Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3757: Restricting who can overwrite a state event #3757

Open
wants to merge 39 commits into
base: main
Choose a base branch
from

Conversation

andybalaam
Copy link
Member

@andybalaam andybalaam commented Mar 25, 2022

@andybalaam andybalaam changed the title Restricting who can overwrite a state event MSC3757: Restricting who can overwrite a state event Mar 25, 2022
@turt2live turt2live added requires-room-version An idea which will require a bump in room version proposal-in-review proposal A matrix spec change proposal s2s Server-to-Server API (federation) client-server Client-Server API unassigned-room-version Remove this label when things get versioned. kind:core MSC which is critical to the protocol's success needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. labels Mar 25, 2022
@gleachkr

This comment was marked as duplicate.

Copy link
Contributor

@ShadowJonathan ShadowJonathan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit, else this looks sound.

@jplatte jplatte mentioned this pull request Apr 4, 2022
@mscbot
Copy link
Collaborator

mscbot commented Oct 7, 2024

That concern has already been raised.

@clokep
Copy link
Member

clokep commented Oct 7, 2024

@mscbot resolve Does not work with all MXIDs

@mscbot concern Alternatives insufficient explored.

@mscbot
Copy link
Collaborator

mscbot commented Oct 7, 2024

That concern has already been raised.

@AndrewFerr
Copy link
Member

@mscbot concern Alternatives insufficient explored.

deba3b82..e16482ab re-examines the alternative of the m.peer_unwritable flag.

@turt2live
Copy link
Member

This proposal requires re-review from several SCT members and adjacent folks. The priority is a bit unclear to me, but that is a different problem (see room).

@clokep
Copy link
Member

clokep commented Dec 10, 2024

On the Apache voting scale, I'm at a -1.0 for how the MSC is currently written. A stronger rationale for why this is needed now and strong discounting of a top-level ACL structure would change this to a -0.9 (sorry, I'm just not in favour of string packing here).

This is still the crux of this proposal and I'm in agreement with @turt2live that I'm a -1 for the string packing.

@clokep clokep removed their request for review December 10, 2024 20:09
@AndrewFerr
Copy link
Member

Maybe it's worth having a new MSC to explore one of the top-level field alternatives:

@clokep
Copy link
Member

clokep commented Dec 10, 2024

Maybe it's worth having a new MSC to explore one of the top-level field alternatives:

* [Event ownership flag](https://github.com/matrix-org/matrix-spec-proposals/blob/andybalaam/owner-state-events/proposals/3757-restricting-who-can-overwrite-a-state-event.md?rgh-link-date=2024-12-10T20%3A16%3A47Z#event-ownership-flag)

* [Owning user ID field](https://github.com/matrix-org/matrix-spec-proposals/blob/andybalaam/owner-state-events/proposals/3757-restricting-who-can-overwrite-a-state-event.md?rgh-link-date=2024-12-10T20%3A16%3A47Z#owning-user-id-field)

Maybe MSC3760 or MSC3779 was supposed to be that? (3760 appears to be very similar to this.)

@andybalaam
Copy link
Member Author

Maybe MSC3760 or MSC3779 was supposed to be that? (3760 appears to be very similar to this.)

Yes, MSC3760 was an alternative without string-packing. MSC3779 is different: it is intended to allow low-power users to create these state events.

Comment on lines +39 to +43
The size of a state key suffix after a leading user ID and the separator character is limited to
**255 bytes** so that any such suffix may follow any user ID without the complete state key
ever surpassing the total state key size limit.
Similarly, the size of a state key without a leading user ID is limited to **255 bytes** so that any
state key without a leading user ID may be given one without ever surpassing the total size limit.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this conversion between prefixed and unprefixed state keys a real requirement? It seems to lead to a lot of complexity.

If we're doing this, I'd be inclined to just increase max state key length to (say) 512 bytes, and be done with it.

Comment on lines +45 to +48
Users with a higher power level than a state event's original sender may overwrite the event
despite their user ID not matching the one in event's `state_key`. This fixes an abuse
vector where a user can immutably graffiti the state within a room
by sending state events whose `state_key` is their user ID.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd say there's a strong argument for making this a separate MSC, rather than trying to fix two things at once.

@@ -0,0 +1,118 @@
# MSC3757: Restricting who can overwrite a state event.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revisiting this a few months later (sorry), I still find my suggestion clearer.

@richvdh
Copy link
Member

richvdh commented Dec 17, 2024

@mscbot resolve concern changes to auth rules are unclear

@mscbot
Copy link
Collaborator

mscbot commented Dec 17, 2024

Unknown concern 'concern changes to auth rules are unclear'.

@richvdh
Copy link
Member

richvdh commented Dec 17, 2024

@mscbot resolve changes to auth rules are unclear
@mscbot resolve issue of state event proliferation requires discussion

@turt2live
Copy link
Member

Concerns-I-have-raised update:

@mscbot resolve Alternatives section is missing some alternatives.
@mscbot resolve Specific alternative of top-level access control is not sufficiently discounted.

Introduction does not sufficiently list benefiting MSCs/features.

The introduction currently relies on location sharing to drive it, which is a deprioritized feature at the spec level. I highly suggest adding the VoIP impact to the introduction to naturally drive this MSC up the list.

Insufficient implementation - Complement tests are required for this MSC.

This still appears to be the case.

@turt2live turt2live removed their request for review December 17, 2024 20:12
@AndrewFerr
Copy link
Member

Introduction does not sufficiently list benefiting MSCs/features.

The introduction currently relies on location sharing to drive it, which is a deprioritized feature at the spec level. I highly suggest adding the VoIP impact to the introduction to naturally drive this MSC up the list.

2a77266

Insufficient implementation - Complement tests are required for this MSC.

This still appears to be the case.

Is matrix-org/complement#733 not sufficient?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
client-server Client-Server API disposition-merge kind:core MSC which is critical to the protocol's success needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. requires-room-version An idea which will require a bump in room version s2s Server-to-Server API (federation) unassigned-room-version Remove this label when things get versioned. unresolved-concerns This proposal has at least one outstanding concern
Projects
Status: Ready for FCP ticks
Development

Successfully merging this pull request may close these issues.