MSC2176: Update the redaction rules #2176
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| # MSC2176: Update the redaction rules | ||
|
uhoreg marked this conversation as resolved.
|
||
|
|
||
| The current [redaction | ||
| algorithm](https://matrix.org/docs/spec/client_server/r0.5.0#redactions) is now | ||
| somewhat dated. This MSC proposes a number of changes to the rules which will | ||
| improve the security and reliability of the Matrix protocol. | ||
|
|
||
| ## Proposal | ||
|
|
||
| The following changes will require a new room version, since changes to the | ||
| redaction algorithm also change the way that [event | ||
| hashes](https://matrix.org/docs/spec/server_server/r0.1.2#calculating-the-reference-hash-for-an-event) | ||
| (and hence event IDs) are calculated. | ||
|
|
||
| The following *event* keys should be *removed* from the list of those to be | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
| preserved by a redaction: | ||
|
|
||
| * `membership` | ||
| * `prev_state` | ||
|
|
||
| (Note this refers to the *event-level* `membership` property, rather than the | ||
|
richvdh marked this conversation as resolved.
|
||
| similarly-named sub-property under the `content` key.) | ||
|
|
||
| Ratinale: neither of the above properties have defined meanings in the Matrix | ||
|
richvdh marked this conversation as resolved.
Outdated
richvdh marked this conversation as resolved.
Outdated
|
||
| protocol, so there is no reason for them to be special-cased in this way. | ||
|
|
||
| The following should be added to the list of subkeys of the content property | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
| which should be preserved: | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
|
|
||
| * `m.room.redaction` should allow the `redacts` key (assuming | ||
| [MSC2174](https://github.com/matrix-org/matrix-doc/pull/2174) is merged). | ||
| Rationale: currently, redacting a redaction can lead to inconsistent results | ||
| among homservers, depending on whether they receive the `m.room.redaction` | ||
| result before or after it is redacted (and therefore may or may not redact | ||
| the original event). | ||
|
|
||
| * `m.room.create` should allow the `room_version` key. Currently, redacting an | ||
| `m.room.create` event will make the room revert to a v1 room. | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
|
|
||
| * `m.room.power_levels` should allow the `notifications` key. Rationale: | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
| symmetry with the other `power_levels` settings. (Maybe? See | ||
| https://github.com/matrix-org/matrix-doc/issues/1601#issuecomment-511237744.) | ||
|
|
||
|
Member
There was a problem hiding this comment.
Member
Author
There was a problem hiding this comment. I disagree. It doesn't change the behaviour of the room at the server-server level.
Member
There was a problem hiding this comment. But if we eventually have two algorithms rather than one how should a client treat
Member
Author
There was a problem hiding this comment.
I don't think there is a way to end up with two encryption algorithms in the room state?
The same way that they should treat a new
Member
There was a problem hiding this comment. How are new clients to the room meant to do encryption if they don't know the algorithm? Can we please relax the restrictions on what goes into the algorithm? It affects client authors too, and it's ridiculous to exclude something because it doesn't affect the core protocol operation.
Member
Author
There was a problem hiding this comment. @KitsuneRal: I think there might be a misunderstanding here.
there is nothing wrong with repeated
Member
There was a problem hiding this comment.
That's a pretty strong statement. Then what's the purpose of
Except they should be treated with great suspicion because there's no defined semantics for any
Member
Author
There was a problem hiding this comment.
It indicates to clients how they should encrypt messages in this room.
I don't think that's true. I can't find anything in the spec about this, but my mental model is that clients should keep a record of rooms which are encrypted (along with the encryption algorithm), and give the user a warning if they send a message in a room which was previously encrypted and is no longer (or if the encryption is 'weaker', for some handwavey definition of weaker). But certainly it's valid for there to be multiple encryption events in a room, changing minor settings.
Member
There was a problem hiding this comment. There's also the problem of clients joining a room which has a redacted encryption event: They won't have the prior knowledge that it was encrypted and will assume it's not. ftr riot-web does exactly as you describe: it ignores changes to the encryption event it wasn't expecting.
Member
There was a problem hiding this comment. I've created https://github.com/matrix-org/matrix-doc/issues/2272 for clarifying the semantics of |
||
|
|
||
| ## Potential issues | ||
|
|
||
| What if there is spam in sub-properties of the `notifications` property of | ||
| power-levels? Should we not be able to redact it? | ||
|
richvdh marked this conversation as resolved.
Outdated
|
||
Uh oh!
There was an error while loading. Please reload this page.