MSC4013: Poll history cache

[alfogrillo]

Rendered

[uhoreg]

It seems like using /search with "types": ["m.room.poll_history"] would be an alternative.

[alfogrillo]

Do you mean an alternative to the /state?
If yes, does it make any difference?

[uhoreg]

I mean that, rather than creating a new state event and searching for relations on that state event, why not just use the /search endpoint to search for polls?

[alfogrillo]

I guess because search doesn't work on encrypted room. Poll events are actually sent as m.room.encrypted. 😕
Fwiw in the main proposal just one state event is required.

[uhoreg]

That's a good reason. It might be worth mentioning that in the MSC.

[clokep]

For unencrypted room /messages with a filter on event type would be better than /search, FWIW. But again doesn't work with encrypted events.

[FSG-Cat]

I have to ask plain and simple where in this MSC do we dismiss the problem that users do not want metadata leaks like this. Or atleast a large group of quite loud users do not want metadata leaks like this.

Now This concern could be dismissed by the fact that polls already use relations, but atleast these relations cant tell you for sure its a poll you can only tell that the events are related. I personally would argue that its somewhat dubious why we even need relations to not respect encryption considering their current use.

Still do we need to add more metadata leaks? Matrix already gets bad articles/blog posts written about it for metadata leaking and MSCs like this one doesnt help that.

[Johennes]

Encrypting the state event (#3414) would help mitigate this in future.

[FSG-Cat]

Encrypted state would mittigate a bit of the concerns but with plain text relations it would still leave a massive tell. as no other encrypted state event would be the target of this many relations, essentially undoing the whole point in encrypting the cache state event.

[alfogrillo]

I have to ask plain and simple where in this MSC do we dismiss the problem that users do not want metadata leaks like this. Or atleast a large group of quite loud users do not want metadata leaks like this.

This feature should considered optional.
In theory room's creators aren't obliged to send the m.room.poll_history state event for a room.
At the same time clients sending a poll may choose to opt out from this behaviour.
At the same time structures like this are very useful on clients that want navigate content by type (polls in this case) and willing to pay the price of a small metadata leak.

I personally would argue that its somewhat dubious why we even need relations to not respect encryption considering their current use.

I guess the may reason is the server being able to group related events together efficiently. Eg. the same problem is solved in the same way for the "threads" feature.

Encrypted state would mittigate a bit of the concerns but with plain text relations it would still leave a massive tell. as no other encrypted state event would be the target of this many relations, essentially undoing the whole point in encrypting the cache state event.

Yes, probably people could still guess what would be the m.poll_history state event could be in the end, but at least they couldn't be 100% sure I guess.

[turt2live]

If the state event is optional, the MSC should note that (I don't believe it does currently).

Aside from encrypting the whole state event though, the other option is encrypting the event relationship (like in MSC4019 or similar). I personally don't believe that encrypting the relationship on either end is a blocker for this MSC, however. Ideally we figure out how to encrypt both sides and then use both to protect metadata.

In the meantime, considering polls is quite far away from entering FCP itself, starting implementation unencrypted should be fine (as long as the client is comfortable with the risks). It may need to change in the future as other, adjacent, MSCs make forward progress though.

[turt2live]

I actually quite like how this is structured. I was concerned going in that this might end up being a m.room.pinned_events clone of sorts, and was pleasantly surprised to see relations being used like this.

Hopefully it works well in practice :)

[turt2live]

If the state event is optional, the MSC should note that (I don't believe it does currently).

Aside from encrypting the whole state event though, the other option is encrypting the event relationship (like in MSC4019 or similar). I personally don't believe that encrypting the relationship on either end is a blocker for this MSC, however. Ideally we figure out how to encrypt both sides and then use both to protect metadata.

In the meantime, considering polls is quite far away from entering FCP itself, starting implementation unencrypted should be fine (as long as the client is comfortable with the risks). It may need to change in the future as other, adjacent, MSCs make forward progress though.

[jonnyandrew]

Could it be an issue that the poll start event would no longer be a root event and therefore could not be the root of a thread?

From https://spec.matrix.org/v1.8/client-server-api/#threading

Threads [...] reference the thread root (the first event in a thread). It is not possible to create a thread from an event which itself is the child of an event relationship (i.e., one with an m.relates_to property).

[clokep]

Yes, it looks like this would preclude a poll from being a reply in a thread.

[jonnyandrew]

Yes, it looks like this would preclude a poll from being a reply in a thread.

This is also a potential problem, but I was actually referring to the fact that a thread root should not be related to any other event. What it means is that there is no way to discuss a poll in a thread, which I imagine is a natural use case for threads.

[alfogrillo]

Yes, it looks like this would preclude a poll from being a reply in a thread.

Fwiw polls aren't a supported inside threads atm on Element clients.
It doesn't seem to me interesting as a use case.

but I was actually referring to the fact that a thread root should not be related to any other event

Why is that?

[jonnyandrew]

That was my understanding from the spec which states

It is not possible to create a thread from an event which itself is the child of an event relationship (i.e., one with an m.relates_to property).

I don't see why it shouldn't be possible though. Perhaps that part of the spec could be updated to accommodate this type of use case.

[alfogrillo]

Perhaps the documentation meant that you cannot create a thread from an event having already a rel_type of type m.thread?
@clokep do you know is the home server has checks that may reject this events (events starting a thread from an event with a rel_type equal to m.reference)?

[clokep]

Perhaps the documentation meant that you cannot create a thread from an event having already a rel_type of type m.thread?

The documentation is correct AFAIK.

@clokep do you know is the home server has checks that may reject this events (events starting a thread from an event with a rel_type equal to m.reference)?

They will get rejected: https://github.com/matrix-org/synapse/blob/928e9648578d24dc9f5ed3476d629fca9a64b22a/synapse/handlers/message.py#L1382-L1386

[alfogrillo]

They will get rejected: https://github.com/matrix-org/synapse/blob/928e9648578d24dc9f5ed3476d629fca9a64b22a/synapse/handlers/message.py#L1382-L1386

Looking into the code the rejection seems to happens just if the relation type is m.thread?
If this is the case, polls having a m.reference rel_type can be still be used as root for a thread?

[clokep]

Looking into the code the rejection seems to happens just if the relation type is m.thread?

If the new event's relation is a thread then it checks that the parent event does not have any relations. I think this situation would be rejected, but I did not check it manually.

[alfogrillo]

I see, thanks for clarifying