regression: Policy server signatures are applied too aggressively #1815

New issue

Closed

opened 2026-05-26 09:11:15 +00:00 by nex · 1 comment

nex commented 2026-05-26 09:11:15 +00:00

Owner

Copy link

As of #1487, policy server checks are applied too aggressively. In #offtopic, my server has resolved the current policy server state event to the one pointing at asgard.chat, not correctly continuwuity.org. ellis.link is getting signatures from continuwuity.org, but my server doesn't care, since as far as it is concerned, .org isn't the policy server. It is then asking asgard.chat for a signature on the fly, which is correct behaviour, and doesn't get one back as the room is not protected by that server anymore. However, the unexpected behaviour is that this then fails a signature check, which is weird, because there isn't a signature to check? This then results in the event being soft-failed and/or not upgraded from an outlier to timeline event.

2026-05-26T09:01:45.176921Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}: conduwuit_api::server::send: Processing transaction pdus=1 edus=0
2026-05-26T09:01:45.181945Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_outlier_pdu: Fetching 2 missing auth events for outlier event $OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34
2026-05-26T09:01:45.182026Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_outlier_pdu: Checking based on auth events
2026-05-26T09:01:45.182864Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_incoming_pdu: Handling previous events events=["$3w28C6ZNJ9S206zmkOIC78RUhqNKLuj8hMPcLD0Ji6k", "$eRz86zXxS9sGorB-x_aTXz3crfka9yrdQ8mmZunrXy4", "$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q", "$I6HOAFM1WWkZ85lMuqrEo7UYh7uESHPRTSlusAfOCmE", "$9uscgr0ri5qdcd8fuwxS2KFWmV3Rw_03vET8i0ZZeMg"]
2026-05-26T09:01:45.184115Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Upgrading PDU from outlier to timeline event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.184135Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Resolving state at event event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.515072Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Performing auth check to upgrade event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.515110Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Running initial auth check event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.516786Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Gathering auth events event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.516823Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth types for event auth_types=[("m.room.power_levels", ""), ("m.room.member", "@jade:ellis.link")]
2026-05-26T09:01:45.517004Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth events to fetch sauthevents={17994135: ("m.room.member", "@jade:ellis.link"), 17: ("m.room.power_levels", "")}
2026-05-26T09:01:45.517070Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth events found in state state_keys=[("m.room.power_levels", ""), ("m.room.member", "@jade:ellis.link")] event_ids=[195625637, 219223386]
2026-05-26T09:01:45.517318Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Running auth check with claimed state auth event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.517382Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Performing soft-fail check event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.540422Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Checking policy server for event event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q
2026-05-26T09:01:45.541818Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: No (valid) policy server signature present on event
2026-05-26T09:01:45.541837Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: Event is incoming but does not have a valid policy server signature; asking policy server to sign it now via=asgard.chat
2026-05-26T09:01:45.541935Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: Asking policy server to sign event ps.via=asgard.chat
2026-05-26T09:01:45.541956Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Requesting policy server signature
2026-05-26T09:01:45.542727Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}:request:fed{dest="asgard.chat"}: conduwuit_service::federation::execute: Sending request method=POST url=https://matrix.asgard.chat/_matrix/policy/v1/sign
2026-05-26T09:01:45.669977Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}:request:fed{dest="asgard.chat"}: conduwuit_service::federation::execute: Got 404 for POST https://matrix.asgard.chat/_matrix/policy/v1/sign
2026-05-26T09:01:45.670022Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Error from policy server: Answer from asgard.chat: [404 / M_NOT_FOUND] Policy server error: room is not protected
2026-05-26T09:01:45.670030Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Policy server is not actually a policy server or is not protecting this room: Answer from asgard.chat: [404 / M_NOT_FOUND] Policy server error: room is not protected via=asgard.chat event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk
2026-05-26T09:01:45.670055Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: No (valid) policy server signature present on event
2026-05-26T09:01:45.670106Z  WARN process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_incoming_pdu: Prev $u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q failed: Unknown: Policy server signature was made with a different key to the one advertised

---

potential problem area: handle_policy_server_error returns a fail-open Ok(()), indicating that the request was "allowed" by the policy server:

src/service/rooms/event_handler/policy_server.rs

Lines 267 to 275 in 5f95943

	| StatusCode::NOT_FOUND => {
	debug_info!(
	via = %via,
	event_id = %pdu.event_id(),
	%room_id,
	"Policy server is not actually a policy server or is not protecting this room: {}",
	error.message()
	);
	Ok(())

