Gregory Maxwell [ARCHIVE] on Nostr: 📅 Original date posted:2015-09-30 📝 Original message:On Wed, Sep 30, 2015 at ...
📅 Original date posted:2015-09-30
📝 Original message:On Wed, Sep 30, 2015 at 9:01 PM, Mike Hearn <hearn at vinumeris.com> wrote:
> I coined the term SPV so I know exactly what it means, and bitcoinj
The term comes from the Bitcoin whitepaper.
> On the other hand, full nodes all claim they run scripts. Users expect that
> and may be relying on it. The unstated assumption here is that the nodes run
> them correctly. A soft fork breaks this assumption.
They run them correctly with respect to the rules that they implement,
nothing about a soft-fork changes that.
The system could have been designed in a way that wasn't full of nice
compatibility features. The history of bitcoin could have been that
past improvements were all performed with hard forks instead of soft
forks.
But neither of these things are true. (And I think it's very likely
that there would have been fewer improvements if that were the case).
> I'm going to ignore the rest of the stuff you wrote about "design decisions
> to lack security" or "cheaply avoidable lack of validation". When you have
> sat down and written an SPV implementation by yourself, then shipped it to a
> couple of million users, you might have better insight into basic
> engineering costs.
At the end of the day we need to deliver software to our users that
delivers on their needs and doesn't undermine their privacy or
security; even if its really hard. So when someone calls out
something that I'm working on that could use improvement, my response
isn't to tell them how much I'm not going to listen to them because
I've accomplished some long list of things that they haven't; that
software I've written runs on hundreds of millions of devices; ...
rather my response is to hear out their concerns, even when due to
extensive context I'm confident that they are probably confused or
dishonestly motivated; because there is always a potential to learn,
and always a potential to do better. I have found this to be pretty
productive, as even when both parties walk away with the same
positions they started with, I usually learn something along the way
just because I paid attention.
> Until then, I find your criticisms of code you think was
> missing due to "stonewalling" and so on to be seriously lacking real world
> experience.
BIP16 was published on 2012-01-01. Enforcement on the network began on
April 1st 2012.
Support for merely sending to P2SH addresses was merged into BitcoinJ,
Nov 30th _2013_, after it was written by Mike Belshe.
In the interim you spent considerable time arguing against
implementing it, e.g. in one example incident:
--- Day changed Thu Sep 12 2013
10:03 < TD> heck, if a recipient really really wants to receive a p2sh
payment for some reason, they can just put the p2sh output into the
payment request message
....
10:17 <@gmaxwell> TD: In any case, P2SH has been deployed for
something like two years now. Your arguement seems to be basically we
should be creating a false tying between payment protocol messages and
things like escrow usage in order to coerce people to adopt the
payment protocol in places where an address would do.
10:17 <@gmaxwell> I think thats a bit cruddy.
10:19 < TD> no, i'm saying p2sh is a feature that just isn't usable. i
did point this out at the time it was merged - gavin believed that
apps to do complicated multi-device wallets would appear before a
payment protocol did, and people wouldn't like the look of long
addresses. that was pretty much the rationale given. that didn't
happen, obviously
10:20 < TD> developing features that are used only by bitcoind
developers, isn't the right way to go, and p2sh definitely falls into
that category
...
10:35 < TD> i'm not going to do it myself because anyone who is
capable of producing and running something that uses p2sh is capable
of working with the payment protocol as well, and that gives a better
user experience overall. but if someone else wants to, go for it.
I don't think there is anything wrong about calling this stonewalling.
At least thats how it came across to myself and others. I'm sorry if I
judged too harshly there.
To be clear, by pointing out your past opposition and non-deployment
in this message I am _not_ trying to attacking you for failing to
support P2SH.
I pointing out that right or wrong..... That you actively argued
against it. That you chose not to implement it, and only accepted a
patch for it a year and a half later. From your own words it seems
clear that you didn't implement it due to actual opposition, but even
if the non-implementation was simply engineering priorities, the fact
remains that you didn't implement for a very long time.
And that is _okay_, we still got it anyways, and today tens of
thousands of transactions per day use it and P2SH secures about 10% of
all Bitcoin value. This is possible because with a soft fork users
using other software can gain functionality which might be critical to
them (As Jgarzik was saying about Bitpay in the discussion I was
quoting from) that you don't have the time or interest to implement in
your own software.
> What? This is nonsensical. P2SH was added to the full verification code
> quite quickly,
Yes, Matt Corallo added it to code which by your admission no one was
using. I agree this is not relevant.
> resolve. Like I said - write the amount of code I've written, unpaid in your
> evenings and weekends, and then you can criticise bitcoinj for lacking
> features.
I think it's likely that I've spent significant more time unpaid on my
evenings and weekends creating software for others than you have (and
continue to do so; as well as having donated years worth of income
supporting other people's Free Software work), but it's a bit of an
unfair comparison: I'm a fair bit older than you. :)
And yet, I think that is all irrelevant here because I'm not current
criticizing bitcoinj for lacking features! Quite the opposite, I am
pointing out that the advantage of soft-forks is that its OKAY for
software to lack soft-fork features, which means that participants
who code only on evenings and weeks are free to continue participating
with the priorities they choose!
Forcing _all_ upgrades to be via hard-fork takes away the freedom to
make that trade-off; and concurrently reduces the collection of fixes
upgrades we could potentially deploy; because will always be
implementations out there like BitcoinJ in 2012 that didn't have the
resources (or interest) to fully implement this feature or that
feature, at least not right away.
And for many things, they simply don't have to, and that should be okay.
> Yes, a hypothetical full node could fork on the version bits. I would be
> quite happy with the version number in the header being an enforced
> consensus rule: it'd make hard forks easier to trigger. But it hasn't been
> done that way, and wishing away the behaviour of existing software in the
> field is no good. Luckily, for introducing a new opcode, the same effect can
> be achieved by using a non-allocated opcode number.
We handle this in Bitcoin Core. Our chosen and intentional way to
handle this is setting a notice. This gives users the freedom to do
what they like, while also behaving in a reasonably sane way by
default.
You don't have to like it, you can behave differently in your own
software or on your own hosts-- all the data is available to you.
(I wouldn't object out of principle to a default config option to take
more aggressive action on unexpected versions... but no one has ever
asked for one... and I'm doubtful anyone would ever do so.)
> The rest of your argument boils down to "people don't have to upgrade if
> they don't want to", which is addressed in the article I wrote already, and
> multiple responses on this thread. Yes, they do, otherwise they aren't
> getting the security level they were before.
They continue to enforce all the same rules as before. With the soft
fork Bitcoin Core users are informed that unexpected things are going
on, and they are free to look at whats going on and decide how to
handle it, or just accept that the new thing is almost certainly
something they don't care about (after all, the rules they signed up
for before are all still in effect, and at any time miners could be
silently imposing new 'soft fork' like rules without their knowledge--
having a big reaction to ones the network was kind enough to tell them
about doesn't seem that reasonable).
For many users and many soft-forks there is no substantial security
implication, and you cannot say that they were not getting the
security level they were getting before. But regardless, even what it
is different, they're free to decide on the cost tradeoff with
upgrading, and they're not forced onto an upgrade hamsterwheel that
disenfranchises their role in the system.
If you have a specific generalized security implication in mind,
you're failing to state it. In your writings you like to assert that I
"did not respond" or were "not convincing"-- that is not generally my
style, I don't usually think anyone owes me point by point answers,
but I think on this point it seems clear that there is some
implication which is in your head that is a mystery to at least myself
and Jgarzik.
> 75% is a fine activation threshold. By definition if support is at 75% then
> bigger blocks is "winning", but if support fell, then the SPV wallets would
> just reorg back onto the 1mb-blocks chain.
A 75% measurement doesn't actually mean 75% support, due to variance.
Even ignoring that-- you recognize the acceptability of reorgs. The
situation is no worse for an SPV client for a soft-fork; and it's
better because (1) convergence is still guaranteed with exponential
probability (a hard fork can be mutual and no convergence may be
possible-- as is the case for more conceivable hard forks), and (2)
for BIP65 (and current soft forks generally) a _much_ more
conservative threshold is set (because in Bitcoin Core and the general
community around here considers 75% to be too low to achieve high
stability, based on our past experience).
