Set -permitrbf to false #7388

pull sandakersmann wants to merge 1 commits into bitcoin:master from sandakersmann:patch-1 changing 1 files +2 −2
  1. sandakersmann commented at 12:55 pm on January 21, 2016: contributor

    Can’t believe that the original pull request got merged just after 3 hours. I’m leaving for work now, so will be gone for 10 hours.

    Edit: This PR will result in nodes not relaying and mining RBF transactions by default. If we merge this there will be no policy change from the last stable version which is Bitcoin Core 0.11.2.

  2. Set `-permitrbf` to false
    Can't believe that the original pull request got merged just after 3 hours. I'm leaving for work now, so will be gone for 10 hours.
    91ad15b433
  3. sandakersmann commented at 12:57 pm on January 21, 2016: contributor
    This was introduced in pull #7386
  4. btcdrak commented at 12:58 pm on January 21, 2016: contributor
    This was not “introduced” in #7386, the feature was already on by default. #7386 introduced the ability to turn it off, by popular request I might add.
  5. sandakersmann commented at 1:00 pm on January 21, 2016: contributor
    Semantics.
  6. jonasschnelli commented at 1:01 pm on January 21, 2016: contributor
    The original PR was #6871. The just merged (#7386) on does not change any policy,… it’s just a configuration option. @sandakersmann: if you care about bitcoin core and RBF, why did you not participate in #6871 (the actual change proposal)?
  7. jtoomim commented at 1:01 pm on January 21, 2016: none

    utACK.

    We will be doing something similar to this (but more thorough) in Classic. It would be nice if a git pull were enough to incorporate it. https://bitcoinclassic.consider.it/revert-opt-in-rbf

  8. wangchun commented at 1:09 pm on January 21, 2016: none

    ACK

    RBF is steal. This PR should be merged asap to prevent potential financial loss.

  9. dcousens commented at 1:11 pm on January 21, 2016: contributor
    @wangchun, although I disagree with your conclusion, I can’t help but point out that this does not stop the use of this policy, and miners who are economically rationale may likely still set -permitrbf to true.
  10. sipa commented at 1:13 pm on January 21, 2016: member

    I’m willing to consider this due to the unexpected controversy this is causing. I do however think this due to a misunderstanding:

    • It’s perfectly possible to keep accepting 0-conf transactions, if you believe they are safe for your use case. Opt-in RBF sets a non-maximum nSequence value, which causes many providers to already consider the transaction non-standard for the purpose of accepting 0-conf.
    • As a customer, you can choose to set opt-in RBF, and thus lose the ability to get your payment accepted before confirmation, but with the ability to easily change the fee afterwards or combine the transaction with others.
    • As a miner, the rational behaviour is to take the transaction with the highest fee (even for non opt-in cases). If you don’t, another miner can.

    And, no, opt-in RBF is not theft. It’s indicating that you’re not sure whether what you’re submitting is the final form of the transaction. This is the exact semantics that nSequence had since the earliest version of Bitcoin.

  11. laanwj commented at 1:24 pm on January 21, 2016: member
    NACK
  12. btcdrak commented at 1:30 pm on January 21, 2016: contributor
    NACK because the feature is already optional and #7386 did not change the existing behaviour which has been in discussion all year. The right time to argue this would have been in #6871 which was widely ACKd.
  13. jonasschnelli commented at 1:32 pm on January 21, 2016: contributor

    We have accepted the nSequence based opt-in RBF proposal in #6871. Merchants and wallets should already “listen” for the nSequence INTMAX if they rely on 0 confirmation transactions, otherwise they really should do it now.

    It safely re-enables the mempool replacement feature original implemented by Satoshi and disabled by him as a SPAM protection (http://sourceforge.net/p/bitcoin/code/140/).

    I don’t think it’s wise to limit Bitcoins potential just because some people are not willing to check if their implementation (wallets/merchants) are opt-in-RBF save.

    NACK.

  14. wangchun commented at 1:39 pm on January 21, 2016: none
    @jonasschnelli Could you please tell me which wallet has been ready to warn users for potential RBF transactions? What the average user without much Bitcoin knowledge can do when he/she see this warning?
  15. sipa commented at 1:47 pm on January 21, 2016: member

    @wangchun It’s only an issue for merchants who accept 0-conf transactions, not wallets (who typically don’t count unconfirmed transactions from the outside as spendable anyway). Several payment processors and analysis services (which aim to make 0-confirmations safer) already treat non-max nSequence as unsafe (and they should, regardless of whether opt-in RBF gets adopted or not).

    If anyone feels they need more time to deploy this, or knows of use cases that aren’t mentioned above, I’d very much like to hear this, and reconsider. I will gladly admit we could have done a better job at communicating, but please don’t claim things like “RBF is theft”; this is a well-considered and (according to many) necessary feature.

  16. sdaftuar commented at 1:51 pm on January 21, 2016: member
    @wangchun Also please note #7222 (just recently merged), which adds new RPC output fields for users of bitcoin core’s wallet that indicates whether an unconfirmed payment is BIP125-replaceable. This will be included in the next 0.12 release candidate.
  17. wangchun commented at 2:03 pm on January 21, 2016: none
    So you admit nobody has yet been ready for opt-in RBF but deploy it in the next release IMHO this is no better than force a hard fork without consensus
  18. jonasschnelli commented at 2:06 pm on January 21, 2016: contributor

    @jonasschnelli Could you please tell me which wallet has been ready to warn users for potential RBF transactions?