However, policy_server_allows_event expects an error to be returned if there was no signature. This would cause the event to be soft-failed as it was "rejected" as "spam", however when it does not receive an error, it assumes the event was signed, and always calls verify_policy_signature with the expected policy server data (which we have established isn't correct in this scenario):

src/service/rooms/event_handler/policy_server.rs

Lines 207 to 220 in 5f95943

	self.fetch_policy_server_signature(pdu, pdu_json, &ps.via, outgoing, room_id, ps_key, 0)
	.await?;
	// Verify that the policy server signature was made with the same public key as
	// is in the state event, not just that it was signed.
	if verify_policy_signature(&ps.via, ps_key, pdu_json, &room_version_rules.redaction) {
	Ok(())
	} else {
	Err(Error::Request(
	ErrorKind::Unknown,
	"Policy server signature was made with a different key to the one advertised".into(),
	StatusCode::BAD_GATEWAY,
	))
	}

As of #1487, policy server checks are applied too aggressively. In #offtopic, my server has resolved the current policy server state event to the one pointing at `asgard.chat`, not correctly `continuwuity.org`. ellis.link is getting signatures from continuwuity.org, but my server doesn't care, since as far as it is concerned, .org isn't the policy server. It is then asking asgard.chat for a signature on the fly, which is correct behaviour, and doesn't get one back as the room is not protected by that server anymore. However, the unexpected behaviour is that this then fails a *signature check*, which is weird, because there isn't a signature to check? This then results in the event being soft-failed and/or not upgraded from an outlier to timeline event. ``` 2026-05-26T09:01:45.176921Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}: conduwuit_api::server::send: Processing transaction pdus=1 edus=0 2026-05-26T09:01:45.181945Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_outlier_pdu: Fetching 2 missing auth events for outlier event $OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34 2026-05-26T09:01:45.182026Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_outlier_pdu: Checking based on auth events 2026-05-26T09:01:45.182864Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_incoming_pdu: Handling previous events events=["$3w28C6ZNJ9S206zmkOIC78RUhqNKLuj8hMPcLD0Ji6k", "$eRz86zXxS9sGorB-x_aTXz3crfka9yrdQ8mmZunrXy4", "$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q", "$I6HOAFM1WWkZ85lMuqrEo7UYh7uESHPRTSlusAfOCmE", "$9uscgr0ri5qdcd8fuwxS2KFWmV3Rw_03vET8i0ZZeMg"] 2026-05-26T09:01:45.184115Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Upgrading PDU from outlier to timeline event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.184135Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Resolving state at event event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.515072Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Performing auth check to upgrade event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.515110Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Running initial auth check event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.516786Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Gathering auth events event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.516823Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth types for event auth_types=[("m.room.power_levels", ""), ("m.room.member", "@jade:ellis.link")] 2026-05-26T09:01:45.517004Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth events to fetch sauthevents={17994135: ("m.room.member", "@jade:ellis.link"), 17: ("m.room.power_levels", "")} 2026-05-26T09:01:45.517070Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::state: Auth events found in state state_keys=[("m.room.power_levels", ""), ("m.room.member", "@jade:ellis.link")] event_ids=[195625637, 219223386] 2026-05-26T09:01:45.517318Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Running auth check with claimed state auth event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.517382Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Performing soft-fail check event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.540422Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}: conduwuit_service::rooms::event_handler::upgrade_outlier_pdu: Checking policy server for event event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q 2026-05-26T09:01:45.541818Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: No (valid) policy server signature present on event 2026-05-26T09:01:45.541837Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: Event is incoming but does not have a valid policy server signature; asking policy server to sign it now via=asgard.chat 2026-05-26T09:01:45.541935Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: Asking policy server to sign event ps.via=asgard.chat 2026-05-26T09:01:45.541956Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Requesting policy server signature 2026-05-26T09:01:45.542727Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}:request:fed{dest="asgard.chat"}: conduwuit_service::federation::execute: Sending request method=POST url=https://matrix.asgard.chat/_matrix/policy/v1/sign 2026-05-26T09:01:45.669977Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}:request:fed{dest="asgard.chat"}: conduwuit_service::federation::execute: Got 404 for POST https://matrix.asgard.chat/_matrix/policy/v1/sign 2026-05-26T09:01:45.670022Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Error from policy server: Answer from asgard.chat: [404 / M_NOT_FOUND] Policy server error: room is not protected 2026-05-26T09:01:45.670030Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}:fetch_policy_server_signature{event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q via=asgard.chat}: conduwuit_service::rooms::event_handler::policy_server: Policy server is not actually a policy server or is not protecting this room: Answer from asgard.chat: [404 / M_NOT_FOUND] Policy server error: room is not protected via=asgard.chat event_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk 2026-05-26T09:01:45.670055Z DEBUG process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}:prev{prev_id=$u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q}:policy_server_allows_event{room_id="!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk" incoming=true}: conduwuit_service::rooms::event_handler::policy_server: No (valid) policy server signature present on event 2026-05-26T09:01:45.670106Z WARN process_inbound_transaction{id="q4GV23zJpNoS6i8i6I5HgPWgP-Ro6kiIEXKpZWkFoDE" origin="ellis.link"}:pdu{room_id=!c10y-fNiMx5ijtgGFibzPUfNs9hpQvnJYPTV-fD2KPk event_id=$OmA9hkUECYORczpvkqbZgyhBaJuQgFI34N6U89ERZ34}: conduwuit_service::rooms::event_handler::handle_incoming_pdu: Prev $u8LyF1CFTVGyYyc81o_xA-fI4CWwzoF7A87eZnrCU2Q failed: Unknown: Policy server signature was made with a different key to the one advertised ``` --- potential problem area: `handle_policy_server_error` returns a fail-open `Ok(())`, indicating that the request was "allowed" by the policy server: https://forgejo.ellis.link/continuwuation/continuwuity/src/commit/5f9594363dce1df851773e8bca9753d656c2abd2/src/service/rooms/event_handler/policy_server.rs#L267-L275 However, `policy_server_allows_event` expects an error to be returned if there was no signature. This would cause the event to be soft-failed as it was "rejected" as "spam", however when it does not receive an error, it assumes the event was signed, and always calls `verify_policy_signature` with the *expected* policy server data (which we have established isn't correct in this scenario): https://forgejo.ellis.link/continuwuation/continuwuity/src/commit/5f9594363dce1df851773e8bca9753d656c2abd2/src/service/rooms/event_handler/policy_server.rs#L207-L220