> Re: demonstrated track record. They "work" only if you ignore the actual
> problems that have resulted. P2SH-invalid blocks were being mined for weeks
> after the flag day. That's not good no matter how you slice it: even if you
> didn't hear about any fraud resulting, it is still risk that can be avoided.
A couple points:
That same invalid blocks for weeks (actually months) from BIP16 is the
behavior you will get with a hard fork, for at least the same reasons
(miners asleep at the switch). Much more for a controversial hard-fork
as there will be principled objections.
Blocks get produced that get orphaned every day and this is
unavoidable, so users already must deal with occasional cases where
confirmations get undone.
More recent soft-forks have reduced the incidence of invalid blocks by
substantially increasing the threshold, including better notification
in Bitcoin core, communicating directly with miners more, and making
non-conforming transactions non-standard in advance. These mitigations
have been effective in practice; and we have not seen the same
behavior (which, as, noted is not known to have enabled any fraud in
any case -- in part because to non-upgraded wallets it looks just like
the orphaning that normally happens but with somewhat increased
frequency.). I think it's unfortunate that people proposing hard
forks have not learned the same lessons, even though the stakes are
higher and the self-resolution of the system is greatly diminished.
Published at
2023-06-07 17:41:42Event JSON
{
"id": "fe8ea7cb17914f010742ac1b82ceb556a45b8ecf9eab3da7e3abea43608df60e",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686159702,
"kind": 1,
"tags": [
[
"e",
"f5bb1bf208994917ac3ec4154383520df2a8573df815c54d28bae4e41ef024c8",
"",
"root"
],
[
"e",
"551ad9c3dcae91fddae2d1571ca6226ef4601cd0345f92041fae896a1f765dd7",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "📅 Original date posted:2015-09-30\n📝 Original message:On Wed, Sep 30, 2015 at 9:01 PM, Mike Hearn \u003chearn at vinumeris.com\u003e wrote:\n\u003e I coined the term SPV so I know exactly what it means, and bitcoinj\n\nThe term comes from the Bitcoin whitepaper.\n\n\u003e On the other hand, full nodes all claim they run scripts. Users expect that\n\u003e and may be relying on it. The unstated assumption here is that the nodes run\n\u003e them correctly. A soft fork breaks this assumption.\n\nThey run them correctly with respect to the rules that they implement,\nnothing about a soft-fork changes that.\n\nThe system could have been designed in a way that wasn't full of nice\ncompatibility features. The history of bitcoin could have been that\npast improvements were all performed with hard forks instead of soft\nforks.\n\nBut neither of these things are true. (And I think it's very likely\nthat there would have been fewer improvements if that were the case).\n\n\u003e I'm going to ignore the rest of the stuff you wrote about \"design decisions\n\u003e to lack security\" or \"cheaply avoidable lack of validation\". When you have\n\u003e sat down and written an SPV implementation by yourself, then shipped it to a\n\u003e couple of million users, you might have better insight into basic\n\u003e engineering costs.\n\nAt the end of the day we need to deliver software to our users that\ndelivers on their needs and doesn't undermine their privacy or\nsecurity; even if its really hard. So when someone calls out\nsomething that I'm working on that could use improvement, my response\nisn't to tell them how much I'm not going to listen to them because\nI've accomplished some long list of things that they haven't; that\nsoftware I've written runs on hundreds of millions of devices; ...\nrather my response is to hear out their concerns, even when due to\nextensive context I'm confident that they are probably confused or\ndishonestly motivated; because there is always a potential to learn,\nand always a potential to do better. I have found this to be pretty\nproductive, as even when both parties walk away with the same\npositions they started with, I usually learn something along the way\njust because I paid attention.\n\n\u003e Until then, I find your criticisms of code you think was\n\u003e missing due to \"stonewalling\" and so on to be seriously lacking real world\n\u003e experience.\n\nBIP16 was published on 2012-01-01. Enforcement on the network began on\nApril 1st 2012.\n\nSupport for merely sending to P2SH addresses was merged into BitcoinJ,\nNov 30th _2013_, after it was written by Mike Belshe.\n\nIn the interim you spent considerable time arguing against\nimplementing it, e.g. in one example incident:\n\n--- Day changed Thu Sep 12 2013\n10:03 \u003c TD\u003e heck, if a recipient really really wants to receive a p2sh\npayment for some reason, they can just put the p2sh output into the\npayment request message\n....