public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Matt Corallo <lf-lists@mattcorallo•com>
To: Michael Folkson <michaelfolkson@gmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Yesterday's Taproot activation meeting on lockinontimeout (LOT)
Date: Thu, 18 Feb 2021 09:42:58 -0500	[thread overview]
Message-ID: <7b8543c3-8ff2-3a6a-b2d4-f4a6cf150d78@mattcorallo.com> (raw)
In-Reply-To: <CAFvNmHSwRGEy-kE8OA4mcDJ+fJjO7J1ckThWY=wqv4yge-MA1Q@mail.gmail.com>

We've had several softforks in Bitcoin which, through the course of their activation, had a several-block reorg. That 
should be indication enough that we need to very carefully consider activation to ensure we reduce the risk of that as 
much as absolutely possible. Again, while I think Taproot is a huge improvement and am looking forward to being able to 
use it, getting unlucky and hitting a 4-block reorg that happens to include a double-spend and some PR around an 
exchange losing millions would be worse than having Taproot is good.

Matt

On 2/18/21 09:26, Michael Folkson wrote:
> Thanks for your response Matt. It is a fair challenge. There is always going to be an element of risk with soft forks, 
> all we can do is attempt to minimize that risk. I would argue that risk has been minimized for Taproot.
> 
> You know (better than I do in fact) that Bitcoin (and layers built on top of it) greatly benefit from upgrades such as 
> Taproot. To say we shouldn't do Taproot or any future soft forks because there is a small but real risk of chain splits 
> I think is shortsighted. Indeed I think even if we collectively decided not to do any future soft fork upgrades ever 
> again on this mailing list that wouldn't stop soft fork attempts from other people in future.
> 
> I don't think there is anything else we can do to minimize that risk for the Taproot soft fork at this point though I'm 
> open to ideas. To reiterate that risk will never be zero. I don't think I see Bitcoin as fragile as you seem to (though 
> admittedly you have a much better understanding than me of what happened in 2017).
> 
> The likely scenario for the Taproot soft fork is LOT turns out to be entirely irrelevant and miners activate Taproot 
> before it becomes relevant. And even the unlikely worst case scenario would only cause short term disruption and 
> wouldn't kill Bitcoin long term.
> 
> On Thu, Feb 18, 2021 at 2:01 PM Matt Corallo <lf-lists@mattcorallo•com <mailto:lf-lists@mattcorallo•com>> wrote:
> 
>     If the eventual outcome is that different implementations (that have material *transaction processing* userbases,
>     and I’m not sure to what extent that’s true with Knots) ship different consensus rules, we should stop here and not
>     activate Taproot. Seriously.
> 
>     Bitcoin is a consensus system. The absolute worst outcome at all possible is to have it fall out of consensus.
> 
>     Matt
> 
>>     On Feb 18, 2021, at 08:11, Michael Folkson via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org
>>     <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>>
>>     
>>     Right, that is one option. Personally I would prefer a Bitcoin Core release sets LOT=false (based on what I have
>>     heard from Bitcoin Core contributors) and a community effort releases a version with LOT=true. I don't think users
>>     should be forced to choose something they may have no context on before they are allowed to use Bitcoin Core.
>>
>>     My current understanding is that roasbeef is planning to set LOT=false on btcd (an alternative protocol
>>     implementation to Bitcoin Core) and Luke Dashjr hasn't yet decided on Bitcoin Knots.
>>
>>
>>
>>     On Thu, Feb 18, 2021 at 11:52 AM ZmnSCPxj <ZmnSCPxj@protonmail•com <mailto:ZmnSCPxj@protonmail•com>> wrote:
>>
>>         Good morning all,
>>
>>         > "An activation mechanism is a consensus change like any other change, can be contentious like any other
>>         change, and we must resolve it like any other change. Otherwise we risk arriving at the darkest timeline."
>>         >
>>         > Who's we here?
>>         >
>>         > Release both and let the network decide.
>>
>>         A thing that could be done, without mandating either LOT=true or LOT=false, would be to have a release that
>>         requires a `taprootlot=1` or `taprootlot=0` and refuses to start if the parameter is not set.
