Topic: Please list arguments against the idea of taking away Gavins' alert keys (Read 3895 times)

This really is a brilliant solution.
So simple too.

Works for me.  Ultimately I think that people using native Bitcoin ought to be largely capable and invested enough to have other information channels.  A tip-off might be handy, but not worth the various risks.

Those who are using insta-upgrade SPV clients need to develop the trust in whoever authors and supports them.  If that trust is mis-placed, sad day.

This is what I'm talking about.
Thank you, G.
Now matter how long I've been here, I always learn something new from you.
Straight to the jugular.
I never considered removing it, but that seems like the best approach.
Cheers!

I suppose I see things very differently.
I don't see it as a non-issue.
I see it as having the potential to be significant in the Core vs. XT drama.
It probably won't be significant, but nor should the issue be ignored.
Frankly, I find fault in both sides, and I cannot bring myself to openly support either side.
Therefore, I cautiously continue with Core.
Core is the direct descendant of the first Bitcoin client I used in 2010, and I'm most familiar with it.
I have been around long enough to have seen the alert key message pop up from time to time, and yes, it could be abused.
It hasn't, thank god.
I'll leave it at that.

The alert functionality is nearly useless, and the usefulness it had has been outlived. No one ought to have the alert key.

At the same time, is also nearly riskless now that its already there-- anyone with the key can instantly terminate any announcement made with it and, if needed, permanently disable the alert system. Which is why when we proposed removing it, https://github.com/bitcoin/bitcoin/pull/6260 is wasn't hard for someone to argue otherwise.  In the next release of Bitcoin Core any participation at all in it will at least be optional (though default on): https://github.com/bitcoin/bitcoin/pull/6274

In the elements alpha sidechain, alerts were replaced with multisignature... but I still hope in Bitcoin we remove the system entirely.  Theymos case of wanting to warn people about serious software issues could be accomplished by things like a transaction sending a specific (high vauled) coin to fees triggering a static message to tell users to check for notices.

The functionality creates inequality, it creates attack surface, its very infrequently used-- and when used appears to do very little good. But the biggest reason I'd like to remove it is that it promotes centeralized misunderstanding of the system. It is an incredibly weak functionliaty: a small collection of people can send a little text message to a (sadly) tiny portion of Bitcoin's users. Thats it. But many people can't help but believe that every system has someone in charge of it, and the alerts give them something to latch onto. As a result of alerts we've had to deal with frequent worthless suggestions like the alerts should be able to control system parameters (like fee settings and block size limits)... people who can't see shade of grey and think that because we'll tolerate a very mild messaging functionality that all sorts of other ill conceieved centeralization is okay.

In the altcoin space this has gone further-- e.g. there are several altcoins that use code based on the alert system to allow (or in peer coin's case-- require) the developer to use their single trusted private key to pin the identity of the chain, overriding the network's consensus process. It's an ugly path, and while the first step down centeralization road is easily argued to be harmless it would certantly save a lot of misunderstanding to clearly not be going down it.

 

Because Gavin is maybe one of the satoshis that created bitcoin. He cares and he protects from the shills of Blockstream. Its good that a person holds the key that doesn't belong the blockstream crew.

It is just not a matter, that is seriously discussed, because there is no issue. The alert key, doesn't really give anybody power. It is a message, that shows up in your client. You can happily ignore it. The last alert didn't even show up on my client. I don't really know why.
Furthermore, there is also controversy around other people with alert keys, just look at the censorship of theymos regarding this forum and reddit, there are enough well-known people in the Bitcoin world, who saw that as abuse of power, unlike Gavin who hasn't abused any power.

Oh and what knightdk said:
People on this forum, take the controversy just way more serious than the dev team.

From a technical aspect, it is difficult to prevent Gavin from using the alert key. There is only one alert key, and the private key for that is distributed among a multitude of people. Since it is hard coded, changing the alert key in a future version means that the new key would only work for that version, and the old key for the older versions. This means that Gavin would be able to still send alerts to old versions if chose to do so. The other option would be to cause the alert mechanism to display the static "Alert Key Compromised" message but that would also create a lot of panic.

At this time, I don't think people are discussing the alert key and the political ramifications because of both the difficulty to change the key and the fact that there is no immediate need to do so. There is no indication that Gavin would even attempt to use the alert key and that there are ways to remove an alert put out by Gavin (or anyone else with the key). Furthermore, Gavin is still actively contributing to Bitcoin Core. He works on other fixes and is active on the development mailing list as well as the github.

You probably have to ask that to Satoshi.


Although the XT movement was wrong(at least to me), I don't think his alert key should be revoked yet(even if there is a way).

Thank you.
I understand this. Bitcoin has had hard forks in the past. Nothing changed with alert keys. I get it. I am well-versed in the technical side of bitcoin.
However, I am probably not asking my question the right way. Instead of asking dumb hypothetical questions to lead the discussion, I'll say it plain.

