summaryrefslogtreecommitdiff
path: root/d9/a46aae5f6c3b95c1421dff836aebb223713793
blob: 71d143ed3b5f0b2e87397d21064a3920df34a0f7 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
Return-Path: <jameson.lopp@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id A42C9898
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 26 Feb 2017 17:35:00 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ot0-f172.google.com (mail-ot0-f172.google.com
	[74.125.82.172])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id F02AA1B4
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 26 Feb 2017 17:34:58 +0000 (UTC)
Received: by mail-ot0-f172.google.com with SMTP id j38so39804516otb.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 26 Feb 2017 09:34:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to; 
	bh=JcH/QcyPj0na1Vm1KgbUtiAE/nieXUxjCaxlTrSs8KU=;
	b=h4eyKH466wqvhF1094K4jGbAxr5ixq+RFpJTIAEN+3uGyJFVnHLO+/P6/pSSx1lBF5
	HEPzHHGv93v7BZWFDlB7K6CzFQNigzUueya5BdRHMdiIkeQjjCpj2+m8uUDGyusWAinf
	bJ/m0X3iAOKdS4/ydqAJqnxsGPM0vjFafH19hoimEN71tf7U2GlMCK06gRQyEl1meAGZ
	shAKSwDrbQxOS33XV8NNH3lJ35wc+4z/tNMcufSSP8pNFZmh/mF5lWL4TRzd+ojf2+zP
	myPzy+IV8iub9xEKxc1HS9WLcM+CRBf6d/f2yrwWfKhhbGdHWEPh6AAb1sJpzkXNU4la
	LEFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to;
	bh=JcH/QcyPj0na1Vm1KgbUtiAE/nieXUxjCaxlTrSs8KU=;
	b=kX4+Itr/y/AyqdAj7NtGgaJmnMmKoHJW+7uOAMuScGMlZpUJMLyr4C6sMFmAMEIXki
	m4rxwCX2Ctdd0c+WKii08a9o0IVXz0cfznOINRD/OihGzE0bWiTYb+txhgHkKZRMS/uF
	ir4QXVr1i8Hnf37f/cxdQ1OSmMlr4rpllQuodKhwECNilc8n0e/BTE8t6/nFr2mpfAdt
	XJw9FetjsT1TrPTeWAYEcELMhqEw1EH3Q0vgAOjEzkJmZSkf1qSbH1zp/VqdWfvaX8hZ
	8mK8dfMAWIIX64ic71D/3fOJhsRVsf3vR6gEoD2cXE5rFBGGdxMttr0fVNOH3JbGVV3S
	Xelg==
X-Gm-Message-State: AMke39lLFV8MTX4QEw87IPDlOWlduVfacTWCY1wUmo6KIT7pRQaTPM2kjBN27kkAhl4kfHxjUUU/gEyRSj2+tQ==
X-Received: by 10.157.53.3 with SMTP id o3mr7179408otc.157.1488130498157; Sun,
	26 Feb 2017 09:34:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.61.71 with HTTP; Sun, 26 Feb 2017 09:34:57 -0800 (PST)
In-Reply-To: <jo5-7HCZX7tgdMpIQgK85HCPP14FWxvOIbjV_oerIfc-HOP1GbK3SxFX82Ls23yU1L7y95QsFFggddMNdo5Sxy7YhTJhRFN1f8d6PaA8b7s=@protonmail.ch>
References: <jo5-7HCZX7tgdMpIQgK85HCPP14FWxvOIbjV_oerIfc-HOP1GbK3SxFX82Ls23yU1L7y95QsFFggddMNdo5Sxy7YhTJhRFN1f8d6PaA8b7s=@protonmail.ch>
From: Jameson Lopp <jameson.lopp@gmail.com>
Date: Sun, 26 Feb 2017 12:34:57 -0500
Message-ID: <CADL_X_fUuTexNYBt=rZUXRuXpKrpyTiiXYkxTxquispLGV6ezQ@mail.gmail.com>
To: shaolinfry <shaolinfry@protonmail.ch>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=001a113c8cf6b8e434054972618b
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE, 
	RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Moving towards user activated soft fork activation
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Feb 2017 17:35:00 -0000

--001a113c8cf6b8e434054972618b
Content-Type: text/plain; charset=UTF-8

You've made many salient points, Shaolin, though I have a few questions:

1) How well does this model work under adversarial conditions? Fair point
about signaling not being reliable, though it seems more vague in terms of
safety given that you can't actually know what percentage of hashrate that
is /not/ signaling for the soft fork has taken the necessary precautions to
avoid mining an invalid block and potentially causing a hard fork. It's
probably safe to say that if a flag-day soft fork is activated, there will
be at least a few parties who will attempt to trigger a chain fork by
crafting transactions that are valid via non-fork rules but invalid via the
soft fork rules.

