public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Ben Woosley <ben.woosley@gmail.com>
To: Keagan McClelland <keagan.mcclelland@gmail.com>,
	Jeremy <jlrubin@mit.edu>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Yesterday's Taproot activation meeting on lockinontimeout (LOT)
Date: Tue, 23 Feb 2021 15:14:33 -0800	[thread overview]
Message-ID: <CAC5gnOxeaFZh8gCs0h0f+5P=4FU-4HyfyUAZ0JTYcVc0Yf5G+Q@mail.gmail.com> (raw)
In-Reply-To: <CALeFGL1UbXx14aX7RK7nh7b4jwvmfF6AXrvqPJpriSB4ZvYT2A@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 12574 bytes --]

Relative to your arguments, Keagan and Jeremy, and speaking in favor of
LOT=false, from my limited perspective:

> As Jeremy points out, the LOT=true possibility always exists here, and we
have multiple high profile people saying they will be running that
regardless of how things turn out. It seems to me that in this scenario,
LOT=false does less to prevent a chain split.
> So if the goal is to prevent a chain split, and the soft fork is benign
and essentially "annexing unoccupied territory" with respect to script
versions, and no one actually has opposed Taproot itself, then I fail to
see how LOT=false is safer in the presence of a grenade defense by the
LOT=true crowd.

I don't believe the goal is to avoid a chain split, nor to activate
Taproot. Over the long term it will not have been important when exactly
Taproot activated, or whether a minority forked off, but what culture and
norms we adopted in putting forward this change. A culture of deference to
the network makes Core worthy of remaining the reference implementation of
Bitcoin.

Given Core's special position in the client ecosystem, I see these outcomes
are asymmetric:
a) If an intolerant minority signals LOT=true in contradiction to core,
they are splitting consensus / forking off consensus, which is their right
to do in our open ecosystem.
b) If Core ships LOT=true, we are in fact imposing a change on the network.
This may be justified in the end, but it should be used with discretion.

If LOT=false fails to activate, then the failure will have revealed
information about sentiments and elements of the network, and we will have
an opportunity then to address that information before proceeding with
LOT=true.

To adopt b) as a pre-emptive defense against a) is to express will without
evidence of necessity or opportunity for justification.

Finally, as others have said, I think this option is likely to be moot -
let's not act defensively out of SEGWIT trauma, but with trust in the
network.

