MSC 1501: Room version upgrades #1502
Conversation
|
Alongside muting the room (demote and set default level for events to subzero), I wonder if it's a good idea to have capable servers reject events for the old room. This would give the server the ability to essentially stop bothering to try and spend resources on the room given it has been effectively frozen. Joining users to the room is a hard problem to solve, and is yet another case of element-hq/element-web#2925. Assuming aliases are also brought over to the new room, the servers could use those to get in. However as mentioned in the proposal the case of private chats does lead to the high probability of rooms becoming unroutable. Although using the sender of the tombstone event would work shortly after the upgrade, there's no guarantee that the server is still participating in the room by the time someone tries to join the new room. This could be solved by mandating that the server stay in the room somehow, potentially scope creeping to #499. |
|
|
Could I suggest that people comment on a relevant bit of the PR, where possible, so that we can maintain some semblance of threading? |
yes, this sounds sensible. We can always give that a go once the other bits land.
Yeah; this is a more general problem. Let's try to avoid scope-creeping it for now and consider the more general problem separately. |
Indeed. Done.
Yes, this is fair: the doc probably talks too strongly about things which are really client-side choices, and which shouldn't be part of the final C-S spec. Really we were just trying to make sure there was at least one plausible implementation on the client side. I think this is basically https://github.com/matrix-org/matrix-doc/blob/rav/room_upgrades/proposals/1501-room-version-upgrades.md#have-clients-merge-old-and-new-rooms - which, as per that doc, we dismissed for Riot. There'd be nothing stopping different clients making different choices.
Auto-joining: in short we dismissed this because of the high chance of remote joins failing, and it being hard to handle. This is alluded to in the spec: do you think it needs clarifying? Merging: assuming you mean trying to merge the rooms on the server side, https://github.com/matrix-org/matrix-doc/blob/256ad01fd231945be01e1d2e18fb597e2780c595/proposals/1501-room-version-upgrades.md#have-servers-merge-old-and-new-rooms-together talks about this. Can you say what further explanation is needed? |
|
Although I don't want to scope creep, I think it's important that people can get into the new room post-upgrade. Whether that be autojoining (accepting remote failure as non-fatal) or figuring out the routing problem in matrix. |
|
|
||
| * Also the ability for an op to see what versions the servers in the current | ||
| room supports (nb via a cap API) and so how many users will get locked out | ||
| [XXX: really? this sounds like a pita] |
There was a problem hiding this comment.
Aside from knowing what versions other server in the room support, how does a client know what the latest version its own server supports / when to suggest to an admin that a room ought to be upgraded?
There was a problem hiding this comment.
when discussing this with @lampholder when working through the client UX, our suggestion was that a server admin could inject room account data into the accounts of the room ops to nag them to upgrade the room to a newer version, with an optional severity and reason.
There was a problem hiding this comment.
having discussed this with @lampholder more this week, we agreed to put a pin in this topic for now. Certainly we may want to consider how we will advise room ops to do their upgrades, but I think that it's not something we should delay this proposal for.
| hits a new C-S api: | ||
|
|
||
| ``` | ||
| POST /_matrix/client/r0/room/{roomId}/upgrade |
I perceived "It's worth noting" as some kind of "by the way" consideration rather than a blocking argument - especially with the workaround presented in the end. The current text leaves me under impression that it wouldn't be so bad to combine the primary proposal with auto-joining (that will work on the best-effort basis but the obvious fallback will be the user clicking that link to the new room displayed for the tombstone event and trying to join the room manually). For end users the difference between the primary case and the fall-back would be being routed to the new room at once vs. a click on the link to upgrade the room.
The current text is not quite clear on what becomes the showstopper; now that I think more about it. The sheer amount of duplication in the sync as the number of upgrades increases (basically, it's another batch duplicating some other for each upgrade) is the primary problem, right? Maybe that previous sentence could be added to the dismissed proposal, for clarity. |
|
|
||
| ```json | ||
| { | ||
| "replacement_room": "!QtykxKocfsgujksjgd:matrix.org" |
There was a problem hiding this comment.
Shouldn't this be 'successor' to match m.room.create's 'predecessor'?
There was a problem hiding this comment.
possibly. It's worth noting that predecessor is a dict (with room_id and event_id) whereas this is just a room_id, so the similarity is only partial.
I'm not particularly fussed either way. WDYT?
There was a problem hiding this comment.
@dbkr: I'm taking the lack of response to mean that you don't care that much either, and have implemented this as replacement_room.
|
One more comment: do we want to require |
|
Also, a nitpick: in one place the endpoint is defined as |
We're hoping to use this for recreating existing rooms. Since versions numbers are strings, it would be hard to enforce anyway. |
Fixed, thanks |
|
@KitsuneRal : please can you make any future comments via comments on the diff rather than on the whole issue? I'm finding the lack of threading here makes it impossible to keep track of what remains to be addressed. |
| auto-join Bob to the new room, and updates any aliases it may have to point to | ||
| the new room. | ||
|
|
||
| It's worth noting that the join may not be successful: for example, because |
There was a problem hiding this comment.
@KitsuneRal wrote:
I perceived "It's worth noting" as some kind of "by the way" consideration rather than a blocking argument - especially with the workaround presented in the end. The current text leaves me under impression that it wouldn't be so bad to combine the primary proposal with auto-joining (that will work on the best-effort basis but the obvious fallback will be the user clicking that link to the new room displayed for the tombstone event and trying to join the room manually). For end users the difference between the primary case and the fall-back would be being routed to the new room at once vs. a click on the link to upgrade the room.
I am not in favour of things that work 80% of the time and need a completely different solution for the remaining 20%: they tend to confuse users and lead to them thinking things are buggy. (Of course, joins are buggy, but I'm reluctant to build more functionality on top of them instead of taking the time to fix that.)
I'm still in favour of leaving auto-joins out for now. Obviously, this behaviour of "try an auto-join, and otherwise fall back to having the user rejoin" could be implemented later.
|
|
||
| #### Have servers merge old and new rooms together | ||
|
|
||
| Instead of expecting clients to interpret tombstone events, servers could merge |
There was a problem hiding this comment.
@KitsuneRal wrote:
The current text is not quite clear on what becomes the showstopper; now that I think more about it. The sheer amount of duplication in the sync as the number of upgrades increases (basically, it's another batch duplicating some other for each upgrade) is the primary problem, right? Maybe that previous sentence could be added to the dismissed proposal, for clarity.
The showstopper is as per https://github.com/matrix-org/matrix-doc/pull/1502/files#diff-ce167b1ac0f01d8c81d7d9718f396207R218: the server ends up having to do the mapping forever for all rooms and for all users, which is an overhead we don't really want to support.
No problem; I wasn't sure what was better after all the strong words about GitHub's inline comments. |
|
@mujx Will do, sorry! |
| "state_key": "", | ||
| "room_id": "!cURbaf:matrix.org", | ||
| "content": { | ||
| "body": "This room has been replaced", |
There was a problem hiding this comment.
Is this always expected to be this string? can clients influence the description here?
There was a problem hiding this comment.
for now, it's up to the server.
| upgrade (ie, security problems due to state resets and the like) do not apply | ||
| as strongly to invite-only rooms, and we have descoped them for now. | ||
|
|
||
| In future, we will most likely deal with them as follows: |
There was a problem hiding this comment.
Could we somehow deal with it by sending a join event to the new room, and stick a reference to the user's membership event in the old room an the auth_events?
There was a problem hiding this comment.
maybe, but I'm wary of tying too much auth in the new room to auth in the old (broken, possibly completely insecure) room.
| * Displays, at the very bottom of the timeline of the old room: "This room | ||
| has been upgraded. Click here to follow the conversation to the new room". | ||
| The link is simply a permalink to the new room. When Bob opens it, he will | ||
| get joined to the new room. |
There was a problem hiding this comment.
Is it worth saying that if the new room is also tombstoned, then the client should (may?) automatically keep following the chain until it reaches a room that isn't dead?
There was a problem hiding this comment.
yes, I guess that is something worth spelling out.
|
Following up on #1502 (comment):
On reflection, I'm still a bit hesitant to recommend this:
There are probably valid answers to both of those points, but I'm keen that we don't derail this MSC with something that we can equally well consider down the line, with better experience of how things work in practice. I just wanted to jot down a couple of thoughts here for future reference, but let's park this for now. |
- the body of the tombstone is defined by the server. - the client can follow tombstones until it finds a live room
| we are not already a member, and then switches to a view on the new room. | ||
|
|
||
| The client should supply the name of the server which sent the tombstone | ||
| event as the `server_name` for the `/join` request. |
|
|
||
| * I think they'll just show you two separate rooms (both with the same | ||
| name), and you won't be able to talk in one of them. It's not great but it | ||
| will probably do. |
There was a problem hiding this comment.
can we mitigate this by recommending (not mandating) that an m.room.message as well as an m.room.tombstone is sent into the old room (at least until we have fallback events for tombstones) so dumb clients can tell their users what's going on via a plain old IM?
There was a problem hiding this comment.
I guess so. Are you expecting the message to be sent by the client or the server?
|
this lgtm; might be nice to address the two minor q's i had. |
|
🔔 This is now entering its final comment period, as per the review above. 🔔 psst @richvdh, I wasn't able to add the |
|
The final comment period, with a disposition to merge, as per the review above, is now complete. psst @richvdh, I wasn't able to add the |
anoadragon453
added
finished-final-comment-period
and removed
final-comment-period
labels
richvdh
added
spec-pr-missing
richvdh
removed
the
spec-pr-missing
| "state_key": "", | ||
| "room_id": "!QtykxKocfsgujksjgd:matrix.org", | ||
| "content": { | ||
| "version": "2", |
There was a problem hiding this comment.
Post-MSC note: This is actually supposed to be room_version as per MSC1425. Implementation of upgrades appears to use room_version as well.
Proposal for #1501
Rendered: https://github.com/matrix-org/matrix-doc/blob/main/proposals/1501-room-version-upgrades.md
Discussion room: #msc-1501:sw1v.org
(For reference: this doc superceded https://docs.google.com/document/d/1UdXG0grQsS4vhn28yquj79wZqBcFrTWvf3PoFXaKBaY)