[Standards] MAM: Conflicting storage prefs behaviour

Ruslan N. Marchenko me at ruff.mobi
Sun Feb 19 13:48:10 UTC 2017


Good afternoon,


I'm preparing an implementation of MAM and since there are very few 
details in XEP-0313 about actual archiving, mostly about querying - 
I believe the archiving process is then left at the discretion of the 
implementers.


Now, to avoid storing multiple copies of the message for a given server, to 
me it makes sense to store the message while it is being routed. Certain 
central server archiving. Probably not blindly archive everything but 
rather as a _union all_ of all user prefs. And retrieval will just query 
that central db and wrap the message in the necessary XML layers. Since there's 
no archive modification in the MAM scope - there's no reason not to do 
it and it should be quite efficient.

And here is where the _potential_ conflict comes.

Romeo@montague.lit informs the server it should only archive messages to 
Juliet@capulet.lit because he doesn't want to miss a thing by losing it 
in tonnes of interactions, or perhaps he wants certain privacy in his 
archive, who knows:

<iq type='set' id='romeo1'>
   <prefs xmlns='urn:xmpp:mam:1' default='never'>
     <always>
       <jid>juliet@capulet.lit</jid>
     </always>
   </prefs>
</iq>

_Note: in the above I've missed <never/> because the XEP does not require it. It says the server must return it in the "result" but nothing about the client sending the full prefs bucket in "set"._

However Mercutio@montague.lit informs the server to store roster and probably some other prefs:

<iq type='set' id='mercut1'>
   <prefs xmlns='urn:xmpp:mam:1' default='roster'>
     <always>
       <jid>romeo@montague.lit</jid>
     </always>
     <never>
       <jid>tybalt@capulet.lit</jid>
     </never>
   </prefs>
</iq>

Now, server will apparently store conversation between Romeo and Mercutio, the question is then - should server keep silent to Romeo that it has his other conversations?
If Romeo later changes his preferences to include those of Mercutio - should server reveal it actually has some messages to consume?
If yes - it exposes certain privacy risk: If I didn't ask to store message, and server stores them - then the other side requested them to be stored.
If no - it would require tracking storage prefs windows and apply them all the way through the time, or add metadata listing who was eligible user of the stored message at the time of storing it. Which still is a bit cumbersome.

Or the best practices here should be to never mix archives and keep a separate copy for each user according to his current preferences at any given time? Could user request to purge the archive?

On the other hand the whole XEP says it's up to the server what to store, hence it may return something absolutely different compared to what it was asked for - prefs are rather hints (may/should) not orders (must).
Then perhaps in this particular implementation it would make sense to disable prefs and store everything instead to avoid the conflict/leak?

Regards,
Ruslan
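
Added example, not part of the original message or of any server's code: a sketch of the "metadata listing who was eligible at the time of storing" option raised above, with one shared copy per message and query visibility fixed at store time. The class names, the evaluation order of the never/always lists, and the message bodies are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Prefs:
    default: str = "never"  # 'always' | 'never' | 'roster'
    always: set = field(default_factory=set)
    never: set = field(default_factory=set)

    def wants(self, peer, roster):
        # Assumed order for this sketch: never list, always list, then default.
        if peer in self.never:
            return False
        if peer in self.always:
            return True
        if self.default == "roster":
            return peer in roster
        return self.default == "always"

class SharedArchive:
    """One stored copy per message, tagged with who was eligible at store time."""
    def __init__(self):
        self.prefs, self.rosters, self.rows = {}, {}, []

    def route(self, sender, recipient, body):
        # Only local users have prefs; evaluate each party against the other.
        eligible = frozenset(
            user for user, peer in ((sender, recipient), (recipient, sender))
            if user in self.prefs
            and self.prefs[user].wants(peer, self.rosters.get(user, set()))
        )
        if eligible:  # union of all user prefs: store once if anyone wants it
            self.rows.append((sender, recipient, body, eligible))

    def query(self, user):
        # Visibility comes from the stored tag, never from current prefs.
        return [body for _, _, body, eligible in self.rows if user in eligible]

def demo():
    a = SharedArchive()
    a.prefs["romeo@montague.lit"] = Prefs("never", {"juliet@capulet.lit"})
    a.prefs["mercutio@montague.lit"] = Prefs(
        "roster", {"romeo@montague.lit"}, {"tybalt@capulet.lit"})
    a.route("mercutio@montague.lit", "romeo@montague.lit", "constructed msg 1")
    a.route("romeo@montague.lit", "juliet@capulet.lit", "constructed msg 2")
    before = a.query("romeo@montague.lit")
    # Romeo later widens his prefs; rows stored only for Mercutio stay hidden.
    a.prefs["romeo@montague.lit"] = Prefs("always")
    a.route("mercutio@montague.lit", "romeo@montague.lit", "constructed msg 3")
    return before, a.query("romeo@montague.lit"), a.query("mercutio@montague.lit")
```

Because the eligibility set is frozen when the row is written, Romeo's later preference change exposes only messages routed after it, so the archive does not reveal that another party had requested storage earlier.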


