From: Anthony Towns <aj@erisian•com.au>
To: Yosef <asix@disroot•org>,
Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Modern Soft Fork Activation
Date: Tue, 14 Jan 2020 13:20:26 +1000 [thread overview]
Message-ID: <20200114032026.33ft2qsjk72citpr@erisian.com.au> (raw)
In-Reply-To: <415e793656ab4326b48d9dc050a85eb8@disroot.org>
On Mon, Jan 13, 2020 at 08:34:24AM +0000, Yosef via bitcoin-dev wrote:
> tl;dr How about 80% ?
The point of having hashpower upgraded is that it means that there's low
liklihood of long chains of blocks that are invalid per the new rules, so
that if you haven't upgraded your node but wait for a few confirmations,
you'll still (with very high liklihood) only see blocks valid per the
new rules.
If you have 80% of miners enforcing the rules, then if someone produces
a block that violates the new rules (but is valid for the old ones),
then you've got a 20% chance of one of the non-enforcing miners getting
the next block, and a 4% chance of non-enforcing miners getting both
the next blocks, giving 3 confirmations to invalid transactions. That
seems a bit high.
3 confirmations isn't unrealistic, eg Coinbase apparently recently
dropped its requirement to that apparently:
https://blog.coinbase.com/announcing-new-confirmation-requirements-4a5504ba8d81
I could maybe see a 90% threshold though?
> 95% can prove difficult to achieve. Some % of negligent miners that forget to upgrade is expected.
Is it? We went from 59% to 54% to 28% to 0% (!!) of blocks not signalling
for segwit during consecutive two-week blocks in the BIP-91/148
period; and from 100% of blocks not signalling for BIP-91 to 99.4%,
48%, 15%, and 11% during consecutive 2.3 day periods targeting an 80%
threshold. Certainly that was a particularly high-stakes period, but
they were both pretty short. For comparison, for CSV, we went from 100%
not signalling to 61%, to 54% to 3.4% in consecutive two-week periods.
> Completing that to 5% is not too difficult for a small malicious minority trying to delay the activation. This is the issue Matt's goal #5 aims to prevent, and while the fallback to BIP-8 helps, BIP-9’s 95% requirement makes it worse by allowing quite a neglected minority to force a dramatic delay. Also note how in such case it would have been better to skip BIP-9 altogether and maybe save 1.5 years.
I don't think you can really skip steps if you need a flag day:
- the first 12 months is for *really seriously* making sure there's no
problems with the proposed upgrade; you can't that because people
might not look for problems until the code's out there and ready for
actual use
- the next 6 months is for updating the software to lock in the flag
day; you can't skip that because it takes time to get new releases out
- the next 24 months is to ensure everyone's upgraded their nodes so
that they won't be at risk of thinking they've received bitcoins when
those coins aren't in compliance with the new rules; and you can't
skip that because if we don't have hashpower reliably enforcing the
rules, *everybody* needs to upgrade, which can take a lot of time.
Times could be tweaked, but the "everyone has to upgrade their node
software" is almost the same constraint that hard forks have, so I think
you want to end up with a long overall lead time any which way. For
comparison, 0.12.1 came out about 45 months ago and 0.13.2 came out
about 36 months ago -- about 0.5% of nodes are running 0.12 or earler,
and about 4.9% of nodes are running 0.13 or earlier, at least per [0],
so the overall timeline of 42 months seems plausible to me...
[0] https://luke.dashjr.org/programs/bitcoin/files/charts/software.html
I think (especially if we attempt BIP-91/BIP-148-style compulsory
signalling again) it's worth also considering the failure case if miners
false-signal: that is they signal support of the new soft-fork rules,
but then don't actually enforce them. If you end up with, say, 15% of
hashpower not upgraded or signalling, 25% of hashpower not upgraded but
signalling so their blocks don't get orphaned, and only 65% of hashpower
upgraded, you have a 1% chance of 5 blocks built on top of a block
that's invalid according to the new rules, giving those transactions 6
confirmations as far as non-upgraded nodes are concerned.
Cheers,
aj
next prev parent reply other threads:[~2020-01-14 3:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-13 8:34 Yosef
2020-01-14 3:20 ` Anthony Towns [this message]
-- strict thread matches above, loose matches on Subject: below --
2020-01-10 21:30 Matt Corallo
2020-01-10 22:21 ` Jorge Timón
2020-01-10 22:43 ` Matt Corallo
2020-01-10 23:07 ` Jorge Timón
2020-01-10 23:37 ` Luke Dashjr
2020-01-11 0:54 ` Jeremy
2020-01-14 19:22 ` Matt Corallo
2020-01-11 14:42 ` Anthony Towns
2020-01-12 5:58 ` Luke Dashjr
2020-01-14 19:42 ` Matt Corallo
2020-01-16 3:46 ` Anthony Towns
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200114032026.33ft2qsjk72citpr@erisian.com.au \
--to=aj@erisian$(echo .)com.au \
--cc=asix@disroot$(echo .)org \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox