Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC2244: Mass redactions #2244

Open
wants to merge 9 commits into
base: master
from

Conversation

@tulir
Copy link

commented Aug 23, 2019

Rendered

Proposal to allow multiple targets for one redaction event
Signed-off-by: Tulir Asokan <tulir@maunium.net>
@ara4n

This comment has been minimized.

Copy link
Member

commented Aug 23, 2019

I really like this ftr; unsure why we've not thought of it before. The auth rule stuff definitely needs a sanity check from @richvdh & @erikjohnston & co though. It feels like the redaction should apply to all the targets events that it can rather than be soft-failed if any of the targets fail, but am not sure what the implications of that are for DAG consistency.

@tulir

This comment has been minimized.

Copy link
Author

commented Aug 23, 2019

Yeah, this is mostly a draft so the auth rule stuff can be figured out before reviewing

@auscompgeek

This comment has been minimized.

Copy link

commented Aug 24, 2019

This could be useful for GDPR erasure as well perhaps?

@turt2live

This comment has been minimized.

Copy link
Member

commented Aug 24, 2019

GDPR erasure is a concern for MSC1228 because redactions do not remove metadata.

@ara4n

This comment has been minimized.

Copy link
Member

commented Aug 24, 2019

I think @auscompgeek’s point is that this could help GDPR data erasure (not metadata erasure). however, our position is that when someone sends you a message on matrix you own a copy of that message (much like email) and they do not have the right to mutilate your copy of that conversation under GDPR. if we did support this, it would need to be a different feature (that we’ve dubbed megaredact in the past) which would be a redaction that says “please redact everything you ever saw from this user”, rather than a list of event IDs as is proposed here. So: i don’t think we should consider this MSC in terms of GDPR.

@KitsuneRal
Copy link
Member

left a comment

From the client perspective I very much like the idea. I have left some comments on the current text.

proposals/2244-mass-redactions.md Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved

@turt2live turt2live self-requested a review Aug 26, 2019

@turt2live
Copy link
Member

left a comment

Looks like this is heading in a sensible direction - thank you!

proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
proposals/2244-mass-redactions.md Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
proposals/2244-mass-redactions.md Outdated Show resolved Hide resolved
tulir and others added 4 commits Aug 24, 2019
Re-word auth rule section on handling each target separately
Co-authored-by: Jason Volk <jason@zemos.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Jason Volk <jason@zemos.net>
Fix authenticity/authorization terminology
Co-authored-by: Kitsune Ral <Kitsune-Ral@users.sf.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Add potential issue with redacted_because field
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Fix typos, inline links and move image into tree
Signed-off-by: Tulir Asokan <tulir@maunium.net>

@tulir tulir force-pushed the tulir:mass_redactions branch from 383805f to 79a5663 Aug 28, 2019

@tulir

This comment has been minimized.

Copy link
Author

commented Aug 28, 2019

Force pushed to fix commit co-authors and signoffs

## Proposal
This proposal builds upon [MSC2174](https://github.com/matrix-org/matrix-doc/pull/2174)
and suggests making the `redacts` field in the content of `m.room.redaction`
events an array of event ID strings instead of a single event ID string.

This comment has been minimized.

Copy link
@ara4n

ara4n Aug 29, 2019

Member

Having thought about this some more, I think one of the most common use cases for mass redactions is to handle brigading scenarios where a user joins a room solely in order to post abuse. I think we should bite the bullet and consider putting user_ids as well as event_ids in the redaction target to make it easier for moderators to handle this scenario.

This comment has been minimized.

Copy link
@tulir

tulir Aug 29, 2019

Author

Yeah, although that should be a separate proposal. Finding and redacting everything from a user probably needs some new auth rules that aren't related to just redacting many events at once.

to this is omitting the list of redacted event IDs from the data in the
`redacted_because` field.

## Security considerations

This comment has been minimized.

Copy link
@ara4n

ara4n Aug 29, 2019

Member

The biggest concern here is presumably that all the servers in the room could have to do quite a lot of work, churning through all the listed event IDs trying to redact them, with the associated cache impact etc depending on the implementation specifics. I suggest we at least mention that the implementation should process the redactions in the background in such a way to avoid large malicious redaction events from being an easy way to DoS a server.

This comment has been minimized.

Copy link
@KitsuneRal

KitsuneRal Aug 30, 2019

Member

Rapid fire of individual redaction events is not really better in this regard, is it? Events can be rate-limited, and megaredactions can be rate-limited more aggressively.

tulir added 2 commits Aug 29, 2019
Move omitting redacted_because into proposal and add security conside…
…ration

Signed-off-by: Tulir Asokan <tulir@maunium.net>
Remove soft fail auth rule option
Signed-off-by: Tulir Asokan <tulir@maunium.net>

@tulir tulir marked this pull request as ready for review Aug 31, 2019

@turt2live

This comment has been minimized.

Copy link
Member

commented Aug 31, 2019

in the interest of not delaying this more than it needs to be, and beating @ara4n to the punch:

@mscbot fcp merge

@mscbot

This comment has been minimized.

Copy link
Collaborator

commented Aug 31, 2019

Team member @turt2live has proposed to merge this. The next step is review by the rest of the tagged people:

No concerns currently listed.

Once a majority of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.