#bitcoin-core-dev log

18:59:45 <wumpus> #startmeeting
18:59:45 <lightningbot> Meeting started Thu Aug 11 18:59:45 2016 UTC.  The chair is wumpus. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:59:45 <lightningbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:00:25 <sipa> present
19:00:37 <wumpus> sipa proposed some topics earlier today: 1) segwit policy limits  2) can we propose a softfork to make low-s required simultaneously with segwit?  3) 3) raising mandatory script flags to include bip66 4)
19:00:41 <wumpus> eh no 4
19:01:11 <wumpus> can anyone do the giant highlight list?
19:01:44 <jonasschnelli> ping gmaxwell
19:01:47 <cfields> gmaxwell: paging bot
19:01:50 <gmaxwell> #bitcoin-core-dev Meeting: wumpus sipa gmaxwell jonasschnelli morcos luke-jr btcdrak sdaftuar jtimon cfields petertodd kanzure bluematt instagibbs phantomcircuit codeshark michagogo marcofalke paveljanik NicolasDorier
19:01:55 <kanzure> hi.
19:02:08 <instagibbs> oops, it's not wednesday, how about that
19:02:08 <wumpus> thanks
19:02:41 <luke-jr> heh
19:02:47 <wumpus> another topic would be rc3 go-ahead
19:02:48 <kanzure> not sure about priority but jtimon was asking for code review eyeballs on #8493
19:03:05 <wumpus> but let's start with sipa's topics
19:03:07 <btcdrak> hi
19:03:14 <wumpus> #topic segwit policy limits
19:03:27 <michagogo> cfields: I think last time he said it's not a bot...
19:03:48 <cfields> michagogo: was a joke :)
19:03:49 <gmaxwell> it's just an alias.
19:03:50 <wumpus> michagogo: all bots say that!
19:03:51 <sipa> jl2012 has suggested some changes to prevent DoS attacks with segwit
19:04:08 <michagogo> Also, if anyone's interested I think the KSK ceremony is starting soon
19:04:21 <sipa> do we in addition want per txin witness size limits or so
19:04:56 <wumpus> may make sense to add some initial limits, they can always be removed later
19:05:02 <wumpus> adding limits later is more controversial
19:05:14 <sipa> agree
19:05:51 <instagibbs> is this merely to offset people stuffing data for 25% the price
19:05:54 <sipa> but i'd like to know what opinions people have about this
19:06:06 <instagibbs> could you elaborate additional motivations if any
19:06:07 <jl2012> this is a conceptual PR: https://github.com/bitcoin/bitcoin/pull/8499
19:06:11 <wumpus> ofc
19:06:18 <luke-jr> a policy limit matching p2sh's consensus limit sounds uncontroversial
19:06:37 <luke-jr> but this is too small for N-of->15, so maybe slightly larger is desirable
19:07:28 <luke-jr> someone involved with Lightning probably should comment as well
19:07:58 <wumpus> yes, it would be important not to sabotage that
19:08:28 <btcdrak> ping roasbeef GreenIsMyPepper rusty ^
19:08:33 <instagibbs> could someone tell me what we're protecting against first? I can't really form an opinion
19:09:06 <jtimon> is this a new consensus rule or just policy? (looking at 8499 seems policy only, just want to confirm)
19:09:12 <sipa> jl2012: policy
19:09:16 <sipa> eh, jtimon ^
19:09:16 <kanzure> instagibbs: txin witness size bloating
19:09:20 <jtimon> thanks
19:10:05 <sipa> jl2012: 8499 does not set a size limit, right?
19:10:35 <instagibbs> 8499 I think just bans peers for bad witnesses
19:10:58 <sipa> instagibbs: also protection against the problems discussed in #8279
19:11:18 <jl2012> sipa: it's per input size limit
19:11:26 <instagibbs> sipa, yes, makes sense
19:11:37 <sipa> ok
19:12:11 <sipa> jl2012: but no limits for p2wsh
19:12:39 <sipa> (sorry, i haven't looked in detail; correct me if i'm wrong)
19:13:53 <sipa> seems there are not too many opinions; i'll propose some thing for next meeting
19:14:19 <sipa> next topic?
