Comments (11)
I think "Make params configurable/not hardcoded params" should be under "critical conceptual discussion". Not the part about flexibility, which I agree is low priority.
What's more fundamental is the question of whether these parameters should be "blessed" by the Bitcoin Core project.
One could argue that there is no "blessing", because these snapshots can be objectively assessed. A snapshot hash is valid if and only if background validation yields the same result. Any other snapshot, if it somehow makes into the code, is either a bug or an exploit.
This makes this feature different from checkpoints in a fundamental way. A checkpoint can be abused to override the most-work valid chain. Once enough people honor it, it becomes a fait accompli because miners are incentivised to work on it - eventually making it the most-work chain. (after which it can be deleted, and people can pretend it never happened)
The same can't be achieved with an invalid snapshot. Such forgery can always be demonstrated as long as a single person has an archive of the blockchain all the way back to genesis.
Still, in a far future where perhaps few users actually perform the background validation, a technically sound argument may not matter in the political reality.
A thought experiment to clarify this. The US Treasury finally issues their one trillion dollar coin. They do so by creating their own UTXO snapshot and forcing maintainers to include it. To avoid a chain split existing nodes on the network, they don't actually move the coin, but borrow against it. A few generations go by, more and more nodes will have be reinstalled and synced based on this new snapshot.
In this particular scenario I don't think it matters at all if the hash is part of chainparams or if it's flexible. But there may be a less extreme scenario's where it does. Which is why I think some discussion is warranted.
Meanwhile there is a major downside to not hardcoding the parameters, in that it makes the feature much harder to use. A user would have to find some place to download it, verify a hash and a PGP signature. It's less obvious how we could add p2p snapshot functionality later, because we have no hash to ask for and check against.
So on balance, because of the difference with checkpoints I explained above, my current thinking is that it's alright to include these params.
How frequently should we update testnet/signet params
Imo those params are only there to test the functionality. They don't need to be fresh. If the are nuked, we can add new params a year after the new genesis block (it's hard to test this feature if the snapshot is too close to the start of the chain).
from bitcoin.
Not sure about your "optional" issues. The nTx violations currently may lead to a crash of the node (#29261 (comment)). A crash doesn't seem "optional" to fix, no?
from bitcoin.
That PR also gives us a clean way to drop the BLOCK_ASSUMED_VALID
flag, because it was never used on a mainnet node.
from bitcoin.
Moved #29370 to the critical category
from bitcoin.
Thanks @Sjors , I added some thoughts inline, then deleted most of it again because it was way too convoluted :) I think the tldr for me is: You ask if including the params in the code open up any new attack vectors. And in my mind the answer is no, because if an attacker can influence the code that users are actually running, then they have unlimited options to profit from that. For the alternative, configurable params, I am not so sure that it doesn't introduce new attack vectors and I think this hasn't been thought through enough because there was consensus to add the code with chainparams.
I think "Make params configurable/not hardcoded params" should be under "critical conceptual discussion". Not the part about flexibility, which I agree is low priority.
My thinking is that we can have that discussion afterwards when the feature sees some adoption and there is interest in not relying on the params. In my mind it would only be critical if hardcoding for now would prevent us from moving away from it in the future. But this isn't consensus, so there is no issue with doing this :) I am happy to have such discussion now but I don't think we need a resolution before anyone can use au on mainnet. If there is consensus for moving away from hardcoded params before we are done with the "critical" section here, then there will be PR that is added to the critical list that implements that functionality and the mainnet params PR will be removed from the list. If we merge the params first and then agree on not hardcoding them anymore, the params will simply be removed with that PR later.
Can you say what you mean with "the part about flexibility" that is different from configurable params? I am not sure we are thinking of the same thing there.
What's more fundamental is the question of whether these parameters should be "blessed" by the Bitcoin Core project.
One could argue that there is no "blessing", because these snapshots can be objectively assessed. A snapshot hash is valid if and only if background validation yields the same result. Any other snapshot, if it somehow makes into the code, is either a bug or an exploit.
