Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC1772: Matrix spaces #1772

Merged
merged 89 commits into from
May 5, 2021
Merged
Changes from 12 commits
Commits
Show all changes
89 commits
Select commit Hold shift + click to select a range
6c499db
WIP groups as rooms MSC
ara4n Jan 3, 2019
346f7ac
add hyperlinks
ara4n Jan 3, 2019
1e81fbd
md
ara4n Jan 3, 2019
a884fd8
wordwrap fix
ara4n Jan 3, 2019
43ae6ad
md
ara4n Jan 3, 2019
e00eff5
add thought about splitting events
ara4n Jan 4, 2019
cd5a842
flesh out how flair could work
ara4n Jan 6, 2019
19e9420
flesh out state events split per state-key for defining groups
ara4n Jan 6, 2019
010246e
typo
ara4n Jan 6, 2019
88ff3de
spell out deps
ara4n Jan 6, 2019
54bf339
typo
ara4n Jan 6, 2019
1bbe638
typo
ara4n Jan 6, 2019
417501d
various minor edits
richvdh Oct 20, 2020
96cd76c
remove 'one big event' proposal
richvdh Oct 20, 2020
6464e90
Merge branch 'master' into matthew/msc1772
richvdh Oct 20, 2020
0baf49a
We are not considering hidden-membership rooms yet
richvdh Oct 20, 2020
4040254
Update for new terminology and current thinking
richvdh Oct 27, 2020
52853b5
more updates
richvdh Oct 27, 2020
c145d39
Notes on propagating PLs etc
richvdh Oct 29, 2020
15f34e5
supporting trad PLs
richvdh Oct 29, 2020
e746aa3
Apply suggestions from code review
richvdh Oct 30, 2020
2f557da
Clarifications to room/space relationship
richvdh Oct 30, 2020
11bb604
add an xxx
richvdh Oct 30, 2020
d42da58
Apply suggestions from code review
richvdh Nov 9, 2020
1aede33
clarify introduction
richvdh Nov 9, 2020
e323ade
Switch to room IDs
richvdh Nov 9, 2020
a73dd9c
clarification
richvdh Nov 9, 2020
839ea0e
inheriting join rules
richvdh Nov 9, 2020
109c31c
Avoiding abuse via false `parent` claims
richvdh Nov 10, 2020
06b5c83
notes on children and recursion
richvdh Nov 10, 2020
29b07c1
update power level mappings
richvdh Nov 10, 2020
ae71a62
Restricting room membership via spaces
richvdh Nov 11, 2020
b40f7da
Record alternatives
richvdh Nov 11, 2020
4e3b0ed
add a length limit to `order`
richvdh Nov 11, 2020
3b2825f
Descope autokick and rename allowed_spaces
richvdh Nov 11, 2020
e6a6941
rename allowed_join again
richvdh Nov 11, 2020
fbad757
update dependencies links
richvdh Nov 11, 2020
1f1e3c9
MSC1840 is in
richvdh Nov 16, 2020
d4abe40
one parent per room
richvdh Nov 16, 2020
39af7f3
Update 1772-groups-as-rooms.md (#2866)
grinapo Nov 17, 2020
45f2608
No cross-room auth
richvdh Nov 19, 2020
6cc3995
explain a bit
richvdh Nov 20, 2020
51aa5e2
Update proposals/1772-groups-as-rooms.md
richvdh Nov 26, 2020
6989758
Update proposals/1772-groups-as-rooms.md
richvdh Jan 4, 2021
037894a
replace 'default' with 'auto_join'
ara4n Jan 13, 2021
803e70a
typo
ara4n Jan 13, 2021
42c332b
fix parent claiming plurality
ara4n Jan 13, 2021
2de3dc4
more plurality fixing
ara4n Jan 13, 2021
302d5d8
clarify autojoin and mention 'suggested' rooms
ara4n Jan 13, 2021
a0d06c7
factor out ACLs into a separate MSC
ara4n Jan 14, 2021