>>
>>         This assures everyone that neither choice is being forced on users, and instead what is being forced on users,
>>         is for users to make that choice themselves.
>>
>>         Regards,
>>         ZmnSCPxj
>>
>>         >
>>         > On Thu, Feb 18, 2021 at 3:08 AM Michael Folkson via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org
>>         <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>>         >
>>         > > Thanks for your response Ariel. It would be useful if you responded to specific points I have made in the
>>         mailing list post or at least quote these ephemeral "people" you speak of. I don't know if you're responding
>>         to conversation on the IRC channel or on social media etc.
>>         > >
>>         > > > The argument comes from a naive assumption that users MUST upgrade to the choice that is submitted into
>>         code. But in fact this isn't true and some voices in this discussion need to be more humble about what users
>>         must or must not run.
>>         > >
>>         > > I personally have never made this assumption. Of course users aren't forced to run any particular software
>>         version, quite the opposite. Defaults set in software versions matter though as many users won't change them.
>>         > >
>>         > > > Does no one realize that it is a very possible outcome that if LOT=true is released there may be only a
>>         handful of people that begin running it while everyone else delays their upgrade (with the very good reason of
>>         not getting involved in politics) and a year later those handful of people just become stuck at the moment of
>>         MUST_SIGNAL, unable to mine new blocks?
>>         > >
>>         > > It is a possible outcome but the likely outcome is that miners activate Taproot before LOT is even
>>         relevant. I think it is prudent to prepare for the unlikely but possible outcome that miners fail to activate
>>         and hence have this discussion now rather than be unprepared for that eventuality. If LOT is set to false in a
>>         software release there is the possibility (T2 in
>>         https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018380.html
>>         <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018380.html>) of individuals or a
>>         proportion of the community changing LOT to true. In that sense setting LOT=false in a software release
>>         appears to be no more safe than LOT=true.
>>         > >
>>         > > > The result: a wasted year of waiting and a minority of people who didn't want to be lenient with miners
>>         by default.
>>         > >
>>         > > There is the (unlikely but possible) possibility of a wasted year if LOT is set to false and miners fail
>>         to activate. I'm not convinced by this perception that LOT=true is antagonistic to miners. I actually think it
>>         offers them clarity on what will happen over a year time period and removes the need for coordinated or
>>         uncoordinated community UASF efforts on top of LOT=false.
>>         > >
>>         > > > An activation mechanism is a consensus change like any other change, can be contentious like any other
>>         change, and we must resolve it like any other change. Otherwise we risk arriving at the darkest timeline.
>>         > >
>>         > > I don't know what you are recommending here to avoid "this darkest timeline". Open discussions have
>>         occurred and are continuing and in my mailing list post that you responded to **I recommended we propose
>>         LOT=false be set in protocol implementations such as Bitcoin Core**. I do think this apocalyptic language
>>         isn't particularly helpful. In an open consensus system discussion is healthy, we should prepare for bad or
>>         worst case scenarios in advance and doing so is not antagonistic or destructive. Mining pools have pledged
>>         support for Taproot but we don't build secure systems based on pledges of support, we build them to minimize
>>         trust in any human actors. We can be grateful that people like Alejandro have worked hard on
>>         taprootactivation.com <http://taprootactivation.com> (and this effort has informed the discussion) without
>>         taking pledges of support as cast iron guarantees.
>>         > >
>>         > > TL;DR It sounds like you agree with my recommendation to set LOT=false in protocol implementations in my
>>         email :)
>>         > >
>>         > > On Thu, Feb 18, 2021 at 5:43 AM Ariel Lorenzo-Luaces <arielluaces@gmail•com
>>         <mailto:arielluaces@gmail•com>> wrote:
>>         > >
>>         > > > Something what strikes me about the conversation is the emotion surrounding the letters UASF.
>>         > > > It appears as if people discuss UASF as if it's a massive tidal wave of support that is inevitable, like
>>         we saw during segwit activation. But the actual definition is "any activation that is not a MASF".
>>         > > > A UASF can consist of a single node, ten nodes, a thousand, half of all nodes, all business' nodes, or
>>         even all the non mining nodes. On another dimension it can have zero mining support, 51% support, 49% support,
>>         or any support right up against a miner activation threshold.
>>         > > > Hell a UASF doesn't even need code or even a single node running as long as it exists as a possibility
>>         in people's minds.
>>         > > > The only thing a UASF doesn't have is miner support above an agreed activation threshold (some number
>>         above %51).
>>         > > > I say this because it strikes me when people say that they are for LOT=true with the logic that since a
>>         UASF is guaranteed to happen then it's better to just make it default from the beginning. Words like
>>         coordination and safety are sometimes sprinkled into the argument.
>>         > > > The argument comes from a naive assumption that users MUST upgrade to the choice that is submitted into
>>         code. But in fact this isn't true and some voices in this discussion need to be more humble about what users
>>         must or must not run.
>>         > > > Does no one realize that it is a very possible outcome that if LOT=true is released there may be only a
>>         handful of people that begin running it while everyone else delays their upgrade (with the very good reason of
>>         not getting involved in politics) and a year later those handful of people just become stuck at the moment of
>>         MUST_SIGNAL, unable to mine new blocks? Or attracting a minority of miners, activating, and forking off into a
>>         minority fork. Then a lot=false could be started that ends up activating the feature now that the stubborn
>>         option has ran its course.
>>         > > > The result: a wasted year of waiting and a minority of people who didn't want to be lenient with miners
>>         by default. The chains could be called BitcoinLenient and BitcoinStubborn.
>>         > > > How is that strictly safer or more coordinated?
>>         > > > I may be in the minority, or maybe a silent majority, or maybe a majority that just hasn't considered
>>         this as a choice but honestly if there is contention about whether we're going to be stubborn or lenient with
>>         miners for Taproot and in the future then I prefer to just not activate anything at all. I'm fine for calling
>>         bitcoin ossified, accepting that segwit is Bitcoin's last network upgrade. Taproot is amazing but no new
>>         feature is worth a network split down the middle.
>>         > > > Maybe in 10 or 20 years, when other blockchains implement features like Taproot and many more, we will
>>         become envious enough to put aside our differences on how to behave towards miners and finally activate Taproot.
>>         > > > An activation mechanism is a consensus change like any other change, can be contentious like any other
>>         change, and we must resolve it like any other change. Otherwise we risk arriving at the darkest timeline.
>>         > > > Cheers
>>         > > > Ariel Lorenzo-Luaces
>>         > > > On Feb 17, 2021, at 7:05 AM, Michael Folkson via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org
>>         <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>>         > > >
>>         > > > > Yesterday (February 16th) we held a second meeting on Taproot
>>         > > > > activation on IRC which again was open to all. Despite what appeared
>>         > > > > to be majority support for LOT=false over LOT=true in the first
>>         > > > > meeting I (and others) thought the arguments had not been explored in
>>         > > > > depth and that we should have a follow up meeting almost entirely
>>         > > > > focused on whether LOT (lockinontimeout) should be set to true or
>>         > > > > false.
>>         > > > >
>>         > > > > The meeting was announced here:
>>         > > > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018380.html
>>         <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018380.html>
>>         > > > >
>>         > > > > In that mailing list post I outlined the arguments for LOT=true (T1 to
>>         > > > > T6) and arguments for LOT=false (F1 to F6) in their strongest form I
>>         > > > > could. David Harding responded with an additional argument for
>>         > > > > LOT=false (F7) here:
>>         > > > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018415.html
>>         <https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-February/018415.html>
>>         > > > >
>>         > > > > These meetings are very challenging given they are open to all, you
>>         > > > > don’t know who will attend and you don’t know most people’s views in
>>         > > > > advance. I tried to give time for both the LOT=true arguments and the
>>         > > > > LOT=false arguments to be discussed as I knew there was support for
>>         > > > > both. We only tried evaluating which had more support and which had
>>         > > > > more strong opposition towards the end of the meeting.
>>         > > > >
>>         > > > > The conversation log is here:
>>         > > > > http://gnusha.org/taproot-activation/2021-02-16.log <http://gnusha.org/taproot-activation/2021-02-16.log>
>>         > > > >
>>         > > > > (If you are so inclined you can watch a video of the meeting here.
>>         > > > > Thanks to the YouTube account “Bitcoin” for setting up the livestream:
>>         > > > > https://www.youtube.com/watch?v=vpl5q1ovMLM <https://www.youtube.com/watch?v=vpl5q1ovMLM>)
>>         > > > >
>>         > > > > A summary of the meeting was provided by Luke Dashjr on Mastodon here:
>>         > > > > https://bitcoinhackers.org/@lukedashjr/105742918779234566
>>         <https://bitcoinhackers.org/@lukedashjr/105742918779234566>
>>         > > > >
>>         > > > > Today's #Bitcoin #Taproot meeting was IMO largely unproductive, but we
>>         > > > > did manage to come to consensus on everything but LockinOnTimeout.
>>         > > > >
>>         > > > > Activation height range: 693504-745920
>>         > > > >
>>         > > > > MASF threshold: 1815/2016 blocks (90%)
>>         > > > >
>>         > > > > Keep in mind only ~100 people showed for the meetings, hardly
>>         > > > > representative of the entire community.
>>         > > > >
>>         > > > > So, these details remain JUST a proposal for now.
>>         > > > >
>>         > > > > It seems inevitable that there won't be consensus on LOT.
>>         > > > >
>>         > > > > Everyone will have to choose for himself. :/
>>         > > > >
>>         > > > > Personally I agree with most of this. I agree that there wasn’t
>>         > > > > overwhelming consensus for either LOT=true or LOT=false. However, from
>>         > > > > my perspective there was clearly more strong opposition (what would
>>         > > > > usually be deemed a NACK in Bitcoin Core review terminology) from
>>         > > > > Bitcoin Core contributors, Lightning developers and other community
>>         > > > > members against LOT=true than there was for LOT=false. Andrew Chow
>>         > > > > tried to summarize views from the meeting in this analysis:
>>         > > > > https://gist.github.com/achow101/3e179501290abb7049de198d46894c7c
>>         <https://gist.github.com/achow101/3e179501290abb7049de198d46894c7c>
>>         > > > >
>>         > > > > I am also aware of other current and previous Bitcoin Core
>>         > > > > contributors and Lightning developers who didn’t attend the meeting in
>>         > > > > person who are opposed to LOT=true. I don’t want to put them in the
>>         > > > > spotlight for no reason but if you go through the conversation logs of
>>         > > > > not only the meeting but the weeks of discussion prior to this meeting
>>         > > > > you will see their views evaluated on the ##taproot-activation
>>         > > > > channel. In addition, on taprootactivation.com <http://taprootactivation.com> some mining pools
>>         > > > > expressed a preference for lot=false though I don’t know how strong
>>         > > > > that preference was.
>>         > > > >
>>         > > > > I am only one voice but it is my current assessment that if we are to
>>         > > > > attempt to finalize Taproot activation parameters and propose them to
>>         > > > > the community at this time our only option is to propose LOT=false.
>>         > > > > Any further delay appears to me counterproductive in our collective
>>         > > > > aim to get the Taproot soft fork activated as early as possible.
>>         > > > >
>>         > > > > Obviously others are free to disagree with that assessment and
>>         > > > > continue discussions but personally I will be attempting to avoid
>>         > > > > those discussions unless prominent new information comes to light or
>>         > > > > various specific individuals change their minds.
>>         > > > >
>>         > > > > Next week we are planning a code review of the Bitcoin Core PR #19573
>>         > > > > which was initially delayed because of this LOT discussion. As I’ve
>>         > > > > said previously that will be loosely following the format of the
>>         > > > > Bitcoin Core PR review club and will be lower level and more
>>         > > > > technical. That is planned for Tuesday February 23rd at 19:00 UTC on
>>         > > > > the IRC channel ##taproot-activation.