    Some wallets might want to add an extra warning if a RBF transaction are among the unconfirmed incoming transactions. That would be possible.

    But most (all) wallets do already treat unconfirmed transactions/balance as unconfirmed. People should really not rely on unconfirmed balance. It’s unconfirmed. As recently shown by Peter Todd, it’s quite easy to double spend your transaction, and this was without RBF being deployed. If they rely on 0-conf they should use a merchant tools which includes risk analysis.

    If you are selling services or goods after you have received a 0-conf transaction, you should be very careful with handing out the good/service while the transaction is not confirmed and you should certainly not use a standard wallet (you would take a very high risk).

  19. sipa commented at 2:10 pm on January 21, 2016: member
    @wangchun As far as I know, services for 0-conf acceptance already discard non-final nSequence values. I’d very much like to hear if this is not true.
  20. dcousens commented at 2:12 pm on January 21, 2016: contributor

    @wangchun I think there was an expectation that interested parties were keeping watch with bitcoin core development, but it seems many were relying on 3rd parties to report on core development for them; and therefore there has been this lapse in communication. @sipa as discussed on IRC:

    It’s only an issue for merchants who accept 0-conf transactions, not wallets (who typically don’t count unconfirmed transactions from the outside as spendable anyway)

    Isn’t actually true, with mycelium accepting zero conf almost 7 months ago. Another example is breadwallet, and several others.

  21. MarcoFalke commented at 2:12 pm on January 21, 2016: member

    “Everyone knows 0-conf is perfectly save and rbf will break it” … Not

    As recently shown by Peter Todd, it’s quite easy to double spend your transaction, and this was without RBF being deployed.

    Thus, NACK.

  22. dcousens commented at 2:13 pm on January 21, 2016: contributor
    tentative NACK
  23. laanwj commented at 2:19 pm on January 21, 2016: member

    It takes quite a while for a new major release to be widely deployed. It’s not like the network will all switch in one day after 0.12 release. The P2P network is a mix of various versions. There is even now a part of nodes that runs with RBF enabled (at least those running master). Even a part that does full (non opt-in) RBF (see https://en.bitcoin.it/wiki/Transaction_replacement#Peter_Todd.27s_full-RBF_patchset ).

    But it will take at least months before a large enough part of the network does replacement this feature is reliably usable from the viewpoint of a wallet user.

    No matter what happens here, you need to take nSequence into account in your risk computations even now if you accept zero-conf. If you accept only confirmed transactions, there is no need to worry about RBF at all.

  24. arsenische commented at 4:45 pm on January 21, 2016: none

    utACK

    miners who are economically rationale may likely still set -permitrbf to true.

    …in the future. But currently they are more interested in high BTC price because the block reward is much higher than the tx fees, and the amount of transactions in block is quite limited. 0-confs are unsafe but usable, breaking them may negatively affect the BTC price.

  25. petertodd commented at 6:39 pm on January 21, 2016: contributor

    @wangchun The wallets that don’t warn about the opt-in RBF flag are trivially vulnerable to multiple ways of doublespending transactions. For instance, I don’t know of any standard wallets that warn you if someone sends you a really low fee tx, even though they can be trivially doublespent with a higher fee tx. Similarly, because v0.12.0 changes what’s allowed in OP_RETURN, you’ll be able to easily doublespend by sending txs that use this new OP_RETURN format, followed by a tx that doesn’t.

    As for dedicated zeroconf providers like blockcypher, I don’t know of any who haven’t added opt-in RBF detection.

  26. skajake commented at 7:43 pm on January 21, 2016: none
    ACK
  27. seweso commented at 9:02 pm on January 21, 2016: none

    Maybe - even if we don’t agree with zero-conf - we should still create some guidelines on how to accept them as safely as possible.

    I mean it’s a bit like promoting abstinence as a way to prevent unwanted pregnancies and STD’s, it just doesn’t work. So we better also make sure it is as safe as possible.

    My personal view is that Opt-in RBF improves zero-conf by making it very clear what can and can’t be replaced. But wallet/merchant developers still need time to account for it.

  28. petertodd commented at 9:06 pm on January 21, 2016: contributor
    @seweso Again, the wallets/merchants who are not trivially vulnerable to doublespends - including new doublespend opportunities separate from opt-in RBF that have been added to v0.12.0 - are already ready for opt-in RBF. We are not increasing risk for anyone any more than every release increases risk.
  29. arsenische commented at 9:10 pm on January 21, 2016: none
    @petertodd why not to make this controversial change (‘opt-in RBF’) disabled by default and let the node operators choose?
  30. petertodd commented at 9:21 pm on January 21, 2016: contributor

    Default settings are advice from the Bitcoin Core team; I believe it is bad advice to disable a feature that helps Bitcoin users as a whole for the sake of concerns that aren’t justified by evidence.

    That would be not unlike shipping Bitcoin with transaction relaying for P2SH turned off, because of an controversy about it that wasn’t supported by the facts.

    People who still disagree are welcome to run other software.

    On 21 January 2016 16:11:09 GMT-05:00, Arsen Gasparyan notifications@github.com wrote:

    @petertodd why not to make this controversial change disabled by default and let the node operators chose?


