📅 Original date posted:2020-01-10
📝 Original message:There are a series of soft-fork designs which have recently been making
good progress towards implementation and future adoption. However, for
various reasons, activation methods therefor have gotten limited
discussion. I'd like to reopen that discussion here.
It is likely worth revisiting the goals both for soft forks and their
activation methods to start. I'm probably missing some, but some basic
requirements:
1) Avoid activating in the face of significant, reasonable, and directed
objection. Period. If someone has a well-accepted, reasonable use of
Bitcoin that is working today, have no reason to believe wouldn't work
long into the future without a change, and which would be made
impossible or significantly more difficult by a change, that change must
not happen. I certainly hope there is no objection on this point (see
the last point for an important caveat that I'm sure everyone will jump
to point out).
2) Avoid activating within a timeframe which does not make high
node-level-adoption likely. As with all "node" arguments, I'll note that
I mean "economically-used" nodes, not the thousand or so spy nodes on
Google Cloud and AWS. Rule changes don't make sense without nodes
enforcing them, whether they happen to be a soft fork, hard fork, or a
blue fork, so activating in a reduced timeframe that doesn't allow for
large-scale node adoption doesn't have any value, and may cause other
unintended side effects.
3) Don't (needlessly) lose hashpower to un-upgraded miners. As a part of
Bitcoin's security comes from miners, reducing the hashpower of the
network as a side effect of a rule change is a needless reduction in a
key security parameter of the network. This is why, in recent history,
soft forks required 95% of hashpower to indicate that they have upgraded
and are capable of enforcing the new rules. Further, this is why recent
soft forks have not included changes which would result in a standard
Bitcoin Core instance mining invalid-by-new-rules changes (by relying on
the standardness behavior of Bitcoin Core).
4) Use hashpower enforcement to de-risk the upgrade process, wherever
possible. As a corollary of the above, one of the primary reasons we use
soft forks is that hashpower-based enforcement of rules is an elegant
way to prevent network splits during the node upgrade process. While it
does not make sense to invest material value in systems protected by new
rules until a significant majority of "economic nodes" is enforcing said
rules, hashpower lets us neatly bridge the gap in time between
activation and then. By having a supermajority of miners enforce the new
rules, attempts at violating the new rules does not result in a
significant network split, disrupting existing users of the system. If
we aren't going to take advantage of this, we should do a hard fork
instead, with the necessarily slow timescale that entails.
5) Follow the will of the community, irrespective of individuals or
unreasoned objection, but without ever overruling any reasonable
objection. Recent history also includes "objection" to soft forks in the
form of "this is bad because it doesn't fix a different problem I want
fixed ASAP". I don't think anyone would argue this qualifies as a
reasonable objection to a change, and we should be in a place, as a
community (never as developers or purely one group), to ignore such
objections and make forward progress in spite of them. We don't make
good engineering decisions by "bundling" unrelated features together to
enable political football and compromise.
I think BIP 9 (plus a well-crafted softfork) pretty effectively checks
the boxes for #2-4 here, and when done carefully with lots of community
engagement and measurement, can effectively fulfill #1 as well. #5 is,
as I'm sure everyone is aware, where it starts to fall down pretty hard.
BIP 8 has been proposed as an alternative, largely in response to issues
with #5. However, a naive deployment of it, rather obviously, completely
fails #1, #3, and #4, and, in my view, fails #5 as well by both giving
an impression of, setting a precedent of, and possibly even in practice
increasing the ability of developers to decide the consensus rules of
the system. A BIP 8 deployment that more accurately measures community
support as a prerequisite could arguably fulfill #1 and #5, though I'm
unaware of any concrete proposals on how to accomplish that. Arguably, a
significantly longer activation window could also allow BIP 8 to fulfill
#3 and #4, but only by exploiting the "needlessly" and "wherever
possible" loopholes.
You may note that, from the point of view of achieving the critical
goals here, BIP 8 is only different from a flag-day activation in that,
if it takes the "happy-path" of activating before the flag day, it looks
like BIP 9, but isn't guaranteed to. It additionally has the
"nice-to-have" property that activation can occur before the flag-day in
the case of faster miner adoption, though there is a limit of how fast
is useful due to node adoption.
Thus, to strike a balance between the drawbacks of BIP 8 and BIP 9, the
Great Consensus Cleanup softfork proposal included this text in the
discussion section (with the spec describing a BIP 9 deployment):
> In spite of some suggestion that other activation methods be used, BIP
> 9 is proposed as ensuring miners have upgraded to enforce new rules is
> an important part of minimizing disruption. While previous BIP 9 soft-
> forks have resulted in political contention, this comparatively-
> unimportant soft-fork provides a good opportunity to attempt to return
> to utilizing BIP 9 to ensure miner upgrade prior to activation, which
> the authors believe is a critical goal. However, if there is broad
> agreement to activate these rules when the BIP 9 expiry time is
> reached, and miners have not yet signaled sufficient level of
> readiness, a later flag-day activation may be merited. For this
> reason, implementations may wish to provide a compatibility option
> which allows flag-day enforcement of these rules without an update.
