On Thu, Mar 08, 2018 at 03:07:43PM -0500, Russell O'Connor wrote: > On Thu, Mar 8, 2018 at 1:34 PM, Peter Todd wrote: > > But that's not a good argument: whether or not normal users are trying to > > attack each other has nothing to do with whether or not you're opening up > > an > > attack by relaxing anti-DoS protections. > > > > I'm not suggesting removing the anti-DoS protections. I'm suggesting that > replaced transaction require a fee increase of at least the min-fee-rate > times the size of all the transactions being ejected (in addition to the > other proposed requirements). Fair: you're not removing them entirely, but you are weakening them compared to the status quo. > > Equally, how often are normal users who aren't attacking each other > > creating > > issues anyway? You can always have your wallet code just skip use of RBF > > > replacements in the event that someone does spend an unconfirmed output that > > you sent them; how often does this actually happen in practice? > > > Just ask rhavar. It happens regularly. > > Not many wallets let you spend unconfirmed outputs that you didn't create. > > > > The problem is with institutional wallets sweeping incoming payments. It > seems that in practice they are happy to sweep unconfirmed outputs. Pity, that does sound like a problem. :( > Setting all of the above aside for a moment. We need to understand that > rational miners are going to prefer to transactions with higher package fee > rates regardless of whatever your personal preferred RBF policy is. If we > do not bring the RBF policy to alignment with what is economically > rational, then miners are going to change their own policies anyways, > probably all in slightly different ways. It behooves everyone to develop a > reasonable standard RBF policy, that is still robust against possible DoS > vectors, and aligns with miner incentives, so that all participants know > what behaviour they can reasonably expect. It is simply a bonus that this > change in RBF policy also partially mitigates the problem of pinned > transactions. Miners and full nodes have slightly different priorities here; it's not clear to me why it matters that they implement slightly different policies. Still, re-reading your initital post, I'm convinced that the weakening of the DoS protections is probably not a huge problem, so maybe lets try this in a release and see what happens. Notably, if people actually use this new replacement behavior, the institutions doing these sweeps of unconfirmed outputs might stop doing that! That's probably a good thing, as respends of potentially conflicted unconfirmed outputs can be dangerous in reorgs; we're better off if outputs are buried deeply before being spent again. -- https://petertodd.org 'peter'[:-1]@petertodd.org