    Reply to this email directly or view it on GitHub: #7388 (comment)

  31. maddenw commented at 10:40 pm on January 21, 2016: none
    ACK
  32. greenaddress commented at 10:55 pm on January 21, 2016: contributor
    NACK, configurable can be useful but default should be on to work reasonably well
  33. cypherdoc commented at 11:04 pm on January 21, 2016: none
    ACK
  34. h0jeZvgoxFepBQ2C commented at 11:47 pm on January 21, 2016: none
    ACK, its a new feature with a big discussions and controversy - and no real consensus, so from my point of view it’s better to set it to false in this release.
  35. roybadami commented at 11:53 pm on January 21, 2016: contributor

    @sipa “It’s only an issue for merchants who accept 0-conf transactions, not wallets (who typically don’t count unconfirmed transactions from the outside as spendable anyway).”

    I don’t buy that. A wallet user is a financial actor. The question is not whether they will spend those particular received bitcoins, but what actions they will or may take on the receipt of those bitcoins. At the ery minimum the wallet GUI should expose whether the transaction (or one of its ancestors) was opted in - this functionality shouldn’t be limited just to RPC IMHO.

  36. sipa commented at 11:59 pm on January 21, 2016: member
    @roybadami If you’re going to take an irreversible action based on an unconfirmed transaction without any further analysis, you can already very easily be ripped off; transactions with low fee, or transactions whose standardness recently changed, … are very much at risk of being double spend. Services exist that do analysis for you, however, and I know of none that don’t take nSequence value into account.
  37. jameshilliard commented at 11:59 pm on January 21, 2016: contributor
    NACK, opt-in RBF is easy to detect and handle by merchants and wallets, there’s no reason not to have it enabled by default. On another note people need to be aware that until a transaction is confirmed it can be easily changed and that 0-conf is not secure and its use should be discouraged under conditions where a double spend would cause significant damage.
  38. dgenr8 commented at 0:03 am on January 22, 2016: contributor

    Even though I believe opt-in (and only opt-in) RBF is an improvement for overall zero-conf reliability, and has other use cases, the community clearly does not want the network to honor any kind of RBF at this time. So there should be a switch (thank you #7386) and the default should be do-not-permit.

    ACK.

  39. sandakersmann commented at 0:21 am on January 22, 2016: contributor

    @sipa It is not us that should show you that services for 0-conf acceptance have implemented discard function for non-final nSequence values. This is something that you should know all about and show us before you implement such dramatic changes to policy. @petertodd You are the one implementing new policies. Because of this you are the one that must justified by evidence that this new policy helps Bitcoin users as a whole.

    I think it is really bad the way you guys are trying to force bitcoin into lightningcoin. Stealing fees from the miners will kill the long term viability of the Bitcoin network.

    You can see what the community thinks of RBF here: rbf

  40. ghost commented at 0:33 am on January 22, 2016: none

    @petertodd wrote: “Similarly, because v0.12.0 changes what’s allowed in OP_RETURN, you’ll be able to easily doublespend by sending txs that use this new OP_RETURN format, followed by a tx that doesn’t.”

    So this OP_RETURN hard fork incompatibility is now an attack vector against 0-conf spends, by someone who has already publicly defrauded Coinbase using a double spend attack.

    Nice work!

  41. kristovatlas commented at 0:41 am on January 22, 2016: none

    ACK. I suggest setting the default to false so that volume of opt-in RBF does not exceed the intentionality of the Bitcoin network. Once it has been demonstrated that a significant majority of volume has proper detection, only then does it makes to me to revisit setting the default to true.

    I know for a fact that no one has yet confirmed that a significant majority of volume has proper Opt-In RBF detection.

  42. sipa commented at 0:44 am on January 22, 2016: member

    So this OP_RETURN hard fork incompatibility is now an attack vector against 0-conf spends, by someone who has already publicly defrauded Coinbase using a double spend attack.

    Every policy change (and it’s not a hard fork or an incompatibility, just a change in what transactions get relayed) introduces an increased chance for succesfully double spending. That’s inevitable. Worse, it can’t be prevented, as anyone can change their software to modify policy.

    I’m sure you don’t want to never change policy rules, though. We used to have a minimum 0.01 BTC rule, for example. Should that never have been removed?

    Policy changes are sometimes necessary, so the temporary differences in what nodes relay too. You can however personally make the judgement that a 0-conf transaction is acceptable to you. Perhaps because you trust the sender. Perhaps because you can undo what you do in return if it fails to confirm. And perhaps because you’re doing analysis of the transaction to estimate the chances, or let someone do it for you. And if you do the latter, you should take the nSequence value into account, because it already and since Bitcoin 0.1 is used in determining whether the transaction was final.

  43. ghost commented at 1:45 am on January 22, 2016: none

    @sipa with the greatest of respect, you could close vulnerabilities like that if you weren’t all so afraid of a planned hard fork.

    What’s more important - the raw number of nodes (even with masses running on AWS, running pre-0.8, etc.) or the number of functioning nodes?

    Is there a concern that a hard fork will expose the emperor has no clothes? i.e. that planned hard forking isn’t catastrophic, and that actually the large number of nodes on the network were just illusory anyway, old machines forgotten about in university server rooms.