Ultimately, through admittedly rather limited discussion, I still like
this model (though I cannot claim it as my own, the original proposal
came from Greg Maxwell). BIP 9 only falls apart in case of unreasonable
objection, which, naturally, should carry a high bar to ignore, given we
have to have some level of agreement that it is, in fact, unreasonable
(or untargeted). While I admit this is a possibility, I both find it
less likely than in previous soft-forks, and even if it is the case, it
only slows down the process, it doesn't necessarily stop it. In the case
that it does fail, BIP 9 process, in fact, provides a good learning
opportunity as to the level of community readiness and desire for a
given change. While we can (and should, and are) learning a lot about
community readiness for, and acceptability of a change through outreach
and discussion, there is something about a change with a timeframe that
forces people to more carefully consider it.
Thus, as something a bit more concrete, I think an activation method
which sets the right precedent and appropriately considers the above
goals, would be:
1) a standard BIP 9 deployment with a one-year time horizon for
activation with 95% miner readiness,
2) in the case that no activation occurs within a year, a six month
quieting period during which the community can analyze and discussion
the reasons for no activation and,
3) in the case that it makes sense, a simple command-line/bitcoin.conf
parameter which was supported since the original deployment release
would enable users to opt into a BIP 8 deployment with a 24-month
time-horizon for flag-day activation (as well as a new Bitcoin Core
release enabling the flag universally).
This provides a very long time horizon for more standard activation,
while still ensuring the goals in #5 are met, even if, in those cases,
the time horizon needs to be significantly extended to meet the goals of
#3. Developing Bitcoin is not a race. If we have to, waiting 42 months
ensures we're not setting a negative precedent that we'll come to regret
as Bitcoin continues to grow.
Matt
Thanks also to AJ for feedback on an earlier version of this rant.
Matt Corallo [ARCHIVE] /
npub1e4…jxmcu
2023-06-07 18:22:13
in reply to nevent1q…wy9j
Author Public Key
npub1e46n428mcyfwznl7nlsf6d3s7rhlwm9x3cmkuqzt3emmdpadmkaqqjxmcuPublished at
2023-06-07 18:22:13Event JSON
{
"id": "5d7ef237815bb3a84f72c173a94febbd99367e11abee993df85365512816f9d6",
"pubkey": "cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba",
"created_at": 1686162133,
"kind": 1,
"tags": [
[
"e",
"841b1723b46d2192c57b523c3e08b52e866795609acdd0d30e830bbd3f4a039e",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2020-01-10\n📝 Original message:There are a series of soft-fork designs which have recently been making\ngood progress towards implementation and future adoption. However, for\nvarious reasons, activation methods therefor have gotten limited\ndiscussion. I'd like to reopen that discussion here.\n\nIt is likely worth revisiting the goals both for soft forks and their\nactivation methods to start. I'm probably missing some, but some basic\nrequirements:\n\n1) Avoid activating in the face of significant, reasonable, and directed\nobjection. Period. If someone has a well-accepted, reasonable use of\nBitcoin that is working today, have no reason to believe wouldn't work\nlong into the future without a change, and which would be made\nimpossible or significantly more difficult by a change, that change must\nnot happen. I certainly hope there is no objection on this point (see\nthe last point for an important caveat that I'm sure everyone will jump\nto point out).\n\n2) Avoid activating within a timeframe which does not make high\nnode-level-adoption likely. As with all \"node\" arguments, I'll note that\nI mean \"economically-used\" nodes, not the thousand or so spy nodes on\nGoogle Cloud and AWS. Rule changes don't make sense without nodes\nenforcing them, whether they happen to be a soft fork, hard fork, or a\nblue fork, so activating in a reduced timeframe that doesn't allow for\nlarge-scale node adoption doesn't have any value, and may cause other\nunintended side effects.\n\n3) Don't (needlessly) lose hashpower to un-upgraded miners. As a part of\nBitcoin's security comes from miners, reducing the hashpower of the\nnetwork as a side effect of a rule change is a needless reduction in a\nkey security parameter of the network. This is why, in recent history,\nsoft forks required 95% of hashpower to indicate that they have upgraded\nand are capable of enforcing the new rules. Further, this is why recent\nsoft forks have not included changes which would result in a standard\nBitcoin Core instance mining invalid-by-new-rules changes (by relying on\nthe standardness behavior of Bitcoin Core).\n\n4) Use hashpower enforcement to de-risk the upgrade process, wherever\npossible. As a corollary of the above, one of the primary reasons we use\nsoft forks is that hashpower-based enforcement of rules is an elegant\nway to prevent network splits during the node upgrade process. While it\ndoes not make sense to invest material value in systems protected by new\nrules until a significant majority of \"economic nodes\" is enforcing said\nrules, hashpower lets us neatly bridge the gap in time between\nactivation and then. By having a supermajority of miners enforce the new\nrules, attempts at violating the new rules does not result in a\nsignificant network split, disrupting existing users of the system. If\nwe aren't going to take advantage of this, we should do a hard fork\ninstead, with the necessarily slow timescale that entails.