Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC2781: Remove the reply fallbacks from the specification #2781

Merged
merged 27 commits into from
Nov 5, 2024
Merged

MSC2781: Remove the reply fallbacks from the specification #2781

Changes from 1 commit
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
6868738
MSC2781: Down with the fallbacks
deepbluev7 Sep 18, 2020
8d8b38d
Add a note about dropping the html requirement
deepbluev7 Sep 18, 2020
94cffdc
Add an unstable prefix for removed fallbacks.
deepbluev7 Sep 18, 2020
18a2732
Add a section about fallbacks not being properly specified.
deepbluev7 Sep 18, 2020
8e7c44b
Add appendix about which clients do not support replies (and why, if …
deepbluev7 Oct 1, 2020
ff76870
Correct weechat status
deepbluev7 Oct 1, 2020
74dc8d8
Add another alternative
deepbluev7 May 10, 2021
c8e4377
Document a few more issues with fallbacks
deepbluev7 May 10, 2021
7caeb62
Update client status, remove proposal for edits and try to turn down …
deepbluev7 Jan 14, 2022
1539dcd
Remove mistaken reference to the Qt renderer
deepbluev7 Jan 14, 2022
98df79d
Try to make motivation a bit clearer in the proposal
deepbluev7 Jan 14, 2022
b05e0a2
How do anchors work?
deepbluev7 Jan 14, 2022
60c33c3
Drop reference to issues with edit fallbacks
deepbluev7 Jan 14, 2022
838f0ce
Typos
deepbluev7 Jan 14, 2022
2380162
Address review comments
deepbluev7 Jan 19, 2022
c604999
More edits
deepbluev7 Jan 19, 2022
2a55bc1
Implementation traps
deepbluev7 Jan 19, 2022
892664b
Apply suggestions from code review
deepbluev7 Jan 20, 2022
52fd929
Add dates to client status list
deepbluev7 Jan 20, 2022
6983fde
Mention pushrules proposal in the alternatives section
deepbluev7 Jan 21, 2022
1d18857
Update proposal to 2024
deepbluev7 Jun 2, 2024
cbeb4e0
Be explicit about removal
deepbluev7 Jun 2, 2024
a66f24d
Apply suggestions from code review
deepbluev7 Jun 25, 2024
23dd267
Apply suggestions from code review
deepbluev7 Jun 25, 2024
1ad224e
Update proposals/2781-down-with-the-fallbacks.md
deepbluev7 Jun 25, 2024
2da1ac7
Apply suggestions from code review
deepbluev7 Oct 1, 2024
5c9de13
Simplify wording around invalid html and potential issues
deepbluev7 Oct 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 61 additions & 47 deletions proposals/2781-down-with-the-fallbacks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,61 +1,72 @@
# MSC2781: Remove reply fallbacks from the specification

Currently replies require clients to send and parse a fallback representation
of the replied to message. While at least in theory fallbacks should make it
simpler to start supporting replies in a new client, they actually introduce a
lot of complexity and implementation issues and block a few valuable features.
This MSC proposes to deprecate and eventually remove those fallbacks. It was an
alternative to [MSC2589](https://github.com/matrix-org/matrix-doc/pull/2589),
which chose a different representation of the reply fallback, but was
ultimately closed in favor of this proposal.
Currently the specification suggest clients should send and strip a
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved
[fallback representation](https://spec.matrix.org/v1.10/client-server-api/#fallbacks-for-rich-replies)
of a replied to message. The fallback representation was meant to simplify
supporting replies in a new client, but in practice they add complexity, are
often implemented incorrectly and block new features.

This MSC proposes to deprecate and eventually remove those fallbacks.

Some of the known issues include:
* The content of reply fallback is [untrusted](https://spec.matrix.org/v1.10/client-server-api/#stripping-the-fallback).
* Reply fallbacks may leak history. ([#368](https://github.com/matrix-org/matrix-spec/issues/368))
* Parsing reply fallbacks can be tricky. ([#350](https://github.com/matrix-org/matrix-spec/issues/350))
* It is unclear how to handle a reply to a reply. ([#372](https://github.com/matrix-org/matrix-spec/issues/372))
* Localization of replies is not possible when the content is embedded into the event.
* It is not possible to fully redact an event once it is replied to, this causes both trust & safety and right to be forgotten issues.
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved
* There are a variety of implementation bugs related to reply fallback handling.

More details and considerations are provided in the appendices, but these are
provided for convenience and aren't necessary to understand this proposal.

## Proposal

Remove the [rich reply fallback from the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking concern for FCP finish: I don't think we can jump to removal, but we can deprecate and say "Clients SHOULD NOT send fallback", for example. A later MSC would be capable of fully removing the fallback.

The spec would read something like:

Clients SHOULD NOT send fallback representation, but SHOULD attempt to parse it intelligently when provided (detected by the presence of <mx-reply />). The fallback representation is as follows: [...]

Later, when removed and clients have had a chance to fully see the transition, an MSC to remove the fallback completely can be FCP'd. The spec after that change would likely just be a note block saying "There used to be a fallback representation, but not anymore. Click [here] to see it.".

This is all as required under the deprecation policy: https://spec.matrix.org/v1.10/#deprecation-policy

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree, that a separate deprecation period is necessary. The behaviour was already made optional since version 1.3. As such clients should already be able to deal with not receiving a fallback. For that reason I think just mentioning the change in an INFO box should be sufficient.

For receiving clients there is no difference between a client, that stops sending a fallback because of a "SHOULD NOT" or the spec not mentioning that clients should or should not send a fallback at all. For the sending client this only adds confusion without any substantial benefit imo.

Also on the receiving end missing fallbacks need to be supported already today (since 1.3). As such there isn't really a change in behaviour, just the frequency of such events. Again, pointing out the change in an INFO box would be helpful, but a deprecation period would just add additional process overhead.

So to summarize, I don't think the deprecation policy applies here and to respect the time of everyone involved, I deem an additional MSC to then remove the behaviour as unnecessary. The actual implementation in the specification might be a bit more sophisticated, but I do believe sending reply fallbacks should be removed now.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you may be talking about two slightly different things here: it's a given that clients need to support them not being there. The question is whether the text of the next few versions of the spec needs to describe a thing that was previously in it but is now no longer recommended.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dbkr I think the spec should stop suggesting that reply fallbacks are used in replies. I think that should just be historical information as we do for historical mxids, m.room.aliases rX.Y.Z spec versions and unamespaced tags for example, since those can still appear and client authors need to be aware of that. I don't think any of those had a deprecation period either and some of those are arguably higher impact.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of those examples are from a time before the deprecation policy was enacted in Matrix 1.1, fwiw. This MSC introduces a technically breaking change to clients, which necessitates deprecation first at a minimum. The spec instructs clients which do support rich replies on how to handle the fallback (strip it), and implies that the module is optional. By removing the fallback, we're saying that clients must support rich replies in order to maintain conversation context - something which is currently optional (and not even a SHOULD optional).

The MSC addresses the context piece a bit, but doesn't address the breaking change. As such, this needs to go through deprecation first to manage the breaking change, then removal at least 1 version later as per the policy. This does add additional overhead - feedback regarding that is best placed in a dedicated MSC which aims to change the deprecation policy.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This MSC introduces a technically breaking change to clients

..but it doesn't. Clients have to handle the fallback not being there. It does not meet the bar for a "breaking change".

I would strongly advocate a nuanced approach here, on a case-by-case basis (which honestly isn't hard given the amount of attention MSCs get). In this particular case, because the functionality was optional, there is little benefit to dragging this process out any longer than needed, particularly given the security impacts of reply fallbacks. Having them in the ecosystem any longer than necessary is just untenable, especially if it's just due to bureaucracy rather than any technical/security/social reasons.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels like it's become a circular argument with no conclusion. Other members of the SCT are encouraged to weigh in on this, as I'm unconvinced that this MSC can go through as-is.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since clients already need to handle the fallback not being there then I think it is fine to remove it with a historical reference to strip the content.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The question in my mind is: what are the benefits to the ecosystem by having a deprecation period? What would materially change if we marked these APIs as deprecated?

Naively I would have thought that the only action client authors would need to take was to ensure that they handled the absence of the fallback correctly. Given its has been optional since 1.3 this should be a no-op for client implementers.

However, having a deprecation policy will flag two things to client develops:

  1. They really do need to make sure they correctly handle replies without fallback. There is a difference between clients theoretically supporting lack of fallback and them actually supporting it.
  2. They may want to ensure that the UX without fallback is still good. This is a transition from being able to mostly be able to rely on there being a fallback most of the time, to there never being one.

Personally, I think if we're relatively confident that most clients already deal correctly with the above its OK to skip the deprecation period. I'm in no position to judge the client situation though.

Otherwise, the safest option would be to do a short deprecation period, though I would advocate for not requiring a new MSC and instead simply have this MSC say "fallback will be deprecated in the next release, and removed the release after (unless the SCT hear enough negative feedback to delay)". If push comes to shove we can always do a one-line MSC to change that.

In terms of getting this over the line, I'll try and poke internally to get a conclusion on this.

TL;DR: My instinct is let's skip if we're confident that the vast majority of the client ecosystem would not benefit from a deprecation period, but if not let's just do a quick deprecation period and slate the removal in this MSC.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having talked this through: the SCT believes that we should skip the deprecation period for this one. This is mainly due to the fact that reply fallbacks are already optional and we believe all the clients that are going to implement handling of proper replies have already done so, so we there is no benefit to doing a deprecation period.

specification](https://spec.matrix.org/v1.1/client-server-api/#fallbacks-for-rich-replies).
specification](https://spec.matrix.org/v1.10/client-server-api/#fallbacks-for-rich-replies).
Clients should stop sending them and should consider treating `<mx-reply>` parts
as either something to be unconditionally stripped or as something to be escaped
as invalid html. Clients may send replies without a formatted_body now using
arbitrary message events (not state events), which is currently still disallowed
by the
[specification](https://spec.matrix.org/v1.1/client-server-api/#rich-replies).
as invalid html.

As a result of this, you would be able to reply with an image. New clients
would also be able to implement edits and replies more easily, as they can
sidestep a lot of pitfalls.
Clients are not required to include a fallback in a reply since version 1.3 of
the
[specification](https://spec.matrix.org/v1.10/client-server-api/#rich-replies).
For this reason the reply fallbck can be removed from the specification without
any additional deprecation period.
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved

An info box should be included to mention the historical use of the reply
fallback, suggesting that clients may encounter such events sent by other
clients and that clients may need to strip out such fallbacks.
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved

Given clients have had enough time to implement replies completely, the
overall look & feel of replies should be unchanged or even improved by this
proposal.
proposal. Implementing replies in a client should also be a bit easier with this
change.

An extended motivation is provided at [the end of this document](#user-content-appendix-b-issues-with-the-current-fallbacks).

## Potential issues

Obviously you can't remove the fallback from old events. As such clients would
still need to do something with them in the near future. I'd say just not
handling them in a special way should be okay after some unspecified period of
time.

Clients not implementing rich replies or edits may show some slightly more
confusing messages to users as well. I'd argue though that in most cases, the
reply is close enough to the replied to message, that you would be able to guess
the correct context. Replies would also be somewhat easier to implement and
worst case, a client could very easily implement a little "this is a reply"
marker to at least mark replies visually. Not having a reply fallback might also
prompt some clients to implement support for rich replies sooner. Users will now
complain about no context. Previously there was some context for replies to text
messages, which made it easy to accept the solution as good enough. However the
experience with replies to images was not acceptable. Motivating clients to
implement rich replies is a good thing in the long run and will improve the
Matrix experience overall.

You might not get notifications any more for replies to your messages. This was
a feature of the reply fallback, because it included the username, but users had
no control over it. Notifications can be added back by an MSC like
[MSC3664](https://github.com/matrix-org/matrix-doc/pull/3664) or a similar
proposal and give the user more control over the notifications while also being
an explicit solution.
Old events and events sent by clients implementing an older version of the
Matrix specification might still contain a reply fallback. So for at least some
period of time clients will still need to strip reply fallbacks from messages.

Clients which don't implement rich replies or edits may see messages
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved
without context, confusing users. However, most replies and edits are
in close proximity to the original message, making context likely to be
nearby. Clients should also have enough information in the event to
render helpful indications to users while they work on full support.

Clients which aren't using
[intentional mentions](https://spec.matrix.org/v1.7/client-server-api/#mentioning-the-replied-to-user)
may cause some missed notifications on the receiving side.
[MSC3664](https://github.com/matrix-org/matrix-doc/pull/3664) and similar aim to
address this issue, as
deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved
[MSC4142](https://github.com/matrix-org/matrix-spec-proposals/pull/4142) tries
to improve the intentional mentions experience for replies generally.
Because intentional mentions are already part of the Matrix specification since
version 1.7, clients can be expected to implement those first, which should make
the impact on notifications minimal in practice.

## Alternatives

Expand Down Expand Up @@ -84,6 +95,12 @@ other cases this should **reduce** security issues (see
https://github.com/vector-im/element-web/releases/tag/v1.7.3 or the appendix for
examples).

## Unstable prefix

No unstable prefix should be necessary as clients aren't required to send reply
fallbacks for all messages since version 1.3 of the Matrix specification, which
changed the wording from "MUST" to "SHOULD".

## Appendix A: Support for rich replies in different clients

### Clients without rendering support for rich replies
Expand Down Expand Up @@ -210,6 +227,9 @@ leak data to users, that joined this room at a later point, but shouldn't be
able to see the event because of visibility rules or encryption. While this
isn't a big issue, there is still an issue about it: https://github.com/matrix-org/matrix-doc/issues/1654

deepbluev7 marked this conversation as resolved.
Show resolved Hide resolved
This history leak can also cause abusive or redacted messages to remain visible
to other room members, depending on the client implementation of replies.

Historically clients have also sometimes localized the fallbacks. In those cases
they leak the users language selection for their client, which may be personal
information.
Expand Down Expand Up @@ -259,9 +279,3 @@ experience for casual users in non-english speaking countries. The specification
currently requires them to not be translated (although some clients don't follow
that), but not sending a fallback at all completely sidesteps the need for the
spec to specify that and clients relying on an english only fallback.

## Unstable prefix

Clients should use the prefix `im.nheko.msc2781.` for all their event types, if
they implement this MSC in a publicly available release or events may otherwise
bleed into public rooms.