MSC2176: Update the redaction rules#2176
Conversation
|
looks plausible to me. sounds like we should get it out there in a room v6 sooner than later |
|
We probably need to get agreement on #1996 and matrix-org/matrix-spec#357 as a prerequisite here. If people have opinions on them, perhaps they could weigh in on the relevant bugs. |
|
For completeness, there is also some ongoing discussion as part of MSC1849/2154 about preserving |
turt2live
left a comment
turt2live
left a comment
There was a problem hiding this comment.
lgtm - I'm more torn on whether notifications on power levels should be kept though.
fix typo Co-Authored-By: Kitsune Ral <Kitsune-Ral@users.sf.net>
|
A quick note on some of my thinking here. As I see it, there is a scale between properties which we absolutely must preserve on redaction, for fear of breaking the protocol (mostly those involved in event auth), and those which have very little effect on the protocol at all so can safely be redacted. Somewhere in the middle we have things like I'm trying quite hard to limit the list of things that get preserved to things which completely break the protocol, rather than just things that are a bit annoying/surprising when you redact them, mostly to keep the server-server protocol as simple as possible. The fact that we have to bump the room version to change the redaction rules also means that it's really not great to have to keep adding new rules. Rather, I see it as the job of either clients (or, possibly, the C-S API) to protect you from foot-guns. All that said, there is room for debate on where different keys sit on that scale, and where we draw the line, but I'd like each candidate to be retained to be argued on its own merits. |
| * the `notifications` key. Rationale: symmetry with the other `power_levels` | ||
| settings. (Maybe? See | ||
| https://github.com/matrix-org/matrix-doc/issues/1601#issuecomment-511237744.) | ||
|
|
There was a problem hiding this comment.
m.room.encryption's algorithm should be preserved.
There was a problem hiding this comment.
I disagree. It doesn't change the behaviour of the room at the server-server level.
There was a problem hiding this comment.
But if we eventually have two algorithms rather than one how should a client treat m.room.encryption with redacted algorithm?
There was a problem hiding this comment.
But if we eventually have two algorithms rather than one
I don't think there is a way to end up with two encryption algorithms in the room state?
how should a client treat
m.room.encryptionwith redacted algorithm?
The same way that they should treat a new m.room.encryption event which disables encryption: with great suspicion.
There was a problem hiding this comment.
How are new clients to the room meant to do encryption if they don't know the algorithm?
Can we please relax the restrictions on what goes into the algorithm? It affects client authors too, and it's ridiculous to exclude something because it doesn't affect the core protocol operation.
There was a problem hiding this comment.
@KitsuneRal: I think there might be a misunderstanding here.
there's no good way for a client to handle any readable content of the room once that state is broken
...
this room is irreparably broken along with all of its encrypted messages already in DAG.
m.room.encryption is not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated once m.room.encryption is redacted.
again - repeated encryption events are not proper
there is nothing wrong with repeated m.room.encryption events?
There was a problem hiding this comment.
m.room.encryptionis not supposed to define how you interpret received events, so I don't agree that the existing messages are invalidated oncem.room.encryptionis redacted.
That's a pretty strong statement. Then what's the purpose of algorithm there?
there is nothing wrong with repeated
m.room.encryptionevents?
Except they should be treated with great suspicion because there's no defined semantics for any m.room.encryption event except the first one?
There was a problem hiding this comment.
Then what's the purpose of algorithm there?
It indicates to clients how they should encrypt messages in this room.
there's no defined semantics for any m.room.encryption event except the first one?
I don't think that's true. I can't find anything in the spec about this, but my mental model is that clients should keep a record of rooms which are encrypted (along with the encryption algorithm), and give the user a warning if they send a message in a room which was previously encrypted and is no longer (or if the encryption is 'weaker', for some handwavey definition of weaker).
But certainly it's valid for there to be multiple encryption events in a room, changing minor settings.
There was a problem hiding this comment.
There's also the problem of clients joining a room which has a redacted encryption event: They won't have the prior knowledge that it was encrypted and will assume it's not.
ftr riot-web does exactly as you describe: it ignores changes to the encryption event it wasn't expecting.
There was a problem hiding this comment.