19:14:50 <wumpus> #topic softfork to make low-s required simultaneously with segwit
19:15:37 <wumpus> there was some discussion about this earliet today between sipa and jl2012
19:15:38 <luke-jr> IIRC, this just blocks transactions that can be fixed with malleation anyway. might as well.
19:15:39 <wumpus> <jl2012> sipa: why would you like to have a low-s softfork? And is it for segwit  scripts only, or for all scripts?
19:15:39 <wumpus> <sipa> jl2012: it's already nonstandard for a long time, it doesn't hurt anyone, and removes a source of malleability
19:15:39 <wumpus> <jl2012> so you want it for non-segwit scripts too?
19:15:39 <wumpus> <sipa> well to be discussed
19:15:52 <murch> Are there any downsides to that?
19:15:57 <sipa> so it was recently suggested that since low-s has been non-standard and not present on the network for over a year now, we could propose to turn it into a consensus rules
19:16:06 <wumpus> <jl2012> with low-s rule, even the wtxid of a p2wpkh tx is not malleable
19:16:13 <wumpus> <jl2012> I don't see a compelling reason to have a low-s soft fork with segwit (in 0.13.1). Non-segwit txs are hopeless and we should not spend any energy to fix them. For segwit txs, why would we need immallable wtxid?
19:16:13 <wumpus> <sipa> one reason would be avoid 3rd party relayers messing with compact block relay
19:16:41 <jl2012> sipa: limiting p2wsh is more difficult, I think it could only be done case-by-case
19:16:52 <wumpus> sipa: agreed; the thing for discussion is mostly why to combine it with segwit
19:17:13 <wumpus> a low-s softfork itself at some point is uncontroversial imo
19:17:17 <sipa> pro combining it with segwit: it may be hard to do this as a separate softfork
19:17:32 <jonasschnelli> why is it hard?
19:17:34 <luke-jr> ^
19:17:52 <sipa> miners need to upgrade software
19:18:08 <jonasschnelli> Combine it with another, later software?
19:18:12 <jonasschnelli> softfork
19:18:16 <sipa> a low-s softfork would be uncontroversial, but also very low benefit
19:18:27 <luke-jr> no reason to make it urgent; just roll it out and let miners deploy on their own time?
19:18:30 <sipa> that's possible, but i thought it would be neat to just never have anything but low-s in segwit
19:18:30 <wumpus> but rolling everything into one giant softfork is more risky
19:18:36 <GreenIsMyPepper> reading scrollback...
19:19:30 <wumpus> that is true
19:19:39 <jonasschnelli> I think it's useful to combine to low-s restriction with the SW software in 0.13.1
19:19:52 <sipa> it's literally, VersionBitsActive(pindexPrev, DEPLOYMENT_LOW_S) == ACTIVE { flags |= SCRIPT_VERIFY_LOW_S; }
19:19:56 <wumpus> well yes that would be 0.13.1
19:19:59 <GreenIsMyPepper> is the policy limit for number of sigs? (sorry for the noise)
19:20:11 <kanzure> size
19:20:13 <jtimon> a low s softfork should be also quite easy, no? it's already implemented, just make a flag mandatory for consensus
19:20:18 <luke-jr> oh, right. speaking of 0.13.1, it seems quite uncontroversial
19:20:20 <instagibbs> Oh, if the two bip9 aren't packaged, I think we should
19:20:25 <wumpus> jtimon: yes, sipa just quoted the code change :)
19:20:28 <instagibbs> (duh, bip9)
19:21:31 <sipa> jl2012 sounded like he thought this would require more testing; and i agree that if due to extra testing this would delay the segwit softfork, we should not
19:21:45 <wumpus> I like coupling an uncontroversial change to a more risky one more than the other way around at least
19:21:46 <kanzure> s/we should not/we should not bundle
19:21:53 <luke-jr> (huh, it occurs to me - not a real suggestion - that we *could* have de-bundled the block size increase from segwit into a separate BIP9 bit, so long as all deployment of segwit included support for the separate blocksize-increase bit; IMO interesting)
19:22:13 <jtimon> no strong opinion about doing the low-s sf with segwit or later
19:22:35 <jtimon> but yeah, the sf itself seems uncontroversial
19:22:41 <sipa> gmaxwell countered that if low_s requires testing, that's testing we should be doing already, as it's being enforced on every transaction on the network already, so making it consensus likely just removes the possibility for untested cases
19:23:13 <GreenIsMyPepper> seems cleaner to have low-S from the start, no?
