š
Original date posted:2022-10-20
š Original message:Hello list,
Given that the release of 24.0 is upon us and there is little time to make a
complex decision regarding the deployment method of full-RBF, we've
documented
the different alternatives and their trade-offs. I hope this helps get to
the
best possible deployment!
Gist: https://gist.github.com/esneider/4eb16fcd959cb8c6b657c314442801ee
# Current deployment options
1. Antoine's PR #26305: leave 24.0 as is, and merge opt-out in 25.0 or
later.
2. Marco's PR #26287: revert opt-in full-RBF in 24.0, and give more time to
figure out what's next.
3. Marco's PR #26287 + Antoine's PR #26305: revert opt-in full-RBF in 24.0,
and
merge opt-out in 25.0 or later.
4. Marco's PR #26287 + Anthony's PR #26323 (just the date commitment):
revert
opt-in full-RBF in 24.0, and commit in 25.0 or later to a later date for
opt-out activation.
5. Anthony's PR #26323: revert opt-in full-RBF in 24.0, and commit in 24.0
to a
later date for opt-out activation.
Notice that once full-RBF is fully deployed, having a config option to
disable
it is mostly a foot gun: you will only hurt yourself by missing some
transactions. Maybe options 4 and 5 could remove the flag altogether
instead of
making it opt-out.
There are a few more options, but I don't think they would reasonably have
any
consensus, so I trimmed them down to make it easier to process.
# Dimensions of analysis
1. Zero-conf apps immediately affected
If we leave the flag for full-rbf in 24.0, zero-conf apps could be
immediately affected. More specifically, as Anthony explained much more
clearly [0], they would be in danger as soon as a relatively big mining
pool operator enables the full-RBF flag.
It turns out that the class of apps that could be immediately affected
(ie.
apps that were directly or indirectly relying on the first-seen policy
in an
adversarial setting) is larger than zero-conf apps, as exposed by Sergej
[1]. Namely, the apps committing to an exchange rate before on-chain
funds
are sent/finalized would start offering a free(ish) american call
option.
2. Predictable deployment date
Committing to an activation date for full-rbf on the social layer (eg.
"we'll merge the opt-out flag in 25.0") has the benefit of being
flexible in
the event of new data points but becomes less predictable (both for
applications and for full-rbf proponents).
Committing to an activation date for full-rbf on the code has the
benefit
that once node operators start deploying the code, the date is set in
stone,
and we can reason about when full-RBF will be fully deployed and usable.
3. Code complexity
Handling the commitment to a date in the code introduces further code
complexity. In particular, it's a deployment mechanism that, as far as I
know, hasn't been tried before, so we should be careful.
4. Smooth deployment
Full-RBF deployment has two distinct phases when analyzing the adoption
in
the transaction relaying layer. First, there will be multiple disjoint
connected components of full-RBF nodes. Eventually, we'll get to a
single(ish) connected component of full-RBF nodes.
The first deployment phase is a bit chaotic and difficult to reason
about:
nobody can rely on full-RBF actually working; if it coincides with a
high-fees scenario, we'll get a big mempool divergence event, causing
many
other issues and unreliability in the relaying and application layers.
I'm calling smooth deployment to a deployment that minimizes the first
phase, eg. by activating full-RBF simultaneously in as many
transaction-relaying nodes as possible.
5. Time to figure out the right deployment
Figuring out the right deployment method and timeline to activate
full-rbf
might be more time-consuming than what we are willing to wait for the
stable
release of 24.0. Decoupling the protection to zero-conf apps from
choosing a
deployment method and an activation date for opt-out might be a good
idea.
I'm probably forgetting some dimensions here, but it may be enough to grasp
the
trade-offs between the different approaches.
# Comparison
Gist:
https://gist.github.com/esneider/4eb16fcd959cb8c6b657c314442801ee#comparison
# Timeline for full-RBF activation
If we make some UX trade-offs, Muun can be production ready with the
required
changes in 6 months. Having more time to avoid those trade-offs would be
preferable, but we can manage.
The larger application ecosystem may need a bit more time since they might
not
have the advantage of having been working on the required changes for a
while
already. Ideally, there should be enough time to reach out to affected
applications and let them make time to understand the impact, design
solutions,
implement them, and deploy them.
Finally, if a smooth deployment (as previously defined) is desired, we can
lock
an activation date in the code and give relaying nodes enough time to
upgrade
before activation. Assuming that the adoption of future releases remains
similar
to previous ones [2], one release cycle should get us to 22% adoption, two
release cycles to 61% adoption, and three release cycles to 79% adoption.
Assuming a uniform adoption distribution, the probability of an 8-connection
relaying node not being connected to any full-RBF node after one release
cycle
will be 0.14. After two cycles, it will be 0.00054, and after three cycles,
it
will be 0.0000038. Looking at these numbers, it would seem that a single
release
cycle will be too little time, but two release cycles may be enough.
Cheers,
Dario
[0]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021031.html
[1]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021056.html
[2] https://luke.dashjr.org/programs/bitcoin/files/charts/software.html
[Marco's PR #26287] https://github.com/bitcoin/bitcoin/pull/26287
[Antoine's PR #26305] https://github.com/bitcoin/bitcoin/pull/26305
[Anthony's PR #26323] https://github.com/bitcoin/bitcoin/pull/26323
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20221020/d44995aa/attachment.html>;
Dario Sneidermanis [ARCHIVE] /
npub1c3ā¦2aw73
2023-06-07 23:15:46
in reply to nevent1qā¦4flk
Author Public Key
npub1c3j2v4ws7hf9sj2xkr4dale0z4htw7lup37qeh2wxll4pcvlg03qe2aw73Published at
2023-06-07 23:15:46Event JSON
{
"id": "8f072c0091b6cc664dd3dca0696478becafbe383f66dbf200f45ca7794069567",
"pubkey": "c464a655d0f5d2584946b0eadeff2f156eb77bfc0c7c0cdd4e37ff50e19f43e2",
"created_at": 1686179746,
"kind": 1,
"tags": [
[
"e",
"3795f3a167ddc677a05bc3ff9bc217954a3d96cf274c2b4948cecfe3f1259034",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "š
Original date posted:2022-10-20\nš Original message:Hello list,\n\nGiven that the release of 24.0 is upon us and there is little time to make a\ncomplex decision regarding the deployment method of full-RBF, we've\ndocumented\nthe different alternatives and their trade-offs. I hope this helps get to\nthe\nbest possible deployment!\n\nGist: https://gist.github.com/esneider/4eb16fcd959cb8c6b657c314442801ee\n\n# Current deployment options\n\n1. Antoine's PR #26305: leave 24.0 as is, and merge opt-out in 25.0 or\nlater.\n2. Marco's PR #26287: revert opt-in full-RBF in 24.0, and give more time to\n figure out what's next.\n3. Marco's PR #26287 + Antoine's PR #26305: revert opt-in full-RBF in 24.0,\nand\n merge opt-out in 25.0 or later.\n4. Marco's PR #26287 + Anthony's PR #26323 (just the date commitment):\nrevert\n opt-in full-RBF in 24.0, and commit in 25.0 or later to a later date for\n opt-out activation.\n5. Anthony's PR #26323: revert opt-in full-RBF in 24.0, and commit in 24.0\nto a\n later date for opt-out activation.\n\nNotice that once full-RBF is fully deployed, having a config option to\ndisable\nit is mostly a foot gun: you will only hurt yourself by missing some\ntransactions. Maybe options 4 and 5 could remove the flag altogether\ninstead of\nmaking it opt-out.\n\nThere are a few more options, but I don't think they would reasonably have\nany\nconsensus, so I trimmed them down to make it easier to process.\n\n\n# Dimensions of analysis\n\n1. Zero-conf apps immediately affected\n\n If we leave the flag for full-rbf in 24.0, zero-conf apps could be\n immediately affected. More specifically, as Anthony explained much more\n clearly [0], they would be in danger as soon as a relatively big mining\n pool operator enables the full-RBF flag.\n\n It turns out that the class of apps that could be immediately affected\n(ie.\n apps that were directly or indirectly relying on the first-seen policy\nin an\n adversarial setting) is larger than zero-conf apps, as exposed by Sergej\n [1]. Namely, the apps committing to an exchange rate before on-chain\nfunds\n are sent/finalized would start offering a free(ish) american call\noption.\n\n2. Predictable deployment date\n\n Committing to an activation date for full-rbf on the social layer (eg.\n \"we'll merge the opt-out flag in 25.0\") has the benefit of being\nflexible in\n the event of new data points but becomes less predictable (both for\n applications and for full-rbf proponents).\n\n Committing to an activation date for full-rbf on the code has the\nbenefit\n that once node operators start deploying the code, the date is set in\nstone,\n and we can reason about when full-RBF will be fully deployed and usable.\n\n3. Code complexity\n\n Handling the commitment to a date in the code introduces further code\n complexity. In particular, it's a deployment mechanism that, as far as I\n know, hasn't been tried before, so we should be careful.\n\n4. Smooth deployment\n\n Full-RBF deployment has two distinct phases when analyzing the adoption\nin\n the transaction relaying layer. First, there will be multiple disjoint\n connected components of full-RBF nodes. Eventually, we'll get to a\n single(ish) connected component of full-RBF nodes.\n\n The first deployment phase is a bit chaotic and difficult to reason\nabout:\n nobody can rely on full-RBF actually working; if it coincides with a\n high-fees scenario, we'll get a big mempool divergence event, causing\nmany\n other issues and unreliability in the relaying and application layers.\n\n I'm calling smooth deployment to a deployment that minimizes the first\n phase, eg. by activating full-RBF simultaneously in as many\n transaction-relaying nodes as possible.\n\n5. Time to figure out the right deployment\n\n Figuring out the right deployment method and timeline to activate\nfull-rbf\n might be more time-consuming than what we are willing to wait for the\nstable\n release of 24.0. Decoupling the protection to zero-conf apps from\nchoosing a\n deployment method and an activation date for opt-out might be a good\nidea.\n\nI'm probably forgetting some dimensions here, but it may be enough to grasp\nthe\ntrade-offs between the different approaches.\n\n\n# Comparison\n\nGist:\nhttps://gist.github.com/esneider/4eb16fcd959cb8c6b657c314442801ee#comparison\n\n# Timeline for full-RBF activation\n\nIf we make some UX trade-offs, Muun can be production ready with the\nrequired\nchanges in 6 months. Having more time to avoid those trade-offs would be\npreferable, but we can manage.\n\nThe larger application ecosystem may need a bit more time since they might\nnot\nhave the advantage of having been working on the required changes for a\nwhile\nalready. Ideally, there should be enough time to reach out to affected\napplications and let them make time to understand the impact, design\nsolutions,\nimplement them, and deploy them.\n\nFinally, if a smooth deployment (as previously defined) is desired, we can\nlock\nan activation date in the code and give relaying nodes enough time to\nupgrade\nbefore activation. Assuming that the adoption of future releases remains\nsimilar\nto previous ones [2], one release cycle should get us to 22% adoption, two\nrelease cycles to 61% adoption, and three release cycles to 79% adoption.\nAssuming a uniform adoption distribution, the probability of an 8-connection\nrelaying node not being connected to any full-RBF node after one release\ncycle\nwill be 0.14. After two cycles, it will be 0.00054, and after three cycles,\nit\nwill be 0.0000038. Looking at these numbers, it would seem that a single\nrelease\ncycle will be too little time, but two release cycles may be enough.\n\nCheers,\nDario\n\n\n[0]\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021031.html\n[1]\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-October/021056.html\n[2] https://luke.dashjr.org/programs/bitcoin/files/charts/software.html\n[Marco's PR #26287] https://github.com/bitcoin/bitcoin/pull/26287\n[Antoine's PR #26305] https://github.com/bitcoin/bitcoin/pull/26305\n[Anthony's PR #26323] https://github.com/bitcoin/bitcoin/pull/26323\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20221020/d44995aa/attachment.html\u003e",
"sig": "b096c18ab466d34a6ff9d99b296bf134074b9176782f24f88b16553f8ecbadb5a8885d6e0b9a53fce6ea1231199d1aca5442d0dfe53ead6db03a043a1a2939ee"
}