    Right, enough politics on GitHub. I’ll take it elsewhere. If it means anything - utACK.

  44. sipa commented at 1:47 am on January 22, 2016: member
    Off topic.
  45. stale2000 commented at 2:05 am on January 22, 2016: none

    @petertodd

    “People who still disagree are welcome to run other software.”

    Gotcha, so what you are saying is that you don’t care about consensus. This is a new feature that you want, and it is going to be implemented regardless if the majority of the community disagrees.

  46. sandakersmann commented at 2:07 am on January 22, 2016: contributor
    The only reason people want RBF implemented is that central planners in Core are forcing a deadweight loss in the block space market by limiting the blocksize. This is terrible because it undermines the long term viability of the Bitcoin network. We need all the adoption we can get on the main chain to ensure a healthy network in the future.
  47. dcousens commented at 2:21 am on January 22, 2016: contributor
    @sandakersmann please don’t accuse anyone actually participating in the discussion [and who has an opinion which is the opposite of yours] as “central planners”. In any case perhaps reading a set of use cases for RBF will help you understand its purpose.
  48. sandakersmann commented at 2:29 am on January 22, 2016: contributor
    @dcousens When someone interfere with the free block space market and thinks they know better, that is central planning. Enforcing artificial limits are without doubt central planning.
  49. achow101 commented at 2:42 am on January 22, 2016: member

    @stale2000 By no means is this a new feature. Replacing transactions was originally in Satoshi’s first version. Since this is node policy, not consensus (it won’t cause a fork). Where does the majority of the community disagree? Are they disagreeing because they don’t understand how Opt-In works? @sandakersmann by that logic any implementation of Bitcoin and any new feature added and any new feature planned is “central planning”. If that didn’t happen, nothing would get done and we wouldn’t see new features.

    How are they interfering with the free block space market? By not deploying a hard fork to increase the block size limit right now? Soft forks can be problematic, hard forks can be worse. They have good reason to avoid hard forks. Anyways, this is off topic.

    NACK for this PR

  50. sandakersmann commented at 2:46 am on January 22, 2016: contributor
    @achow101 Yes by enforcing the 1MB blocksize limit. I agree this went a bit off topic. Sorry about that.
  51. amacneil commented at 3:10 am on January 22, 2016: none

    NACK. Consider me as someone who absolutely opposes full-RBF, but if Core is going to support opt-in RBF semantics then it’s illogical to disable this by default.

    I think most people ACKing this PR don’t understand how the currently implemented opt-in behavior works. At the very least the OP comments on this PR don’t make any sense given that #7386 didn’t change any existing behavior.

    Maybe the flag should be renamed to -permitoptinrbf to prevent confusion?

  52. sandakersmann commented at 3:15 am on January 22, 2016: contributor
    @amacneil It changes existing behaviour from Core 0.11.2 and that is the code base that runs the network today.
  53. sdaftuar commented at 3:17 am on January 22, 2016: member
    @sandakersmann Could you please explain the change so we’re all on the same page?
  54. sandakersmann commented at 3:19 am on January 22, 2016: contributor
    @sdaftuar If we merge this pull request there will not be any policy change from Core 0.11.2 by default.
  55. amacneil commented at 3:21 am on January 22, 2016: none
    @sandakersmann right, but that change was already merged into master weeks ago, and is opt in for the sender of the transaction. How does this PR help the situation?
  56. achow101 commented at 3:24 am on January 22, 2016: member
    @sandakersmann That is completely illogical. If we don’t do anything then there won’t be any policy change by default. Your logic says that we should just not release 0.12 since it changes from what the network is currently running. By your logic, we should not do anything to change individual node policy or network consensus because it would “change existing behaviour from the code base that runs the network”. BTW, 0.11.2 doesn’t even hold the majority of nodes, only 42%, and it also had a policy change and soft fork. @amacneil It would disable RBF entirely be default and only allow it to be enabled through an option.
  57. sandakersmann commented at 3:24 am on January 22, 2016: contributor
    @amacneil I was unfortunately not aware of that initial change before it was merged. This PR helps since nodes won’t be mining and relaying RBF transactions.
  58. sandakersmann commented at 3:27 am on January 22, 2016: contributor
    @achow101 I’m not against change. Only this change.
  59. achow101 commented at 3:30 am on January 22, 2016: member
    @sandakersmann come up with a better argument then because the one you are using says that all change is bad.
  60. sandakersmann commented at 3:31 am on January 22, 2016: contributor

    Did you read this?

    #7388 (comment)

  61. amacneil commented at 3:32 am on January 22, 2016: none

    @sandakersmann you’re aware that the new behavior is opt-in right? As in, the sender of the transaction explicitly requests that they want the ability to double spend, and to the merchant/recipient it’s clear as daylight that this feature has been enabled. By default Core does not create these transactions, or even have the ability to create them currently.

    So this is just adding extra flexibility to bitcoin if some people want to use it. Is there a good reason for reducing the flexibility of bitcoin transactions?

  62. sandakersmann commented at 3:35 am on January 22, 2016: contributor
    @amacneil It does not add flexibility for the average user. It adds attack vectors and confusion.
  63. skajake commented at 3:36 am on January 22, 2016: none

    The reason this mempool policy change is so incredibly dangerous is that the entire bitcoin ecosystem is built around the assumption that the vast majority of nodes will (and are) rationally running a First-seen-safe policy. Since 99% of node operators do not change the default settings, this has been a safe-enough (not 100% safe obviously) assumption.

    This change radically changes that assumption as retailers must now use wallets with advanced new RBF features. They must also come up with new workflows to deal with clientele who accidentally flag transactions as RBF. Most retailers wont bother with this hassle (at best) and potentially ignorant retailers will lose a lot of money (at worst). This policy change (and by policy i am referring to the default settings since 99% of node operators will not change the defaults) is the equivalent of a nuclear bomb on the retailer community.

  64. achow101 commented at 3:45 am on January 22, 2016: member

    @sandakersmann I have read that comment.

    It is not us that should show you that services for 0-conf acceptance have implemented discard function for non-final nSequence values. This is something that you should know all about and show us before you implement such dramatic changes to policy.

    Sipa is saying that there are no services which accept 0-conf transactions that accept non-final transactions. Since opt-in makes it non-final, they are already prepared for that. He (and everyone else on the team) has already looked at the services and have already determined that they all already deal with non-final transactions. He is saying that you would not be able to find any service that doesn’t already deal with those non-final 0-conf transactions because they all do.

    I think it is really bad the way you guys are trying to force bitcoin into lightningcoin. Stealing fees from the miners will kill the long term viability of the Bitcoin network.

    How is it stealing fees from miners? If anything, it increases fees for them.

    You can see what the community thinks of RBF here:

    How accurate is that survey? Does it accurately survey and represent the entire population? Do those who were part of that survey actually know what Opt-In RBF even means? @skajake Any service who already accepts 0-conf transactions will already check for certain things to be sure that the incoming transaction will be confirmed. One of them is the nSequence, and if it is not MAX_INT, then the transaction is non-final. Even if they do not upgrade, this code is already there because an nSequence that is not MAX_INT is already considered non-final and thus dangerous to accept 0-conf on. Thus that is irrelevant.

    Also, if they only accept transactions with confirmations (as many do), then this doesn’t matter to the retailer.

  65. sandakersmann commented at 3:55 am on January 22, 2016: contributor

    Sipa is saying that there are no services which accept 0-conf transactions that accept non-final transactions. Since opt-in makes it non-final, they are already prepared for that. He (and everyone else on the team) has already looked at the services and have already determined that they all already deal with non-final transactions. He is saying that you would not be able to find any service that doesn’t already deal with those non-final 0-conf transactions because they all do.

    I would like some documentation on that.

    How is it stealing fees from miners? If anything, it increases fees for them.

    Limiting transactions on the main chain will result in less fees. There is a limit to what people will pay before they seek alternatives.

    How accurate is that survey? Does it accurately survey and represent the entire population? Do those who were part of that survey actually know what Opt-In RBF even means?

    Those who want to change policy should provide documentation, but here is another survey: http://bitcoinocracy.com/arguments/rbf-replace-by-fee-policy-should-not-be-adopted-because-it-breaks-0-conf-transactions-and-needlessly-imposes-extra-development-costs-on-existing-merchants

  66. dcousens commented at 3:56 am on January 22, 2016: contributor

    I would like some documentation on that.

    https://bitcoin.org/en/glossary/sequence-number

    Part of all transactions. A number intended to allow unconfirmed time-locked transactions to be updated before being finalized; not currently used except to disable locktime in a transaction

    https://bitcoin.stackexchange.com/questions/2025/what-is-txins-sequence is probably a better explanation. In this case their application replacement for increased miner incentives.

  67. sandakersmann commented at 4:04 am on January 22, 2016: contributor
    @dcousens That is today’s reality. Sipa is referring to RBF that might be a part of tomorrow’s network.
  68. dcousens commented at 4:19 am on January 22, 2016: contributor
    @sandakersmann I know, we were referring to today’s reality in the perspective of any deployment/technical/economic shocks that might occur as a result of RBF right? I would base my [without further inquiry] assumptions of what merchants/wallets have deployed based on the above documented behaviours. That is, its a thing, but not-yet-enabled (except for nLockTime and CLTV, which is itself new).
  69. GIJensen commented at 4:35 am on January 22, 2016: none

    NACK, I can’t fathom why we should make this change. Opt-in RBF is already here, we’re planning on keeping it, disabling it by default just seems ridiculous. Wallet developers should update their wallets to properly make users aware of RBF when allowing 0conf.

    If people are worried about users not being educated on RBF, then there should be a proposal on making sure users are informed. Not disabling RBF by default. It’s not the boogeyman, there is a flag, and this is a useful feature.

  70. ripper234 commented at 5:14 am on January 22, 2016: none

    ACK

    RBF needs to be pot-in. Let miners make an informed decision on such a controversial topic, don’t “silently” or automatically change this behavior.

    I like the opt-in flag, don’t like that it is/was opt-out.

  71. ripper234 commented at 5:15 am on January 22, 2016: none

    @GIJensen

    Opt-in RBF is already here

    What you have right now it opt-out, not opt-in. It should be opt-in, this is what this PR is about.

  72. GIJensen commented at 5:22 am on January 22, 2016: none

    @ripper234, no the opt-in aspect is the fact that senders opt-in by flagging a transaction as RBF replaceable. The wallet owner can then choose to trust it before it gets a confirmation.

    This is different than non opt-in RBF where there would be no flag and all transactions would be replacable before a confirmation.

    If I’m understading this new option correctly, this change would actually prevent even transactions that opted in from reaching the mempool.

  73. dcousens commented at 5:27 am on January 22, 2016: contributor

    @ripper234 this PR proposes opt-in to opt-in RBF as the default.

    Without this PR, the current situation is opt-out to opt-in RBF.

  74. ripper234 commented at 5:43 am on January 22, 2016: none

    Wow this shit is complicated :)

    Ok, if I understand it correctly: What I want is opt-in to opt-in.

    • Nothing should be on by default.
    • Miners should be able to opt in to the RBF game.
    • The RBF game should allow users to opt in to replaceability.

    If I understand correctly, then ACK this.

  75. GIJensen commented at 5:53 am on January 22, 2016: none

    @ripper234, I believe this would also force nodes to opt-in manually as well. I believe this change could reduce the usefulness of RBF.

    I fail to understand the support for this change. RBF does not harm nodes or miners, at all. It makes sense for them to choose to disable it by personal preference as someone who doesn’t know or care about RBF wouldn’t be affected in the slightest.

    Wallets regardless of this change will have to still be safe, and educate about 0-conf and RBF. This change does nothing but hurt RBF, and doesn’t seem to benefit anyone.

  76. JonComer commented at 6:02 am on January 22, 2016: none

    As @skajake has stated the overwhelming reason that people oppose RBF is not lack of knowledge about it, but the potential impact it has on businessss that accept Bitcoin. The last thing we should be doing is making it harder it scarier for businesses to interact with or accept Bitcoin transactions. Of course someone with @petertodds level of skill can double spend, but businesses accept risk of counteroffer money being used for purchases but governments aren’t making a huge issue about it so they self regulate those risks. If the news cycle were to suddenly start talking about the potential risks for accepting cash if would cause China’s and confusion. Just as RBF is doing.

    This is bad for Bitcoin and having this turned on as a default is bad for Bitcoin.

    Did devs talk to merchants about this. Because a lot of people in the retail space think this is horrible.

  77. JonComer commented at 6:03 am on January 22, 2016: none
    *chaos (not China) . Sorry typing from a phone with autocorrect
  78. JonComer commented at 6:27 am on January 22, 2016: none
    *counterfeit not countoffer. Will do better job of editing next time. :/
  79. jgarzik commented at 10:23 am on January 22, 2016: contributor
    ACK. Clear consensus for this among users and businesses.
  80. laanwj commented at 10:25 am on January 22, 2016: member
    @jgarzik Clear consensus? What are you smoking? There is no clear consensus. Just read the posts here for one.
  81. JonComer commented at 11:06 am on January 22, 2016: none

    @laanwj. What businesses or retail business owners are NACKing on this thread? Or are you referring to dev consensus as consensus?

    If you are that’s fine, but I feel like consensus is a word often used by devs about devs. I think this is a problem as consensus is tossed around a lot in here. For instance devs re: RBF talk about having had consensus months ago. Should we not strive for a much more robust definition of consensus to be used going forward? Maybe that way we can avoid a separation in dev consensus and user consensus that Jeff is referring to that can be seen in the consider.it polling.

  82. laanwj commented at 11:09 am on January 22, 2016: member

    This is bad for Bitcoin and having this turned on as a default is bad for Bitcoin.

    Having the possibility of opt-in RBF does not mean that transactions are created with RBF opt-in by default. As far as I know, no wallets have this possibility at this point at all, let alone do it by default.

    However, transactions that do opt-in to RBF are distinguishable (that’s the whole point of opt-in versus full RBF), so a merchant that normally accept zero-conf can take that into account and only accept the transaction when it has confirmed. There’s no extra risk when doing so.

    It just increases flexibility to have this available. There are lots of complaints about stuck transactions that never confirm. WIth opt-in RBF it is possible to raise the fee on existing transactions (that opted in), so that transactions that initially had too little fee make it into the block chain.

    By arguing to disable this you are killing a useful feature. No one will dare touch this again one it is disabled.

  83. JonComer commented at 11:27 am on January 22, 2016: none

    “By arguing to disable this you are killing a useful feature. No one will dare touch this again one it is disabled.”

    If it is such a useful, needed, desired feature why would no one dare touch it if it was disabled??

    I seems like if there is indeed great market demand for it, it will be used.

    However, do you know for a fact that retail merchants will NOT have to do code integrations and/or updates in their systems for this? Has there been any (I really hope the answer is yes) surveying of experts in the bitcoin retail sector on how they feel about RBF and especially about it being defaulted as “on.” All I am hearing outside of devs on here is that it is not wanted. The only people saying it is useful are devs or non-retail related individuals. If I am wrong great. But I am simply looking at the evidence available.

    If you are bound and determined to make this change, isn’t it reasonable to give people the option to “opt in” (all the way around, not just on one side) instead of opting out of something they simply may not understand or want?

  84. jonasschnelli commented at 11:28 am on January 22, 2016: contributor

    Sidenote for @JonComer

    […] Maybe that way we can avoid a separation in dev consensus and user consensus that Jeff is referring to that can be seen in the consider.it polling.

    Users consensus is very hard to measure. Did you know I can buy 1'000 twitter followers for 10USD? I’m pretty sure you can do something similar with consider.it or with github ACKs.

