public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Michael Folkson <michaelfolkson@protonmail.com>
To: micaroni@gmail.com,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] On the regularity of soft forks
Date: Sat, 16 Oct 2021 11:02:08 +0000	[thread overview]
Message-ID: <1HjQQw-RXvEW5i73Hjx_QqDms44sQMnNWWl9oQ_SwIoYGpog6LzGK4M_omAEMXxgXIID37V7sdyG_AW8WkaNByppB2EJ7wlzOZgrDloMv2c=@protonmail.com> (raw)
In-Reply-To: <CAHvMVPQ8jtfdbLg8NJv7bNM3a_nhF_aUfD2gwSdxpfgXQomn3A@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 6043 bytes --]

> Interesting discussion.Correct me if I'm wrong: but putting too many features together in one shot just can't make things harder to debug in production if something very unexpected happens.It's a basic principle of software engineering.

Soft fork features can (and should) obviously be tested thoroughly on testnet, signet, custom signets, sidechains etc on a standalone basis and a bundled basis. But whether or not it is a basic principle of general software engineering kind of misses the point. Security critical software clearly isn't engineered in the same way as a new social media app. Bugs are easily reverted in a new social media app. A consensus change is extremely hard to revert and probably requires a hard fork, a level of central coordination we generally attempt to avoid and a speed of deployment that we also attempt to avoid. On top of that we aren't just dealing with security critical software. One of the most important objectives is to keep all the nodes on the network in consensus. Introducing a consensus change before we are comfortable there is community consensus for it is a massive effective bug in itself. The network can split in multiple ways e.g. part of the network disagrees on whether to activate the consensus change, part of the network disagrees on how to resist that consensus change, part of the network disagrees on how to activate that consensus change etc

In addition, a social media app can experiment in production whether Feature A works, whether Feature B works or whether Feature A and B work best together. In Bitcoin if we activate consensus Feature A, later decide we want consensus Feature B but find out that by previously activating Feature A we can't have Feature B (it is now unsafe to activate it) or its design now has to be suboptimal because we have to ensure it can safely work in the presence of Feature A we have made a mistake by activating Feature A in the first place. Decentralized security critical consensus changes are an emerging field in itself and really can't be treated like any other software project. This will become universally understood I'm sure over time.

--

Michael Folkson
Email: michaelfolkson at protonmail.com
Keybase: michaelfolkson
PGP: 43ED C999 9F85 1D40 EAF4 9835 92D6 0159 214C FEE3

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 15th, 2021 at 1:43 AM, Felipe Micaroni Lalli via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> Interesting discussion.Correct me if I'm wrong: but putting too many features together in one shot just can't make things harder to debug in production if something very unexpected happens. It's a basic principle of software engineering.
>
> Change. Deploy. Nothing bad happened? Change it a little more. Deployment.
>
> Or:Change, change, change. Deploy. Did something bad happen? What change caused the problem?
>
> On Thu, Oct 14, 2021 at 8:53 PM Anthony Towns via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> On Mon, Oct 11, 2021 at 12:12:58PM -0700, Jeremy via bitcoin-dev wrote:
>>> > ... in this post I will argue against frequent soft forks with a single or
>>> minimal
>>> > set of features and instead argue for infrequent soft forks with batches
>>> > of features.
>>> I think this type of development has been discussed in the past and has been
>>> rejected.
>>
>>> AJ: - improvements: changes might not make everyone better off, but we
>>> don't want changes to screw anyone over either -- pareto
>>> improvements in economics, "first, do no harm", etc. (if we get this
>>> right, there's no need to make compromises and bundle multiple
>>> flawed proposals so that everyone's an equal mix of happy and
>>> miserable)
>>
>> I don't think your conclusion above matches my opinion, for what it's
>> worth.
>>
>> If you've got two features, A and B, where the game theory is:
>>
>> If A happens, I'm +100, You're -50
>> If B happens, I'm -50, You're +100
>>
>> then even though A+B is +50, +50, then I do think the answer should
>> generally be "think harder and come up with better proposals" rather than
>> "implement A+B as a bundle that makes us both +50".
>>
>> _But_ if the two features are more like:
>>
>> If C happens, I'm +100, You're +/- 0
>> If D happens, I'm +/- 0, You're +100
>>
>> then I don't have a problem with bundling them together as a single
>> simultaneous activation of both C and D.
>>
>> Also, you can have situations where things are better together,
>> that is:
>>
>> If E happens, we're both at +100
>> If F happens, we're both at +50
>> If E+F both happen, we're both at +9000
>>
>> In general, I think combining proposals when the combination is better
>> than the individual proposals were is obviously good; and combining
>> related proposals into a single activation can be good if it is easier
>> to think about the ideas as a set.
>>
>> It's only when you'd be rejecting the proposal on its own merits that
>> I think combining it with others is a bad idea in principle.
>>
>> For specific examples, we bundled schnorr, Taproot, MAST, OP_SUCCESSx
>> and CHECKSIGADD together because they do have synergies like that; we
>> didn't bundle ANYPREVOUT and graftroot despite the potential synergies
>> because those features needed substantially more study.
>>
>> The nulldummy soft-fork (bip 147) was deployed concurrently with
>> the segwit soft-fork (bip 141, 143), but I don't think there was any
>> particular synergy or need for those things to be combined, it just
>> reduced the overhead of two sets of activation signalling to one.
>>
>> Note that the implementation code for nulldummy had already been merged
>> and were applied as relay policy well before activation parameters were
>> defined (May 2014 via PR#3843 vs Sep 2016 for PR#8636) let alone becoming
>> an active soft fork.
>>
>> Cheers,
>> aj
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[-- Attachment #2: Type: text/html, Size: 14223 bytes --]

  reply	other threads:[~2021-10-16 11:02 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-11 12:24 [bitcoin-dev] On the regularity of soft forks Michael Folkson
2021-10-11 19:12 ` Jeremy
2021-10-11 19:53   ` ZmnSCPxj
2021-10-14 23:52   ` Anthony Towns
2021-10-15  0:43     ` micaroni
2021-10-16 11:02       ` Michael Folkson [this message]
2021-12-31  3:10         ` Keagan McClelland
2021-10-11 16:03 Prayank
2021-10-12 19:04 ` Jorge Timón
2022-01-01 15:45 vjudeu
2022-01-18 16:00 ` Billy Tetrud
2022-01-18 17:22 Prayank
2022-01-19  2:26 ` Billy Tetrud

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='1HjQQw-RXvEW5i73Hjx_QqDms44sQMnNWWl9oQ_SwIoYGpog6LzGK4M_omAEMXxgXIID37V7sdyG_AW8WkaNByppB2EJ7wlzOZgrDloMv2c=@protonmail.com' \
    --to=michaelfolkson@protonmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=micaroni@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox