-
Notifications
You must be signed in to change notification settings - Fork 385
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC2176: Update the redaction rules #2176
Conversation
looks plausible to me. sounds like we should get it out there in a room v6 sooner than later |
We probably need to get agreement on #1996 and matrix-org/matrix-spec#357 as a prerequisite here. If people have opinions on them, perhaps they could weigh in on the relevant bugs. |
For completeness, there is also some ongoing discussion as part of MSC1849/2154 about preserving |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm - I'm more torn on whether notifications
on power levels should be kept though.
fix typo Co-Authored-By: Kitsune Ral <[email protected]>
A quick note on some of my thinking here. As I see it, there is a scale between properties which we absolutely must preserve on redaction, for fear of breaking the protocol (mostly those involved in event auth), and those which have very little effect on the protocol at all so can safely be redacted. Somewhere in the middle we have things like I'm trying quite hard to limit the list of things that get preserved to things which completely break the protocol, rather than just things that are a bit annoying/surprising when you redact them, mostly to keep the server-server protocol as simple as possible. The fact that we have to bump the room version to change the redaction rules also means that it's really not great to have to keep adding new rules. Rather, I see it as the job of either clients (or, possibly, the C-S API) to protect you from foot-guns. All that said, there is room for debate on where different keys sit on that scale, and where we draw the line, but I'd like each candidate to be retained to be argued on its own merits. |
* the `notifications` key. Rationale: symmetry with the other `power_levels` | ||
settings. (Maybe? See | ||
https://github.com/matrix-org/matrix-doc/issues/1601#issuecomment-511237744.) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
m.room.encryption
's algorithm
should be preserved.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree. It doesn't change the behaviour of the room at the server-server level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But if we eventually have two algorithms rather than one how should a client treat m.room.encryption
with redacted algorithm?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But if we eventually have two algorithms rather than one
I don't think there is a way to end up with two encryption algorithms in the room state?
how should a client treat
m.room.encryption
with redacted algorithm?
The same way that they should treat a new m.room.encryption
event which disables encryption: with great suspicion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How are new clients to the room meant to do encryption if they don't know the algorithm?
Can we please relax the restrictions on what goes into the algorithm? It affects client authors too, and it's ridiculous to exclude something because it doesn't affect the core protocol operation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KitsuneRal: I think there might be a misunderstanding here.
there's no good way for a client to handle any readable content of the room once that state is broken
...
this room is irreparably broken along with all of its encrypted messages already in DAG.
m.room.encryption
is not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated once m.room.encryption
is redacted.
again - repeated encryption events are not proper
there is nothing wrong with repeated m.room.encryption
events?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
m.room.encryption
is not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated oncem.room.encryption
is redacted.
That's a pretty strong statement. Then what's the purpose of algorithm
there?
there is nothing wrong with repeated
m.room.encryption
events?
Except they should be treated with great suspicion because there's no defined semantics for any m.room.encryption
event except the first one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then what's the purpose of algorithm there?
It indicates to clients how they should encrypt messages in this room.
there's no defined semantics for any m.room.encryption event except the first one?
I don't think that's true. I can't find anything in the spec about this, but my mental model is that clients should keep a record of rooms which are encrypted (along with the encryption algorithm), and give the user a warning if they send a message in a room which was previously encrypted and is no longer (or if the encryption is 'weaker', for some handwavey definition of weaker).
But certainly it's valid for there to be multiple encryption events in a room, changing minor settings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's also the problem of clients joining a room which has a redacted encryption event: They won't have the prior knowledge that it was encrypted and will assume it's not.
ftr riot-web does exactly as you describe: it ignores changes to the encryption event it wasn't expecting.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've created https://github.com/matrix-org/matrix-doc/issues/2272 for clarifying the semantics of m.room.encryption
events. I'd suggest ignoring m.room.encryption
for the purposes of this MSC, and discussing in that issue for a future MSC, as I think that it's a larger issue that shouldn't hold this one up.
I've updated the MSC to (1) change the create event so that all keys are preserved, and (2) clarify that I don't think the Further input welcome... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo fixing - however, might be entirely unnecessary if we keep algorithm
around :)
Co-Authored-By: Travis Ralston <[email protected]> Co-Authored-By: Kitsune Ral <[email protected]>
Nothing else seems to be happening here, so I'd like to propose FCP: @mscbot fcp merge |
Team member @richvdh has proposed to merge this. The next step is review by the rest of the tagged people: No concerns currently listed. Once at least 75% of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
This went back to not having an assigned room version (pulled out of v10). |
This is now formally assigned to room version 11: #3820 |
Spec PR: matrix-org/matrix-spec#1604 |
Merged 🎉 |
Rendered.
Implementation: matrix-org/synapse#8984