b8e3a0b
include invite state notes
ara4n Jan 14, 2021
f8fb325
replace m.room.parent with m.space.parent for symmetry
ara4n Jan 14, 2021
343e1f6
incorporate @joepie91's clarification on secret rooms
ara4n Jan 14, 2021
97103c4
clarify that auto-joins are not force joins
ara4n Jan 14, 2021
91fe7a7
switch to allowing multiple parents
ara4n Jan 14, 2021
b10856d
let's create spaces with `events_default` PL100
ara4n Jan 14, 2021
a0f89bd
add XXX about via propagation
ara4n Jan 14, 2021
a709671
tie break on multiple parents
ara4n Jan 14, 2021
ff85e61
fix dev identifier
ara4n Jan 15, 2021
1cfe6bc
MSC1840 is out again.
richvdh Mar 16, 2021
bc14662
related MSCs
richvdh Mar 16, 2021
62b9154
Remove lost footnotes
richvdh Mar 16, 2021
469b64c
rip out m.room.description
richvdh Mar 16, 2021
dcb18f0
Move security consideration to MSC2962
richvdh Mar 17, 2021
7d757ce
minor wording tweaks
richvdh Mar 17, 2021
acdb6f1
Move "auto-join" out to "future extensions"
richvdh Mar 17, 2021
2e6d7d1
spaces are *primarily* referred to by their room ID.
richvdh Mar 17, 2021
0bdbec2
Accept m.space.parent links if there is a reverse link
richvdh Mar 17, 2021
6c9d469
add an issue about lost parent links
richvdh Mar 17, 2021
8a61ce9
remove 'present' flag
richvdh Mar 17, 2021
c0c5138
Move "via" problem to a "potential issue"
richvdh Mar 17, 2021
9ca9423
Suggested rooms
richvdh Mar 17, 2021
5e7ed2b
Tweak wording about lexicographic ordering
richvdh Mar 22, 2021
065b099
Update proposals/1772-groups-as-rooms.md
richvdh Mar 23, 2021
e704152
Include `create` in invite_room_state
richvdh Mar 26, 2021
6d007e8
Defer a TODO to the future.
clokep Apr 14, 2021
12d08ca
Consistency and update links.
clokep Apr 14, 2021
00912f9
clarify how to deterministically cut cycles
ara4n Apr 29, 2021
f07e82e
clarify the charsets of our lexicographic orderings
ara4n Apr 29, 2021
37e04f7
tiebreak ordered spaces sensibly
ara4n Apr 29, 2021
1e2ed52
add more justification for immutable room types
ara4n Apr 29, 2021
0d71150
remove confusing mention of peeking & dependent MSCs
ara4n Apr 29, 2021
7432d25
incorporate travis feedback
ara4n Apr 29, 2021
2981baa
Update proposals/1772-groups-as-rooms.md
ara4n Apr 29, 2021
acdf985
incorporate uhoreg feedback
ara4n Apr 29, 2021
413e346
note the rationale behind using the # sigil
ara4n Apr 29, 2021
757218c
relax requirements on cycle-cutting and link to valere's alg
ara4n Apr 30, 2021
c2d0d1e
include m.room.create in knock_state (will be overtaken by MSC3173)
ara4n May 3, 2021
9773759
Remove cycle breaking algorithm to be specced in the future, if neces…
clokep May 4, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
233 changes: 233 additions & 0 deletions proposals/1772-groups-as-rooms.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,233 @@
# Proposal for groups as rooms (take 2)
ara4n marked this conversation as resolved.
Show resolved Hide resolved
richvdh marked this conversation as resolved.
Show resolved Hide resolved

