[bitcoin-dev] Response to Rusty Russell from Github

[Jeremy]

In response to
https://gist.github.com/michaelfolkson/92899f27f1ab30aa2ebee82314f8fe7f#gistcomment-3679489,
reproduced below.

Rusty,

I concur with the gist of what you're saying -- Speedy Trial alone is not
the final word on activation logic. There are likely better procedures for
releasing and activating updates.

Where I disagree is that I do not believe that BIP8 with LOT configuration
is the improved long term option we should ossify around either. I
understand the triumvirate model you desire to achieve, but BIP8 with an
individually set LOT configuration does not formalize how economic nodes
send a network legible signal ahead of a chain split. A regular flag day,
with no signalling, but communally released and communicated openly most
likely better achieves the goal of providing users choice.

Where I also disagree is that we are likely to come to consensus on an
improved long term process in the immediate future (e.g., within the next
year), let alone the software for it.

Do you believe that perfecting a release mechanism is a showstopping issue
for proceeding with any upgrade at this time? Or do you just want for this
problem to actively be worked on going forward?

I think it's reasonable to want to form an open ended process to
investigate, spec, and formalize a consistent and complete activation
pathway but I don't think we should force the community to wait around for
an unknown solution to release upgrades that are waiting for takeoff.


Lastly, I'll make the case that ST *does* meet your desired triumvirate at
least as well as BIP8 with configurable LOT.

1. Developers release, but do not activate
2. Miners signal
3. Users may override by compiling and releasing a patched Bitcoin with
moderate changes that activates Taproot at a later date. While this might
*seem* more complicated a procedure than configurable LOT, here are four
reasons why it may be simpler (and safer) to just do a fresh release:

A. No time-based consensus sensitivity on when LOT must be set (e.g., what
happens if mid final signal period users decide to set LOT? Do all users
set it at the same time? Or different times and end up causing nodes to ban
each other for various reasons?)
B. No "missed window" if users don't coordinate on setting LOT before the
final period -- release whenever ready.
C. ST fails fast, permitting users ample time to prepare an alternative
release
D. If miners continue to mine without signalling, and users abandon a
LOT=true setting, their node will have already marked those blocks invalid
and they will need to figure out how to re-validate the block.

RE: point 3, is it as easy as it *could* be? No, but I don't have any
genius ideas on how to make it easier either. (Note that I've previously
argued for adding configurable LOT=true on the basis that a user-run script
could emulate LOT without any software change as a harm reduction, but I
did not advocate that particular technique be formalized as a part of the
activation process)


Best,

Jeremy


> > > Taproot could be activated by a blind monkey, [...] ST avoids the
hard questions, since it will almost certainly pass; [...] But one day, a
real crisis will return. We won't have an answer, and we won't have
practiced: this will make the crisis far worse. Instead, if we codify "devs
propose, miners activate, users override" (i.e. a LOT=true option, off by
default) we'll know exactly what the process will be when miners fail to
activate. It may still be messy, of course, but we'll have all the tools at
hand, and we'll even know the date the crisis will come to a head.
> >
> >
> > I think this argument makes two major errors:
> > ```
> > * First, it tries to artificially tie two improvements together; "if
you can't solve controversial activations, you shouldn't get taproot". That
isn't the way we should do development: just as it was a mistake to try to
tie segwit and a hard-fork to double the block size together, other
improvements should also stand or fall on their own merits. If we're tying
updates together there should be good reasons for why they're better
together (eg segwit and the witness discount; and taproot, schnorr and
tapscript).
> > ```
>
> No, this is a disagreement about how _all_ changes should be activated.
This is completely germane to the current debate. Remember, segwit wasn't
"controversial" until it suddenly was, either. I believe this is not the
case here, but then, I believed that last time as well.
>
> > ```
> > * Second, it assumes that you can usefully test a weapon when play
fighting -- if taproot can be activated by a blind monkey, then having your
bodyguards activate taproot only proves they're as good as a blind monkey,
not that they're ready to protect you from a home invasion. In particular,
bip8 isn't even as ready as bip148 for a real battle; it lacks even the
limited safeguards that were included in that client (and it's also lost
the element of surprise, which might've been bip148's biggest advantage).
> > ```
>
> "BIP 8 isn't ready" is definitely a factor, but while I prefer existing
code when there are no other major factors, there are IMHO major factors
here.
>
> > I think it also probably assumes that the bip8 approach is more ready
to go than it is -- there are (IMHO) serious unresolved objections to bip8
in every possible deployment mode (eg, just lot=true: developers are
imposing decisions on miners and users; just lot=false: miners can object;
lot=true and lot=false: unnecessary chain split risk, risk of downtime for
those running lot=true, risk of reorgs/wipeout for those running
lot=false). Maybe all those objections -- even the ones from one of the
bip8 authors -- are mistaken, but personally I think it's more likely that
significant improvements are needed.
>
> "unnecessary chainsplit risk". No, that's exactly the point: if we end up
with various significant factions fighting over the rules, there will be a
chainsplit. There are no technical workarounds for this. BIP 8 has been
revised to minimize the chance of an _unnecessary_ chainsplit, and the
entire BIP-8 lot=true mechanism was designed as an explicit mining forcing
function.
>
> I remember @pwuille saying explicitly about Segwit activation that users
must decide. That has stuck with me, and my preference for a hidden
lot=true option reflects this understanding. Without such an option,
developers are saying "you can override, but you'll have to replace us."
The result in practice that users are reduced to "beg the devs" or "beg the
miners". That kinda worked last time but damn it was messy, and such
uncertainty does not help the BItcoin ecosystem.
>
> > Personally, I can think of about half a dozen soft-forks I would
like/expect to see progress on once taproot is squared away (great
consensus cleanup, anyprevout, ctv, graftroot, annex-based block
commitments, op_cat/covenants), so it's not like there aren't other
opportunities to improve activation methodologies coming up.
>
> If this approach is good enough until there's a crisis, then why would
anyone approve anything until a crisis comes?

--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20210325/5da65bbf/attachment-0001.html>