19:24:22 <luke-jr> wumpus: coupling an uncontroversial change to a more controversial one, could be taken as pressure to activate the controversial one; so for that reason, it may be best to keep them separate (like how we don't do softforks in .0 releases)
19:24:34 <luke-jr> (separate in the BIP9 sense, not necessarily a different release)
19:24:53 <instagibbs> luke-jr, my assumption would be a different bit
19:24:54 <btcdrak> I think lowS softfork is a nobrainer, it's also easy and uncomplicated since it's already policy.
19:25:04 <wumpus> luke-jr:that would be if it is uncontroverial *and* attractive, but there's no one really waiting for low-s enforcement, it's just a cleanup
19:25:05 <jtimon> I mean, we can also deploy low-s in, say 0.12.2 before segwit (oh, wait, backport bip9)
19:25:24 <jtimon> if they go in the same release, why separate them in the bip9 sense?
19:25:29 <kanzure> luke-jr: that's at best an argument for your segwit bip9 activation decoupling idea.
19:25:39 <wumpus> I don't think we should deploy anything before segwit
19:25:50 <sipa> wumpus: agree
19:25:58 <jonasschnelli> agree
19:26:27 <wumpus> it's time for segwit now, we should try to move ahead with things instead of introducing more things in between
19:26:35 <luke-jr> kanzure: well, it's almost certainly too late for that (it definitely would add to testing required)
19:26:45 <jtimon> wumpus: just saying that together is not the only option for having low-s from the start of segwit, no strong opinion
19:26:54 <wumpus> so, yeah, let's get 0.13.0 out asap then decide on a timeframe etc for segwit and do 0.13.1
19:27:02 <sipa> ok
19:27:08 <GreenIsMyPepper> luke-jr: to follow up with the above ping, we're presuming a policy limit to be the same as P2SH constraints with the redeemScript size
19:27:22 <luke-jr> GreenIsMyPepper: thanks
19:27:57 <wumpus> adding LOW_S is fine with me, it's simple to do and not risky and not controversial, indeed is a lot of overhead to do a seperate softfork for it
19:28:32 <instagibbs> also segwit could activate first, in some universe
19:28:33 <sipa> GreenIsMyPepper: oh sure - no reason why segwit would be able to do less than what is currently possible with P2SH
19:29:26 <wumpus> next topic?
19:29:41 <wumpus> #topic raising mandatory script flags to include bip66
19:29:53 <btcdrak> I would prefer we combine lowS with segwit.
19:29:58 <jtimon> regarding luke-jr's argument, I don't think segwit is controversial either, but if segwit+low-s deployment fails, you can always try again with them separated
19:29:59 <sipa> so, we have 3 sets of flags currently
19:30:00 <luke-jr> what node versions does this result in cutting off from the network? pre-0.8, I think?
19:30:16 <sipa> 1) mandatory flags 2) consensus flags 3) standardness
19:30:26 <wumpus> luke-jr: no one is 'cut off' from the network?
19:30:39 <luke-jr> then I am misunderstanding
19:30:42 <jtimon> sipa: how are mandatory flags different from consensus flags?
19:30:50 <sipa> luke-jr is not misunderstanding
19:31:00 <wumpus> luke-jr: it's a softfork so 0.8 nodes should still be able to verify?