>>         > > > >
>>         > > > > Thanks to the meeting participants (and those who joined the
>>         > > > > discussion on the channel prior and post the meeting) for engaging
>>         > > > > productively and in good faith.
>>         > >
>>         > > --
>>         > > Michael Folkson
>>         > > Email: michaelfolkson@gmail•com <mailto:michaelfolkson@gmail•com>
>>         > > Keybase: michaelfolkson
>>         > > PGP: 43ED C999 9F85 1D40 EAF4 9835 92D6 0159 214C FEE3
>>         > > _______________________________________________
>>         > > bitcoin-dev mailing list
>>         > > bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>
>>         > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>         <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
>>
>>
>>
>>
>>     -- 
>>     Michael Folkson
>>     Email: michaelfolkson@gmail•com <mailto:michaelfolkson@gmail•com>
>>     Keybase: michaelfolkson
>>     PGP: 43ED C999 9F85 1D40 EAF4 9835 92D6 0159 214C FEE3
>>     _______________________________________________
>>     bitcoin-dev mailing list
>>     bitcoin-dev@lists•linuxfoundation.org <mailto:bitcoin-dev@lists•linuxfoundation.org>
>>     https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>     <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>
> 
> 
> 
> -- 
> Michael Folkson
> Email: michaelfolkson@gmail•com <mailto:michaelfolkson@gmail•com>
> Keybase: michaelfolkson
> PGP: 43ED C999 9F85 1D40 EAF4 9835 92D6 0159 214C FEE3


  reply	other threads:[~2021-02-18 14:43 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-17 12:51 Michael Folkson
2021-02-18  5:43 ` Ariel Lorenzo-Luaces
2021-02-18 11:01   ` Michael Folkson
2021-02-18 11:11     ` Samson Mow
2021-02-18 11:52       ` ZmnSCPxj
2021-02-18 12:20         ` Michael Folkson
2021-02-18 14:01           ` Matt Corallo
2021-02-18 14:26             ` Michael Folkson
2021-02-18 14:42               ` Matt Corallo [this message]
2021-02-18 14:51                 ` Michael Folkson
2021-02-18 14:53                   ` Matt Corallo
2021-02-18 15:01                     ` Matt Corallo
2021-02-18 15:04                 ` Keagan McClelland
2021-02-18 15:18                   ` Matt Corallo
2021-02-19  2:20                     ` Ariel Luaces
2021-02-19 11:30                     ` ZmnSCPxj
2021-02-19 12:05                       ` Adam Back
2021-02-19 14:13                         ` Matt Corallo
2021-02-19 17:48                           ` Matt Corallo
2021-02-20  2:55                             ` ZmnSCPxj
2021-02-20 17:20                               ` Ariel Lorenzo-Luaces
2021-02-21 14:30                                 ` Matt Corallo
2021-02-22  5:16                             ` Anthony Towns
2021-02-22  6:44                               ` Matt Corallo
2021-02-22 10:16                                 ` Anthony Towns
2021-02-22 14:00                                   ` Matt Corallo
2021-02-22 16:27                                     ` Anthony Towns
2021-02-22 16:31                                     ` Jorge Timón
2021-02-22 16:48                                       ` Jorge Timón
2021-02-23  2:10                                         ` Jeremy
2021-02-23 19:33                                           ` Keagan McClelland
2021-02-23 23:14                                             ` Ben Woosley
2021-02-24 22:37                                             ` Ariel Luaces
2021-03-01 13:54                                               ` Erik Aronesty
2021-03-02 18:32                                                 ` Ariel Lorenzo-Luaces
2021-02-24  7:18                                           ` Anthony Towns
2021-02-18 13:59         ` Matt Corallo
2021-02-21 16:21 ` Erik Aronesty
2021-02-19 22:12 Matt Hill
2021-02-19 23:30 ` Matt Corallo
2021-02-19 23:42   ` Bryan Bishop
2021-02-21 10:10 Prayank

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7b8543c3-8ff2-3a6a-b2d4-f4a6cf150d78@mattcorallo.com \
    --to=lf-lists@mattcorallo$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=michaelfolkson@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox