From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E4A32BDE for ; Wed, 7 Jun 2017 21:50:20 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ua0-f180.google.com (mail-ua0-f180.google.com [209.85.217.180]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D952716C for ; Wed, 7 Jun 2017 21:50:19 +0000 (UTC) Received: by mail-ua0-f180.google.com with SMTP id q15so12088207uaa.2 for ; Wed, 07 Jun 2017 14:50:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3QC8Yad2NXx2AU57GOtYBNVZztEFq2ZT7qHlxdmNcpY=; b=qwZ81ykIgvdESU3AFsioy23TjC4n76/aSvgIOPk05Vy6NPfh3wUawppSLW022u6FzM ALMX0dlQALrRuPKFUd+Ky97NhXm1X2NH9jTipemcPq79Z57LMT+hdquLAkjQmqL0lcJv sO54aRh42duJqtHg9UTpI455GWaP45IepsOKBU/ZhUQvwlrehNWX3nx0EB38WftsvZpT RteCkUhQk6hHK7HQWEmW1iUbB3wVusDfTSd1HlFgaYzgAijop1aSOgiuz2+lkuN/q/qk n3ab1jTFjdOpFU7IteGR81KVhdoijaaixXduX6VucB9uBBObAPB3FbS0BNCcyE8gA+n/ XIlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3QC8Yad2NXx2AU57GOtYBNVZztEFq2ZT7qHlxdmNcpY=; b=MF0zh0IuzuW3jqLBXoqxT/LM8FcDissyzj6MT86B9G8DAj26GEcyl5I+PVv1khzAFW /rvveth/rPIaIRaYQFX0D1wZCYABVSxsRWoqe3pZU9qzWXOeGI2N1ObFPtbZeVu7BVym Z0RUa4DOWzF7Ca4RFAq1J+Rb45DNknbKuVMlGzV+UxmlDBfhGiXbeZPZWDaUi/Sjjty0 F0gaMdVukVTn9Bn3Btv+t4UF5PpXrBIYBbJvnaB6BYzxxwonUjwfF80ir1ysRWU7r1dk Knib7upAeAFStCds8sk3K7t95JsBd/ra7iophk44KTXgCGVAbHl9je9aS8ET/VLxSpq1 iLww== X-Gm-Message-State: AODbwcCx8hfOCRSsf+jVepCjg+sLjqt1FyItxXHDKPunGjh4vQRJIDP4 VHaIXAfPQcDP7QvXdbdhkABVQ1jQUQ== X-Received: by 10.159.60.82 with SMTP id w18mr16770063uah.19.1496872218833; Wed, 07 Jun 2017 14:50:18 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.157.215 with HTTP; Wed, 7 Jun 2017 14:50:18 -0700 (PDT) In-Reply-To: References: From: Jared Lee Richardson Date: Wed, 7 Jun 2017 14:50:18 -0700 Message-ID: To: James Hilliard Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 07 Jun 2017 21:56:06 +0000 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] User Activated Soft Fork Split Protection X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jun 2017 21:50:21 -0000 Could this risk mitigation measure be an optional flag? And if so, could it+BIP91 signal on a different bit than bit4? The reason being, if for some reason the segwit2x activation cannot take place in time, it would be preferable for miners to have a more standard approach to activation that requires stronger consensus and may be more forgiving than BIP148. If the segwit2x activation is on time to cooperate with BIP148, it could be signaled through the non-bit4 approach and everything could go smoothly. Thoughts on that idea? It may add more complexity and more developer time, but may also address your concerns among others. > Since this BIP > only activates with a clear miner majority it should not increase the > risk of an extended chain split. The concern I'm raising is more about the psychology of giving BIP148 a sense of safety that may not be valid. Without several more steps, BIP148 is definitely on track to be a risky chainsplit, and without segwit2x it will almost certainly be a small minority chain. (Unless the segwit2x compromise falls apart before then, and even in that case it is likely to be a minority chain) Jared On Wed, Jun 7, 2017 at 2:42 PM, James Hilliard wrote: > I don't really see how this would increase the likelihood of an > extended chain split assuming BIP148 is going to have > non-insignificant economic backing. This BIP is designed to provide a > risk mitigation measure that miners can safely deploy. Since this BIP > only activates with a clear miner majority it should not increase the > risk of an extended chain split. At this point it is not completely > clear how much economic support there is for BIP148 but support > certainly seems to be growing and we have nearly 2 months until BIP148 > activation. I intentionally used a shorter activation period here so > that decisions by miners can be made close to the BIP148 activation > date. > > On Wed, Jun 7, 2017 at 4:29 PM, Jared Lee Richardson wrote: >> I think this BIP represents a gamble, and the gamble may not be a good >> one. The gamble here is that if the segwit2x changes are rolled out >> on time, and if the signatories accept the bit4 + bit1 signaling >> proposals within BIP91, the launch will go smoother, as intended. But >> conversely, if either the segwit2x signatories balk about the Bit1 >> signaling OR if the timelines for segwit2mb are missed even by a bit, >> it may cause the BIP148 chainsplit to be worse than it would be >> without. Given the frequent concerns raised in multiple places about >> the aggressiveness of the segwit2x timelines, including the >> non-hardfork timelines, this does not seem like a great gamble to be >> making. >> >> The reason I say it may make the chainsplit be worse than it would >> otherwise be is that it may provide a false sense of safety for BIP148 >> that currently does not currently exist(and should not, as it is a >> chainsplit). That sense of safety would only be legitimate if the >> segwit2x signatories were on board, and the segwit2x code effectively >> enforced BIP148 simultaneously, neither of which are guaranteed. If >> users and more miners had a false sense that BIP148 was *not* going to >> chainsplit from default / segwit2x, they might not follow the news if >> suddenly the segwit2x plan were delayed for a few days. While any >> additional support would definitely be cheered on by BIP148 >> supporters, the practical reality might be that this proposal would >> take BIP148 from the "unlikely to have any viable chain after flag day >> without segwit2x" category into the "small but viable minority chain" >> category, and even worse, it might strengthen the chainsplit just days >> before segwit is activated on BOTH chains, putting the BIP148 >> supporters on the wrong pro-segwit, but still-viable chain. >> >> If Core had taken a strong stance to include BIP148 into the client, >> and if BIP148 support were much much broader, I would feel differently >> as the gamble would be more likely to discourage a chainsplit (By >> forcing the acceleration of segwit2x) rather than encourage it (by >> strengthening an extreme minority chainsplit that may wind up on the >> wrong side of two segwit-activated chains). As it stands now, this >> seems like a very dangerous attempt to compromise with a small but >> vocal group that are the ones creating the threat to begin with. >> >> Jared >> >> On Tue, Jun 6, 2017 at 5:56 PM, James Hilliard via bitcoin-dev >> wrote: >>> Due to the proposed calendar(https://segwit2x.github.io/) for the >>> SegWit2x agreement being too slow to activate SegWit mandatory >>> signalling ahead of BIP148 using BIP91 I would like to propose another >>> option that miners can use to prevent a chain split ahead of the Aug >>> 1st BIP148 activation date. >>> >>> The splitprotection soft fork is essentially BIP91 but using BIP8 >>> instead of BIP9 with a lower activation threshold and immediate >>> mandatory signalling lock-in. This allows for a majority of miners to >>> activate mandatory SegWit signalling and prevent a potential chain >>> split ahead of BIP148 activation. >>> >>> This BIP allows for miners to respond to market forces quickly ahead >>> of BIP148 activation by signalling for splitprotection. Any miners >>> already running BIP148 should be encouraged to use splitprotection. >>> >>>
>>>   BIP: splitprotection
>>>   Layer: Consensus (soft fork)
>>>   Title: User Activated Soft Fork Split Protection
>>>   Author: James Hilliard 
>>>   Comments-Summary: No comments yet.
>>>   Comments-URI:
>>>   Status: Draft
>>>   Type: Standards Track
>>>   Created: 2017-05-22
>>>   License: BSD-3-Clause
>>>            CC0-1.0
>>> 
>>> >>> ==Abstract== >>> >>> This document specifies a coordination mechanism for a simple majority >>> of miners to prevent a chain split ahead of BIP148 activation. >>> >>> ==Definitions== >>> >>> "existing segwit deployment" refer to the BIP9 "segwit" deployment >>> using bit 1, between November 15th 2016 and November 15th 2017 to >>> activate BIP141, BIP143 and BIP147. >>> >>> ==Motivation== >>> >>> The biggest risk of BIP148 is an extended chain split, this BIP >>> provides a way for a simple majority of miners to eliminate that risk. >>> >>> This BIP provides a way for a simple majority of miners to coordinate >>> activation of the existing segwit deployment with less than 95% >>> hashpower before BIP148 activation. Due to time constraints unless >>> immediately deployed BIP91 will likely not be able to enforce >>> mandatory signalling of segwit before the Aug 1st activation of >>> BIP148. This BIP provides a method for rapid miner activation of >>> SegWit mandatory signalling ahead of the BIP148 activation date. Since >>> the primary goal of this BIP is to reduce the chance of an extended >>> chain split as much as possible we activate using a simple miner >>> majority of 65% over a 504 block interval rather than a higher >>> percentage. This BIP also allows miners to signal their intention to >>> run BIP148 in order to prevent a chain split. >>> >>> ==Specification== >>> >>> While this BIP is active, all blocks must set the nVersion header top >>> 3 bits to 001 together with bit field (1<<1) (according to the >>> existing segwit deployment). Blocks that do not signal as required >>> will be rejected. >>> >>> ==Deployment== >>> >>> This BIP will be deployed by "version bits" with a 65%(this can be >>> adjusted if desired) activation threshold BIP9 with the name >>> "splitprotecion" and using bit 2. >>> >>> This BIP starts immediately and is a BIP8 style soft fork since >>> mandatory signalling will start on midnight August 1st 2017 (epoch >>> time 1501545600) regardless of whether or not this BIP has reached its >>> own signalling threshold. This BIP will cease to be active when segwit >>> is locked-in. >>> >>> === Reference implementation === >>> >>>
>>> // Check if Segregated Witness is Locked In
>>> bool IsWitnessLockedIn(const CBlockIndex* pindexPrev, const
>>> Consensus::Params& params)
>>> {
>>>     LOCK(cs_main);
>>>     return (VersionBitsState(pindexPrev, params,
>>> Consensus::DEPLOYMENT_SEGWIT, versionbitscache) ==
>>> THRESHOLD_LOCKED_IN);
>>> }
>>>
>>> // SPLITPROTECTION mandatory segwit signalling.
>>> if ( VersionBitsState(pindex->pprev, chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SPLITPROTECTION, versionbitscache) ==
>>> THRESHOLD_LOCKED_IN &&
>>>      !IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>> // Segwit is not locked in
>>>      !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus()) ) //
>>> and is not active.
>>> {
>>>     bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>> VERSIONBITS_TOP_BITS;
>>>     bool fSegbit = (pindex->nVersion &
>>> VersionBitsMask(chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>     if (!(fVersionBits && fSegbit)) {
>>>         return state.DoS(0, error("ConnectBlock(): relayed block must
>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>     }
>>> }
>>>
>>> // BIP148 mandatory segwit signalling.
