The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #15481 (Restrict timestamp when mining a diff-adjustment block to prev-600 by TheBlueMatt)
• #15141 (Rewrite DoS interface between validation and net_processing by sdaftuar)
• #14954 (build: Require python 3.5 by MarcoFalke)
• #13868 (Remove unused fScriptChecks parameter from CheckInputs by Empact)
• #13541 (wallet/rpc: sendrawtransaction maxfeerate by kallewoof)
• #13533 ([tests] Reduced number of validations in tx_validationcache_tests by lucash-dev)
• #13360 ([Policy] Reject SIGHASH_SINGLE with output out of bound by jl2012)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

A small commit message typo: "eatuer_assumevalid" should be "feature_assumevalid" :-)

Given the issues with the mailing list, and the lack of a PR adding the BIP, I'm going to write some thoughts I have regarding the general idea of the proposal here. My apologies if this seems like the wrong forum.

I'm a bit surprised that the possibility of using forward blocks to achieve future scaling is not mentioned in the BIP or PR, since the absolute removal of the time-warp attack vector closes off the possibility of using the bug for forward- and backwards-compatible soft-fork scaling in the future, as I covered in my talk at Scaling Bitcoin last year.

While developing the idea of forward blocks I sent a vulnerability report email to some of the senior Bitcoin Core developers. In it I outlayed some analysis of the attack vectors, and a suggested solution which both prevents the sort of attacks which could be devastating to the network, while still allowing uses of the time-warp "feature" to achieve on-chain scaling when it becomes necessary at some point in the future. I'll quote that part of the email here:

...It turns out this is to the advantage of bitcoin users as the time warp is an integral part of how we can make a block size increase and/or PoW change without a hard fork, and thereby allow such proposals be decided on their own merits rather than as a yea or nay decision on hard forks generally.

...This is an issue that has been known about for some time and persists as unfixed because, as I understand it, the likelihood of attack was low and likelihood of coordinated user response high. And since ideas like Forward Blocks require the time-warp bug to achieve forwards-compatible scaling of settlement capacity, I would think it short sighted to advocate for "fixing" the bug now.

However in discussing forward blocks with another developer, I happened upon a solution that would allow for the worst scenarios to be avoided while not blocking off the later deployment of forward blocks: If the current block timestamp is more than 4 hours beyond the median time of the past 11 blocks, then the difficulty adjustment errors if the adjustment would exceed a smaller limiting factor than the normal +/- 4x. Specifically I recommend ensuring that the block timestamp is within the range [start + 600*2015 - 4800, start + 600*2015 + 4800]. 4800 = 80 * 60 = 1 hour 20 minutes. This would allow decreases in the inter-block time of no more than 12.6% the first year of purposeful adjustments, and is easy to implement.

(Potentially the lower limit could be removed as it would be nice for the difficulty to be able to quickly reset, but asymmetric adjustments have been a source of error in the past.)

This would prevent ... [censored bug disclosure] ... while still allowing a rate of growth for forward blocks or other proposals to that is conservative slow enough as to not cause catastrophic failure. Requiring the block timestamp to be 4 hours ahead of the median time past ensures this rule is very unlikely to be engaged during normal operation of a healthy network, for which normal [unconstrained] difficulty adjustments can still occur.

This approach additionally has the advantage of being less disruptive than what is implemented in this PR. No rule changes are engaged at all until such time as the adjustment block's timestamp is 4 hours ahead of median time past, so there is no risk to un-upgraded miners outside of a time-warp regime because a block more than 2 hours in the future is considered invalid. I think this modified rule would make it safe to switch to BIP8 instead of BIP9 for deployment.

This is not the appropriate forum for having that discussion. I'll include further motivation in the email to the mailing list, so lets wait for the mailing list to be online before we open it up further.

Ok, I hope you do (I'm not on the bitcoin mailing list).

@maaku e.a. FYI mailinglist threads:

• overall proposal
• OP_CODESEPERATOR discussion
• Sighash Type Byte

Can you split the soft-fork rules into separate commits, away from the activation logic? E.g. it's hard to spot the OP_CODESEPERATOR change if you're not familiar with #11423 that made it non-standard.

Shameless review plug for #12134, so we can test the interaction with older nodes.

Please tell me that we don’t have a bot that auto closes issues.

We do, but this one should stay open, @MarcoFalke.

I highly suggest you disable that functionality altogether. There is no circumstance where it should ever be used. Actual human maintainers need to be involved to evaluate whether issues have been fixed, or to explain a wontfix closure. Worse it drives contributors away: nothing is more frustrating and alienating than to submit an issue, have it sit for a while, then be robo-closed. There is absolutely no reason to have an issue-closing bot.

@maaku AFAIK DrahtBot does not close issues - only stale PR:s :)

I don't see the relevant difference. But anyway, this'll be my last comment on the matter.

This pull request is the wrong place for meta discussions. You can contact me directly or open a new issue if you have any concerns or suggestions for improvements.

The BIP needs cleanup, so no use leaving this open.