners,
third-party devs, businesses, and users don't even have the option of
attempting to influence miners, all objections needs to be raised when
the activation parameters are merged, which raises the stakes for that
event substantially.
I think my conclusions from that are:
* as it stands, people are expecting to run bip8/lot=true nodes on the
network immediately; so deploying bip8/lot=false with compatible
parameters risks causing consensus splits, and should not be done
* David Harding's "speedy trial" approach probably doesn't suffer from
the problems -- running a lot=true variant would require enforcing
signalling prior to the end of July, which is an unreasonable timeframe
to expect the majority of economic nodes to upgrade in; if bip9 is
used, then the risk of enforcement occuring with minority hashrate
(and thus having fewer retarget periods before the timeout is
reached) would also make a bip148/lot=true variant difficulty
* if people want a "taproot is guaranteed to activate no later than X"
PR merged, someone needs to do a *lot* more outreach to be sure that
that's the right outcome, and it's not just devs/maintainers making
the call
* IMO, Matt's proposed approach is both a better and simpler approach
to avoid giving miners undue influence on consensus; as such I've
drafted up a sample implementation:
https://github.com/bitcoin/bitcoin/pull/21378
(Backporting it to 0.21 just requires backporting #19438, which is
straightforward)
So I think that means my preference is to do the "speedy trial" with
signalling first, and if that fails, then either we've established there
are real problems with taproot and will go back to the drawing board to
fix them, or if we have not found problems by that time we should simply
switch to a straight flag day activation as Matt proposes. Presumably
we'll have established broard community consensus for activation if no
objections are discovered during the speedy trial.
Cheers,
aj
|