>>> int64_t nMedianTimePast = pindex->GetMedianTimePast();
>>> if ( (nMedianTimePast >= 1501545600) &&  // Tue 01 Aug 2017 00:00:00 UTC
>>>      (nMedianTimePast <= 1510704000) &&  // Wed 15 Nov 2017 00:00:00 UTC
>>>      (!IsWitnessLockedIn(pindex->pprev, chainparams.GetConsensus()) &&
>>>  // Segwit is not locked in
>>>       !IsWitnessEnabled(pindex->pprev, chainparams.GetConsensus())) )
>>>  // and is not active.
>>> {
>>>     bool fVersionBits = (pindex->nVersion & VERSIONBITS_TOP_MASK) ==
>>> VERSIONBITS_TOP_BITS;
>>>     bool fSegbit = (pindex->nVersion &
>>> VersionBitsMask(chainparams.GetConsensus(),
>>> Consensus::DEPLOYMENT_SEGWIT)) != 0;
>>>     if (!(fVersionBits && fSegbit)) {
>>>         return state.DoS(0, error("ConnectBlock(): relayed block must
>>> signal for segwit, please upgrade"), REJECT_INVALID, "bad-no-segwit");
>>>     }
>>> }
>>> 
>>> >>> https://github.com/bitcoin/bitcoin/compare/0.14...jameshilliard:splitprotection-v0.14.1 >>> >>> ==Backwards Compatibility== >>> >>> This deployment is compatible with the existing "segwit" bit 1 >>> deployment scheduled between midnight November 15th, 2016 and midnight >>> November 15th, 2017. This deployment is also compatible with the >>> existing BIP148 deployment. This BIP is compatible with BIP91 only if >>> BIP91 activates before it and before BIP148. Miners will need to >>> upgrade their nodes to support splitprotection otherwise they may >>> build on top of an invalid block. While this bip is active users >>> should either upgrade to splitprotection or wait for additional >>> confirmations when accepting payments. >>> >>> ==Rationale== >>> >>> Historically we have used IsSuperMajority() to activate soft forks >>> such as BIP66 which has a mandatory signalling requirement for miners >>> once activated, this ensures that miners are aware of new rules being >>> enforced. This technique can be leveraged to lower the signalling >>> threshold of a soft fork while it is in the process of being deployed >>> in a backwards compatible way. We also use a BIP8 style timeout to >>> ensure that this BIP is compatible with BIP148 and that BIP148 >>> compatible mandatory signalling activates regardless of miner >>> signalling levels. >>> >>> By orphaning non-signalling blocks during the BIP9 bit 1 "segwit" >>> deployment, this BIP can cause the existing "segwit" deployment to >>> activate without needing to release a new deployment. As we approach >>> BIP148 activation it may be desirable for a majority of miners to have >>> a method that will ensure that there is no chain split. >>> >>> ==References== >>> >>> *[https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013714.html >>> Mailing list discussion] >>> *[https://github.com/bitcoin/bitcoin/blob/v0.6.0/src/main.cpp#L1281-L1283 >>> P2SH flag day activation] >>> *[[bip-0009.mediawiki|BIP9 Version bits with timeout and delay]] >>> *[[bip-0016.mediawiki|BIP16 Pay to Script Hash]] >>> *[[bip-0091.mediawiki|BIP91 Reduced threshold Segwit MASF]] >>> *[[bip-0141.mediawiki|BIP141 Segregated Witness (Consensus layer)]] >>> *[[bip-0143.mediawiki|BIP143 Transaction Signature Verification for >>> Version 0 Witness Program]] >>> *[[bip-0147.mediawiki|BIP147 Dealing with dummy stack element malleability]] >>> *[[bip-0148.mediawiki|BIP148 Mandatory activation of segwit deployment]] >>> *[[bip-0149.mediawiki|BIP149 Segregated Witness (second deployment)]] >>> *[https://bitcoincore.org/en/2016/01/26/segwit-benefits/ Segwit benefits] >>> >>> ==Copyright== >>> >>> This document is dual licensed as BSD 3-clause, and Creative Commons >>> CC0 1.0 Universal. >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev