summaryrefslogtreecommitdiff
path: root/4c/0f18d997088f359faf2f19e80f5cacb3ed9f2b
blob: 287e55e3a3ae0c590a36f463e71a06e278e0d2b5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
Return-Path: <aj@erisian.com.au>
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
 by lists.linuxfoundation.org (Postfix) with ESMTP id C2411C0001
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 22 Feb 2021 16:27:53 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by hemlock.osuosl.org (Postfix) with ESMTP id A89338720E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 22 Feb 2021 16:27:53 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
 by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id kbN9lMa0d49d
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 22 Feb 2021 16:27:52 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226])
 by hemlock.osuosl.org (Postfix) with ESMTPS id AB8EE871EF
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 22 Feb 2021 16:27:52 +0000 (UTC)
Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au)
 by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian))
 id 1lEE3m-00040y-Nb; Tue, 23 Feb 2021 02:27:48 +1000
Received: by sapphire.erisian.com.au (sSMTP sendmail emulation);
 Tue, 23 Feb 2021 02:27:40 +1000
Date: Tue, 23 Feb 2021 02:27:40 +1000
From: Anthony Towns <aj@erisian.com.au>
To: Matt Corallo <lf-lists@mattcorallo.com>
Message-ID: <20210222162740.mif2uygjszupizqc@erisian.com.au>
References: <20210222101632.j5udrgtj2aj5bw6q@erisian.com.au>
 <7B0D8EE4-19D9-4686-906C-F762F29E74D4@mattcorallo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <7B0D8EE4-19D9-4686-906C-F762F29E74D4@mattcorallo.com>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Score-int: -18
X-Spam-Bar: -
Cc: Michael Folkson <michaelfolkson@gmail.com>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Yesterday's Taproot activation meeting on
 lockinontimeout (LOT)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2021 16:27:53 -0000

On Mon, Feb 22, 2021 at 09:00:29AM -0500, Matt Corallo wrote:
> I think it should be clear that a UASF-style command line option to allow
> consensus rule changes in the node in the short term, immediately before a fork
> carries some risk of a fork, even if I agree it may not persist over months. We
> can’t simply ignore that.

I don't think a "-set-bip8-lockinontimeout=taproot" option on its own
would be very safe -- if we were sure it was safe, because we were sure
that everyone would eventually set lockinontimeout=true, then we would
set lockinontimeout=true from day one and not need an option. I haven't
seen/had any good ideas on how to make the option safe, or at least make
it obvious that you shouldn't be setting it if you don't really
understand what you're getting yourself into. [0]

And that's even if you assume that the code was perfectly capable of
handling forks in some theoretically optimal way.

So at least for the time being, I don't think a config param / command
line option is a good idea for bip8. IMHO, YMMV, IANABDFL etc.

>     I think the important specific case of this is something like "if a chain
>     where taproot is impossible to activate is temporarily the most work,
>     miners with lockinontimeout=true need to be well connected so they don't
>     end up competing with each other while they're catching back up".
> Between this and your above point, I think we probably agree - there is
> material  technical complexity hiding behind a “change the consensus rules“
> option. Given it’s not a critical feature by any means, putting resources into
> fixing these issues probably isn’t worth it.

For reference, the "preferentially peer with other UASF nodes" PR for
the BIP148 client was

  https://github.com/UASF/bitcoin/pull/24

List discussion was at

  https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-June/014618.html

I think I'll add playing around with that and reorgs on a signet to my
todo list to see how it goes in cases other than ones that are (hopefully)
vanishingly unlikely to ever happen in practice.

Cheers,
aj

[0] In some sense, this is exactly the opposite sentiment compared to
    earonesty's comment:

    https://github.com/bitcoin/bitcoin/pull/10900#issuecomment-317333312

    I mean, I guess could solve the unsafe-now-but-maybe-safe-later
    problem generally with a signature:

      -authorise-dangerous-options-key=XXXX
      -lockinontimeout=taproot:YYYY

    where YYYY is a signature of "dangerous:lockinontimeout=taproot" or
    similar by the key XXXX, and XXXX defaults to some (multisig?) key
    controlled by some bitcoin people, who'll only sign that when
    there's clear evidence that it will be reasonably safe, and maybe to
    "cert-transparency" or something as well. So that allows having an
    option become available by publishing a signature, without having
    to recompile the code. And it could still be overriden by people who
    know what they're doing if the default key owners are being weird. And
    maybe the "dangerous" part is enough to prevent people from randomly
    cut-and-pasting it from a website into their bitcoin.conf.

    I dunno. No bad ideas when brainstorming...