It sucks that remote media which has been subsequently quarantined/removed by the host is still cached on our end. Until Matrix truly federates media, we can plug the gap by using Matrix itself or on top of the media repo stack:
Possible solution 1: Fill a room with hashes to quarantine
Bots operated by the media repo would join a collective room set in the config and advertise their quarantined media there when it happens. It would only contain the hashes to avoid media IDs being discovered. The media repos listening in the room would search their records for that hash and quarantine it if needed.
To ensure that someone can't just pump hashes into the room, we could require the media repo be configured with a signing key (https://github.com/turt2live/matrix-media-repo/issues/118) and sign a specific media object off the repo (e.g. mxc://example.org/media_repo_signature). The signature should allow for multiple homeservers to sign, giving a single user ID control over several homeservers' worth of media (and also not requiring that an account be provisioned per homeserver). The media repos would use the signature to only quarantine/delete media from that host (honouring the deletion request).
Advantages:
Global "ban" list
Historical record of hashes to avoid in the future
Disadvantages:
Spammy
Requires a signing key
Centralized (you only quarantine media if you're part of the cool kids in the room)
Possible solution 2: Fill a room, but have repos subscribe instead
Instead of signing some objects and gathering into a room, a custom API or media object could be used to advertise a room which other media repos should join to quarantine media. For example, if mxc://example.org/media_repo_quarantine_feed pointed to !abcdef:example.org, then any hashes in !abcdef:example.org could be quarantined/deleted if posted for example.org.
Advantages:
Media repo gets to control where people get pointed to (they could fork the ban list off to a larger homeserver which is capable of handling multiple parties in the room)
Doesn't involve complicated setup from an admin
Disadvantages:
Historical record could be lost (admin changes room permissions, or changes the room ID entirely)
If the room is invite only, the media repo is unable to quarantine the host's media (maybe this is a feature though? It's mostly not, but it could be?)
Not reliant on a giant room
Possible solution 3: Polling
The media repo could poll the media and/or a well-specified hash listing to quarantine/delete media from.
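
The receiving side of solution 1, as an added example (not part of the original issue and not matrix-media-repo code): a listening repo verifies a signed hash announcement and quarantines only cached media from the host that signed it. The `Announcement` and `CachedMedia` shapes, the use of Ed25519, the signed-bytes layout and the key lookup map are all assumptions; the issue does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Announcement is a hypothetical room event: Origin vouches that it quarantined this hash.
type Announcement struct {
	Origin, Sha256Hex string
	Signature         []byte
}

// CachedMedia is a hypothetical record of remote media cached locally.
type CachedMedia struct {
	Origin, MediaID, Sha256Hex string
	Quarantined                bool
}

// SignedBytes binds the hash to the origin so a signature cannot be replayed for another host.
func SignedBytes(origin, hash string) []byte {
	return []byte("quarantine\x00" + origin + "\x00" + hash)
}

// Apply verifies against a.Origin's key, then quarantines only that origin's cached media.
func Apply(a Announcement, keys map[string]ed25519.PublicKey, cache []CachedMedia) (int, error) {
	pub, ok := keys[a.Origin]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return 0, fmt.Errorf("no usable signing key for %s", a.Origin)
	}
	if !ed25519.Verify(pub, SignedBytes(a.Origin, a.Sha256Hex), a.Signature) {
		return 0, fmt.Errorf("signature does not verify for %s", a.Origin)
	}
	n := 0
	for i := range cache {
		if m := &cache[i]; m.Origin == a.Origin && m.Sha256Hex == a.Sha256Hex && !m.Quarantined {
			m.Quarantined, n = true, n+1
		}
	}
	return n, nil
}

func main() {
	// Constructed sample data; the key would come from the origin's signed media object.
	pub, priv, _ := ed25519.GenerateKey(nil)
	cache := []CachedMedia{{"example.org", "abc", "h1", false}, {"other.example", "xyz", "h1", false}}
	a := Announcement{"example.org", "h1", ed25519.Sign(priv, SignedBytes("example.org", "h1"))}
	n, err := Apply(a, map[string]ed25519.PublicKey{"example.org": pub}, cache)
	fmt.Println(n, err, cache)
}
```

The same hash cached from `other.example` is left alone, which is the "only quarantine/delete media from that host" scoping described under solution 1.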