2) If the flag day soft fork is activated with only a minority of hashrate
support + safely opted-out hashrate, isn't it possible for the rest of
miners to coordinate orphaning any soft fork compatible blocks to kill the
soft fork chain? This would be a major difference from a miner-activated
soft fork, correct? Unless perhaps many miners colluded to signal soft fork
support while not actually supporting it...

3) In terms of complexity for mining pool operators, how well does this
model scale if there are N soft forks and the pool doesn't want to opt-in
to any of them? Couldn't this result in those pool operators having to run
not just one border node, but a multitude of "chained" border nodes if the
soft forks are spread across different software implementations?

It seems to me that this type of user-driven approach would preferably be
coupled with assurances from major Bitcoin wallets / exchanges / payment
processors that they will not honor coins from a chain fork that results
from invalid spends of outputs encumbered by soft fork rules. Though on the
other hand, I don't see such an assurance being possible given that
exchanges have an incentive to take the first mover advantage in listing a
new coin.

- Jameson

On Sat, Feb 25, 2017 at 6:55 PM, shaolinfry via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Some thoughts about the activation mechanism for soft forks. In the past
> we used IsSuperMajority and currently use BIP9 as soft fork activation
> methods, where a supermajority of hashrate triggers nodes to begin
> enforcing new rules. Hashrate based activation is convenient because it is
> the simplest and most straightforward process. While convenient there are a
> number limitations with this method.
>
> Firstly, it requires trusting the hash power will validate after
> activation. The BIP66 soft fork was a case where 95% of the hashrate was
> signaling readiness but in reality about half was not actually validating
> the upgraded rules and mined upon an invalid block by mistake[1].
>
> Secondly, miner signalling has a natural veto which allows a small
> percentage of hashrate to veto node activation of the upgrade for everyone.
> To date, soft forks have taken advantage of the relatively centralised
> mining landscape where there are relatively few mining pools building valid
> blocks; as we move towards more hashrate decentralization, it's likely that
> we will suffer more and more from "upgrade inertia" which will veto most
> upgrades.
>
> Upgrade inertia in inevitable for widely deployed software and can be seen
> for example, with Microsoft Windows. At the time of writing 5.72% of all
> Microsoft Windows installations are still running Windows XP, despite
> mainstream support ending in 2009 and being superseded by 4 software
> generations, Vista, 7, 8 and 10.
>
> Thirdly, the signaling methodology is widely misinterpreted to mean the
> hash power is voting on a proposal and it seems difficult to correct this
> misunderstanding in the wider community. The hash powers' role is to select
> valid transactions, and to extend the blockchain with valid blocks. Fully
> validating economic nodes ensure that blocks are valid. Nodes therefore
> define validity according to the software they run, but miners decide what
> already valid transactions gets included in the block chain.
>
> As such, soft forks rules are actually always enforced by the nodes, not
> the miners. Miners of course can opt-out by simply not including
> transactions that use the new soft fork feature, but they cannot produce
> blocks that are invalid to the soft fork. The P2SH soft fork is a good
> example of this, where non-upgraded miners would see P2SH as spendable
> without a signature and consider them valid. If such an transaction were to
> be included in a block, the block would be invalid and the miner would lose
> the block reward and fees.
>
> So-called "censorship" soft forks do not require nodes to opt in, because
> >51% of the hash power already have the ability to orphan blocks that
> contain transactions they have blacklisted. Since this is not a change in
> validity, nodes will accept the censored block chain automatically.
>
> The fourth problem with supermajority hash power signaling is it draws
> unnecessary attention to miners which can become unnecessarily political.
> Already misunderstood as a vote, miners may feel pressure to "make a
> decision" on behalf of the community: who is and isn't signalling becomes a
> huge public focus and may put pressures onto miners they are unprepared