I would call it a "temporary blessing" if anything because it's really all about the time window before the background sync finishes. If users could wait for the background validation to complete, they would just be doing IBD.
It should be kept in mind that this was always the fundamental assumption (pun intended) of the project: the parameters in the code are a blessing just like the code itself is a blessing. If you trust the developers with a bitcoin core release and the code in it you can also trust them with the included chain params.
This makes this feature different from checkpoints in a fundamental way. A checkpoint can be abused to override the most-work valid chain. Once enough people honor it, it becomes a fait accompli because miners are incentivised to work on it - eventually making it the most-work chain. (after which it can be deleted, and people can pretend it never happened)
The same can't be achieved with an invalid snapshot. Such forgery can always be demonstrated as long as a single person has an archive of the blockchain all the way back to genesis.
Still, in a far future where perhaps few users actually perform the background validation, a technically sound argument may not matter in the political reality.
A thought experiment to clarify this. The US Treasury finally issues their one trillion dollar coin. They do so by creating their own UTXO snapshot and forcing maintainers to include it. To avoid a chain split existing nodes on the network, they don't actually move the coin, but borrow against it. A few generations go by, more and more nodes will have be reinstalled and synced based on this new snapshot.
If the government can force core developers to include any code they like, assumeutxo params or something else, the project is kind of lonst and people should resort to running forks instead. Creating coins out of thin air should still be easily detectable if some check the snapshot against their own node at a specific height, even if nobody has the full chain anymore. So I don't think assumeutxo itself adds a new attack vector here.
In this particular scenario I don't think it matters at all if the hash is part of chainparams or if it's flexible. But there may be a less extreme scenario's where it does. Which is why I think some discussion is warranted.
Meanwhile there is a major downside to not hardcoding the parameters, in that it makes the feature much harder to use. A user would have to find some place to download it, verify a hash and a PGP signature. It's less obvious how we could add p2p snapshot functionality later, because we have no hash to ask for and check against.
So on balance, because of the difference with checkpoints I explained above, my current thinking is that it's alright to include these params.
How frequently should we update testnet/signet params
Imo those params are only there to test the functionality. They don't need to be fresh. If the are nuked, we can add new params a year after the new genesis block (it's hard to test this feature if the snapshot is too close to the start of the chain).
Ok, that would work for me.
from bitcoin.
#28598 should be in critical
from bitcoin.
#28598 should be in critical
I considered this but so far it seems to me that all other reviewers of #28616 didn't see it as critical (myself included) or even doubted a fix was needed at all. Examples: #28616 (comment) and #28616 (comment). If there are more reviews/comments added that are in support of making it critical, or if I have missed comments in that direction from other contributors, please let me know and I will move it.
from bitcoin.
Related Issues (20)
- Standardize v0 witness outputs of any length HOT 2
- Testnet fixed seeds don't work HOT 6
- migratewallet: backup file has inconvenient name HOT 4
- Distinguish between bad-txns-inputs-missingorspent HOT 2
- .
- Current default settings are broken, some fix is needed HOT 8
- Sparrow Wallet Version 1.8.4 and Bitcoin Core: Issues Connecting HOT 3
- V2 Only Option HOT 15
- test: Intermittent issue in p2p_leak_tx.py in test_notfound_on_replaced_tx HOT 4
- none address HOT 3
- getrawtransaction returns data with no address for scriptPubkey HOT 1
- Disallow certain message types under BIP324 v2 transport HOT 2
- feature_asmap.py intermittent fail ( AssertionError: [node 0] Expected messages "['CheckAddrman: new 2, tried 2, total 4 started', 'CheckAddrman: completed']" does not partially match log:) HOT 4
- valgrind: Conditional jump or move depends on uninitialised value(s) HOT 20
- [tests] Race between test code and code in net thread HOT 2
- util-{util,wallet}: undefined reference to `evhttp_uridecode' HOT 2
- CFilters reject and disconnect peers with a valid block hash HOT 4
- 100,000โฏแนฉ/vB is excessive as a sanity check on feerate HOT 2
- More control of maintenance processes at startup/restart HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bitcoin.