Since GMaxwells ignore system doesn't seem to be functioning, I may address that when I have more time but in the meantime....

I have no idea what "rbtc" is. Searches yield mainly bible groups, so I've really no idea what is being referenced.

The linked document by tertius993 gives 4 benefits.

1. Wallet authors tracking spent bitcoins
According to GMaxwell no one cares, apparently.

2. Anyone spending unconfirmed transactions
This was never a good idea and has always been stated that 6 confirmations is the bare minimum and use zero at your own risk. It is an obvious area for improvement but segwit just offloads the risk to a third party like any side-chain as was intended in the original design.

3. The Lightning Network
Of course.

4. Anyone using the block chain
This is just a sales pitch. At best it is a corollary of #1 without explicit definition.

#1 & #4, if we take these as read, are saying that having an immutable txID has benefits (IMO, malleable TxID was a bug).
#3 was a design decision and the usual retort to things like that from the eminent legendaries is "go make your own alt-coin".

None of them are peculiar to SegWit but #3 requires it.

Can't we add callbacks or events to the core (like On_Receive etc) so that we can create our own filters and stream them to our applications?

Security is a trade-off between complexity and convenience. Binary arguments about security mean that your data might never get stolen but no-one uses the software - just ask PGP.

My opinion is that brain wallets aren't the most secure but they are secure enough for many non technical users. If it is a commercial service that is being offered then there are other measures to mitigate the risk of loss like insurance-an admission that it can occur and allow compensation according to risk probability.

Are you referring to
I would have gone for |r| and |s| personally so no explicit rejection would be required. I wasn't sure that N-s was negative for all values of N, though. However. If you are happy the solution then I am happy that both DER encoding and ECDSA malleability are already addressed and not usable as a "malleability fix" argument for SegWit.

I beg to differ. It would be a side-chain if the changes weren't being implemented. I do indeed know nothing about LN. I don't care how it uses SegWit in a similar way that I don't care how coloured coins use Bitcoin- I am only interested in bitcoin and its SegWit solution. The driver for SegWit seems to be purely LN so that is political rather than technical driver and that worries me. Are you going to go as far as saying LN is Bitcoin 2.0?

1. I disagree. I have already outlined (albeit vaguely) several solutions. You want a txID not fixed to a signature. This isn't rocket science.
2. It is the architecturally correct solution for outsourcing the txID generation-that's it. If you are going to do that, then make it a plugin module then it doesn't need to be in Bitcoin at all and anyone can use their own, including legacy (maybe a default module). It is a poor solution just for malleability and a straight-jacket for txID generation.
 
I agree entirely. We only disagree that SegWit is the optimal solution.

Ad hominem response that adds nothing and addresses nothing. I expect better.

Source. (My emphasis)

I knew there was more to this than a "malleability  fix".


OK. So the whole codebase has been modified to account for this one side-chain, the reason being that if affords confidentiality for LN and to no-one else. For this reason alone it is cancer.

Now. It is certainly desirable to fix malleability and even allow side-chains to use the BC for their own back end systems. The proper way would be to allow others to plug-in a module at run-time so that anyone could create their own plugin module and distribute it with their wallet software. Hell. You could even support an unlimited number of "variants" from Bitcoin Core. LN could then have created a specific plugin for their wallets. As it happens, I've wanted the reference software to go down the plugin path for quite some time (the address creation, hash used, the mining method etc) but it is clear that is just a pipe-dream.

It seems to me that should this go live, then LN will be the only side-chain worth using with guarantees of confidentiality and everyone else has to wash all their clothes in public. Is this the case?

Of course. I have already said it was an "umbrella term" to which amacilin picked one and I specifically gave him a solution to that. I also mentioned  hashing the final stack which would fix:

• Superfluous scriptSig operations
• Inputs ignored by scripts
• Sighash flags based masking
• Non-push operations in scriptSig

The DER encoding is a consensus issue since OpenSSL accepts BER and DER (DER being a subset of BER). Pre-checking before passing to OpenSSL is trivial.

The point is that malleability is an edge case symptom that can be solved without adding a lot more complexity. There is a lot more to this SegWit proposal than we are being told.

Sure, because distinguishing between  σ = (r,s) and σ'= (r,N − s) is just too hard for bitcoin, eh?  
Ripple uses (r,s) < (r,N − s)?  (r,s):(r,N − s)

You need to re-read the post.

Of course. "Malleability" is an umbrella term for multiple issues that affect corner cases. For example. The script is hashed then signed causing a different hash if the instructions are changed but, never the less, yield the same result. The solution to this aspect, I believe, is to hash the final stack instead of the current method.

OK. Lets consider a trivial example/case.....