> for. Some miners may not be in a position to upgrade, or may prefer not to
> participate in the soft fork which is their right. However, that miner may
> now become a lone reason that vetoes activation for everyone, where the
> soft fork is an opt-in feature! This situation seems to be against the
> voluntary nature of the Bitcoin system where participation at all levels is
> voluntary and kept honest by well balanced incentives.
>
> Since miners already have the protocol level right to select whatever
> transaction they prefer (and not mine those they don't), it would be better
> if a miner could chose to not participate in triggering activation of
> something they won't use, but, without being a veto to the process (and all
> the ire they may have to experience as a consequence).
>
> The alternative discussed here is "flag day activation" where nodes begin
> enforcement at a predetermined time in the future. This method needs a
> longer lead time than a hash power based activation trigger, but offers a
> number of advantages and perhaps provides a better tradeoff.
>
> Soft forks are still entirely optional to use post activation. For
> example, with P2SH, many participants in the Bitcoin ecosystem still do not
> use P2SH. Only 11% of bitcoins[2] are stored in P2SH addresses at the time
> of writing. Miners are free to not mine P2SH transactions, however, the
> incentives are such that miners should still validate transactions so they
> don't accidentally include invalid transactions and cause their block to be
> rejected. As an additional safety measure for well designed soft forks,
> relay policy rules prevent non-standard and invalid transactions from being
> relayed and mined by default; a miner would have to purposefully mine an
> invalid transaction, which is against their own economic interest.
>
> Since the incentives of the Bitcoin system rely on self validation,
> economic nodes (miners and users) should always remain safe by ensuring
> their nodes either validate the current rules, or, they can place their
> network behind a full node that will filter out invalid transactions and
> blocks at the edge of their network (so called firewall or border nodes).
>
> A user activated soft fork is permissive. Miners do not have to produce
> new version blocks and non-upgraded miners' blocks will not be orphaned as
> was the case with IsSuperMajority soft forks (e.g. BIP34, BIP66,
> BIP65-CLTV) which made it a compulsory upgrade for miners.
>
> BIP9 "versionbits" soft fork activation method is also permissive in so
> far as non-upgraded miners are not forced to upgrade after activation
> because their blocks wont be orphaned. A recent case was the "CSV" soft
> fork that activated BIP68, BIP112 and BIP113. As such, the CSV soft fork
> allows non-upgraded miners to continue mining so long as they didn't
> produce invalid blocks.
>
> Miners always retain discretion on which transactions to mine. However,
> regardless of whether they actively include transactions using the new soft
> fork feature, or not, the incentive for hash power to upgrade in order to
> validate is strong: if they do not, they could be vulnerable to a rogue
> miner willing to waste 12.5BTC to create an invalid block, which may cause
> non-validating miners to build on an invalid chain similar to the BIP66
> incident. Validation has always had a strong requirement.
>
> A user activated soft fork is win-win because it adds an option that some
> people want that does not detract from other peoples' enjoyment. Even if
> only 10% of users ever wanted a feature, so long as the benefit outweighed
> the technical risks, it would not be rational to deny others the ability to
> opt-in.
>
> My suggestion is to have the best of both worlds. Since a user activated
> soft fork needs a relatively long lead time before activation, we can
> combine with BIP9 to give the option of a faster hash power coordinated
> activation or activation by flag day, whichever is the sooner. In both
> cases, we can leverage the warning systems in BIP9. The change is
> relatively simple, adding an activation-time parameter which will
> transition the BIP9 state to LOCKED_IN before the end of the BIP9
> deployment timeout.
>
> You can find the proposal here https://gist.github.com/shaolinfry/
> 0f7d1fd22743bb966da0c0b1682ea2ab
>
> References:
>
> [1]: https://bitcoin.org/en/alert/2015-07-04-spv-mining
> [2]: http://p2sh.info/dashboard/db/p2sh-statistics?from=
> 1472043312917&to=1488030912918
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
>

