public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Anthony Towns <aj@erisian.com.au>
To: Yosef <asix@disroot.org>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Modern Soft Fork Activation
Date: Tue, 14 Jan 2020 13:20:26 +1000	[thread overview]
Message-ID: <20200114032026.33ft2qsjk72citpr@erisian.com.au> (raw)
In-Reply-To: <415e793656ab4326b48d9dc050a85eb8@disroot.org>

On Mon, Jan 13, 2020 at 08:34:24AM +0000, Yosef via bitcoin-dev wrote:
> tl;dr How about 80% ?

The point of having hashpower upgraded is that it means that there's low
liklihood of long chains of blocks that are invalid per the new rules, so
that if you haven't upgraded your node but wait for a few confirmations,
you'll still (with very high liklihood) only see blocks valid per the
new rules.

If you have 80% of miners enforcing the rules, then if someone produces
a block that violates the new rules (but is valid for the old ones),
then you've got a 20% chance of one of the non-enforcing miners getting
the next block, and a 4% chance of non-enforcing miners getting both
the next blocks, giving 3 confirmations to invalid transactions. That
seems a bit high.

3 confirmations isn't unrealistic, eg Coinbase apparently recently
dropped its requirement to that apparently:

https://blog.coinbase.com/announcing-new-confirmation-requirements-4a5504ba8d81

I could maybe see a 90% threshold though?

> 95% can prove difficult to achieve. Some % of negligent miners that forget to upgrade is expected.

Is it? We went from 59% to 54% to 28% to 0% (!!) of blocks not signalling
for segwit during consecutive two-week blocks in the BIP-91/148
period; and from 100% of blocks not signalling for BIP-91 to 99.4%,
48%, 15%, and 11% during consecutive 2.3 day periods targeting an 80%
threshold. Certainly that was a particularly high-stakes period, but
they were both pretty short. For comparison, for CSV, we went from 100%
not signalling to 61%, to 54% to 3.4% in consecutive two-week periods.

> Completing that to 5% is not too difficult for a small malicious minority trying to delay the activation. This is the issue Matt's goal #5 aims to prevent, and while the fallback to BIP-8 helps, BIP-9’s 95% requirement makes it worse by allowing quite a neglected minority to force a dramatic delay. Also note how in such case it would have been better to skip BIP-9 altogether and maybe save 1.5 years.

I don't think you can really skip steps if you need a flag day:

 - the first 12 months is for *really seriously* making sure there's no
   problems with the proposed upgrade; you can't that because people
   might not look for problems until the code's out there and ready for
   actual use

 - the next 6 months is for updating the software to lock in the flag
   day; you can't skip that because it takes time to get new releases out

 - the next 24 months is to ensure everyone's upgraded their nodes so
   that they won't be at risk of thinking they've received bitcoins when
   those coins aren't in compliance with the new rules; and you can't
   skip that because if we don't have hashpower reliably enforcing the
   rules, *everybody* needs to upgrade, which can take a lot of time.

Times could be tweaked, but the "everyone has to upgrade their node
software" is almost the same constraint that hard forks have, so I think
you want to end up with a long overall lead time any which way. For
comparison, 0.12.1 came out about 45 months ago and 0.13.2 came out
about 36 months ago -- about 0.5% of nodes are running 0.12 or earler,
and about 4.9% of nodes are running 0.13 or earlier, at least per [0],
so the overall timeline of 42 months seems plausible to me...

[0] https://luke.dashjr.org/programs/bitcoin/files/charts/software.html

I think (especially if we attempt BIP-91/BIP-148-style compulsory
signalling again) it's worth also considering the failure case if miners
false-signal: that is they signal support of the new soft-fork rules,
but then don't actually enforce them. If you end up with, say, 15% of
hashpower not upgraded or signalling, 25% of hashpower not upgraded but
signalling so their blocks don't get orphaned, and only 65% of hashpower
upgraded, you have a 1% chance of 5 blocks built on top of a block
that's invalid according to the new rules, giving those transactions 6
confirmations as far as non-upgraded nodes are concerned.

Cheers,
aj



  reply	other threads:[~2020-01-14  3:20 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-13  8:34 [bitcoin-dev] Modern Soft Fork Activation Yosef
2020-01-14  3:20 ` Anthony Towns [this message]
  -- strict thread matches above, loose matches on Subject: below --
2020-01-10 21:30 Matt Corallo
2020-01-10 22:21 ` Jorge Timón
2020-01-10 22:43   ` Matt Corallo
2020-01-10 23:07     ` Jorge Timón
2020-01-10 23:37 ` Luke Dashjr
2020-01-11  0:54   ` Jeremy
2020-01-14 19:22   ` Matt Corallo
2020-01-11 14:42 ` Anthony Towns
2020-01-12  5:58   ` Luke Dashjr
2020-01-14 19:42   ` Matt Corallo
2020-01-16  3:46     ` Anthony Towns

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200114032026.33ft2qsjk72citpr@erisian.com.au \
    --to=aj@erisian.com.au \
    --cc=asix@disroot.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox