When we redact events, any mxc content they refer to should be redacted too (SYN-216)

[matrixbot]

It's a bit of a disasterous thinko that we can redact events which point to stuff in the media repo, and that content is subsequently preserved even though the event is nuked. We should rm it and its caches too (assuming the HS is honouring redactions).

(Imported from https://matrix.org/jira/browse/SYN-216)

(Reported by @ara4n)

[matrixbot]

Jira watchers: @ara4n

[matrixbot]

Links exported from Jira:

relates to SYN-576

[ara4n]

We just had a minor disaster with this happening (the MXC URL was bridged to IRC, so redacting the content on Matrix was achieving nothing). This should be trivial to fix...

[erikjohnston]

We should make sure the content isn't completed deleted, for moderation purposes.

…

On Fri, 6 Jan 2017, 19:08 Matthew Hodgson, ***@***.***> wrote: We just had a minor disaster with this happening (the MXC URL was bridged to IRC, so redacting the content on Matrix was achieving nothing). This should be trivial to fix... — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1263 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AICaWKhfOgyL8L1dg3CnQXGgt_Jiuv1Lks5rPozFgaJpZM4Lc_jV> .

[ara4n]

I wonder whether a good enough compromise would be for HSes purge redacted data after a few days (Windows Recycle Bin stylee), albeit with the option of configuring the retention per HS. The idea that sensitive data can be left visible to HS admins (and clogging up diskspace) indefinitely, after being redacted, feels undesirable and unintuitive.

[jfrederickson]

This came up in #matrix:matrix.org earlier today - as an HS admin, I would really really like to be able to configure my HS to purge redacted content. At the very least, I don't want my HS to continue to serve requests for it from the media repo.

Specifically in reference to illicit content, continuing to serve it from my HS could put me in a really tough spot, legally. And if it's redacted and therefore not easy to find in the first place...

[uhoreg]

Of course, you have to be careful that the mxc content isn't referred to by a different event (possibly including an encrypted event).

[rkfg]

This is absolutely needed to keep the homeserver storage relatively small. I set it up on a VPS and it's growing constantly. It'll become a problem in several months. At the same time we should preserve some content and maybe events from deletion like avatars of users and rooms. It would not be nice to suddenly lose them after a maintenance cycle.