\n\n5) Follow the will of the community, irrespective of individuals or\nunreasoned objection, but without ever overruling any reasonable\nobjection. Recent history also includes \"objection\" to soft forks in the\nform of \"this is bad because it doesn't fix a different problem I want\nfixed ASAP\". I don't think anyone would argue this qualifies as a\nreasonable objection to a change, and we should be in a place, as a\ncommunity (never as developers or purely one group), to ignore such\nobjections and make forward progress in spite of them. We don't make\ngood engineering decisions by \"bundling\" unrelated features together to\nenable political football and compromise.\n\nI think BIP 9 (plus a well-crafted softfork) pretty effectively checks\nthe boxes for #2-4 here, and when done carefully with lots of community\nengagement and measurement, can effectively fulfill #1 as well. #5 is,\nas I'm sure everyone is aware, where it starts to fall down pretty hard.\n\nBIP 8 has been proposed as an alternative, largely in response to issues\nwith #5. However, a naive deployment of it, rather obviously, completely\nfails #1, #3, and #4, and, in my view, fails #5 as well by both giving\nan impression of, setting a precedent of, and possibly even in practice\nincreasing the ability of developers to decide the consensus rules of\nthe system. A BIP 8 deployment that more accurately measures community\nsupport as a prerequisite could arguably fulfill #1 and #5, though I'm\nunaware of any concrete proposals on how to accomplish that. Arguably, a\nsignificantly longer activation window could also allow BIP 8 to fulfill\n#3 and #4, but only by exploiting the \"needlessly\" and \"wherever\npossible\" loopholes.\n\nYou may note that, from the point of view of achieving the critical\ngoals here, BIP 8 is only different from a flag-day activation in that,\nif it takes the \"happy-path\" of activating before the flag day, it looks\nlike BIP 9, but isn't guaranteed to. It additionally has the\n\"nice-to-have\" property that activation can occur before the flag-day in\nthe case of faster miner adoption, though there is a limit of how fast\nis useful due to node adoption.\n\nThus, to strike a balance between the drawbacks of BIP 8 and BIP 9, the\nGreat Consensus Cleanup softfork proposal included this text in the\ndiscussion section (with the spec describing a BIP 9 deployment):\n\n\u003e In spite of some suggestion that other activation methods be used, BIP\n\u003e 9 is proposed as ensuring miners have upgraded to enforce new rules is\n\u003e an important part of minimizing disruption. While previous BIP 9 soft-\n\u003e forks have resulted in political contention, this comparatively-\n\u003e unimportant soft-fork provides a good opportunity to attempt to return\n\u003e to utilizing BIP 9 to ensure miner upgrade prior to activation, which\n\u003e the authors believe is a critical goal. However, if there is broad\n\u003e agreement to activate these rules when the BIP 9 expiry time is\n\u003e reached, and miners have not yet signaled sufficient level of\n\u003e readiness, a later flag-day activation may be merited. For this\n\u003e reason, implementations may wish to provide a compatibility option\n\u003e which allows flag-day enforcement of these rules without an update.\n\nUltimately, through admittedly rather limited discussion, I still like\nthis model (though I cannot claim it as my own, the original proposal\ncame from Greg Maxwell). BIP 9 only falls apart in case of unreasonable\nobjection, which, naturally, should carry a high bar to ignore, given we\nhave to have some level of agreement that it is, in fact, unreasonable\n(or untargeted). While I admit this is a possibility, I both find it\nless likely than in previous soft-forks, and even if it is the case, it\nonly slows down the process, it doesn't necessarily stop it. In the case\nthat it does fail, BIP 9 process, in fact, provides a good learning\nopportunity as to the level of community readiness and desire for a\ngiven change. While we can (and should, and are) learning a lot about\ncommunity readiness for, and acceptability of a change through outreach\nand discussion, there is something about a change with a timeframe that\nforces people to more carefully consider it.\n\nThus, as something a bit more concrete, I think an activation method\nwhich sets the right precedent and appropriately considers the above\ngoals, would be:\n\n1) a standard BIP 9 deployment with a one-year time horizon for\nactivation with 95% miner readiness,\n2) in the case that no activation occurs within a year, a six month\nquieting period during which the community can analyze and discussion\nthe reasons for no activation and,\n3) in the case that it makes sense, a simple command-line/bitcoin.conf\nparameter which was supported since the original deployment release\nwould enable users to opt into a BIP 8 deployment with a 24-month\ntime-horizon for flag-day activation (as well as a new Bitcoin Core\nrelease enabling the flag universally).\n\nThis provides a very long time horizon for more standard activation,\nwhile still ensuring the goals in #5 are met, even if, in those cases,\nthe time horizon needs to be significantly extended to meet the goals of\n#3. Developing Bitcoin is not a race. If we have to, waiting 42 months\nensures we're not setting a negative precedent that we'll come to regret\nas Bitcoin continues to grow.\n\nMatt\n\nThanks also to AJ for feedback on an earlier version of this rant.",
"sig": "740950275730cf7486a4ae91494a644433b4e5471446076953f13f44d99466839490a9d53038fec0c0173db93f9496e0d9d518d22ba5c69cda2c9a4a3038f383"
}