I've created https://github.com/matrix-org/matrix-doc/issues/2272 for clarifying the semantics of m.room.encryption events. I'd suggest ignoring m.room.encryption for the purposes of this MSC, and discussing in that issue for a future MSC, as I think that it's a larger issue that shouldn't hold this one up.
|
I've updated the MSC to (1) change the create event so that all keys are preserved, and (2) clarify that I don't think the Further input welcome... |
turt2live
added
the
unassigned-room-version
KitsuneRal
left a comment
KitsuneRal
left a comment
There was a problem hiding this comment.
Typo fixing - however, might be entirely unnecessary if we keep algorithm around :)
Co-Authored-By: Travis Ralston <travpc@gmail.com> Co-Authored-By: Kitsune Ral <Kitsune-Ral@users.sf.net>
|
Nothing else seems to be happening here, so I'd like to propose FCP: @mscbot fcp merge |
|
Team member @richvdh has proposed to merge this. The next step is review by the rest of the tagged people: No concerns currently listed. Once at least 75% of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
mscbot
added
the
proposed-final-comment-period
turt2live
added
unassigned-room-version
turt2live
added
the
unassigned-room-version
|
This went back to not having an assigned room version (pulled out of v10). |
turt2live
added
the
requires-room-version
turt2live
added
the
blocked
turt2live
removed
blocked
|
This is now formally assigned to room version 11: #3820 |
|
Spec PR: matrix-org/matrix-spec#1604 |
turt2live
added
spec-pr-in-review
|
Merged 🎉 |
turt2live
added
merged
Synapse 1.26.0 (2021-01-27) =========================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. No significant changes since 1.26.0rc2. Synapse 1.26.0rc2 (2021-01-25) ============================== Bugfixes -------- - Fix receipts and account data not being sent down sync. Introduced in v1.26.0rc1. ([\#9193](matrix-org/synapse#9193), [\#9195](matrix-org/synapse#9195)) - Fix chain cover update to handle events with duplicate auth events. Introduced in v1.26.0rc1. ([\#9210](matrix-org/synapse#9210)) Internal Changes ---------------- - Add an `oidc-` prefix to any `idp_id`s which are given in the `oidc_providers` configuration. ([\#9189](matrix-org/synapse#9189)) - Bump minimum `psycopg2` version to v2.8. ([\#9204](matrix-org/synapse#9204)) Synapse 1.26.0rc1 (2021-01-20) ============================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. Features -------- - Add support for multiple SSO Identity Providers. ([\#9015](matrix-org/synapse#9015), [\#9017](matrix-org/synapse#9017), [\#9036](matrix-org/synapse#9036), [\#9067](matrix-org/synapse#9067), [\#9081](matrix-org/synapse#9081), [\#9082](matrix-org/synapse#9082), [\#9105](matrix-org/synapse#9105), [\#9107](matrix-org/synapse#9107), [\#9109](matrix-org/synapse#9109), [\#9110](matrix-org/synapse#9110), [\#9127](matrix-org/synapse#9127), [\#9153](matrix-org/synapse#9153), [\#9154](matrix-org/synapse#9154), [\#9177](matrix-org/synapse#9177)) - During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. ([\#9091](matrix-org/synapse#9091)) - Give the `public_baseurl` a default value, if it is not explicitly set in the configuration file. ([\#9159](matrix-org/synapse#9159)) - Improve performance when calculating ignored users in large rooms. ([\#9024](matrix-org/synapse#9024)) - Implement [MSC2176](matrix-org/matrix-spec-proposals#2176) in an experimental room version. ([\#8984](matrix-org/synapse#8984)) - Add an admin API for protecting local media from quarantine. ([\#9086](matrix-org/synapse#9086)) - Remove a user's avatar URL and display name when deactivated with the Admin API. ([\#8932](matrix-org/synapse#8932)) - Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users. ([\#8948](matrix-org/synapse#8948)) - Add experimental support for handling to-device messages on worker processes. ([\#9042](matrix-org/synapse#9042), [\#9043](matrix-org/synapse#9043), [\#9044](matrix-org/synapse#9044), [\#9130](matrix-org/synapse#9130)) - Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes. ([\#9068](matrix-org/synapse#9068)) - Add experimental support for handling `/devices` API on worker processes. ([\#9092](matrix-org/synapse#9092)) - Add experimental support for moving off receipts and account data persistence off master. ([\#9104](matrix-org/synapse#9104), [\#9166](matrix-org/synapse#9166)) Bugfixes -------- - Fix a long-standing issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL. ([\#9023](matrix-org/synapse#9023)) - Fix a long-standing bug where some caches could grow larger than configured. ([\#9028](matrix-org/synapse#9028)) - Fix error handling during insertion of client IPs into the database. ([\#9051](matrix-org/synapse#9051)) - Fix bug where we didn't correctly record CPU time spent in `on_new_event` block. ([\#9053](matrix-org/synapse#9053)) - Fix a minor bug which could cause confusing error messages from invalid configurations. ([\#9054](matrix-org/synapse#9054)) - Fix incorrect exit code when there is an error at startup. ([\#9059](matrix-org/synapse#9059)) - Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers. ([\#9070](matrix-org/synapse#9070)) - Fix "Failed to send request" errors when a client provides an invalid room alias. ([\#9071](matrix-org/synapse#9071)) - Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0. ([\#9114](matrix-org/synapse#9114), [\#9116](matrix-org/synapse#9116)) - Fix corruption of `pushers` data when a postgres bouncer is used. ([\#9117](matrix-org/synapse#9117)) - Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login. ([\#9128](matrix-org/synapse#9128)) - Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large. ([\#9108](matrix-org/synapse#9108)) - Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0. ([\#9145](matrix-org/synapse#9145)) - Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter. ([\#9161](matrix-org/synapse#9161)) Improved Documentation ---------------------- - Add some extra docs for getting Synapse running on macOS. ([\#8997](matrix-org/synapse#8997)) - Correct a typo in the `systemd-with-workers` documentation. ([\#9035](matrix-org/synapse#9035)) - Correct a typo in `INSTALL.md`. ([\#9040](matrix-org/synapse#9040)) - Add missing `user_mapping_provider` configuration to the Keycloak OIDC example. Contributed by @chris-ruecker. ([\#9057](matrix-org/synapse#9057)) - Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters. ([\#9151](matrix-org/synapse#9151)) Deprecations and Removals ------------------------- - Remove broken and unmaintained `demo/webserver.py` script. ([\#9039](matrix-org/synapse#9039)) Internal Changes ---------------- - Improve efficiency of large state resolutions. ([\#8868](matrix-org/synapse#8868), [\#9029](matrix-org/synapse#9029), [\#9115](matrix-org/synapse#9115), [\#9118](matrix-org/synapse#9118), [\#9124](matrix-org/synapse#9124)) - Various clean-ups to the structured logging and logging context code. ([\#8939](matrix-org/synapse#8939)) - Ensure rejected events get added to some metadata tables. ([\#9016](matrix-org/synapse#9016)) - Ignore date-rotated homeserver logs saved to disk. ([\#9018](matrix-org/synapse#9018)) - Remove an unused column from `access_tokens` table. ([\#9025](matrix-org/synapse#9025)) - Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies. ([\#9030](matrix-org/synapse#9030)) - Fix running unit tests when optional dependencies are not installed. ([\#9031](matrix-org/synapse#9031)) - Allow bumping schema version when using split out state database. ([\#9033](matrix-org/synapse#9033)) - Configure the linters to run on a consistent set of files. ([\#9038](matrix-org/synapse#9038)) - Various cleanups to device inbox store. ([\#9041](matrix-org/synapse#9041)) - Drop unused database tables. ([\#9055](matrix-org/synapse#9055)) - Remove unused `SynapseService` class. ([\#9058](matrix-org/synapse#9058)) - Remove unnecessary declarations in the tests for the admin API. ([\#9063](matrix-org/synapse#9063)) - Remove `SynapseRequest.get_user_agent`. ([\#9069](matrix-org/synapse#9069)) - Remove redundant `Homeserver.get_ip_from_request` method. ([\#9080](matrix-org/synapse#9080)) - Add type hints to media repository. ([\#9093](matrix-org/synapse#9093)) - Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung. ([\#9098](matrix-org/synapse#9098)) - Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`. ([\#9106](matrix-org/synapse#9106)) - Improve `UsernamePickerTestCase`. ([\#9112](matrix-org/synapse#9112)) - Remove dependency on `distutils`. ([\#9125](matrix-org/synapse#9125)) - Enforce that replication HTTP clients are called with keyword arguments only. ([\#9144](matrix-org/synapse#9144)) - Fix the Python 3.5 / old dependencies build in CI. ([\#9146](matrix-org/synapse#9146)) - Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`. ([\#9157](matrix-org/synapse#9157))
12 participants
Rendered.
Implementation: matrix-org/synapse#8984