Let our message be a terse one of:
  Where "Text" is expected to be an ASCII string and "Sig" is expected to be an MD5 hash of the message represented in hex.

1: We create a message

2. We now find the MD5 of the entire message which gives us C9D4C59A1FEBA4D1BFE1ECE1EE7269B0. (I've included the brackets and quotes just because of copy and paste)

3. We insert the code back into the message and send - yielding

To check the sig we simply replace the sig field with zeros as before, calculate the MD5, and check against the original value in the sig field.

This seems far from "impossible".

Exactly. So one can create a signed hash if the definition is as you describe - a two step process.

This argument is also used for "scriptSig" - .
Other signing protocols do exactly this by signing messages with a "placeholder" field and then inserting the hash afterwards.

I keep seeing the main justification for SegWit being that it solved the sighash problem, where it ends with a hand-wave of "The signature script contains the secp256k1 signature, which can’t sign itself"

Can someone explain to me why it can't sign itself? (preferably with an example)

Because LevelDB is not ACID compliant and prone (read, renowned for) corrupting the DB. This is why we are being told to back up the chain, make copies etc. Bitcoin should be using an ACID compliant DB and the only one that gets close to the performance of a Key/Value DB for sequential access is SQLite. Plus, one has other niceties like live backup and in memory attached DBs.

Any side-chain can do that and it wouldn't need to modify the bitcoin protocol. So. As a maleability "fix" it's a bit of a sledgehammer to crack a nut with a rather large cost in data storage and distribution. The question is then; why is the tail wagging the dog?

The fact that pruning exists at all is an admission that block chain size matters. We do indeed complain that it is not possible to run a full node on average systems. Pruning doesn't solve the problem, it just kicks it down the road.

You need the network to store the entire history - preferably with redundancy. It is not necessary for all nodes to keep all blocks. The current system is the trivial solution, not the only solution.

Oh. Boo hoo. Those poor miners starving on the streets might have to do a little more work to maximise their profits.  The difficulty will adjust to any more work required or they will just throw more hardware at it. This is a non-argument since they are just doing what miners do. Maybe more importantly, the miners will have to switch from maximising coin collection to maximising fees at some point anyway. This is a bait and switch from full nodes to miners (not the same thing at all) in an attempt to bolster the argument.

Oh You mean those not in data-centers? This is the argument against centralisation for the current mining regime  regardless of distribution mechanisms.

Complete speculation. Even an Arduino could process a block in less than 10 minutes.

No maximum limit. The trade-off between amount of fees (bigger blocks, more fees collected) and the competition to be first on the block chain (hashing efficiency and transmission) will yield an optimum block size depending on the miners' capabilities - no fixed block size! Of course. This destroys the fake scarcity introduced by the economists since all transactions can be catered for.

I propose a minimum block size of 1MB with an unbounded maximum.

This post is the epitome of arrogance and the irony is spectacular. Maybe achow101 should take you aside and teach you how to play nice with us remedial kids.

Kano raised concerns. You can allay or confirm those concerns or just not answer. I would prefer the former but would be just as happy with the latter.

Rollback is a bit of a red herring for an immutable block chain. Just store everything, good or bad, and adjust the query.

SQLite also has the ability to treat multiple, separate database files as a single database at run-time (max 64). One could create separate DB files for working DB and historical but I don't even see the need for that.

BTW. SQLite can insert 1,000,000 records in under 10 secs and wipes the floor with My/MSSQL and Postgres in terms of performance. What it doesn't have is authentication so the others are a better choice for web servers.

Thinking a little more about this. It would actually solve the block size issue.

So. Instead of an incrementing counter being used to generate a new hash of the transactions on each round. The counter is removed and the order or number of transactions is changed. Although a minimum block size of 1MB could be retained for spam protection, miners would be free to use an unlimited block size. In reality there would be an optimum based on the technology used, the fees and the method (reorg/add).

It could also be argued, that miners are incentivised to use larger than 1MB blocks to gain more fees (higher tx throughput) and the spam could become valuable, in the absence of larger paying transactions, to generate their hashes. The minimum 1MB block could no longer be required except for a guaranteed minimum throughput. Miners could become ravenous for any transaction including those that are zero fee.

Of course. This would require a hard-fork and obviate all current ASIC miners  

If it can be programmed then it is not "Application Specific". It is not a relative term at all.
FPGAs blur the boundary slightly but are still not considered ASICs. FPGAs are often used to prototype ASIC designs.

One wouldn't have to synch the whole chain. Only back to the old checkpoint (which is already verified back to the genesis block from the initial start).

The incentive is that the on-disk size is less than 1GB regardless of total chain size.