Best,
Ben

On Tue, Feb 23, 2021 at 12:09 PM Keagan McClelland via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I wanted to follow up on what Jeremy and others are saying regards finding
> consensus on LOT. I've seen a few other opinions saying that finding
> consensus on the LOT value is far more important than what the LOT value
> actually is. This makes sense because if 100% of economic activity is
> running the same rule set, there is no divergence, regardless of which
> value is picked.
>
> It is my understanding that those who oppose LOT=true are mostly opposed
> on the grounds of it *appearing* "unnecessarily coercive" and that this
> lack of consensus can precipitate a chain split at the
> "brinksmanship period" as Jeremy refers to it. I don't think that we can
> say that LOT=true is coercive at all unless there is some opposition to
> Taproot itself. Opposition on the grounds that it *may* be opposed by
> others and Core does not want to assert control over the protocol is a
> conservative view but ultimately contingent upon opposition to Taproot for
> more fundamental reasons. If no one opposes it, then by definition you have
> consensus, and in that case I also don't think that the LOT=true (or false)
> in that regard sets meaningful precedent, as I would expect precedents to
> only be meaningful if they were established during a contentious scenario.
> As it stands we have precedents for both MASF's and UASF's to execute soft
> forks in Bitcoin.
>
> Of course it seems intractable to ascertain the views of ~100% of the
> Bitcoin constituency, and therefore it gives credibility to the argument
> that by coming to consensus on LOT=false among those who *are* speaking
> up is safer with the embedded assumptions that modifying consensus beyond
> what core ships is an active choice, presumably by those who know what they
> are doing. However, the simple act of Core choosing to ship an
> unconfigurable LOT=false value does not *prevent* the forking and
> creation of a UASF client. As Jeremy points out, the LOT=true possibility
> always exists here, and we have multiple high profile people saying they
> will be running that regardless of how things turn out. It seems to me that
> in this scenario, LOT=false does less to prevent a chain split.
>
> In regards to precedent, there may be good reasons to force that minority
> to fork themselves off the network, as would be the case if a hypothetical
> soft fork was a consensus action to blacklist some UTXO's or something else
> that weaponizes consensus against some subset of Bitcoin's user base, but I
> haven't heard a single person who advocates for LOT=false on the grounds
> that they *themselves* oppose the consensus change that is being proposed
> here. So if the goal is to prevent a chain split, and the soft fork is
> benign and essentially "annexing unoccupied territory" with respect to
> script versions, and no one actually has opposed Taproot itself, then I
> fail to see how LOT=false is safer in the presence of a grenade defense by
> the LOT=true crowd.
>
> I personally *prefer* LOT=true for these reasons, but I am NOT going to
> be joining the ranks of the intolerant minority if Core ultimately ships
> LOT=false. I think it is more important to stay in consensus, and as a
> result I am able to be convinced that false is the right answer. My
> question to everyone else (true AND false advocates) is this: what would
> you have to observe, in order to change your mind or is it immutably made
> up? If we have a significant portion of the community that is immutably
> made up to go false, and another portion that is going to go true, the
> asymmetry of the fork almost *requires* that those of us whose opinions
> are malleable to break for true.
>
> If social consensus is what drives technical consensus and not the other
> way around it seems as if there cannot exist a valid (rational?) reason to
> oppose Taproot itself, and then by extension with the arguments laid out
> above, LOT=true seems to be the logical conclusion of all of this, even if
> Core ships LOT=false at the outset.
>
> Where am I wrong here?
>
> Keagan
>
> On Mon, Feb 22, 2021 at 7:11 PM Jeremy via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Not responding to anyone in particular, but it strikes me that one can
>> think about the case where a small minority (let's say H = 20%?) of nodes
>> select the opposite of what Core releases (LOT=false, LOT=true). I'm
>> ignoring the case where a critical bug is discovered in Taproot for reasons
>> I could expand on if anyone is interested (I don't think LOT=true/false has
>> much of a diff in that regard).
>>
>> You'll note an asymmetry with LOT=true / false analysis. LOT=true nodes
>> are clearly updated (or lying), LOT=false nodes may be un-upgraded (or
>> however you want to interpret it).
>>
>>
>> *# 80% on LOT=false, 20% LOT=True*
>>
>> - Case 1: Activates ahead of time anyways
>>
>> No issues.
>>
>> - Case 2: Fails to Activate before timeout...
>>
>> 20% *may* fork off with LOT=true. Bitcoin hashrate reduced, chance of
>> multi block reorgs at time of fork relatively high, especially if network
>> does not partition.
>>
>> Implication is that activation % being 90%, then X% fewer than 70% of
>> miners are signaling for Taproot at this time.  If X% is small the
>> increased orphan rate caused by the LOT=true miners will cause it to
>> activate anyways. If X% is larger, then there will be a consensus split.
>>
>>
>>
>> *# 80% on LOT=true, 20% LOT=False*
>> - Case 1: Activates ahead of time Anyways
>>
>> No issues.
>>
>> - Case 2: Fails to Activate before timeout...
>>
>> A% + B% + C% = 20%
>>
>> A% (upgraded, signal activate) remain on majority chain with LOT=false,
>> blocks mined universally valid.
>>
>> B% (upgraded, not signaling) succeeds in activating and maintaining
>> consensus, blocks are temporarily lost during the final period, but
>> consensus re-emerges.
>>
>> C% (not upgraded/not signalling) both fail to activate (not upgraded) and
>> blocks are rejected (not signaling) during mandatory signalling.
>> Essentially becomes an SPV miner, should still not select transactions
>> improperly given mempool policy, but may mine a bad tip.
>>
>> (I argue that group B is irrational entirely, as in this case the
>> majority has upgraded, inevitably winning, and is orphaning their blocks so
>> B should effectively be 0% or can be combined with group C as being somehow
>> not upgraded if they are unable to switch once it becomes clear after say
>> the first 100 blocks in the period that LOT > 50%. The only difference in
>> lumping B with C is that group C SPV mines after the fork and B should, in
>> theory, have full validation.).
>>
>>
>>
>> Apologies if my base analysis is off -- happy to take corrections.
>>
>>
>> My overall summary is thus:
>>
>> 1) People care what Core releases because we assume the majority will
>> likely run it. If core were a minority project, we wouldn't really care
>> what core released.
>> 2) People are upset with LOT=true being suggested as release parameters
>> because of the *narrative* that it puts devs in control.
>> 3) LOT=true having a sizeable minority running it presents major issues
>> to majority LOT=false in terms of lost blocks during the final period and
>> in terms of a longer term fork.
>> 4) Majority LOT=true has no long term instability on consensus (majority
>> LOT=true means the final period always activates, any instability is short
>> lived + irrational).
>> 5) On the balance, the safer parameter to release *seems* to be LOT=true.
>> But because devs are sensitive to control narrative, LOT=false is preferred
>> by devs.
>> 6) Almost paradoxically, choosing a *less safe* option for a narrative
>> reason is more of a show of dev control than choosing a more safe option
>> despite appearances.
>> 7) This all comes down to if we think that a reasonable number of
>> important nodes will run LOT=true.
>> 8) This all doesn't matter *that much* because taproot will have many
>> opportunities to activate before the brinksmanship period.
>>
>> As a plan of action, I think that means that either:
>>
>> A) Core should release LOT=true, as a less disruptive option given stated
>> community intentions to do LOT=true
>> B) Core  community should vehemently anti-advocate running LOT=true to
>> ensure the % is as small as possible
>> C) Do nothing
>> D) Core community should release LOT=false and vehemently advocate
>> manually changing to LOT=true to ensure the % is supermajority, but leaving
>> it as a user choice.
>>
>>
>> Overall, I worry that plan B has a mild Streissand effect and would
>> result in boosting LOT=true (which could be OK, so long as LOT=true +
>> LOT=false+signal yes becomes the large majority, but would be not fun for
>> anyone if LOT=true + LOT=false+signal yes are a small majority). Plan C
>> most likely ends up with some % doing LOT=true anyways. D feels a little
>> silly, but maybe a good tradeoff.
>>
>> If I had to summarize the emotional dynamic among developers around
>> LOT=true, I think devs wish it didn't exist because it is clear LOT=true
>> *creates* the issues here. LOT=false would be fine if the LOT=true strategy
>> didn't exist at all. But unfortunately the cat is out of the bag and cannot
>> be put back in. To validate the emotions, I think it is fine to be angry
>> about LOT=true and not like it, but we should either accept that it is most
>> likely to create consensus OR we should find a new game theoretic
>> activation strategy with better pro-social equilibriums.
>>
>> Personally, I think with either plan the ultimate risk of forking is low
>> given probability to activate before timeout, so we should just pick
>> something and move on, accepting that we aren't setting a precedent by
>> which all future forks should abide. Given my understanding of the
>> tradeoffs, I believe that the safest choice is LOT=true, but I wouldn't
>> move to hold back a plan of LOT=false (but would probably take mitigative
>> steps on community advocacy if it looks like there is non majority but non
>> negligible LOT=true uptake).
>>
>> Cheers,
>>
>> Jeremy
>>
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 20078 bytes --]