    We should not start public voting for high complex technical discussions unless every bitcoin users must vote and must spend two days reading and studying the technical topic. Otherwise we start something that is called political parties. And this would be really bad for Bitcoin IMO.

  85. laanwj commented at 11:32 am on January 22, 2016: member

    I seems like if there is indeed great market demand for it, it will be used.

    Opt-in RBF is a compromise that can’t be used if the network doesn’t support it. It is not very useful if only a few nodes support it. @petertodd’s full-RBF patch solves this by adding a version bits so that nodes that support full RBF can find each other. That’s the other path. It allows some users to use RBF without marking transactions in a way that opt-in RBF does.

    Opt-in RBF is a compromise that keeps the sanity. Users that want to use RBF can do so without harming users that don’t want to use it. Full RBF on the other hand allows full double spending and (absent other precautions) makes zero-conf completely useless.

    It’s naive to think that keeping back opt-in RBF will also discourage full RBF. If anything, some users and miners have got so annoyed by this political maneuvering that they’ve started to support full RBF.

  86. JonComer commented at 11:32 am on January 22, 2016: none

    @jonasschnelli I nowhere said we should “vote”. However business analyst exist in this world because they act as bridges between user/consumer/client desires and demands and engineers/technicians/coders. Otherwise “innovation” is done in a vacuum. We are, in my opinion, seriously lacking in the equivalent of business analysts in the bitcoin community. Right now we seem to be operating by the sole principal that “devs know best.” In the real world this is simply not true. Does it not concern you at all that there is so much “potential” push back on this subject?

    Or are devs just the smartest people in the room and the rest of us have not the intelligence to count as opinions?

  87. seweso commented at 11:40 am on January 22, 2016: none
    @petertodd What are these “new doublespend opportunities separate from opt-in RBF that have been added to v0.12.0”?
  88. JonComer commented at 11:40 am on January 22, 2016: none

    @laanwj

    A couple of questions just to clarify where you stand on this topic.

    Do you support RBF because you think its important to give people the option to “move to the front of the line” by paying more fees or is it more (or equal) to try and “protect” retailers from double spends?

    If you only think the former is a case for then ignore this next part. But if you think the latter is a case for, then why do you think it is that no one is double spending? (outside of @petertodd)? And can you possible see how people feel that there is a solution looking for a problem? In other words, “if it ain’t broke, don’t fix it.”?

  89. greenaddress commented at 11:42 am on January 22, 2016: contributor

    @JonComer I know for a fact that those using zero conf will have to update regardless of opt-in RBF because virtually any release introduces some network changes (min relay fee, min dust, mem pool limiting, OP_RETURN updates isStandard changes, etc) which can and will be exploited for double spends.

    I’m not even the first one to say this in this very page, you should probably read what the others already said before contributing your opinion as we otherwise further confuse people.

    Dealing with zero conf has always been a catch up game. opt-in rbf gives us the best of both worlds.

    The changes to detect opt-in RBF should be already implemented since originally Satoshi has designed the nSequence number to mean that a transaction can either be final or non final. Even if not, it is pretty much a trivial change, sometimes a one liner.

    People that do zero conf professionally seem to already take into account this (as they should!)

  90. jonasschnelli commented at 11:43 am on January 22, 2016: contributor

    @JonComer: I totally agree with you. But we are discussing on a technical platform (the heart of the technical project management of Bitcoin Core).

    Business analysts may help write BIPs (bitcoin improve proposals) or help people choosing which bitcoin software they should run.

    But this is the wrong place for analyst level discussions.

  91. ripper234 commented at 11:46 am on January 22, 2016: none

    I opened a consider.it page.

    https://bitcoin.consider.it/set-permitrbf-to-false

    If anyone has a better description for this feature, let me know. I used:

    RBF: Miners opt-in (config) to allow tx opted-in by users to be Replaced-By-Fee.

  92. JonComer commented at 11:47 am on January 22, 2016: none

    @jonasschnelli

    This is fortunately or unfortunately the most and only direct root to most devs. “This is not the place” is not true in my opinion. Those anaylst level discussions just are not being held other places. I think you can expect more people like myself looking to speak directly to the source in the future. And I think that communication is valuable both ways. If you can point out the best place (or a much better place) then I will do my best to spread the word to the community.

    But the truth is decisions that effect the community are being ACKed and NACKed right here on github. And up to recently a large majority of the bitcoin eco system didn’t even know it was happening.

  93. jonasschnelli commented at 11:52 am on January 22, 2016: contributor

    @JonComer: See https://bitcoincore.org/en/contribute/ and https://github.com/bitcoin/bitcoin/blob/master/CONTRIBUTING.md#decision-making-process

    But the truth is decisions that effect the community are being ACKed and NACKed right here on github.

    IMO not true. Decisions are made by people who run the new (or old) software. Miners, merchants or user (node operators).

  94. laanwj commented at 11:52 am on January 22, 2016: member

    Do you support RBF because you think its important to give people the option to “move to the front of the line” by paying more fees or is it more (or equal) to try and “protect” retailers from double spends?

    Both:

    I support RBF because I want wallets to be able to ‘unstuck’ transactions that have already been sent. This is a clear solution for a clear problem, but it is not all. There are also more advanced contracts/applications that require RBF.