--001a113c8cf6b8e434054972618b
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">You&#39;ve made many salient points, Shaolin, though I hav=
e a few questions:<div><br></div><div>1) How well does this model work unde=
r adversarial conditions? Fair point about signaling not being reliable, th=
ough it seems more vague in terms of safety given that you can&#39;t actual=
ly know what percentage of hashrate that is /not/ signaling for the soft fo=
rk has taken the necessary precautions to avoid mining an invalid block and=
 potentially causing a hard fork. It&#39;s probably safe to say that if a f=
lag-day soft fork is activated, there will be at least a few parties who wi=
ll attempt to trigger a chain fork by crafting transactions that are valid =
via non-fork rules but invalid via the soft fork rules.</div><div><br></div=
><div>2) If the flag day soft fork is activated with only a minority of has=
hrate support + safely opted-out hashrate, isn&#39;t it possible for the re=
st of miners to coordinate orphaning any soft fork compatible blocks to kil=
l the soft fork chain? This would be a major difference from a miner-activa=
ted soft fork, correct? Unless perhaps many miners colluded to signal soft =
fork support while not actually supporting it...</div><div><br></div><div>3=
) In terms of complexity for mining pool operators, how well does this mode=
l scale if there are N soft forks and the pool doesn&#39;t want to opt-in t=
o any of them? Couldn&#39;t this result in those pool operators having to r=
un not just one border node, but a multitude of &quot;chained&quot; border =
nodes if the soft forks are spread across different software implementation=
s?</div><div><br></div><div>It seems to me that this type of user-driven ap=
proach would preferably be coupled with assurances from major Bitcoin walle=
ts / exchanges / payment processors that they will not honor coins from a c=
hain fork that results from invalid spends of outputs encumbered by soft fo=
rk rules. Though on the other hand, I don&#39;t see such an assurance being=
 possible given that exchanges have an incentive to take the first mover ad=
vantage in listing a new coin.</div><div><br></div><div>- Jameson</div></di=
v><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Sat, Feb 25,=
 2017 at 6:55 PM, shaolinfry via bitcoin-dev <span dir=3D"ltr">&lt;<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>&gt;</span> wrote:<br><blockquote class=
=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padd=
ing-left:1ex"><div>Some thoughts about the activation mechanism for soft fo=
rks. In the past we used IsSuperMajority and currently use BIP9 as soft for=
k activation methods, where a supermajority of hashrate triggers nodes to b=
egin enforcing new rules. Hashrate based activation is convenient because i=
t is the simplest and most straightforward process.   While convenient ther=
e are a number limitations with this method.<br></div><div><br></div><div>F=
irstly, it requires trusting the hash power will validate after activation.=
 The BIP66 soft fork was a case where 95% of the hashrate was signaling rea=
diness but in reality about half was not actually validating the upgraded r=
ules and mined upon an invalid block by mistake[1].<br></div><div><br></div=
><div>Secondly, miner signalling has a natural veto which allows a small pe=
rcentage of hashrate to veto node activation of the upgrade for everyone. T=
o date, soft forks have taken advantage of the relatively centralised minin=
g landscape where there are relatively few mining pools building valid bloc=
ks; as we move towards more hashrate decentralization, it&#39;s likely that=
 we will suffer more and more from &quot;upgrade inertia&quot; which will v=
eto most upgrades.<br></div><div><br></div><div>Upgrade inertia in inevitab=
le for widely deployed software and can be seen for example, with Microsoft=
 Windows. At the time of writing 5.72% of all Microsoft Windows installatio=
ns are still running Windows XP, despite mainstream support ending in 2009 =
and being superseded by 4 software generations, Vista, 7, 8 and 10.<br></di=
v><div><br></div><div>Thirdly, the signaling methodology is widely misinter=
preted to mean the hash power is voting on a proposal and it seems difficul=
t to correct this misunderstanding in the wider community. The hash powers&=
#39; role is to select valid transactions, and to extend the blockchain wit=
h valid blocks. Fully validating economic nodes ensure that blocks are vali=
d. Nodes therefore define validity according to the software they run, but =
miners decide what already valid transactions gets included in the block ch=
ain.<br></div><div><br></div><div>As such, soft forks rules are actually al=
ways enforced by the nodes, not the miners. Miners of course can opt-out by=
 simply not including transactions that use the new soft fork feature, but =
they cannot produce blocks that are invalid to the soft fork. The P2SH soft=
 fork is a good example of this, where non-upgraded miners would see P2SH a=
s spendable without a signature and consider them valid. If such an transac=
tion were to be included in a block, the block would be invalid and the min=
er would lose the block reward and fees.<br></div><div><br></div><div>So-ca=
lled &quot;censorship&quot; soft forks do not require nodes to opt in, beca=
use &gt;51% of the hash power already have the ability to orphan blocks tha=
t contain transactions they have blacklisted. Since this is not a change in=
 validity, nodes will accept the censored block chain automatically.<br></d=
iv><div><br></div><div>The fourth problem with supermajority hash power sig=
naling is it draws unnecessary attention to miners which can become unneces=
