What is the value in federation if people can come away with different opinions as to what was said in a conversation? E.g., a $$ contract negotiation and an attacker using something like a msg replay attack that gives different sides different views of what the contract value is.
Edit: Or does federation mean proxying & replication in this case?
I don't think you've understood the design decision.
Matrix isn't a distributed ledger, and doesn't provide transactional guarantees. For unencrypted conversation, the user trusts their server not to spoof their messages. Other servers cannot spoof history as messages are signed into a room DAG. The worst scenario is that a malicious server could indeed withhold messages from a room DAG, and this would be indistinguishable from a network partition or a slow server.
The way we mitigate your own server attacking your conversations is at the E2EE layer - ensuring the messages are encrypted by the right user and spotting replay attacks based on signed E2EE metadata.
There's no mitigation for servers dropping your messages, however, but practically that has little value - you're not going to be able to use it to give different sides of a $$ contract negotiation different views of what the contract value is.
I don't understand the distinction you are making between a distributed ledger and distributed consistency.
I suspect it will be easy to create a byzantine error avalanche with your current design - or break consistency (e.g. different views).
I'd be keen to see what aphyr could do with a jepsen test. Perhaps you could run an open hack matrix contest to see what people can achieve. It might surprise you.
I'm saying that Matrix does not aim to be globally consistent within a room, or even seek consensus.
It's perfectly valid and indeed desirable for the network to partition, and for one side of the network to go off talking amongst itself, and the other side to continue, and then for the conversation to join up again afterwards.
Different views are a feature. Imagine you're using P2P Matrix to stay in touch while hiking - you fire up ad hoc wifi, use mDNS to discover other peers, and get chatting away. Some people drift in and out of contact, and perhaps even the party splits. But the conversation continues fine for those still present in it. Nobody can spoof each other's messages; nobody can replay each other's messages; nobody can reorder messages; the worst that can happen is for messages to get withheld, maliciously or otherwise.
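A toy model of the guarantees described in the two replies above, added here as an illustration and not Matrix's own code: each event is identified by a hash over its origin, content and parent events, and signed by its origin server, so a spoofed, replayed or reordered event is rejected, while a withheld event simply leaves an unknown parent that is indistinguishable from a partition. The server names, messages and the HMAC stand-in for Matrix's ed25519 event signatures are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo keys. Matrix signs events with per-server ed25519 keys;
# HMAC is a stdlib-only stand-in, and only the named server is assumed to hold its key.
KEYS = {"alice.example": b"k-a", "bob.example": b"k-b", "mallory.example": b"k-m"}

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def content_id(ev):
    core = {k: v for k, v in ev.items() if k not in ("sig", "event_id")}
    return hashlib.sha256(canonical(core)).hexdigest()[:16]

def sign(server, ev):
    unsigned = {k: v for k, v in ev.items() if k != "sig"}
    return hmac.new(KEYS[server], canonical(unsigned), "sha256").hexdigest()

def make_event(origin, body, prev_events, signer=None):
    # The id covers origin, body and parents: moving or editing an event changes it.
    ev = {"origin": origin, "body": body, "prev_events": sorted(prev_events)}
    ev["event_id"] = content_id(ev)
    ev["sig"] = sign(signer or origin, ev)  # signer != origin models a spoof attempt
    return ev

def receive(dag, ev):
    """Apply one event to a server's view of the room DAG (dict of id -> event)."""
    if ev["event_id"] != content_id(ev):
        return "rejected: id/content mismatch (tampered or reordered)"
    if not hmac.compare_digest(ev["sig"], sign(ev["origin"], ev)):
        return "rejected: bad signature for claimed origin (spoof)"
    if ev["event_id"] in dag:
        return "ignored: duplicate event_id (replay)"
    if any(p not in dag for p in ev["prev_events"]):
        return "held: unknown parent (partition and withholding look identical)"
    dag[ev["event_id"]] = ev
    return "accepted"

def demo():
    a, b, dag = "alice.example", "bob.example", {}
    e1 = make_event(a, "offer: 100", [])
    e2 = make_event(b, "counter: 90", [e1["event_id"]])
    e3 = make_event(a, "accept: 90", [e2["event_id"]])
    r = {"chain": [receive(dag, e) for e in (e1, e2, e3)]}
    r["replay"] = receive(dag, e2)
    r["spoof"] = receive(dag, make_event(a, "accept: 50", [e2["event_id"]], signer="mallory.example"))
    r["reorder"] = receive(dag, dict(e3, prev_events=[e1["event_id"]]))
    other = {e1["event_id"]: e1}  # a second server that never got e2
    r["withheld"] = receive(other, e3)
    return r
```

The "held" case is the point of the thread: the receiving server cannot tell a malicious server withholding e2 from a slow link, so the only possible outcome is a gap, not a forged or re-sequenced message.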
> I'd be keen to see what aphyr could do with a jepsen test.
Me too. We're overdue an audit, and we'll reach out (assuming he's not too fiendishly expensive).
> Perhaps you could run an open hack matrix contest to see what people can achieve. It might surprise you.
There's already quite a high incentive on the open network to show off by exploiting bugs in Matrix - which is what helped accelerate the v2 of the state resolution algorithm that I tried to link earlier.
Separately, the French government maintains a bounty for their Matrix deployment over at https://yeswehack.com/programs/tchap - and we're also looking forward to an academic paper being published in the coming weeks which is a super deep dive into analysing and auditing our state resolution alg. It might surprise you.