m.room.aliases
tries to be a list of possible aliases for a given room; useful
for discovering alternative routes into a room (for those already in the
room), and for educating users about how Matrix works by illustrating multiple
aliases per room. It also helps give a perception of the size of the network
(look how many people found it useful to set an alias for this room!).
However, it has problems:
- Anyone can create aliases for rooms, which are unilaterally added to
m.room.aliases
and cannot be removed by the room admin, allowing abuse. m.room.aliases
can get out of sync if server admins remove aliases from their server, or add new ones without updating them.room.aliases
for that room.
We let users define aliases for their rooms, but empower room admins to curate
the alisaes which are advertised in m.room.aliases
. This means:
- Anyone can create/delete aliases in their server's room directory (modulo any implementation-specific restrictions the server imposes)
- If the user has the PL required to set the m.room.aliases event for the
room, these aliases get added to the room's state by the server on behalf of
the user. Users can only set aliases event(s) for their own server.
- (The user could also try to set this manually and deliberately desync the event, which is considered acceptable risk. In theory the client could weed these out by refusing to display aliases which don't point to the room. In practice, we could consider malicious aliases like these to be abusive and solve this problem via moderation, as per below).
- To moderate the alias list, admins can redact malicious aliases, or set the
PL for
m.room.aliases
to prevent randoms publishing addresses to their rooms in the first place. - When an alias is deleted on the server directory, that server should remove
it from the
m.room.aliases
event (on behalf of that user) to keep the aliases event in sync with the directory.
Sadly I don't think github lets you do inline comments on gists, so...
It sounds plausible, but I think a key thing to my understanding of the proposal is that I'm not quite sure what you envisage the auth rules will look like. Are you suggesting that we remove the special-case on
m.room.aliases
and auth it as a normal state event, or something more subtle than that?In other words, I'm not clear if you're proposing something different to (my) msc2260, or just looking to express it in a different way. That's probably my fault for failing to make msc2260 legible, but either way, I'm afraid I'm not quite following this.