summaryrefslogtreecommitdiff
path: root/2d/0bf0a44bf0c62e521ce500b155b2fd9b5f5883
blob: 46667376fe6927b1244c081b17580fc742d26851 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
Return-Path: <jaredr26@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id E4A32BDE
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Jun 2017 21:50:20 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ua0-f180.google.com (mail-ua0-f180.google.com
	[209.85.217.180])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D952716C
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  7 Jun 2017 21:50:19 +0000 (UTC)
Received: by mail-ua0-f180.google.com with SMTP id q15so12088207uaa.2
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 07 Jun 2017 14:50:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=3QC8Yad2NXx2AU57GOtYBNVZztEFq2ZT7qHlxdmNcpY=;
	b=qwZ81ykIgvdESU3AFsioy23TjC4n76/aSvgIOPk05Vy6NPfh3wUawppSLW022u6FzM
	ALMX0dlQALrRuPKFUd+Ky97NhXm1X2NH9jTipemcPq79Z57LMT+hdquLAkjQmqL0lcJv
	sO54aRh42duJqtHg9UTpI455GWaP45IepsOKBU/ZhUQvwlrehNWX3nx0EB38WftsvZpT
	RteCkUhQk6hHK7HQWEmW1iUbB3wVusDfTSd1HlFgaYzgAijop1aSOgiuz2+lkuN/q/qk
	n3ab1jTFjdOpFU7IteGR81KVhdoijaaixXduX6VucB9uBBObAPB3FbS0BNCcyE8gA+n/
	XIlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=3QC8Yad2NXx2AU57GOtYBNVZztEFq2ZT7qHlxdmNcpY=;
	b=MF0zh0IuzuW3jqLBXoqxT/LM8FcDissyzj6MT86B9G8DAj26GEcyl5I+PVv1khzAFW
	/rvveth/rPIaIRaYQFX0D1wZCYABVSxsRWoqe3pZU9qzWXOeGI2N1ObFPtbZeVu7BVym
	Z0RUa4DOWzF7Ca4RFAq1J+Rb45DNknbKuVMlGzV+UxmlDBfhGiXbeZPZWDaUi/Sjjty0
	F0gaMdVukVTn9Bn3Btv+t4UF5PpXrBIYBbJvnaB6BYzxxwonUjwfF80ir1ysRWU7r1dk
	Knib7upAeAFStCds8sk3K7t95JsBd/ra7iophk44KTXgCGVAbHl9je9aS8ET/VLxSpq1
	iLww==
X-Gm-Message-State: AODbwcCx8hfOCRSsf+jVepCjg+sLjqt1FyItxXHDKPunGjh4vQRJIDP4
	VHaIXAfPQcDP7QvXdbdhkABVQ1jQUQ==
X-Received: by 10.159.60.82 with SMTP id w18mr16770063uah.19.1496872218833;
	Wed, 07 Jun 2017 14:50:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.157.215 with HTTP; Wed, 7 Jun 2017 14:50:18 -0700 (PDT)
In-Reply-To: <CADvTj4rz4exYMvBEmYi=bTZDgDm0drLjpRZmZUo17inzCzCRVg@mail.gmail.com>
References: <CADvTj4qpH-t5Gx6qyn3yToyUE_GFaBE989=AWNHLKMpMNW3R+w@mail.gmail.com>
	<CAD1TkXviJouao7YoHjiDN3mTUWFEbMY9mtCqkQ8zp8JthyhT7Q@mail.gmail.com>
	<CADvTj4rz4exYMvBEmYi=bTZDgDm0drLjpRZmZUo17inzCzCRVg@mail.gmail.com>
From: Jared Lee Richardson <jaredr26@gmail.com>
Date: Wed, 7 Jun 2017 14:50:18 -0700
Message-ID: <CAD1TkXskei1gk_kungSvdWGmbdJMA8AG+-zK+Osz6u5vSCN8BQ@mail.gmail.com>
To: James Hilliard <james.hilliard1@gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 07 Jun 2017 21:56:06 +0000
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] User Activated Soft Fork Split Protection
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 21:50:21 -0000

Could this risk mitigation measure be an optional flag?  And if so,
could it+BIP91 signal on a different bit than bit4?

The reason being, if for some reason the segwit2x activation cannot
take place in time, it would be preferable for miners to have a more
standard approach to activation that requires stronger consensus and
may be more forgiving than BIP148.  If the segwit2x activation is on
time to cooperate with BIP148, it could be signaled through the
non-bit4 approach and everything could go smoothly.  Thoughts on that
idea?  It may add more complexity and more developer time, but may
also address your concerns among others.

> Since this BIP
> only activates with a clear miner majority it should not increase the
> risk of an extended chain split.

The concern I'm raising is more about the psychology of giving BIP148
a sense of safety that may not be valid.  Without several more steps,
BIP148 is definitely on track to be a risky chainsplit, and without
segwit2x it will almost certainly be a small minority chain. (Unless
the segwit2x compromise falls apart before then, and even in that case
it is likely to be a minority chain)

Jared


On Wed, Jun 7, 2017 at 2:42 PM, James Hilliard
<james.hilliard1@gmail.com> wrote:
> I don't really see how this would increase the likelihood of an
> extended chain split assuming BIP148 is going to have
> non-insignificant economic backing. This BIP is designed to provide a
> risk mitigation measure that miners can safely deploy. Since this BIP
> only activates with a clear miner majority it should not increase the
> risk of an extended chain split. At this point it is not completely
> clear how much economic support there is for BIP148 but support
> certainly seems to be growing and we have nearly 2 months until BIP148
> activation. I intentionally used a shorter activation period here so
> that decisions by miners can be made close to the BIP148 activation
> date.
>
> On Wed, Jun 7, 2017 at 4:29 PM, Jared Lee Richardson <jaredr26@gmail.com> wrote:
>> I think this BIP represents a gamble, and the gamble may not be a good
>> one.  The gamble here is that if the segwit2x changes are rolled out
>> on time, and if the signatories accept the bit4 + bit1 signaling
>> proposals within BIP91, the launch will go smoother, as intended.  But
>> conversely, if either the segwit2x signatories balk about the Bit1
>> signaling OR if the timelines for segwit2mb are missed even by a bit,
>> it may cause the BIP148 chainsplit to be worse than it would be
>> without.  Given the frequent concerns raised in multiple places about
>> the aggressiveness of the segwit2x timelines, including the
>> non-hardfork timelines, this does not seem like a great gamble to be
>> making.
>>
>> The reason I say it may make the chainsplit be worse than it would
>> otherwise be is that it may provide a false sense of safety for BIP148
>> that currently does not currently exist(and should not, as it is a
>> chainsplit).  That sense of safety would only be legitimate if the
>> segwit2x signatories were on board, and the segwit2x code effectively
>> enforced BIP148 simultaneously, neither of which are guaranteed.  If
>> users and more miners had a false sense that BIP148 was *not* going to
>> chainsplit from default / segwit2x, they might not follow the news if
>> suddenly the segwit2x plan were delayed for a few days.  While any
>> additional support would definitely be cheered on by BIP148
>> supporters, the practical reality might be that this proposal would
>> take BIP148 from the "unlikely to have any viable chain after flag day
>> without segwit2x" category into the "small but viable minority chain"
>> category, and even worse, it might strengthen the chainsplit just days
>> before segwit is activated on BOTH chains, putting the BIP148
>> supporters on the wrong pro-segwit, but still-viable chain.
>>
>> If Core had taken a strong stance to include BIP148 into the client,
>> and if BIP148 support were much much broader, I would feel differently
>> as the gamble would be more likely to discourage a chainsplit (By
>> forcing the acceleration of segwit2x) rather than encourage it (by
>> strengthening an extreme minority chainsplit that may wind up on the
>> wrong side of two segwit-activated chains).  As it stands now, this
>> seems like a very dangerous attempt to compromise with a small but
>> vocal group that are the ones creating the threat to begin with.
>>
>> Jared
>>
>> On Tue, Jun 6, 2017 at 5:56 PM, James Hilliard via bitcoin-dev
>> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>> Due to the proposed calendar(https://segwit2x.github.io/) for the
>>> SegWit2x agreement being too slow to activate SegWit mandatory
>>> signalling ahead of BIP148 using BIP91 I would like to propose another
>>> option that miners can use to prevent a chain split ahead of the Aug
>>> 1st BIP148 activation date.
>>>
>>> The splitprotection soft fork is essentially BIP91 but using BIP8
>>> instead of BIP9 with a lower activation threshold and immediate
>>> mandatory signalling lock-in. This allows for a majority of miners to
>>> activate mandatory SegWit signalling and prevent a potential chain
>>> split ahead of BIP148 activation.
>>>
>>> This BIP allows for miners to respond to market forces quickly ahead
>>> of BIP148 activation by signalling for splitprotection. Any miners
>>> already running BIP148 should be encouraged to use splitprotection.
>>>
>>> <pre>
>>>   BIP: splitprotection
>>>   Layer: Consensus (soft fork)
>>>   Title: User Activated Soft Fork Split Protection
>>>   Author: James Hilliard <james.hilliard1@gmail.com>
>>>   Comments-Summary: No comments yet.
>>>   Comments-URI:
>>>   Status: Draft
>>>   Type: Standards Track
>>>   Created: 2017-05-22
>>>   License: BSD-3-Clause
>>>            CC0-1.0
>>> </pre>
>>>
>>> ==Abstract==
>>>
>>> This document specifies a coordination mechanism for a simple majority
>>> of miners to prevent a chain split ahead of BIP148 activation.
>>>
>>> ==Definitions==
>>>
>>> "existing segwit deployment" refer to the BIP9 "segwit" deployment
>>> using bit 1, between November 15th 2016 and November 15th 2017 to
>>> activate BIP141, BIP143 and BIP147.
>>>
>>> ==Motivation==
>>>
>>> The biggest risk of BIP148 is an extended chain split, this BIP
>>> provides a way for a simple majority of miners to eliminate that risk.
>>>
>>> This BIP provides a way for a simple majority of miners to coordinate
>>> activation of the existing segwit deployment with less than 95%
>>> hashpower before BIP148 activation. Due to time constraints unless
>>> immediately deployed BIP91 will likely not be able to enforce
>>> mandatory signalling of segwit before the Aug 1st activation of
>>> BIP148. This BIP provides a method for rapid miner activation of
>>> SegWit mandatory signalling ahead of the BIP148 activation date. Since
>>> the primary goal of this BIP is to reduce the chance of an extended
>>> chain split as much as possible we activate using a simple miner
>>> majority of 65% over a 504 block interval rather than a higher
>>> percentage. This BIP also allows miners to signal their intention to
>>> run BIP148 in order to prevent a chain split.
>>>
>>> ==Specification==
>>>
>>> While this BIP is active, all blocks must set the nVersion header top
>>> 3 bits to 001 together with bit field (1<<1) (according to the
>>> existing segwit deployment). Blocks that do not signal as required
>>> will be rejected.
>>>
>>> ==Deployment==
>>>
>>> This BIP will be deployed by "version bits" with a 65%(this can be
>>> adjusted if desired) activation threshold BIP9 with the name
>>> "splitprotecion" and using bit 2.
>>>
>>> This BIP starts immediately and is a BIP8 style soft fork since
>>> mandatory signalling will start on midnight August 1st 2017 (epoch
>>> time 1501545600) regardless of whether or not this BIP has reached its
>>> own signalling threshold. This BIP will cease to be active when segwit
>>> is locked-in.
>>>
>>> === Reference implementation ===
>>>
>>> <pre>
>>> // Check if Segregated Witness is Locked In
>>> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
>>> Consensus::Params& params)
>>> {
>>>     LOCK(cs_main);
>>>     return (VersionBitsState(pindexPrev, params,
>>> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
>>> THRESHOLD_LOCKED_IN);
>>> }
>>>
>>> // SPLITPROTECTION mandatory segwit signalling.
