Topic: On BIP-8 and chain split (Read 196 times)

Sorry, I didn't mean to offend anyone with a question! But whenever I see a risk of disruption in bitcoin my alarms go off.

Thanks, this and specially the link answers my question and addresses the concerns I have.

Yeah, apart from a PR in core I haven't found anything.

As one of the authors of BIP 9, I have to take a little offence at your assertion that details of its behaviour are inviolate properties of Bitcoin's consensus.  BIP 9 is just a tool-- one created a couple years ago to address a specific environment and specific expectations that we had about that environment.  From its very first usage it has turned out to be a bit of a let down, and so changes to activation should absolutely be expected.  It is absolutely and positively not a integral part of the consensus system and I'd like to ask you to not make this claim again.

[Sorry if that's too blunt, but there are far too many things I wrote as an off the cuff remark years ago that I'm tired of hearing turned around as some kind of unquestionable gospel.]


Rejected status mostly means a proposal has stopped being advanced without being adopted.  In a decentralized system there is literally no mechanism to actually "reject" anything in the conventional sense. BIP-8 isn't rejected because its still being maintained.  An example of that is that the lockinontimeout was made optional so that BIP-8 could be used in place of BIP-9 which has some specific (minor) technical flaws which are fixed in BIP-8.

I expect that lockinontimeout is a feature that would never be used, and if used only used on an extended timeframe along with a lot of other measures to mitigate the potential for disruption of which everyone is well aware and which few people take particularly lightly. Take a look at the "modern softfork activation" post for a framework on how that sort of thing might be used if it ever were used. It's specified largely to make it unambiguous that attempts to maliciously move against the neigh-universal will of the users would ultimately be futile, so best for no one to waste their time trying.  You shouldn't get worked up about it just because someone added it to a spec,  worry about it if there is any specific plan to use lockinontimeout. There isn't currently, nor is there any activation bip that proposes using it or (AFAIK) code for it in any implementation, and I don't expect there to become one in part because its specification will likely eliminate the need to actually use it.

About activation thresholds:  One thing we learned from the use of BIP9 is that too high a threshold lowers the hashrate enforcing at activation time compared to prior mechanisms because the high threshold eliminates urgency.  But it might put your mind a little at ease to consider that BIP-9 (and by inheritance BIP-8) are designed so that regardless of what the activation percentage is the actual enforcement at activation time can be ~100% -- that is why there is a substantial delay, so there is time for miners to become aware and act.  Now there is no guarantee that they will act-- they might be asleep at the switch, or indifferent to causing disruption. But there is similarly no guarantee that even if there were 100% signalling to activate that all of them would enforce.  The best we can collectively do is strike a balance between risks.

Those BIPs are marked as "rejected", this isn't.

I get that but my concern is that I believe that the dangers of splitting bitcoin network and the damage the end result would do to bitcoin outweighs the benefits of the upgrades the forks activate. I could have understood if this were reducing the threshold to a lower but still reasonable value like from 95% to 90% or maybe even 85% but not when it removes it entirely.

Not to mention that Bitcoin will never work if we start adding such ideas to it that remove this integral part of consensus system.

BIP 8 as it currently stands makes the activate on timeout optional.  Otherwise it's like BIP9 but with a height instead of time based timeout.  I think everyone agrees the hight based timeout is better.

Given that >>50% hashrate is currently indicating that it's willing to deploy I think there won't be much insistence on using BIP8 with activate on timeout.

IIUC, the BIP8 parameters can specify _not_ to activate the soft fork on timeout? Which is identical to BIP9 behavior?

Bitcoin Core does not implement BIP 8 and no node software that I know of actually implements it. It was introduced during segwit when people were pushing for a User Activated Soft Fork, and the method suggested to do that was BIP 8.

Keep in mind that just because a BIP exists and has a number does not mean that it is a good idea. After all, there are several block size increase BIPs.

---

The purpose of BIP 8 is to make a soft fork occur in the event that the vast majority of users support the fork but not enough miners do. It is to prevent the scenario where miners prevent a consensus change to the detriment of the wider community, as was happening in 2017 around Segwit's activation. It could cause a chain split but the express purpose is to use the threat of a chain split to force miners to upgrade. Or at least to not upgrade but also not include any transaction the use the new consensus rules.

Whether BIP 8 will actually be used for any soft fork is up for debate. It has been discussed for use in Taproot, but AFAIK, only as a last resort option. From proposals that I have heard, BIP 8 would be used if a BIP 9 activation failed and only after a period of evaluation of why that activation failed.

According to that BIP, if a node does not implement BIP8 then it will not honor the lockinontimeout flag and will continue to accept the supposedly invalid blocks even after the target height.


I am not sure whether BIP8 signaling has even been added to Core. If not then the above exception applies to all the nodes in the network presently. It is still on Draft and nothing has been deployed with it yet.

BIP-8 states that "If the {95%} threshold hasn't been met, lockinontimeout is true, and we are at the last period before the timeout, then we transition to MUST_SIGNAL." then it states that "During the MUST_SIGNAL ... phases, blocks that fail to signal are invalid.".

This seems like a recipe for a disastrous chain split, since for example if a lower than 95% of the hashrate which is the only thing that makes sense in a decentralized network (say something like 30%) were signalling and the rest (70%) weren't it will reject the rest of the blocks as invalid.
If my understanding is correct, then why is this even a thing in bitcoin?!!!
If not, then what am I missing?

Link: https://github.com/bitcoin/bips/blob/master/bip-0008.mediawiki