  reply	other threads:[~2021-02-23 23:15 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-17 12:51 [bitcoin-dev] Yesterday's Taproot activation meeting on lockinontimeout (LOT) Michael Folkson
2021-02-18  5:43 ` Ariel Lorenzo-Luaces
2021-02-18 11:01   ` Michael Folkson
2021-02-18 11:11     ` Samson Mow
2021-02-18 11:52       ` ZmnSCPxj
2021-02-18 12:20         ` Michael Folkson
2021-02-18 14:01           ` Matt Corallo
2021-02-18 14:26             ` Michael Folkson
2021-02-18 14:42               ` Matt Corallo
2021-02-18 14:51                 ` Michael Folkson
2021-02-18 14:53                   ` Matt Corallo
2021-02-18 15:01                     ` Matt Corallo
2021-02-18 15:04                 ` Keagan McClelland
2021-02-18 15:18                   ` Matt Corallo
2021-02-19  2:20                     ` Ariel Luaces
2021-02-19 11:30                     ` ZmnSCPxj
2021-02-19 12:05                       ` Adam Back
2021-02-19 14:13                         ` Matt Corallo
2021-02-19 17:48                           ` Matt Corallo
2021-02-20  2:55                             ` ZmnSCPxj
2021-02-20 17:20                               ` Ariel Lorenzo-Luaces
2021-02-21 14:30                                 ` Matt Corallo
2021-02-22  5:16                             ` Anthony Towns
2021-02-22  6:44                               ` Matt Corallo
2021-02-22 10:16                                 ` Anthony Towns
2021-02-22 14:00                                   ` Matt Corallo
2021-02-22 16:27                                     ` Anthony Towns
2021-02-22 16:31                                     ` Jorge Timón
2021-02-22 16:48                                       ` Jorge Timón
2021-02-23  2:10                                         ` Jeremy
2021-02-23 19:33                                           ` Keagan McClelland
2021-02-23 23:14                                             ` Ben Woosley [this message]
2021-02-24 22:37                                             ` Ariel Luaces
2021-03-01 13:54                                               ` Erik Aronesty
2021-03-02 18:32                                                 ` Ariel Lorenzo-Luaces
2021-02-24  7:18                                           ` Anthony Towns
2021-02-18 13:59         ` Matt Corallo
2021-02-21 16:21 ` Erik Aronesty
2021-02-19 22:12 Matt Hill
2021-02-19 23:30 ` Matt Corallo
2021-02-19 23:42   ` Bryan Bishop
2021-02-21 10:10 Prayank

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAC5gnOxeaFZh8gCs0h0f+5P=4FU-4HyfyUAZ0JTYcVc0Yf5G+Q@mail.gmail.com' \
    --to=ben.woosley@gmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=jlrubin@mit.edu \
    --cc=keagan.mcclelland@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox