Expire bitcoind & bitcoin-qt 7-8 years after its last change #10282

pull luke-jr wants to merge 1 commits into bitcoin:master from luke-jr:timebomb changing 6 files +37 −0
  1. luke-jr commented at 2:12 PM on April 26, 2017: member

    COPYRIGHT_YEAR + 8 years is used as the basis for expiration, to achieve a constantly-moving-forward expiration date.

    It is assumed that within 7 years, the software will become obsolete beyond any reasonable person's continuing to use it. If not hardforks, then at least softforks will occur during this time rendering it insecure. Not to mention an almost certainty of exploits.

    Furthermore, this enables a sort of certainty of old nodes ending by a deadline, turning any hardfork into a de facto softfork provided it is planned 8 years out.

    As a precaution against abuse, the expiration can be disabled or extended with a debug-visibility "softwareexpiry" configuration option.

    (Thanks to Wang Chun for suggesting a similar proposal this is based on.)

    Previous discussion: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013822.html

    It is unclear to me if this needs a BIP.

  2. Expire bitcoind & bitcoin-qt 7-8 years after its last change
    COPYRIGHT_YEAR + 8 years is used as the basis for expiration, to achieve a constantly-moving-forward expiration date.

It is assumed that within 7 years, the software will become obsolete beyond any reasonable person's continuing to use it.
If not hardforks, then at least softforks will occur during this time rendering it insecure. Not to mention an almost certainty of exploits.

Furthermore, this enables a sort of certainty of old nodes ending by a deadline, turning any hardfork into a de facto softfork provided it is planned 8 years out.

As a precaution against abuse, the expiration can be disabled or extended with a debug-visibility "softwareexpiry" configuration option.

(Thanks to Wang Chun for suggesting a similar proposal this is based on.)
    21f123db98
  3. luke-jr commented at 2:14 PM on April 26, 2017: member

    (7-8 year target can be adjusted if an earlier expiration is generally acceptable)

  4. in src/consensus/consensus.h:33 in 21f123db98 
      29 | @@ -28,4 +30,8 @@ enum {
  30 |      LOCKTIME_MEDIAN_TIME_PAST = (1 << 1),
  31 |  };
  32 |  
  33 | +static const int64_t SECONDS_PER_YEAR = 31558060;
    wangchun commented at 2:21 PM on April 26, 2017:

    Orbital period of the Earth == mean solar year != mean tropical year; 1 Earth year = 365.242199 days, or 365.2425 days in Gregorian calendar

    luke-jr commented at 3:00 PM on April 26, 2017:

    For some reason, that gets ctime(47*(31556952)) => 'Sat Dec 31 09:32:24 2016'

    I agree your math looks more correct, but for some reason there are more seconds to get the desired result.

    dcousens commented at 3:05 PM on April 26, 2017:

    Maybe a block height would be better?

    luke-jr commented at 3:10 PM on April 26, 2017:

    Can't compare a block height to system clock, unfortunately. :p

    yinyunqiao commented at 1:31 AM on April 27, 2017:

    EPOCH seconds are not calculated by years * seconds_per_year, there are time tweak gaps, leap years, historical time change reasons etc.

  5. wangchun commented at 2:30 PM on April 26, 2017: none

    static const int64_t SECONDS_PER_YEAR = 31556952;

  6. gmaxwell commented at 4:44 AM on April 27, 2017: contributor

    I think something like this is fine, so long as its easily user overridden and very clear whats happening.. why use the block headers rather than system date.

    Rather than debating what an acceptable time frame would be, I think it might be interesting to first conduct a sealed poll among developers, to see what people think before we influence each other too much.

  7. laanwj commented at 2:13 PM on April 27, 2017: member

    I don't really like planned obsolescence. But being able to plan hard forks years ahead is certainly a nice feature, it's how I always imagined long-term protocol changes would work. So as long as the expiration stays significant time ahead (the current value is good imo) I'm okay with it.

  8. luke-jr commented at 2:30 PM on April 27, 2017: member

    @gmaxwell So how about interested parties all hash a nonce + statement on preferred obsolescence timeframe(s), and post the hash on https://github.com/bitcoin-core/bitcoin-devwiki/wiki/PR10282-Hashes ?

  9. jnewbery commented at 1:30 PM on April 28, 2017: member

    I'd be much happier if this just alarmed and warned the user rather than shutdown the node, but even then I don't really see much benefit.

    Furthermore, this enables a sort of certainty of old nodes ending by a deadline, turning any hardfork into a de facto softfork provided it is planned 8 years out.

    Slicing old nodes off the network doesn't magically turn a hard fork into a soft fork. Users either have to upgrade, or run the old node and fall out of consensus. It's still a hard fork.

    If this proposal is simply to protect users from running an old, insecure version, then:

    1. why does this need to automatically shut down the node rather than alarm and warn the user;
    2. why pick an arbitrary time frame like 7 years? If a soft-fork is activated 6 months after a release which makes the release insecure, then the node will stop working 6.5 years after it became insecure. Doesn't seem like much of a benefit to me.

    I'm struggling to see what problem this solves.

  10. MarcoFalke commented at 2:07 PM on April 28, 2017: member

    Not sure why the node must shut down. Note that there is already a state "safe_mode", which can trigger automatically after the node "aged" more than X years instead of shutting down.

  11. kallewoof commented at 8:13 AM on May 1, 2017: member

    I think shutdown with an option to forcibly keep it running has benefits. Specifically, it prevents node runners who are assuming their node is safe and sound but aren't touching it from fooling themselves. Maybe because they're scared it might break if they do anything or they're just plain lazy.

    Forcing them to go in and set a parameter to keep it running is a good incentive for them to upgrade the software, as they now no doubt realize they're running a node that is too old to be recommended by the developers.

    In contrast, a warning message would most likely not only be ignored, but probably never be seen by the type of node runner mentioned above. Turning safe mode off may be a great middle ground, though.

  12. TheBlueMatt commented at 3:57 PM on May 1, 2017: member

    As discussed on IRC extensively and at the last meeting, should probably tweak this to only fail to startup after 7 years with a clear error message noting the temporary workaround option.

  13. laanwj commented at 5:45 AM on May 3, 2017: member

    As discussed on IRC extensively and at the last meeting, should probably tweak this to only fail to startup after 7 years with a clear error message noting the temporary workaround option.

    Agree. Any other solution is too controversial and divisive, we should either do that or we should forget about this completely.

  14. NicolasDorier commented at 12:57 PM on May 3, 2017: contributor

    I don't agree on this PR on a matter of principle: We should not be in charge to tell the user when he should update.

    I disagree also because it might be a systemic risk: A non negligeable number of node will start crashing almost at the same time.

    Moreover, some nodes might not need to validate soft fork rules as they are internal nodes, and their blocks are already validated by a gateway node.

    In a big architecture where Bitcoin core is only one of many components, and where the original developers got away, there would be nothing more frustrating than a component crashing when no update has been done for several years to it.

  15. laanwj commented at 9:01 AM on June 25, 2017: member

    Closing this, seems there is no agreement to do this as part of bitcoin core.

  16. laanwj closed this on Jun 25, 2017
  17. DrahtBot locked this on Sep 8, 2021
Contributors
luke-jrwangchundcousensyinyunqiaogmaxwelllaanwjjnewberyMarcoFalkekallewoofTheBlueMattNicolasDorier
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me