nex added the

Bug

Matrix/Core

Priority

High

Status

Confirmed

Matrix/T&S

labels 2026-05-26 09:11:15 +00:00

nex self-assigned this 2026-05-26 09:11:15 +00:00

nex commented 2026-05-26 09:27:27 +00:00

Author

Owner

Copy link

to further note: policy_server_allows_event probably shouldn't return that differing-key error when checking incoming events, it should return forbidden instead, so that the event gets soft failed instead of left as an outlier, per server-server § 27.2 Validating Policy Server signatures. The "key differs" M_UNKNOWN is meant to prevent us creating events that fail that check, not persisting incoming ones.

to further note: `policy_server_allows_event` probably shouldn't return that differing-key error when checking incoming events, it should return forbidden instead, so that the event gets soft failed instead of left as an outlier, per [server-server § 27.2 Validating Policy Server signatures](https://spec.matrix.org/v1.18/server-server-api/#validating-policy-server-signatures:~:text=if%20the%20Policy%20Server%20rotates%20its%20key%20without%20the%20room%20also%20updating%20the%20state%20event%2C%20events%20will%20be%20flagged%20as%20not%20recommended%20for%20inclusion.%20This%20is%20expected%20behaviour.). The "key differs" M_UNKNOWN is meant to prevent us *creating* events that fail that check, not persisting incoming ones.

nex referenced this issue from a pull request that will close it, 2026-05-26 15:17:29 +00:00

fix: Don't be so aggressive when validating policy server signatures #1816

nex closed this issue 2026-05-26 18:01:09 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/rust-non-major

