MSC3676: Transitioning away from reply fallbacks

proposals/3676-transitioning-away-from-reply-fallbacks.md

@@ -0,0 +1,89 @@
+# MSC3676: Transitioning away from reply fallbacks.
+
+## Problem
+
+As per [MSC2781](https://github.com/matrix-org/matrix-doc/pull/2781)
+(Remove reply fallbacks), the current reply fallback implementation is very
+problematic:
+ * Its quotes leak history which may not be visible to the user
+ * The quoted sections may trigger unexpected notifications
+ * `<mx-reply/>` tags are hard and dangerous to manipulate, and have caused
+   multiple vulnerabilities in clients
+ * They don't localise.
+
+[MSC2781](https://github.com/matrix-org/matrix-doc/pull/2781) proposes
+removing them entirely.  However, this triggers a relatively large cascade of
+additional dependent work:
+ * Some users rely on their mxid existing in fallbacks to notified when
+   someone replies to their messages.  So we'd need to create and implement
+   new push rules to recreate this feature ([MSC3664](https://github.com/matrix-org/matrix-doc/pull/3664)).
+ * The push rules are even more complicated than expected for this, because
+   they also would need to stop replies which are used as fallback for
+   threads (as per [MSC3440](https://github.com/matrix-org/matrix-doc/pull/3440))
+   from firing notifications.
+ * In the absence of fallbacks, in order to render replies simple clients will
+   now have to parse `m.in_reply_to` objects and fish around for the missing
+   events (or ask the server to bundle the replies, which is not yet a
+   thing).
+
+Meanwhile, [MSC3440](https://github.com/matrix-org/matrix-doc/pull/3440)
+(Threads) uses replies as a fallback representation for threads (which is
+very desirable to support clients while the threads transition is happening,
+or to support simpler clients which support replies but not threads).
+However, currently `m.in_reply_to` is only allowed on `m.room.message` events
+of msgtype `m.text`, which means it cannot currently be used as a fallback
+for arbitrary threaded events.
+
+## Proposal
+
+As a transitional step towards removing reply fallbacks entirely, instead: we
+make reply fallbacks best effort.  Specifically:
+
+ * `m.in_reply_to` is relaxed to apply to any event type
+ * In practice only `m.room.message` events with msgtype `m.text` or similar
+   (`m.emote`, `m.notice`) would be able to express reply fallbacks (using the
+   `m.body`, `format` and `formatted_body` fields).
+ * Thread events using replies as a fallback representation for threads should
+   not include a textual reply fallback at all (and so avoid threaded messages
+   triggering notifications).  The same would apply for any other usage which uses
+   replies as a fallback.
+
+This means that we can still use reply fallbacks for notification purposes
+until that is properly fixed by [MSC2781](https://github.com/matrix-org/matrix-doc/pull/2781)
+and [MSC3664](https://github.com/matrix-org/matrix-doc/pull/3664) - decoupling this
+additional work from landing threads in
+[MSC3440](https://github.com/matrix-org/matrix-doc/pull/3440).
+Replying to a message with an attachment won't trigger a notification, but
+this is no worse than the behaviour today.
+
+## Alternatives
+
+We could remove fallbacks entirely and do all the subsequent work needed to
+support that ([MSC2781](https://github.com/matrix-org/matrix-doc/pull/2781),
+[MSC3664](https://github.com/matrix-org/matrix-doc/pull/3664) and whatever
+MSC handles thread+fallback notification interaction).  However,
+we believe that adding threads to Matrix is (much) higher priority and
+value for Matrix than cleaning up edge cases around reply fallbacks, and
+given the two can be decoupled, they should be.  The importance of threads is
+based on the fact that we're seeing Matrix repeatedly fail to be selected as
+a collaboration technology thanks to other alternatives supporting
+Slack-style threads.
+
+We could not use `m.in_reply_to` as a fallback for clients which don't
+understand `m.thread`, but this would result in an unnecessarily
+terrible fallback for older/transitional/WIP/simple clients.
+
+## Security 
+
+By temporarily keeping reply fallbacks around on a best effort basis, we're
+still vulnerable to their security risks.  Client implementors should read
+the [security issues highlighted in MSC2781](https://github.com/deepbluev7/matrix-doc/blob/drop-the-fallbacks/proposals/2781-down-with-the-fallbacks.md#appendix-b-issues-with-the-current-fallbacks)
+if implementing reply fallbacks. 
+
+## Unstable prefix
+
+None needed.
+
+## Dependencies
+
+None. (MSC3440 will depend on this, however)