19:31:14 <sipa> wumpus: i'm explaining
19:31:27 <instagibbs> Mandatory script verification flags that all new blocks must comply with for
19:31:28 <instagibbs> * them to be valid. (but old blocks may not comply with) Currently just P2SH,
19:31:34 <sipa> the reason why mandatory flags are different from consensus is because old nodes are not guaranteed to not send us currently-invalid transactions
19:31:50 <sipa> and we would ban them if they send a BIP66-invalid transaction, for example
19:31:55 <instagibbs> "Failing one of these tests may trigger a DoS ban" I see
19:32:01 <sipa> so that's why BIP66 is not part of mandatory flags
19:32:18 <sipa> i just wanted to bring up the topic, not necessarily for anytime soon
19:32:20 <wumpus> right, so they would not be cut off the network, but only if they actually generate or relay something invalid by new rules
19:32:28 <luke-jr> note we have a fork of 0.5.3 that is actively "maintained" and used
19:32:33 <jtimon> instagibbs: also bip66, bip65 and bip112, no?
19:32:34 <sipa> wumpus: it could partition the network, though
19:32:41 <luke-jr> s/we/someone else on the network/
19:32:55 <wumpus> sipa: ok, let's look at it from the other side then
19:32:57 <instagibbs> jtimon, oh, the comment is straight from master
19:33:00 <wumpus> sipa: what would be the advantage?
19:33:01 <sipa> wumpus: if there is a large group of pre-0.8 nodes connected to eachother, and they get an invalid transactions relayed to eachother
19:33:23 <jtimon> but all new blocks must comply with those too
19:33:45 <wumpus> does it cost a node a lot of resources to verify BIP66 compliance? if not, why does it warrant DoS banning?
19:33:58 <sipa> wumpus: good point
19:34:22 <sipa> perhaps the policy should just be to never extend mandatory flags
19:34:31 <sipa> unless there is a DoS attack that needs it to be fixed
19:34:39 <wumpus> I remember a previous discussion about being less trigger happy regarding DoS banning
19:34:49 <wumpus> right, if there is DoS risk it is the appropriate measure
19:35:04 <sipa> i just noticed that this is something we've been ignoring the value of mandatory flags
19:35:20 <wumpus> yes, sure, it's confusing
19:35:25 <sipa> yes, indeed, i remember reducing dos banning flags
19:35:50 <wumpus> but adding a comment explaining this rationale would do just as well as extending the mandatory flags
19:36:08 <sipa> fair enough
19:36:45 <jtimon> sipa: I'm not sure I follow, why aren't SCRIPT_VERIFY_CHECKLOCKTIMEVERIFY and SCRIPT_VERIFY_CHECKSEQUENCEVERIFY in MANDATORY_SCRIPT_VERIFY_FLAGS ?
19:37:18 <sipa> jtimon: because pre-0.11.2 nodes could get banned by us if they'd send a CSV-violating transaction
19:37:25 <wumpus> jtimon: for the same reason, probably, it would be harmful to DoS ban on them
19:37:45 <luke-jr> jtimon: if a 0.5.3 node sends you a transaction violating those rules, you don't want to ban them, just reject it; if you banned them, you partition such nodes off the network and they stop getting blocks
19:37:55 <wumpus> (to not accidentally partition the network)
19:38:01 <jtimon> ok, so it's all about the DoS score
19:38:06 <wumpus> yes
19:38:23 <instagibbs> so why is it ok to ban a misbehaving p2sh transaction (probably veering off the path here)
19:38:44 <jtimon> why SCRIPT_VERIFY_P2SH is different from other softforks for this again?
19:38:48 <wumpus> validation overhead?
19:39:06 <sipa> jtimon: it was very old at the time mandatory flags was introduced, so nobody cared, i guess
19:39:13 <gmaxwell> We can't reasonably support old versions forever; We're not testing them, and certantly not testing weirdo transactions with them.  perhaps we should have a program of making links to sufficiently old versions blocks-only after some point.
19:39:43 <wumpus> well people run them on their own risk
19:40:04 <jtimon> wumpus: well they risk being banned, no?