\n10:17 \u003c@gmaxwell\u003e TD: In any case, P2SH has been deployed for\nsomething like two years now. Your arguement seems to be basically we\nshould be creating a false tying between payment protocol messages and\nthings like escrow usage in order to coerce people to adopt the\npayment protocol in places where an address would do.\n10:17 \u003c@gmaxwell\u003e I think thats a bit cruddy.\n10:19 \u003c TD\u003e no, i'm saying p2sh is a feature that just isn't usable. i\ndid point this out at the time it was merged - gavin believed that\napps to do complicated multi-device wallets would appear before a\npayment protocol did, and people wouldn't like the look of long\naddresses. that was pretty much the rationale given. that didn't\nhappen, obviously\n10:20 \u003c TD\u003e developing features that are used only by bitcoind\ndevelopers, isn't the right way to go, and p2sh definitely falls into\nthat category\n...\n10:35 \u003c TD\u003e i'm not going to do it myself because anyone who is\ncapable of producing and running something that uses p2sh is capable\nof working with the payment protocol as well, and that gives a better\nuser experience overall. but if someone else wants to, go for it.\n\nI don't think there is anything wrong about calling this stonewalling.\nAt least thats how it came across to myself and others. I'm sorry if I\njudged too harshly there.\n\nTo be clear, by pointing out your past opposition and non-deployment\nin this message I am _not_ trying to attacking you for failing to\nsupport P2SH.\n\nI pointing out that right or wrong..... That you actively argued\nagainst it. That you chose not to implement it, and only accepted a\npatch for it a year and a half later. From your own words it seems\nclear that you didn't implement it due to actual opposition, but even\nif the non-implementation was simply engineering priorities, the fact\nremains that you didn't implement for a very long time.\n\nAnd that is _okay_, we still got it anyways, and today tens of\nthousands of transactions per day use it and P2SH secures about 10% of\nall Bitcoin value. This is possible because with a soft fork users\nusing other software can gain functionality which might be critical to\nthem (As Jgarzik was saying about Bitpay in the discussion I was\nquoting from) that you don't have the time or interest to implement in\nyour own software.\n\n\n\u003e What? This is nonsensical. P2SH was added to the full verification code\n\u003e quite quickly,\n\nYes, Matt Corallo added it to code which by your admission no one was\nusing. I agree this is not relevant.\n\n\u003e resolve. Like I said - write the amount of code I've written, unpaid in your\n\u003e evenings and weekends, and then you can criticise bitcoinj for lacking\n\u003e features.\n\nI think it's likely that I've spent significant more time unpaid on my\nevenings and weekends creating software for others than you have (and\ncontinue to do so; as well as having donated years worth of income\nsupporting other people's Free Software work), but it's a bit of an\nunfair comparison: I'm a fair bit older than you. :)\n\nAnd yet, I think that is all irrelevant here because I'm not current\ncriticizing bitcoinj for lacking features! Quite the opposite, I am\npointing out that the advantage of soft-forks is that its OKAY for\nsoftware to lack soft-fork features, which means that participants\nwho code only on evenings and weeks are free to continue participating\nwith the priorities they choose!\n\nForcing _all_ upgrades to be via hard-fork takes away the freedom to\nmake that trade-off; and concurrently reduces the collection of fixes\nupgrades we could potentially deploy; because will always be\nimplementations out there like BitcoinJ in 2012 that didn't have the\nresources (or interest) to fully implement this feature or that\nfeature, at least not right away.\n\nAnd for many things, they simply don't have to, and that should be okay.\n\n\u003e Yes, a hypothetical full node could fork on the version bits. I would be\n\u003e quite happy with the version number in the header being an enforced\n\u003e consensus rule: it'd make hard forks easier to trigger. But it hasn't been\n\u003e done that way, and wishing away the behaviour of existing software in the\n\u003e field is no good. Luckily, for introducing a new opcode, the same effect can\n\u003e be achieved by using a non-allocated opcode number.\n\nWe handle this in Bitcoin Core. Our chosen and intentional way to\nhandle this is setting a notice. This gives users the freedom to do\nwhat they like, while also behaving in a reasonably sane way by\ndefault.