    I support opt-in RBF because it allows those parties which prefer the old status quo to still do their thing. It is clear that there is a group of people that want RBF for legitimate reasons, and as said, opt-in provides a compromise where both groups can co-exist peacefully.

    But if you think the latter is a case for, then why do you think it is that no one is double spending?

    I suspect that’s due to social factors. Maybe no one wants to screw you. Maybe the (perceived) cost of doing so is much higher than what is to be gained. Maybe bitcoin users, despite being universally portrayed as criminals in the media, aren’t that bad and just want this to work. Do I know?

    In any case allowing opt-in RBF won’t change this. For transactions not opting in you can treat them as before, for transactions opting in you accept them after 1 confirm.

  95. jtimon commented at 1:23 pm on January 22, 2016: contributor

    As noted by other people, it is fine if the feature is controversial because this is just rlay policy and not a consensus rule. But I really don’t understand how can opt-in RBF be possibly controversial. Maybe there is a lesson to learn here: full RBF has been implemented for years but never merged because it was “controversial”. After long, the more complex opt-in RBF was developed, with the goal to remove those “controversies”, but it turns out it is unexplicably “controversial anyway. Maybe we should have just deployed full RBF years ago…

    That, plus changing defaults for configurable values is usually a waste of time that mostly just generates noise and long discussion threads like this one. Nobody is forced to use the default values. Anybody can make a parallel release (analogous to @petertodd’s RBF parallel release) with the “right defaults” to promote whatever relay policy they like more instead of bike-shedding defaults here.

    NACK.

  96. skajake commented at 1:42 pm on January 22, 2016: none

    Maybe we should have just deployed full RBF years ago…

    So when a dangerous policy change is faced with controversy, your solution is to force a more radical version down the throats of your users? I sincerely hope you are trolling

  97. laanwj commented at 1:52 pm on January 22, 2016: member

    So when a dangerous policy change is faced with controversy, your solution is to force a more radical version down the throats of your users? I sincerely hope you are trolling

    You’ve been fed a false history. Full RBF was the original proposal, which was too controversial to be widely adapted. Opt-in RBF was proposed as a compromise to make both RBF supporters and the status quo happy. If the compromise fails, both groups go back to their extremes. People that want to use RBF will do so, by the means available (the full RBF patch). In contrast to this compromise, that doesn’t need to be widely adapted (or “forced down the throats of users”, who’s trolling?) to be useful. But it is much more “dangerous” as it contains no flagging of transactions that can be replaced.

  98. jtimon commented at 2:15 pm on January 22, 2016: contributor
    To me themost dangerous policy is always accepting 0-conf as irreversible transactions. Some people were operating under the assumption that first seen policy can be a consensus rule or is universally deployed as policy. That’s false and extremely dangerous. Also what @laanwj said abot the history. All I’m saying is that if opt-in RBF doesn’t solve the only problem full RBF had IMO (being controversial ) then we could have as well not gone through the effort of removing all potential sources of controversy (that’s why I understand optin does compared to full) because although the logic has changed the policy still contains “RBF” in its name whic is (from what I can read in this PR) the real reason why opt-in RBF is controversial (haven’t all other on-topic concerns risen here been refuted?).
  99. pointbiz commented at 5:55 pm on January 22, 2016: none

    ACK

    All rules don’t fall under block chain enforced consensus. Some things depend on honest nodes and altruism. Relaying transactions is one such thing. The context here is that irreversibility is a feature. Double spending is the problem and the block chain is that solution.

    What is the block chain confirming? The first payment of the spender. Hence, it solving the double spend problem.

    Satoshi was clear on the first-seen-safe policy as a risk reducer. The context of a violation of that rule is that the minor confirming a double spent transaction either did not see the first one OR the minor is dishonest. Those are the only two options. Discovery of dishonesty is a deterrent. In an ideal mining context there are thousands of nodes creating blocks and their operators run honest code. In today’s mining context with so few nodes creating blocks we can identify the dishonest nodes who are accepting a bribe to assist in theft. Bitcoin is designed to prevent double spends anyone participating in undermining that is a dishonest actor (by definition).

  100. TheBlueMatt commented at 6:56 pm on January 22, 2016: member

    Can we close this? I have seen a bunch of complaints from people who have never contributed to Bitcoin in any significant way and no complaints from any wallets, anywhere. On the other side, I’ve seen several wallets desperately asking for this feature. This issue is not going anywhere.

    Worse, the submitter cant even be bothered to fix the tests. Not sure if this was meant to be political bullshit or a serious suggestion, but it has turned into political bullshit.

  101. GIJensen commented at 8:27 pm on January 22, 2016: none

    I agree with @TheBlueMatt, this discussion isn’t going anywhere. Many in support of this change are simply against RBF, and this PR isn’t about whether RBF will stay in core. Nobody has addressed exactly what benefits this change will have (regardless if this changes goes in, wallets and merchants will be at roughly the same risk for 0-conf), we seem to only downsides.

    There’s always opportunity to discuss the merits of opt-in RBF somewhere else.

  102. jonasschnelli commented at 8:28 pm on January 22, 2016: contributor
    Closing.
  103. jonasschnelli closed this on Jan 22, 2016

  104. laanwj locked this on Jan 22, 2016

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-22 15:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me