archive
/
matrix-spec-proposals
mirror of https://github.com/matrix-org/matrix-spec-proposals
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge 621095732e into d6edcbd946

Browse Source
Jonathan de Jong 2 weeks ago committed by GitHub
parent d6edcbd946 621095732e
commit e0f45dee50
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 197 additions and 0 deletions
Show Stats Download Patch File Download Diff File

197
proposals/3468-mxc-hash.md
Unescape Escape View File

@ -0,0 +1,197 @@
# MSC3468: MXCs to Hashes
Currently, matrix media/content repositories work with a MXC to blob mapping, fetching the media
from the domain embedded in the MXC to present it to the user.
However, this becomes a problem when media retention, redaction, and resiliency come into play,
the singular MXC URI becoming a point of failure once the backing server retracts the URI, either
deliberately (aforementioned redaction), or accidentally (via server reset, or losing the backing media).
This is in opposition to how MXCs are used in matrix today, much like Discord media URLs;
immutable and always online, links are copied and reused across rooms.
## Proposal
I propose for MXCs to be reworked into being a pointer to hashes.
This gives the extra benefit of decoupling aliasing pointers (such as the MXC is) with the underlying media.
Alongside this change, I also propose for an additional client-side endpoint which can quickly "clone"
a MXC. This being done by having the server look up the MXC's hash,
and then creating a new MXC also referencing that hash.
The client-server content API would expose a method for the client to retrieve the hash of a
particular MXC, alongside aforementioned method to clone it.
The server-server content API would add a dedicated fetch method for fetching the hash to a MXC, and
fetching the media to a hash.
### Specification
#### Client-Server
This proposal would like to add the following two methods to CS;
```
POST _matrix/media/v1/clone/{serverName}/{mediaId}
Rate-limited: Yes
Authentication: Yes
Responses:
200: JSON (see below)
429: Ratelimited
503: Could not fetch remote MXC-to-hash mapping
```
200 response:
```json
{
"m.clone.mxc": "mxc://local.server/media_id"
}
```
```
GET _matrix/media/v1/hash/{serverName}/{mediaId}
Rate-limited: Yes
Authentication: Yes
Responses:
200: JSON (see below)
429: Ratelimited
503: Could not fetch remote MXC-to-hash mapping
```
200 response:
```json5
{
"m.mxc.hash": "1234567890abcdef" // hex-encoded hash
}
```
#### Server-Server
This proposal would like to add the following two endpoints to S2S;
```
GET _matrix/federation/v1/media/hash
Rate-limited: No
Authentication: Yes
Query parameters:
media_id: string, the local part of an MXC for which the hash is queried
Responses:
200: Pure-binary encoding of corresponding hash
404: Media ID does not exist
```
```
GET _matrix/media/v1/media/fetch/{hash}
Rate-limited: Yes
Authentication: Yes
Responses:
200: Blob of data corresponding to hash
404: Hash-media not found
429: Ratelimited
```
### "Which hash?"
*Note: this is an area of feedback, this'll be removed in the final draft*
So far, the definition of "hash" has been vague. I think converging on a specific hash function
could be a lock-in for future expansion.
So, i'd like to propose using [`multihash`](https://github.com/multiformats/multihash) for these
purposes, this would allow a common format self-describing the hashes used.
For now, only a set series of hashes would be included (see
[here](https://github.com/multiformats/multicodec/blob/master/table.csv) for a full table), which
can be expanded/deprecated with subsequent matrix spec releases, without changing up the format of
the hash, or documenting checks to differentiate the types of hash used, or to reinvent multihash.
However, this is up for debate.
## Motivation
This MSC wishes to unblock efforts for media retention and redaction;
- https://github.com/matrix-org/synapse/issues/6832
- https://github.com/matrix-org/matrix-doc/issues/701
By addition of the `/clone` endpoint, any client wishing to preserve media, can do so by simply
fetching/storing media locally, reducing the linkrot effect that remote servers redacting media
could have.
This MSC would also wish to make matrix more flexible for diverse media delivery systems.
Mapping MXCs to hashes could allow the hashes themselves to become self-verifying keys in any
(centralized or distributed) KV store.
This, in turn, could prepare matrix better for P2P efforts.
This MSC also wishes to make matrix content delivery more resilient, with the exception of mapping a
MXC alias to a hash, a hash could be retrieved from anywhere, and still be self-verifying,
considerably lessening the bus factor, and allowing for better distributed load (see the first
"future extension" in below section)
## Potential issues
This could have a slight performance hit, as an extra RTT between servers is needed to fetch the
media actual, after fetching the hash corresponding to that bit of media.
I think this is a more acceptable tradeoff, an alternative would be to side-channel the hash in a
header, in an endpoint fetching directly from a MXC.
## Future extensions
*Note: this is free-form speculation, and serves to illustrate how future MSCs can extend the
behavior this MSC is enabling.*
A possible extension would be a server-server endpoint which requests what recommended content
endpoints would be to fetch hashes from.
(I.e. a server would ask `/media/endpoints`, and the server can respond with
`["https://common.caching.server", "https://matrix.org"]`, in decreasing order of priority)
This can be helpful when servers share a common "media server", as is the case today with
[matrix-media-repo](https://github.com/turt2live/matrix-media-repo), which "tricks" federation by
redirecting any request for media to itself. This future extension would formalize this process.
This would also be helpful with dealing with "thundering herds", as servers can be redirected to
multiple servers to fetch media from a hash from.
(However, as-is, this could have security problems with DoS-ing, issues with cache invalidation
after redacting media, and possibly more. This is only to illustrate flexibility.)
Another possible extension could be to allow to tap in natively to decentralized media stores, which
often key their data to hashes. This could make media P2P easier to implement and work with.
One last possible extension is to add `410` to every endpoint pertaining fetching media, this could
help with communicating that media has been deleted to servers and clients.
## Security considerations
A big part of this MSC's motivation is to unblock media redaction/retention efforts. However, that
does not mean this MSC should be blind to the struggle of containing unsavory media across
federation.
This MSC adds a `/clone` endpoint, by which a client, on any server, could easily "copy" media,
seemingly making containment efforts useless.
However, at a room-level, and possibly a server-level, hashes themselves could be banned. This can
be implementation-specific, or be built-into bots like mjolnir.
## Unstable prefix
This MSC uses the unstable prefix `nl.automatia.msc3468`;
- `_matrix/media/nl.automatia.msc3468/clone/{serverName}/{mediaId}`
- `_matrix/media/nl.automatia.msc3468/hash/{serverName}/{mediaId}`
- `_matrix/federation/nl.automatia.msc3468/media/hash`
- `_matrix/media/nl.automatia.msc3468/media/fetch/{hash}`
- `nl.automatia.msc3468.clone.mxc`
- `nl.automatia.msc3468.mxc.hash`
Write Preview
Loading…
Cancel
Save