richvdh marked this conversation as resolved.
Show resolved Hide resolved
This obsoletes [MSC1215](https://github.com/matrix-org/matrix-doc/issues/1215).
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## Problem

The current groups API has some serious issues:
* It is a large API surface to implement, maintain and spec - particularly for
all the different clients out there.
* Much of the API overlaps significantly with mechanisms we already have for
managing rooms:
* Tracking membership identity
* Tracking membership hierarchy
* Inviting/kicking/banning user
* Tracking key/value metadata
* There are membership management features which could benefit rooms which
would also benefit groups and vice versa (e.g. "auditorium mode")
* The current implementations on Riot Web/iOS/Android all suffer bugs and
issues which have been solved previously for rooms.
* no local-echo of invites
* failures to set group avatars
* ability to specify multiple admins
* It doesn't support pushing updates to clients (particularly for flair
membership): https://github.com/vector-im/riot-web/issues/5235
* It doesn't support third party invites.
* Groups could benefit from other features which already exist today for rooms
* e.g. Room Directories
* Groups are centralised, rather than being replicated across all
participating servers.

## Solution

Represent groups by rooms rather than a custom first-class entity.

We reserve aliases which begin with a `+` to represent groups - e.g. the room
for group `+test:example.com` is `#+test:example.com`.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

We introduce a `m.room.groups` state event which defines how a room should
behave as a group - i.e. the rooms which it groups together, and any subgroups
richvdh marked this conversation as resolved.
Show resolved Hide resolved
nested within it.

```json
{
"type": "m.room.groups",
"contents": {
"rooms": [
{
"room": "#room1:example.com",
},
{
"room": "#room2:example.com",
"autojoin": true
richvdh marked this conversation as resolved.
Show resolved Hide resolved
},
{
"room": "#room3:example.com",
},
],
"subgroups": [
{
"group": "+something:example.com",
},
{
"group": "+otherthing:example.com",
},
]
},
}
```

XXX: alternatively, perhaps all the rooms and subgroups should be their own
state event with a unique state key, ensuring that this can scale to large
groups and doesn't have to be edited atomically. A key like `present: true`
would be needed to distinguish from a deleted state event. Something like:
richvdh marked this conversation as resolved.
Show resolved Hide resolved

```json
{
"type": "m.room.group",
richvdh marked this conversation as resolved.
Show resolved Hide resolved
"state_key": "#room1:example.com",
richvdh marked this conversation as resolved.
Show resolved Hide resolved
"contents": {
"present": true
richvdh marked this conversation as resolved.
Show resolved Hide resolved
}
}

{
"type": "m.room.group",
"state_key": "#room2:example.com",
"contents": {
"present": true,
"autojoin": true
}
}

richvdh marked this conversation as resolved.
Show resolved Hide resolved
{
"type": "m.room.subgroup",
"state_key": "+something:example.com",
"contents": {
"present": true
}
}
{
"type": "m.room.subgroup",
"state_key": "+otherthing:example.com",
"contents": {
"present": true
}
richvdh marked this conversation as resolved.
Show resolved Hide resolved
}
```

Name, Topic, Membership etc share the same events as a normal room.

The flair image for a group is given by the room avatar.
ara4n marked this conversation as resolved.
Show resolved Hide resolved

Long description requires a new event: `m.room.description`. This can also be
used for rooms as well as groups.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Groups may be nested, and membership of groups is defined as the union of the
members of the group room and its subgroups. If `+top:example.com` has two
subgroups, the user membership of `+top:example.com` is the union of the
subgroups and the group itself. This allows hierarchies of groups & users to be
defined.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Clients peek in rooms (recursing into subgroups as needed) in order to determine
ara4n marked this conversation as resolved.
Show resolved Hide resolved
group membership.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Invites, 3PID invites, Power Levels etc all work as for a normal room.

Normal messages within the room could be showed and used as a 'lobby' area for
the given group.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

This requires no server changes at all, other than better support for peeking
(see Dependencies below), and could allow the existing /groups API to be
deprecated and removed outright.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## ACLs
richvdh marked this conversation as resolved.
Show resolved Hide resolved
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Currently the group server has total control over specifying the list of users
who may be present in a group, as seen by a given querying user. In other words,
arbitrary users can see entirely different views of a group at the server's
discretion.

