This has been moved to https://github.com/bitcoin/bips/blob/master/bip-0148.mediawiki
-
-
Save shaolinfry/743157b0b1ee14e1ddc95031f1057e4c to your computer and use it in GitHub Desktop.
Why are you using a non-zero DoS score? It's low, but it breaks in the established convention of setting DoS scores (10 for txs, 100 for blocks when a node should have, according to its own rules, not broken the relay). It seems there could be a potential network partition vulnerability here if the majority hashpower permanently rejects the fork (and some nodes continue relaying their blocks). With regards to network safety I would at the very least do one of:
- Rigorously reasoning about why a partition is impossible, in the BIP.
- Justifying the desirability of a partition and making it clear in the proposal.
- Set the DoS penalty to 0 for relaying non-compliant blocks (this seems reasonable because relaying these blocks is old nodes' honest/default behavior, and the check is cheap)
Overall though I do not like this proposal, I think it amounts to a hard fork w.r.t. the safety of its deployment as I've explained in the UASF section here: https://pdaian.com/blog/on-soft-fork-security/ , and is essentially codifying a network attack as a BIP (a very dangerous precedent to set in any event).
A partition is obviously possible in adversarial scenarios. I think that much is perfectly clear. ACK of this proposal would simply imply ACK of that strategy as an alternative to never being able to move forward.
However there must be contingency planning for the possible scenario of being left as the minority chain in hashing power for a long period. That would require drastic measures.
A partition is obviously possible in adversarial scenarios.
Aren't all scenarios we're concerned with here adversarial scenarios?
ACK of this proposal would simply imply ACK of that strategy as an alternative to never being able to move forward.
Then a strong NACK from me. Network partitions violate fundamental security assumptions in Bitcoin. A potential partition's interaction with miner attacks, malicious reorgs, and other adversarial strategies that have been analyzed in the ecosystem in the past is unstudied.
Not only that, but the proposal is created with absolutely no mention of this, or warning that "ACK of this proposal would simply imply ACK of [a potential partitioning vector]".
If you want to propose something of this sort (a completely new type of fork proposal), you need to study the risks and mechanism of this partition, and simulate or reason about adversarial scenarios far beyond what this proposal has provided.
Or just change the DoS score to 0, which removes the partitioning vector without (as far as I can tell) significantly negatively affecting the operation of the code beyond some resource exhaustion vectors.
Preferred peers would be a better strategy than this for dealing with such resource exhaustion.
This proposal is incomplete and (IMO) insecure as written.
I have to agree with @pdaian that the non-zero DoS score makes little sense and greatly increases risk. Network partitions should be avoided at any reasonable cost.
Blah political or not, not a good place to post this yet and most people looking at UASF will come here so posting my thoughts on this here:
I prefer an uncomplicated method that has been used before, rather than relying purely on signally intent. The act of voting publically when certain parties have to much power is being used as way to politically attack Bitcoin, and impend it to move forward. Hence, this has lead to the use of propaganda, fear, and gridlock with code that is nowhere near ready for production to cause damage due to relying only on miner voting which has never been nor will it ever be Bitcoin strong point.
Innovation has always come from need, and never from backing. Backing follows the lead of something that takes lead. Based on all of my knowledge, skills, and my experience in watching and using bitcoin my opinion is Segwit is they way forward and we need to take some action. At this point the damage of a change split is already happening both politically and economically. Upgrading will allow for so many types of new code and development to take place. This provides huge economic boost in Bitcoins
As soon as there is code available for flag day or something that pushes Segwit forward, I will support that in every way I can and I imagine most users will to as it allows bitcoin to move forward in terms of scalability and in terms of innovation of the network itself.
"Activation of segwit is defined by BIP9. After 15 Nov 2016 and before 15 Nov 2017 UTC, if in a full retarget cycle at least 1916 out of 2016 blocks is signaling readiness, segwit will be activated in the retarget cycle after the next one"
Just change BIP9 and the code to say "if in a full retarget cycle at least 1 out of 2016 blocks" and call it done. Wasting too much time on this.
EDIT: I mean modify the code to say: "If last block of last retarget cycle before 15 Nov 2017 has at least 1 block signalling SegWit, then activate it. Otherwise for other retarget cycle blocks in the Nov 2016-2017 range, use the 1916 threshold."
Second Edit: just hard code to activate SegWit via BIP9's process at 15 Nov 2017 or Oct 1st or whenever... no matter the number of blocks signalling support. Then no orphaning by us is guaranteed and we don't imply that miner say matters.
Editing again: So then BIP9 just becomes a way to activate SegWit before 15 Nov 2017, and: default activates it at the end, instead of currently it default just throws SegWit out
@praxeology-guy With that approach we'd end up with a chain split at some unknown point in the future, and 0.13.2/0.14.0 nodes would never activate segwit. I think it's probably better to know when the chain split is going to happen, so that the miners don't get complacent about it.