The responsibility of knowing the alert key and the political ramifications thereof seems to be off the radar in this discussion of XT vs Core.
I'm pressing the issue of alert keys, because I see them as a potential object of a further power struggle between the two factions. The person who gives an alert key agency should be one whom the bitcoin community, devs, and merchants trust. To many people, Gavin has betrayed that trust. Further, although potential brinksmanship, retaliation, or retribution seems improbable, this is a 4 billion dollar market we're dealing with, as well as people's livlihoods, families, and egos.

Moreover, is this not a good time to establish clear criteria regarding the mechanism by which one is entrusted with the alert key?
And why does Gavin still have such authority?

There is no new alert mechanism in XT.
The alert is for the bitcoin network not a specific client. A fork doesn't change anything about that(unless it is a fork, exactly for that and I am not aware of any fork proposal for that)

Thank you.
I understand all of this except for the XT part. If there is a hard fork, perforce creating two separate chains and thus two competing cryptocurrencies, will the alert key remain the same for both, such that Theymos could issue an alert on XT? Surely there's code in XT that creates a new alert key or alert mechanism. I understand that presently both Core and XT are the same blockchain, but if there is a hard fork, then what? Both parties have mutual access to each other's alert keys?

The alert key for the entire bitcoin network is the same, so that includes XT.

Confirmed to have the alert key: Gavin Andresen, Theymos, Satoshi Nakamoto, Gregory Maxwell
Not confirmed but probably have the key: Wladimir J. van der Laan, Jeff Garzik, Pieter Wuille

Also, please note that there will not be a definitive list of everyone who has the alert key for their own personal safety as well as to prevent attempts to coerce key holders.

I could see an alert key being abused in a time of crisis.  Say, for instance, that XT forked.  An alert could dampen down use to the advantage of one strategy or another.  Probably the biggest risk of abuse would be to induce upgrades of Multibitch-class clients to a version which would split a users coins between forks in such a way that was not to the user's advantage (by formulating spends in a certain way.)

Alert keys seem like a likely place for a broad range of participants to exercise some control.  I could imagine, say, half a dozen of them chosen from a pool of core contributors as well as other actors.  Some by user vote even.  When an alert is issues, each key would be represented as being pro, con, abstaining, or absent.  This could be represented compactly in a GUI as a little color widget or some such.  In this way users could see at a glance if there were universal consensus about the nature of any alert.

I've heard it said that this is a non-problem because alerts have not been abused to date.  To this I would say that certain very possible attacks have also not been seen to date so it is not a totally valid argument.

Gavin currently holds the alert key to Bitcoin Core.
Am I correct to presume he also holds the alert key to XT?
So both?

Who is confirmed/unconfirmed having the alert keys to Core?

I want to press this issue since it seems to have fallen through the cracks, especially since Gavin's allegiance is clearly with XT. Also, I wouldn't put it past Hearn to try to get the Core alert key from Gavin.

Nope. The code for bitcoin.org is open source and has multiple committers just like Bitcoin does. It is also hosted from github.
Actually, I don't think Gavin has commit access to Bitcoin.org, but I'm not sure.

See this page: https://bitcoin.org/en/about-us

Thank you for this information.

--

--

I guess this would mean that whomever owns the domain bitcoin.org is the ruling controller of Bitcoin.

He may have sent most, but I don't think he has sent all of the alerts

He cannot override the failsafe. The alert key compromised alert has a fixed message and cannot be canceled. The message is specifically
From this code block at line 178 in alert.cpp
Even if he did send out this failsafe alert, it wouldn't do him any good. People would check the bitcoin.org website where they got the client and not go to Gavin for the client. If Gavin committed code to change the alert key and put the new client on the bitcoin.org website, other committers can revert that change and remove his commit privileges thus preventing Gavin from changing the alert key to something that only he has. The other core devs can then change the alert key, put up the message about alert key compromised on the network status page (don't need to send the message, Gavin already did it) and put up the new client on bitcoin.org without Gavin's interference.

Yes. I just found this: http://www.reddit.com/r/Bitcoin/comments/2dz9ri/why_in_the_world_does_theymos_have_the_private/cjuu360

But since Gavin sends out all alerts, he could also send out an override making that failsafe a double-edged sword. Didn't Gavin send out the alert yesterday?

In my view, the entire alert system should be stripped from the client. It is a point of unnecessary centralization with abuse potential.

Your knowledge is quite wrong. There are most certainly people on the core dev team that have the key. I'm pretty sure that gmaxwell has the alert key because he said thisabout the recent blockchain fork. He is referring to the alert sent out. Note the "I"

There is in fact an override option that makes an alert cancel proof. Go look in the code. alert.cpp, line 178 https://github.com/bitcoin/bitcoin/blob/master/src/alert.cpp
gmaxwell said it too.