>>> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
>>> THRESHOLD_LOCKED_IN &&
>>>      !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>> // Segwit is not locked in
>>>      !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
>>> and is not active.
>>> {
>>>     bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>> VERSIONBITS_TOP_BITS;
>>>     bool fSegbit = (pindex->nVersion &
>>> VersionBitsMask(chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>     if (!(fVersionBits && fSegbit)) {
>>>         return state.DoS(0, error("ConnectBlock(): relayed block must
>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>     }
>>> }
>>>
>>> // BIP148 mandatory segwit signalling.
>>> int64_t nMedianTimePast = pindex->GetMedianTimePast();
>>> if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
>>>      (nMedianTimePast <= 1510704000) &&  // Wed 15 Nov 2017 00:00:00 UTC
>>>      (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>>  // Segwit is not locked in
>>>       !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
>>>  // and is not active.
>>> {
>>>     bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>> VERSIONBITS_TOP_BITS;
>>>     bool fSegbit = (pindex->nVersion &
>>> VersionBitsMask(chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>     if (!(fVersionBits && fSegbit)) {
>>>         return state.DoS(0, error("ConnectBlock(): relayed block must
>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>     }
>>> }
>>> </pre>
>>>
>>> https://github.com/bitcoin/bitcoin/compare/0.14...jameshilliard:splitprotection-v0.14.1
>>>
>>> ==Backwards Compatibility==
>>>
>>> This deployment is compatible with the existing "segwit" bit 1
>>> deployment scheduled between midnight November 15th, 2016 and midnight
>>> November 15th, 2017. This deployment is also compatible with the
>>> existing BIP148 deployment. This BIP is compatible with BIP91 only if
>>> BIP91 activates before it and before BIP148. Miners will need to
>>> upgrade their nodes to support splitprotection otherwise they may
>>> build on top of an invalid block. While this bip is active users
>>> should either upgrade to splitprotection or wait for additional
>>> confirmations when accepting payments.
>>>
>>> ==Rationale==
>>>
>>> Historically we have used IsSuperMajority() to activate soft forks
>>> such as BIP66 which has a mandatory signalling requirement for miners
>>> once activated, this ensures that miners are aware of new rules being
>>> enforced. This technique can be leveraged to lower the signalling
>>> threshold of a soft fork while it is in the process of being deployed
>>> in a backwards compatible way. We also use a BIP8 style timeout to
>>> ensure that this BIP is compatible with BIP148 and that BIP148
>>> compatible mandatory signalling activates regardless of miner
>>> signalling levels.
>>>
>>> By orphaning non-signalling blocks during the BIP9 bit 1 "segwit"
>>> deployment, this BIP can cause the existing "segwit" deployment to
>>> activate without needing to release a new deployment. As we approach
>>> BIP148 activation it may be desirable for a majority of miners to have
>>> a method that will ensure that there is no chain split.
>>>
>>> ==References==
>>>
>>> *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013714.html
>>> Mailing list discussion]
>>> *[https://github.com/bitcoin/bitcoin/blob/v0.6.0/src/main.cpp#L1281-L1283
>>> P2SH flag day activation]
>>> *[[bip-0009.mediawiki|BIP9 Version bits with timeout and delay]]
>>> *[[bip-0016.mediawiki|BIP16 Pay to Script Hash]]
>>> *[[bip-0091.mediawiki|BIP91 Reduced threshold Segwit MASF]]
>>> *[[bip-0141.mediawiki|BIP141 Segregated Witness (Consensus layer)]]
>>> *[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for
>>> Version 0 Witness Program]]
>>> *[[bip-0147.mediawiki|BIP147 Dealing with dummy stack element malleability]]
>>> *[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]]
>>> *[[bip-0149.mediawiki|BIP149 Segregated Witness (second deployment)]]
>>> *[https://bitcoincore.org/en/2016/01/26/segwit-benefits/ Segwit benefits]
>>>
>>> ==Copyright==
>>>
>>> This document is dual licensed as BSD 3-clause, and Creative Commons
>>> CC0 1.0 Universal.
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev