summaryrefslogtreecommitdiff
path: root/03/b1dd8442bfc1f91ad5ebf1933b63286961ffda
blob: 22e5c723274d3f86bf92d2f948233d235656d2d6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
Return-Path: <aj@erisian.com.au>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id BD154C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 18 Oct 2022 07:00:56 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp2.osuosl.org (Postfix) with ESMTP id A4DEB40A49
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 18 Oct 2022 07:00:56 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A4DEB40A49
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from smtp2.osuosl.org ([127.0.0.1])
 by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id OFdDYQ5gLxVX
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 18 Oct 2022 07:00:55 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 115424031E
Received: from azure.erisian.com.au (azure.erisian.com.au [172.104.61.193])
 by smtp2.osuosl.org (Postfix) with ESMTPS id 115424031E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 18 Oct 2022 07:00:54 +0000 (UTC)
Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au)
 by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian))
 id 1okgan-0008Bu-UX; Tue, 18 Oct 2022 17:00:52 +1000
Received: by sapphire.erisian.com.au (sSMTP sendmail emulation);
 Tue, 18 Oct 2022 17:00:45 +1000
Date: Tue, 18 Oct 2022 17:00:45 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Antoine Riard <antoine.riard@gmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <Y05PHYtrNmA0vg7U@erisian.com.au>
References: <Y0ZTtlRSBihNN9+v@erisian.com.au>
 <0hpdGx-1WbZdG31xaMXGHKTCjJ2-0eB5aIXUdsp3bqI1MlCx6TMZWROwpl1TVI5irrBqRN2-ydM6hmf3M5L-7ZQfazbx66oameiWTHayr6w=@wuille.net>
 <Y0d/e2sEoNRgD7KP@erisian.com.au> <Y0u8Ee2Ao375z8UD@erisian.com.au>
 <CALZpt+GSYBFxajSyZS19sQi4_6zHjkA5sP00V-pR=_NEVVUnkg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALZpt+GSYBFxajSyZS19sQi4_6zHjkA5sP00V-pR=_NEVVUnkg@mail.gmail.com>
X-Spam-Score-int: -18
X-Spam-Bar: -
Subject: Re: [bitcoin-dev] [Opt-in full-RBF] Zero-conf apps in immediate
 danger
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2022 07:00:56 -0000

On Mon, Oct 17, 2022 at 05:41:48PM -0400, Antoine Riard via bitcoin-dev wrote:
> >  1) Continue supporting and encouraging accepting unconfirmed "on-chain"
> >     payments indefinitely
> >  2) Draw a line in the sand now, but give people who are currently
> >     accepting unconfirmed txs time to update their software and business
> >     model
> >  3) Encourage mainnet miners and relay nodes to support unconditional
> >     RBF immediately, no matter how much that increases the risk to
> >     existing businesses that are still accepting unconfirmed txs
> To give more context, the initial approach of enabling full RBF through
> #25353 + #25600 wasn't making the assumption the enablement itself would
> reach agreement of the economic majority or unanimity. 

Full RBF doesn't need a majority or unanimity to have an impact; it needs
adoption by perhaps 10% of hashrate (so a low fee tx at the bottom of
a 10MvB mempool can be replaced before being mined naturally), and some
way of finding a working path to relay txs to that hashrate.

Having a majority of nodes/hashrate support it makes the upsides better,
but doesn't change the downsides to the people who are relying on it
not being available.

> Without denying that such equilibrium would be unstable, it was designed to
> remove the responsibility of the Core project itself to "draw a hard line"
> on the subject.

Removing responsibility from core developers seems like it's very much
optimising for the wrong thing to me.

I mean, I guess I can understand wanting to reduce that responsibility
for maintainers of the github repo, even if for no other reason than to
avoid frivolous lawsuits, but where do you expect people to find better
advice about what things are a good/bad idea if core devs as a whole
are avoiding that responsibility?

Core devs are supposedly top technical experts at bitcoin -- which means
they're the ones that should have the best understanding of all the
implications of policy changes like this. Is opt-in RBF only fine? If
you look at the network today, it sure seems like it; it takes a pretty
good technical understanding to figure out what problems it has, and
an even better one to figure out whether those problems can be solved
while keeping an opt-in RBF regime, or if full RBF is needed.

At that point, the technical experts *should* be coming up with a
specific recommendation, and, personally, I think that's exactly what
happened with [0] [1] and [2].

[0] https://lists.linuxfoundation.org/pipermail/lightning-dev/2021-May/003033.html
[1] https://github.com/bitcoin/bitcoin/pull/25353
[2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-June/020557.html

That did draw hard line in the sand: it said "hey, opt-in RBF had a good
run, but it's time to switch over to full RBF, for these reasons".

It's a bit disappointing that the people that's a problem for didn't
engage earlier -- though looking back, I guess there wasn't all that
much effort made to reach out, either. There were two mentions in the
optech newsletter [3] [4] but it wasn't called out as an "action item"
(maybe those aren't a thing anymore), so it may have been pretty missable,
especially given RBF has been discussed on and off for so long. And the
impression I got from the PR review club discussion more seemed like
devs making assumptions about businesses rather than having talked to
them (eg "[I] think there are fewer and fewer businesses who absolutely
cannot survive without relying on zeroconf. Or at least hope so").

