Bitcoin Governance

Remark 33.1 (Power Distribution)

No single stakeholder group can unilaterally change Bitcoin:

• Developers: Write code but cannot force adoption
• Miners: Produce blocks but users can reject them
• Users: Can reject rules by choosing validating software, but the power is effective only when coordinated with economically meaningful counterparties
• Economic nodes: Exchanges, custodians, merchants, and payment processors, whose validation choices determine which chain carries market liquidity
• Businesses: Influence but do not control rule changes

Durable consensus-rule changes require at least passive acceptance across the economically relevant parts of the network.

Remark 33.2 (Three Senses of "Consensus")

Before going further, a warning about the chapter's central word. In Bitcoin discourse "consensus" carries three incompatible meanings, and this book has already used two of them:

1. Consensus rules (the technical sense): the validation predicate of Definition 13.18, the rules of Definition 16.1 and Appendix D. A precise, falsifiable property of software.
2. Near-unanimity (the social sense): no significant stakeholder objects. This is what "rough consensus" (Definition 33.4 below) approximates.
3. General agreement (the loose sense): most participants, perhaps weighted by some unstated notion of expertise or stake, are in favor.

The ambiguity is exploitable. The claim "we don't have consensus" can block a proposal while committing to nothing: it may mean the rules forbid it (sense 1, checkable), that identified stakeholders object (sense 2, answerable), or merely that someone, somewhere disagrees (sense 3, unfalsifiable). A speaker who never specifies which sense is meant cannot be refuted, which gives the unqualified word much of its rhetorical force. The remedy is terminological discipline: say consensus rules for sense 1, non-contentious for sense 2, and general agreement for sense 3. When someone asserts that consensus exists or is lacking, the first question is which kind is meant. This book uses "consensus" unqualified only in the technical sense.

Remark 33.3 (Social Consensus Signals)

Social consensus is observed through:

• Mailing list discussion: bitcoin-dev list debates
• Implementation: Multiple independent implementations
• Testing: Deployment on testnet/signet
• Support statements: Companies and developers
• Futures markets: Price signals for contentious forks (where liquid markets exist)

Each of these signals is read off a venue, and every venue has an operator: mailing lists are moderated, conference programs are curated, and platform feeds are ranked. An observation of social consensus therefore inherits the admission rules of the channel through which it was observed.

Remark 33.4 (The "Ossification" Debate)

A growing tension in Bitcoin governance:

• Pro-change (common among application and Layer 2 developers): Bitcoin needs features (covenants, etc.) to remain competitive
• Pro-stability (common among long-term holders and some senior contributors): Changes risk breaking what works; ossification protects value
• Middle ground: Only changes with near-unanimous support

Participants across the debate describe the threshold for activating changes as having risen since 2017 (four years between SegWit and Taproot; none since).

Remark 33.5 (MASF vs UASF)

Two philosophical approaches to activation:

Miner Activated Soft Fork (MASF):

• Miners signal readiness
• Activation at threshold (e.g., 95%)
• Risk: miners can block upgrades

User Activated Soft Fork (UASF):

• Users set flag day activation
• Miners must comply or risk invalid blocks
• Risk: chain split if miners resist

Remark 33.6 (The Developer-Power Critique)

Critics, from legal scholars such as Angela Walch to veterans of the block size war, argue that the formal power map of Remark 33.1 understates developer influence. Maintainers control commit access to the software the economy runs by default, and, they argue, defaults are sticky: "users can reject a release" is true in principle but rarely exercised. On this account, agenda setting (which proposals receive review at all) is itself a form of power, and contributor funding is concentrated among a handful of sponsors. On this view, Section 33.9's code-as-specification argument cuts against the standard rebuttal (Remark 33.7) rather than for it: if the rules are the code, those who write the code write the rules. Walch presses the point furthest, arguing that core developers function as de facto fiduciaries, exercising trusted power without accountability. The rebuttals follow.

Remark 33.7 (Core is Not Bitcoin)

The standard rebuttal holds that Bitcoin Core has significant influence but not control: users can run alternative implementations, fork the code, or reject a release, and core contributors cannot unilaterally change the consensus rules. The rejection option is not merely theoretical: forks of Core carrying contested consensus changes (the clients of Examples 27.1–27.3) failed to attract economic adoption despite substantial miner and business support, and the 2025 relay-policy migration (Example 33.6) shows node operators switching implementations over a default.

Remark 33.8 (Core Development Process)

Bitcoin Core changes require:

• Pull request with clear rationale
• Review by multiple contributors
• Testing and QA
• Concept ACK → Approach ACK → Code review ACK
• Merge by maintainer after sufficient review

Consensus changes require much more scrutiny than other PRs.

The Release Pipeline

Between the repository and the network sits one further mechanism: releases are built reproducibly (the Guix build system), so that anyone can compile the source and verify that the published binaries match it, and release binaries are signed by multiple parties whose keys are public. Verification is open to anyone; it is one of the few checks in this chapter that requires trusting no group at all, only performing the check.

Properties Bitcoin Governance Tends to Protect

Observation across the episodes of this chapter: Bitcoin governance tends to protect a small set of properties:

• 21 million cap: Fixed supply, no inflation
• Censorship resistance: Anyone can transact
• Permissionless: No gatekeepers
• Decentralized: No single point of control
• Sound money: Predictable monetary policy

Remark 33.9 (Schelling Point Preservation)

Bitcoin's value partially derives from being a Schelling point:

• The default choice for "cryptocurrency"
• The coordination point for sound money
• Changes risk disrupting this coordination

This creates strong pressure toward conservatism.

Remark 33.10 (Open Questions)

Bitcoin governance faces unresolved challenges:

• Covenant activation: CTV/CAT debate ongoing
• Developer funding: How to sustain contributors
• Quantum resistance: Future necessity, timing unclear
• Fee market: Long-term security budget
• Ossification: When/if to "freeze" the protocol

Remark 33.11 (Governance Evolution)

Bitcoin's governance has evolved:

• 2009-2014: Satoshi-led, then core developers
• 2015-2017: Contested, stakeholder conflict
• 2017-present: Higher bar for changes after the contested SegWit activation
• Future: Contested (Remark 33.4)

Remark 33.12 (Code as Specification)

Section 13.10 defined validation as a pure predicate V(C, B). The specification problem is that no canonical statement of V exists apart from implementations of it. The BIPs describe individual rule changes, but no BIP, and no combination of BIPs, describes the complete predicate; large parts of it (the original rules, accumulated bug-for-bug behaviors, serialization edge cases) are documented nowhere except in code. The practical consequence: "valid" means "accepted by the software the economy runs," and a consensus bug, once economically relied upon, can become indistinguishable from a rule.

Remark 33.13 (The Client Diversity Dilemma)

The specification problem shapes the debate over implementation diversity. With a single dominant implementation, its bugs are uniform: everyone accepts and rejects the same blocks, so latent rule-defects do not split the network, but the project inherits a monoculture's fragility and concentrates de facto rule-setting power (Section 33.5). With many independent implementations, no single codebase defines the rules, but any disagreement between them, however obscure, is a chain split waiting for an adversary to trigger it. Without an authoritative specification to converge on, diversity trades one systemic risk for another.

Remark 33.14 (Toward Executable Specifications)

The emerging response is to make the specification executable: a statement of V precise enough to run, so that "spec" and "implementation" cannot drift apart. Efforts span a spectrum. Bitcoin Core's libbitcoinkernel project extracts the consensus engine from the rest of the node, so that one well-reviewed artifact can serve many clients. Declarative approaches, such as the Hornet DSL (Sharp, 2025), go further, restating the validation pipeline of Definition 13.19 as pure, deterministic, height-tagged rule functions with no side effects, verified against existing implementations by large-scale differential testing rather than formal proof. Whether any such artifact ever becomes normative is itself a governance question: a specification only specifies if the economy treats divergence from it as a bug rather than a rule change.