\n\nYou don't have to like it, you can behave differently in your own\nsoftware or on your own hosts-- all the data is available to you.\n\n(I wouldn't object out of principle to a default config option to take\nmore aggressive action on unexpected versions... but no one has ever\nasked for one... and I'm doubtful anyone would ever do so.)\n\n\u003e The rest of your argument boils down to \"people don't have to upgrade if\n\u003e they don't want to\", which is addressed in the article I wrote already, and\n\u003e multiple responses on this thread. Yes, they do, otherwise they aren't\n\u003e getting the security level they were before.\n\nThey continue to enforce all the same rules as before. With the soft\nfork Bitcoin Core users are informed that unexpected things are going\non, and they are free to look at whats going on and decide how to\nhandle it, or just accept that the new thing is almost certainly\nsomething they don't care about (after all, the rules they signed up\nfor before are all still in effect, and at any time miners could be\nsilently imposing new 'soft fork' like rules without their knowledge--\nhaving a big reaction to ones the network was kind enough to tell them\nabout doesn't seem that reasonable).\n\nFor many users and many soft-forks there is no substantial security\nimplication, and you cannot say that they were not getting the\nsecurity level they were getting before. But regardless, even what it\nis different, they're free to decide on the cost tradeoff with\nupgrading, and they're not forced onto an upgrade hamsterwheel that\ndisenfranchises their role in the system.\n\nIf you have a specific generalized security implication in mind,\nyou're failing to state it. In your writings you like to assert that I\n \"did not respond\" or were \"not convincing\"-- that is not generally my\nstyle, I don't usually think anyone owes me point by point answers,\nbut I think on this point it seems clear that there is some\nimplication which is in your head that is a mystery to at least myself\nand Jgarzik.\n\n\u003e 75% is a fine activation threshold. By definition if support is at 75% then\n\u003e bigger blocks is \"winning\", but if support fell, then the SPV wallets would\n\u003e just reorg back onto the 1mb-blocks chain.\n\nA 75% measurement doesn't actually mean 75% support, due to variance.\nEven ignoring that-- you recognize the acceptability of reorgs. The\nsituation is no worse for an SPV client for a soft-fork; and it's\nbetter because (1) convergence is still guaranteed with exponential\nprobability (a hard fork can be mutual and no convergence may be\npossible-- as is the case for more conceivable hard forks), and (2)\nfor BIP65 (and current soft forks generally) a _much_ more\nconservative threshold is set (because in Bitcoin Core and the general\ncommunity around here considers 75% to be too low to achieve high\nstability, based on our past experience).\n\n\u003e Re: demonstrated track record. They \"work\" only if you ignore the actual\n\u003e problems that have resulted. P2SH-invalid blocks were being mined for weeks\n\u003e after the flag day. That's not good no matter how you slice it: even if you\n\u003e didn't hear about any fraud resulting, it is still risk that can be avoided.\n\nA couple points:\n\nThat same invalid blocks for weeks (actually months) from BIP16 is the\nbehavior you will get with a hard fork, for at least the same reasons\n(miners asleep at the switch). Much more for a controversial hard-fork\nas there will be principled objections.\n\nBlocks get produced that get orphaned every day and this is\nunavoidable, so users already must deal with occasional cases where\nconfirmations get undone.\n\nMore recent soft-forks have reduced the incidence of invalid blocks by\nsubstantially increasing the threshold, including better notification\nin Bitcoin core, communicating directly with miners more, and making\nnon-conforming transactions non-standard in advance. These mitigations\nhave been effective in practice; and we have not seen the same\nbehavior (which, as, noted is not known to have enabled any fraud in\nany case -- in part because to non-upgraded wallets it looks just like\nthe orphaning that normally happens but with somewhat increased\nfrequency.). I think it's unfortunate that people proposing hard\nforks have not learned the same lessons, even though the stakes are\nhigher and the self-resolution of the system is greatly diminished.",
"sig": "0580b7d8a49bb494af8445529c2dbde7968ce382a0f9c45dc49ce2ce35512f8fb9d1c979b557afbc51bbde5403bd197145aa13c714367e100c2984c1beecefbf"
}