[3] https://bitcoinops.org/en/newsletters/2022/06/22/
[4] https://bitcoinops.org/en/newsletters/2022/07/13/

If we're happy to not get feedback until we start doing rcs, that's fine;
but if we want to say "oops, we're into release candidates, you should
have something earlier, it's too late now", that's a pretty closed-off
way of doing things.

And I mean: all this is only about drawing a line in *sand*; if people
think core devs are wrong, they can still let that line blow away in
the wind, by running different software, configuring core differently,
patching core, or whatever else.

> Moreover, relying on node operators turning on the setting
> provides a smoother approach offering time to zero-conf services to react
> in consequence.

I don't think that's remotely true: take a look at taproot activation:
it took two months between releasing code that supported signalling and
having 98% of hashrate signalling; with 40% of blocks signalling within
the first two weeks.

> So the current path definitely belongs more to a 3) approach.

> >  3) Encourage mainnet miners and relay nodes to support unconditional
> >     RBF immediately, no matter how much that increases the risk to
> >     existing businesses that are still accepting unconfirmed txs

Yes, that's how it appears to me, too. It's not my preference (giving
people clear warning of changes seems much better to me), but I can
certainly live with it.

But if the line in the sand is "we're doing this, no matter how much that
increases the risk to existing businesses that weren't expecting it" then
it seems *very* disingenuous not to make those risks very clear so that
people who weren't expecting it actually take action to avoid those risks.

That is, it seems to me that Dario was exactly right in titling this
thread "Zero-conf apps in immediate danger", and our co-developers who
are dismissing the risk by saying things along the lines of "probably
nothing will change anytime soon" are exactly wrong.

(More generally, that's similar to one of the things I've hated
watching in mainstream economics over the past few years: "doing this
will cause massive inflation" "no it won't, there's no inflation risk"
"oops, inflation magically appeared, how did that happen? oh well, too
bad, we have to live with it now". This looks pretty similar to me: "do
something risky, deny the risk, make sure nobody can hold us accountable
when the risk eventuates later" so it makes me really uncomfortable)

> While this
> way cannot be denied to be a zero-risk deployment for business accepting
> unconfirmed transactions, it should be weighed in face of multi-party
> contracting protocols encumbering an annoying pinning vector.

Sure; that's a fine reason to draw the line in the sand. But it's not
a good reason to have it happen immediately, rather than giving people
time to react, and it's not a good reason to understate the risk of
it happening now. Maybe there are good reasons for either or both of
those, though?

> Since Dario's mail, I think we have learnt new data points, a) on the long
> term full RBF to align miner incentives is acknowledged and b) a clear
> timeline based on e.g a block height is favored over the pollination
> deployment.

Using the passive voice there doesn't seem helpful. Who learnt these
things? You, I and Dario all seem to agree with (a), but John Carvalho
certainly appears not to, for instance. I'm not sure who agrees with
(b) -- I know I do, and I think Dario does; but multiple people seem
opposed to the clear timeline offered in #26323, and your #26305 seems
more likely to encourage a "pollination" approach rather than discourage
it ("oh, this will be the default option for 25.0, might as well enable
it now like all the cool kids are").

For what it's worth, my guess is that releasing core with full rbf
support and having you and Murch and others advocating for people to
try it out, will mean that full RBF is usable on mainnet within two
or three months, supported by perhaps 5%-20% hashpower, but probably
still requiring special effort to actually find a peer that can relay
full rbf txs to that hashpower (probably doing an addnode, despite the
privacy implications). Even if that happens, I'm not super confident
that it would mean people would actively steal from zeroconf businesses
in any volume, though. It's not something I'd risk happening to me,
but accepting zeroconf from strangers isn't something I'd risk anyway.

Slowing that down from January-ish to May seems like it ought to be a
big win for anyone who has been doing zeroconf, and having it be easy
to find a path to miners when it is supported seems like a big win even
given a cost of a few months delay.

OTOH, if we're really not expecting full rbf to be available for many
months, then I would have expected the "disable this for mainnet,
reconsider after the release" PR (#26287) to have gone ahead already.

> Tie-breaking between
> both, I believe I would favor something like #26323 though only post 24.0
> to avoid introducing a bikeshedding precedent in terms of release process,

Doing something like #26323 only after 24.0 is out does nothing to
mitigate whatever immediate risk there is to bitcoin businesses/users...

And if the choice is between "bikeshedding" and "merge a PR, then ignore
feedback that it's harmful", I'd much rather the bikeshedding. What's
the point of having rcs if you're going to ignore negative feedback?

I mean, if you think the feedback is wrong, that's different: maybe we
shouldn't care that zeroconf apps are in immediate danger, and maybe
bitcoin would be better if any that don't adapt immediately all die
horribly as a lesson to others not to make similarly bad assumptions.

But saying "we don't want them to be in danger" and also refusing to do
anything to avoid it?

Cheers,
aj