MSC2176: Update the redaction rules #2176
Conversation
|
looks plausible to me. sounds like we should get it out there in a room v6 sooner than later |
|
We probably need to get agreement on #1996 and matrix-org/matrix-spec#357 as a prerequisite here. If people have opinions on them, perhaps they could weigh in on the relevant bugs. |
|
For completeness, there is also some ongoing discussion as part of MSC1849/2154 about preserving |
fix typo Co-Authored-By: Kitsune Ral <[email protected]>
|
A quick note on some of my thinking here. As I see it, there is a scale between properties which we absolutely must preserve on redaction, for fear of breaking the protocol (mostly those involved in event auth), and those which have very little effect on the protocol at all so can safely be redacted. Somewhere in the middle we have things like I'm trying quite hard to limit the list of things that get preserved to things which completely break the protocol, rather than just things that are a bit annoying/surprising when you redact them, mostly to keep the server-server protocol as simple as possible. The fact that we have to bump the room version to change the redaction rules also means that it's really not great to have to keep adding new rules. Rather, I see it as the job of either clients (or, possibly, the C-S API) to protect you from foot-guns. All that said, there is room for debate on where different keys sit on that scale, and where we draw the line, but I'd like each candidate to be retained to be argued on its own merits. |
| * the `notifications` key. Rationale: symmetry with the other `power_levels` | ||
| settings. (Maybe? See | ||
| https://github.com/matrix-org/matrix-doc/issues/1601#issuecomment-511237744.) | ||
|
|
There was a problem hiding this comment.
m.room.encryption's algorithm should be preserved.
There was a problem hiding this comment.
I disagree. It doesn't change the behaviour of the room at the server-server level.
There was a problem hiding this comment.
But if we eventually have two algorithms rather than one how should a client treat m.room.encryption with redacted algorithm?
There was a problem hiding this comment.
But if we eventually have two algorithms rather than one
I don't think there is a way to end up with two encryption algorithms in the room state?
how should a client treat
m.room.encryptionwith redacted algorithm?
The same way that they should treat a new m.room.encryption event which disables encryption: with great suspicion.
There was a problem hiding this comment.
How are new clients to the room meant to do encryption if they don't know the algorithm?
Can we please relax the restrictions on what goes into the algorithm? It affects client authors too, and it's ridiculous to exclude something because it doesn't affect the core protocol operation.
There was a problem hiding this comment.
@KitsuneRal: I think there might be a misunderstanding here.
there's no good way for a client to handle any readable content of the room once that state is broken
...
this room is irreparably broken along with all of its encrypted messages already in DAG.
m.room.encryption is not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated once m.room.encryption is redacted.
again - repeated encryption events are not proper
there is nothing wrong with repeated m.room.encryption events?
There was a problem hiding this comment.
m.room.encryptionis not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated oncem.room.encryptionis redacted.
That's a pretty strong statement. Then what's the purpose of algorithm there?
there is nothing wrong with repeated
m.room.encryptionevents?
Except they should be treated with great suspicion because there's no defined semantics for any m.room.encryption event except the first one?
There was a problem hiding this comment.
Then what's the purpose of algorithm there?
It indicates to clients how they should encrypt messages in this room.
there's no defined semantics for any m.room.encryption event except the first one?
I don't think that's true. I can't find anything in the spec about this, but my mental model is that clients should keep a record of rooms which are encrypted (along with the encryption algorithm), and give the user a warning if they send a message in a room which was previously encrypted and is no longer (or if the encryption is 'weaker', for some handwavey definition of weaker).
But certainly it's valid for there to be multiple encryption events in a room, changing minor settings.
There was a problem hiding this comment.
There's also the problem of clients joining a room which has a redacted encryption event: They won't have the prior knowledge that it was encrypted and will assume it's not.
ftr riot-web does exactly as you describe: it ignores changes to the encryption event it wasn't expecting.
There was a problem hiding this comment.
I've created https://github.com/matrix-org/matrix-doc/issues/2272 for clarifying the semantics of m.room.encryption events. I'd suggest ignoring m.room.encryption for the purposes of this MSC, and discussing in that issue for a future MSC, as I think that it's a larger issue that shouldn't hold this one up.
|
I've updated the MSC to (1) change the create event so that all keys are preserved, and (2) clarify that I don't think the Further input welcome... |
turt2live
added
the
unassigned-room-version
Co-Authored-By: Travis Ralston <[email protected]> Co-Authored-By: Kitsune Ral <[email protected]>
|
Nothing else seems to be happening here, so I'd like to propose FCP: @mscbot fcp merge |
|
Team member @richvdh has proposed to merge this. The next step is review by the rest of the tagged people: No concerns currently listed. Once at least 75% of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
mscbot
added
the
proposed-final-comment-period
turt2live
removed
the
unassigned-room-version
turt2live
added
the
unassigned-room-version
|
This went back to not having an assigned room version (pulled out of v10). |
turt2live
added
the
requires-room-version
turt2live
added
the
blocked
turt2live
removed
blocked
|
This is now formally assigned to room version 11: #3820 |
|
Spec PR: matrix-org/matrix-spec#1604 |
turt2live
added
spec-pr-in-review
|
Merged 🎉 |
turt2live
added
merged
Rendered.
Implementation: matrix-org/synapse#8984