sarily political. Already misunderstood as a vote, miners may feel pressure=
 to &quot;make a decision&quot; on behalf of the community: who is and isn&=
#39;t signalling becomes a huge public focus and may put pressures onto min=
ers they are unprepared for. Some miners may not be in a position to upgrad=
e, or may prefer not to participate in the soft fork which is their right. =
However, that miner may now become a lone reason that vetoes activation for=
 everyone, where the soft fork is an opt-in feature! This situation seems t=
o be against the voluntary nature of the Bitcoin system where participation=
 at all levels is voluntary and kept honest by well balanced incentives.<br=
></div><div><br></div><div>Since miners already have the protocol level rig=
ht to select whatever transaction they prefer (and not mine those they don&=
#39;t), it would be better if a miner could chose to not participate in tri=
ggering activation of something they won&#39;t use, but, without being a ve=
to to the process (and all the ire they may have to experience as a consequ=
ence).<br></div><div><br></div><div>The alternative discussed here is &quot=
;flag day activation&quot; where nodes begin enforcement at a predetermined=
 time in the future. This method needs a longer lead time than a hash power=
 based activation trigger, but offers a number of advantages and perhaps pr=
ovides a better tradeoff.<br></div><div><br></div><div>Soft forks are still=
 entirely optional to use post activation. For example, with P2SH, many par=
ticipants in the Bitcoin ecosystem still do not use P2SH. Only 11% of bitco=
ins[2] are stored in P2SH addresses at the time of writing. Miners are free=
 to not mine P2SH transactions, however, the incentives are such that miner=
s should still validate transactions so they don&#39;t accidentally include=
 invalid transactions and cause their block to be rejected. As an additiona=
l safety measure for well designed soft forks, relay policy rules prevent n=
on-standard and invalid transactions from being relayed and mined by defaul=
t; a miner would have to purposefully mine an invalid transaction, which is=
 against their own economic interest.<br></div><div><br></div><div>Since th=
e incentives of the Bitcoin system rely on self validation, economic nodes =
(miners and users) should always remain safe by ensuring their nodes either=
 validate the current rules, or, they can place their network behind a full=
 node that will filter out invalid transactions and blocks at the edge of t=
heir network (so called firewall or border nodes).<br></div><div><br></div>=
<div>A user activated soft fork is permissive. Miners do not have to produc=
e new version blocks and non-upgraded miners&#39; blocks will not be orphan=
ed as was the case with IsSuperMajority soft forks (e.g. BIP34, BIP66, BIP6=
5-CLTV) which made it a compulsory upgrade for miners.<br></div><div><br></=
div><div>BIP9 &quot;versionbits&quot; soft fork activation method is also p=
ermissive in so far as non-upgraded miners are not forced to upgrade after =
activation because their  blocks wont be orphaned. A recent case was the &q=
uot;CSV&quot; soft fork that activated BIP68, BIP112 and BIP113. As such, t=
he CSV soft fork allows non-upgraded miners to continue mining so long as t=
hey didn&#39;t produce invalid blocks.<br></div><div><br></div><div>Miners =
always retain discretion on which transactions to mine. However, regardless=
 of whether they actively include transactions using the new soft fork feat=
ure, or not, the incentive for hash power to upgrade in order to validate i=
s strong: if they do not, they could be vulnerable to a rogue miner willing=
 to waste 12.5BTC to create an invalid block, which may cause non-validatin=
g miners to build on an invalid chain similar to the BIP66 incident. Valida=
tion has always had a strong requirement.<br></div><div><br></div><div>A us=
er activated soft fork is win-win because it adds an option that some peopl=
e want that does not detract from other peoples&#39; enjoyment. Even if onl=
y 10% of users ever wanted a feature, so long as the benefit outweighed the=
 technical risks, it would not be rational to deny others the ability to op=
t-in.<br></div><div><br></div><div>My suggestion is to have the best of bot=
h worlds. Since a user activated soft fork needs a relatively long lead tim=
e before activation, we can combine with BIP9 to give the option of a faste=
r hash power coordinated activation or activation by flag day, whichever is=
 the sooner. In both cases, we can leverage the warning systems in BIP9. Th=
e change is relatively simple, adding an activation-time parameter which wi=
ll transition the BIP9 state to LOCKED_IN before the end of the BIP9 deploy=
ment timeout.<br></div><div><br></div><div>You can find the proposal here <=
a href=3D"https://gist.github.com/shaolinfry/0f7d1fd22743bb966da0c0b1682ea2=
ab" target=3D"_blank">https://gist.github.com/<wbr>shaolinfry/<wbr>0f7d1fd2=
2743bb966da0c0b1682ea2<wbr>ab</a><br></div><div><br></div><div>References:<=
br></div><div><br></div><div>[1]: <a href=3D"https://bitcoin.org/en/alert/2=
015-07-04-spv-mining" target=3D"_blank">https://bitcoin.org/en/alert/<wbr>2=
015-07-04-spv-mining</a><br></div><div>[2]: <a href=3D"http://p2sh.info/das=
hboard/db/p2sh-statistics?from=3D1472043312917&amp;to=3D1488030912918" targ=
et=3D"_blank">http://p2sh.info/dashboard/db/<wbr>p2sh-statistics?from=3D<wb=
r>1472043312917&amp;to=3D1488030912918</a><br></div><br>___________________=
___________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
<br></blockquote></div><br></div>

--001a113c8cf6b8e434054972618b--