Whilst this is very powerful for mapping arbitrary group structures into Matrix,
it may be overengineered.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Instead, the common case is wanting to define a group where some users are
publicly visible as members, and others are not. This is what the current use
cases require today. A simple way of achieving would be to create a subgroup
for the private members - e.g. have `+sensitive:matrix.org` and
`+sensitive-private:matrix.org`. The membership of
`+sensitive-private:matrix.org` is set up with `m.room.join_rules` to not to
allow peeking; you have to be joined to see the members, and users who don't
want to be seen by the public to be member of the group are added to the
subgroup.

XXX: is there a use case today for having a group where users are unaware of the
richvdh marked this conversation as resolved.
Show resolved Hide resolved
other users' membership? e.g. if I am a member of `+scandalous:matrix.org`
should i have a way to stop other members knowing that I am? One solution here
could be "auditorium mode", where users cannot see other users' identities
(unless they speak). This could be added later, however, and would also be
useful for normal rooms.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## Flair

A proposal for how to safely determine user flair is:

* User publishes the groups they wish to announce on their profile
([MSC1769](https://github.com/matrix-org/matrix-doc/issues/1769)
as a m.flair state event: it lists the groups which they are advertising.

* When a client wants to know the current flair for a set of users (i.e.
those which it is currently displaying in the timeline), it peeks the
profile rooms of those users. However, we can't trust the flair which the
users advertise on the profile - it has to be cross-referenced from the
memberships of the groups in question.

To do this cross-referencing, options are:

1. The client checks the group membership (very inefficient, given the server
could/should do it for them), or...
2. The server checks the group membership by peeking the group and somehow
decorates the `m.flair` event as validated before sending it to the client.
This is also inefficient, as it forces the server to peek a potentially large
group (unless we extend federation to allow peeking specific state events)
3. The origin `m.flair` event includes the event_id of the user's
`m.room.membership` event in the group. The server performing the check can
then query this specific event from one of the servers hosting the group-room,
and we perhaps extend the S2S API to say whether a given state event is current
considered current_state or not. If the `m.room.membership` event is confirmed
as current, then the `m.flair` is decorated as being confirmed.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

Of these, option 3 feels best?
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## Dependencies
richvdh marked this conversation as resolved.
Show resolved Hide resolved

This needs peeking to work effectively on CS API.
([MSC1776](https://github.com/matrix-org/matrix-doc/issues/1776))

This needs peeking to work effectively over federation (e.g. by having servers
join remote rooms as @null:example.com in order to participate in them for
peeking purposes) - ([MSC1777](https://github.com/matrix-org/matrix-doc/issues/1777))

These dependencies are shared with profiles-as-rooms
([MSC1769](https://github.com/matrix-org/matrix-doc/issues/1769)).

## Security considerations

XXX: how do we stop cycles & recursion abuse of the subgroups?
richvdh marked this conversation as resolved.
Show resolved Hide resolved
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## Tradeoffs

This consciously sacrifices the ability to delegate group lookups through
to a centralised group server. However, group data can already be stale as we
richvdh marked this conversation as resolved.
Show resolved Hide resolved
rely on cached attestations from federated servers to apply ACLs even if the
remote server is not available. So this isn’t much worse than eventually
consistent group membership as you’d find in a room.

It also means that large groups have to be bridged in their entirety into the
room, rather than querying/searching incrementally. This is something we should
fix for bridged rooms in general too, however.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

This also consciously sacrifices the ability for a group server to provide
different 'views' of groups to different querying users, as being
overengineered. Instead, all common use cases should be modellable by modelling
group memnbership as room membership (nesting if required).
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## Issues

How does this work with
[MSC1228](https://github.com/matrix-org/matrix-doc/issues/1228) (removing MXIDs)?
richvdh marked this conversation as resolved.
Show resolved Hide resolved

## History

* This replaces MSC1215: https://docs.google.com/document/d/1ZnAuA_zti-K2-RnheXII1F1-oyVziT4tJffdw1-SHrE
* Other thoughts that led into this are at: https://docs.google.com/document/d/1hljmD-ytdCRL37t-D_LvGDA3a0_2MwowSPIiZRxcabs