19:40:17 <gmaxwell> yes, though if we blocks only them we won't risk partitioning them do to weirdness with txn handling. Much more likely to be reliable.
19:41:12 <sipa> i think it's more a philosophical issue... another implementation may have different policy, and it's not our place to trigger happy ban them
19:41:12 <sipa> i like the idea of reducing dos banning where possible
19:41:14 <wumpus> sure, but would be best to not DoS ban in the first place for non DoS offenses
19:41:45 <jtimon> sipa: for SCRIPT_VERIFY_P2SH too?
19:41:57 <luke-jr> gmaxwell: would blocks-only treatment break their wallet broadcasts, though?
19:42:07 <gmaxwell> Sending a consensus invalid transaction is a prefectly reasonable thing to ban for ... ignoring that the consensus rules change over time.
19:42:09 <wumpus> I don't think we should make the one-sided decision to make lower version nodes blocks-only
19:42:28 <gmaxwell> luke-jr: yes but nodes that old already have wallet broadcast problems because of high-S enforcement as standardness.
19:42:28 <wumpus> e.g. something may report a low network version but be perfectly able to handle new transactions
19:42:44 <wumpus> they're not really coupled the same way in other software than bitcoin core
19:42:50 <gmaxwell> probablity of their txn not relaying already is exponential in the number of signatures.
19:42:51 <luke-jr> gmaxwell: consider that there's a crowd who insist on using 0.5.3 :/
19:43:06 <wumpus> in any case I don't think this is a very urgent topic
19:43:08 <luke-jr> I guess they must have patched that
19:43:31 <jtimon> luke-jr: who insists in using 0.5.3 ?
19:43:48 <luke-jr> jtimon: therealbitcoin.org people
19:43:58 <gmaxwell> luke-jr: they have to apply a small pile of fixes in any case.
19:44:25 <gmaxwell> presumably they're fixed to produce high-S signatures (or not transacting at all... :P )
19:45:20 <luke-jr> I suppose the BIP 66 patch is fairly trivial to add to that pile if they care; but sipa is right about the principle of not cutting them off IMO
19:45:27 <wumpus> they probably write raw transactions in their head instead of using the bitcoin core wallet
19:45:30 <jtimon> I guess I can ask after the meeting, but why don't they want to upgrade?
19:45:51 <sipa> jtimon: yes, let's discuss that after the meeting
19:45:58 <luke-jr> ^+1
19:46:02 <jtimon> sipa: sure, np
19:46:07 <sipa> i think this is getting too abstract
19:46:21 <sipa> i just wanted to raise attention to the neglected mandatory flags :)
19:46:29 <wumpus> in any case, not our problem, we should not do anything to sabotage use of old clients, but we're also not responsible for making sure all old versions still work, they'll have to do with a pile of patches on top
19:46:33 <wumpus> yes, next topic?
19:46:39 <btcdrak> I dont see any 0.5.3 useragents
19:46:58 <sipa> wumpus: you had rc3 as topic?
19:47:04 <wumpus> #topic rc3 go-ahead
19:47:30 <btcdrak> luke-jr: are you sure there are 0.5.3 nodes on the network? https://bitnodes.21.co/nodes/?q=0.5.3
19:47:32 <wumpus> yes, quick question, anything that still needs to be merged/backported for 0.13.0 apart from release notes?
19:48:09 <wumpus> not seeing anything here https://github.com/bitcoin/bitcoin/milestone/20
19:48:11 <luke-jr> on the off-chance there's no objection, I'd like to PR https://github.com/bitcoin/bitcoin/commit/5a716a3bc6621e4d2e2c1de5b6b5596d6877d589 for 0.13.0 mostly just to make #8459 uncontroversial
19:48:28 <wumpus> so I'm going to tag rc3 in a very short while, after the usual translation updates and such
19:48:49 <luke-jr> btcdrak: 1) those are just listening nodes, 2) 7 nodes show as 99999 "/therealbitcoin.org:0.9.99.99/"
19:49:23 <wumpus> yes they don't report as 0.5.3
19:49:40 <jtimon> sipa: so should we get  SCRIPT_VERIFY_P2SH out of mandatory too?
19:49:57 <btcdrak> luke-jr: ok so there are 5 nodes out of 5000, I really dont think we have to be concerned.
19:50:01 <sipa> jtimon: out of topic :)
19:50:15 <jtimon> sipa: ok, later too, whatever
19:50:26 <wumpus> btcdrak: it's not a concern
19:50:29 <btcdrak> wumpus: rc3 looks good to go.
19:50:59 <wumpus> foss gives that freedom to run your own stack of weird hacks if you want for whatever reason
19:51:15 <wumpus> btcdrak: ok!
19:51:37 <sipa> ack rc3
19:51:44 <jonasschnelli> ready to build
19:51:52 <cfields> sipa: as discussed yesterday, any need to try to get default_witness_commitment added to gbt with no witness data for 0.13.0? So miners can start easily adding commitments even before activation?
19:52:00 <btcdrak> There's also a blog post being written about 0.13.0 if some eyes could review and comment https://github.com/bitcoin-core/bitcoincore.org/pull/199
19:52:38 <sipa> cfields: fine be me
19:53:18 <sipa> btcdrak: great
19:53:30 <wumpus> cfields: eh, so that means holding up rc3?
19:53:32 <cfields> wumpus: opinion ^^? Not critical, we have testnet.
19:53:55 <wumpus> if it's not critical I'd say not do it, at this point
19:54:03 <sipa> cfields: 0.13.0 has no activation, so it would not produce a default_witness_commitment?
19:54:10 <wumpus> unless you want to be that person holding up the release :)
19:54:13 <sipa> i think there is no need for that in 0.13.0
19:54:22 <luke-jr> sipa: the subject was commitments pre-activation
19:54:40 <sipa> i'm confused about that
19:55:01 <wumpus> #link review blog post https://github.com/bitcoin-core/bitcoincore.org/pull/199
19:55:13 <sipa> i think a miner on 0.13.0 should never produce a segwit commitment, and a 0.13.1 one (assuming it has a defined start date) should always (regardless of whether it is before or after the start time)
19:55:35 <gmaxwell> ^ thats my expectation
19:55:38 <sipa> there is no problem if people choose to diverge from that
19:56:08 <wumpus> cfields: to be honest I'm not sure what the advantage or disadvantage of that is
19:56:56 <gmaxwell> The reason I believe we should do that is so that we don't hae sudden behavior changes at times which are far away from updating the software which might break downstream mining infrastructure.
19:56:57 <cfields> works for me. i was only considering it as a way to see that pools had begun adding valid structures. obviously it wouldn't be actually checked/used
19:57:32 <gmaxwell> e.g. if you update your bitcoin node and then days/weeks later it starts doing thing with segwit commitments that breaks your miners or pooling software, that is preferable. You would prefer the break to happen at upgrade time.
19:57:44 <sipa> cfields: 0.13.0 for all intents and purposes behaves identical to older nodes wrt segwit behaviour
19:58:03 <sipa> cfields: so i think there is no point in using witness commitments as a signalling mechanism for anything in 0.13.0 already
19:58:05 <cfields> sipa: understood
19:58:44 <sipa> so, ack rc3?
19:58:50 <gmaxwell> as far as 0.13 vs 0.13.1 I think 0.13 should not change behavior, because it won't ever activate. so there is no problem of behavior suddenly changing with it.
19:58:55 <gmaxwell> rc3 sounds good to me.
19:59:19 <cfields> works for me
19:59:41 <jtimon> yay 0.13.0!
19:59:54 <gmaxwell> jtimon: careful, you're going to trigger some confused reddit posts.
20:00:12 <wumpus> roughly one minute to go
20:00:20 <jtimon> oops, sorry, yay ack rc3
20:00:24 <gmaxwell> I think someone's clock is off.
20:00:31 <gmaxwell> Time to die.
20:00:37 <wumpus> jtimon: yes, let's not get ahead of ourselves
20:00:39 <wumpus> #endmeeting