I appreciate your feedback. What are the different options and possibilities of what could happen?
-
If we UASF via orphaning blocks, then we are causing the fork to happen, unless they are ok with getting orphaned. If they are not ok with getting orphaned, and decide to fork due to our action in this manner, then I feel like we'd be responsible for the fork, and we would have to implement the replay attack protection. But yes then we would know exactly when the fork would happen. And orphaning their blocks could be considered a kind of rude way to go about the fork, when my proposal or other date-activating UASF proposals are possible.
-
Sure its true that with a soft fork you cannot know when or if a chain split will ever happen... especially when they are threatening to fork/refusing to adopt our soft fork. It is foolish for us to wait for miners to adopt policy change when they are refusing not by reason of merit, instead to strong arm. Without > 50% hash power a split is more likely yes.
-
The other option is maybe we can convince them to activate SegWit in the future. That does not seem likely to me. At least not in a reasonable time frame.
Uh... are there any other options?
===========
Let me go more into detail of what could happen if we adopt my UASF proposal:
-
Chain split due to Unlimited nodes actively rejecting SegWit blocks?
That's a conflicting soft fork. I'm perfectly happy w/ them doing such. Sooner they fork the better. -
Chain split due to someone making an invalid SegWit block, and then non-upgrading nodes mining on it? They would have to chose to:
A. Pre-filter their blocks by connecting to their own instance of a SegWit node
B. Upgrade
C. Manually enter in checkpoints
D. Fork. I'm perfectly happy w/ them doing such. Sooner they fork the better.
Pretty sure they would pretty rapidly do A or B in preparation for activation. Maybe some lazy people would do C/fail to do A/B and then scramble to do them. That's just a temporary problem for them where they waste some resources.
============
The strategy to strong-arm-delay-SegWit is long term ineffective in accomplishing their goal (which comprises our goal). I'm not going to compromise on bitcoin's distributed nature (end user synchronization). SegWit is good and we should activate it. Its a bluff for them to act like they won't accept SegWit. They will. Lets call them on it, 15 Nov 2017.
I don't really care about the short term economic consequences of their decision to perform a: conflicting soft fork/hard fork/build on invalid segwit block fork. It will just be fools losing money, temporary price variance. Long term we need to keep on making good policy changes and upgrades to bitcoin so that we can have better money... and as long as we are in overwhelming agreeing on a feature being good: sooner rather than later.
I know gmaxwell is uncertain to whether we should also bundle the effective block size to increase to 2MB in this update.
==============
We could propose that we release and use such a UASF. We run bitcoin nodes that use such a UASF. And then Unlimited/Classic can respond with what they are going to do in response. Then exchanges etc can prepare on how they want to handle what will happen. So then most every important party would be prepared for a fork if it happens.
Re: your enumerations of possible outcomes to orphaning USAF:
The Low-cost failure and Costly failure options are not possible long term... unless Bitcoin the invention has some problem not identified by you or anyone else yet. They can only be short term problems in marketing/price. Because we engineers and technical people who understand Bitcoin and why its valuable will maintain good policy... and we will also maintain the coin's price floor. Confidence will eventually be restored and more induction investors and herd investors will come back to our coin as they see how efficiently it moves money.
"Optsegwit and nonsegwit miners hold out indefinitely. Bitcoin remains split into two currencies, both of them a sad mockery of what once was. Crypto-currencies are deemed non-viable by the general public for decades afterwards. CATASTROPHIC FAILURE"
If Bitcoin technology is better than say monopoly enforced fiat money... and works in the long term, then this split is only a problem in the short. Long term Bitcoin technology will become a success in creating competing money choices. Its not true that the core branch would be a "sad mockery", instead it is an excellent technology full of great features and economic policy. The duration that the general public who doesn't use bitcoin for technical analysis reasons is only a short term problem that will be quickly resolved by intelligent thinking for self entrepreneurs who maintain Bitcoin's price floor.
I would agree that the short term effects of orphaning could likely be significantly worse than other proposals to UASF by hardcoded date on (or after) Nov 15. But I'd disagree that it will matter much in the long term... say 2-5 years out we'll have market confidence again. After the MtGox failure, it only took about 2 years for the market to realize it found the price floor and begin to build in price again.
Thinking about this some more:
GetMedianTimePast()
is used for both the segwit activation criteria and this BIP's block validity criteria, rather than block height. Doesn't that set us up to potentially cause a permanent chain split and fail to activate segwit on our side if not enough mining power adopts this? If we end up with 10% hash power, we'll only find about 600 blocks between October 1st and November 15th; not enough to activate segwit.I'm not a Bitcoin dev, so let me know if there's some major detail I'm missing, or if I'm otherwise not being helpful here.