renovate/rust-zerover-patch-updates

renovate/ruma-digest

aranje/illegal-car-mods

nex/perf/get-missing-events

ginger/oauth

nex/feat/admin-api

renovate/serde-saphyr-0.x

ginger/kill-sync-tokens

renovate/rand_core-0.x

nex/feat/deprecated-room-versions

release/v0.5.9

nex/feat/enable-debug-log-release-builds

nex/feat/room-purging

nex/feat/room-shutdown

ginger/ruma-upstreaming

jade/tls-backends

ginger/email-fixes

jade/changelog-labels

nex/fix/v12-publishing

jade/build-info

jade/purge-sync-tokens

ginger/terms-and-conditions

ginger/remove-sliding-sync-proxy

nex/fix/pusher-association

ginger/email-support

jade/community-guidelines

nex/fix/federation-format

jade/git-deps-updates

jade/changelog-check

jade/rust-1-92

ginger/password-reset

nex/experiment/push-gateway-logs

ginger/msc3575-obliteration

nex/feat/block-busted-rooms

nex/fix/informative-startup-errs

ginger/no-left-room-initial-sync

jade/docker-entrypoint

jade/dehydrated-devices

ginger/complement-fixes

nex/fix/stale-destination-cache

nex/experiment/sync-mutex

tcpipuk/docker-docs

jade/snafu

jade/rand-update

nex/stateres-refactor

ginger/779-in-troubleshooting

jade/liveit-guide

jade/http3

nex/feat/admin-hide-empty-rooms

ginger/oobe

nex/fix/debian-thingy

jade/ldap-admin-check

nex/fix/remote-restricted-joins

nex/feat/msc4406-sender-ignored

jade/deadlock-detection

jade/get-started

jade/docs-guide

ginger/fix-local-invites

nex/fix/tpi

nex/feat/room-deletion

nex/feat/msc4322-media-redaction

ginger/stitched-order

ginger/deps/update-rspress

jade/admin-announce-improvements

ginger/xtask-improvements

jade/improve-admin-config-display

nex/fix/better-stateres-error-logs

jade/sender-timeouts

nex/feat/custom-v12-room-ids

ginger/update-metadata

nex/feat/admin-force-logout

tom/max-perf-docs

nex/fix/invalid-appservice-reg

nex/feat/antispam

nex/feat/account-locking

jade/logging-cleanup

jade/remove-legacy-appservice-auth

nex/fix/key-query

jade/update-prek

nex/fix/room-summaries

ginger/restrict-admin-commands

ginger/enable-console-by-default

jade/tag-fixes

jade/otlp

nex/meta/pull-req-template

nex/fix/fed-invite-compliance

nex/feat/build-commit

nex/feat/join-logging

jade/mailmap-updates

jade/hack-ci-tmp

jade/v12-stable

jade/relations

ginger/database-refactor

jade/fix-ldap-uiaa

nex/fix/validation

ginger/nuke-invalid-msc4133-fields-in-migration

ginger/downgrade-artifact-actions

oddlid/reload-fix

jade/fix-assert

ginger/sync-v3-cleanup

ginger/remove-absolute-action-urls

jade/website

nex/fix/backoff

ginger/fix-mdbook-for-0.5

ginger/no-docker-on-prs

backport/v0.5.0-rc.8-1

nex/fed-improvements

jade/rust-1.90

jade/mirror-dockerhub

jade/clippy-fixes

jade/fix-support

jade/clean-images

jade/wal-compression-type

jade/flake-clone

ginger/upload-rpms-on-schedule

nex/fix/incoming-fetch

nex/fix/upgrade

tom/ci-fedora-rpm

jade/ci-release-fix

jade/rocksdb-10-5

ginger/fix-msc4133-migration

ginger/migrate-busted-tz

hydra/public

nex/feat/manual-extremities

nex/feat/async-media

nex/feat/fast-joins-hack-do-not-use-DO-NOT-USE

nex/feat/better-logging

trigger-ci-so-latest-isnt-on-illegal-car-mods

nex/feat/pins-backfill

jade/tuwunel-2025-06-old

jade/ai-slop-db-docs

nex/fix-create-auth

jade/version-stats

jade/read-receipts

jade/rust-toolchain-no-targets

jade/logging-features

jade/syncv5-typing

jade/msc2815

morguldir/see-eye

jade/css-small-screen

nex/wip-751

tuwunel-rebase

test

oddlid/rename-admin-room-bot

strawberry/nix-ci-stuff

strawberry/valgrind

phonemain

strawberry/morgs-snake-sync-jason-main

newer-media-endpoints

folly-coroutines-async-io

federation-retry-timer-port

bad-attempt-at-extracting-homeserver-signing-key

room-deletion-attempt-do-not-use

v0.5.9

v0.5.8

v0.5.7

v0.5.7-alpha.2

v0.5.7-alpha.1

v0.5.6

v0.5.6-alpha

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.5.0-rc.8.1

v0.5.0-rc.8

v0.5.0-rc.7

v0.5.0-rc.6

v0.5.0-rc.5

v0.5.0-rc4

v0.5.0-rc3

v0.5.0-rc2

v0.5.0-rc

v0.4.7-rc

v0.4.6

v0.4.6-rc

v0.4.5-rc

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

Labels

Clear labels   

Blocked

This pull request or issue is currently blocked from being merged/closed

  

Bug

Something isn't working as intended

  

Changelog

Added

Changelog entry added

  

Changelog

Missing

No changelog when one is needed

  

Changelog

None

Changelog is unnecesary for this change

  

Cherry-picking

Commits picked from other conduit projects

  

Database

This requires or includes changes to the database

  

Dependencies

Something dependency related

  

Dependencies/Renovate

Automatic dependency upgrades by Renovate

  

Difficulty

Easy

Low difficulty to implement - touches few parts of the codebase, low complexity

  

Difficulty

Hard

High difficulty to implement - touches many parts of the codebase, high complexity

  

Difficulty

Medium

Medium difficulty to implement - touches more parts of the codebase, higher complexity

  

Documentation

Improvements or additions to documentation

  

Enhancement

New feature or request

  

Good first issue

Good for newcomers

  

Help wanted

Additional eyes and keyboards are required for this one

  

Inherited

Issues that have been inhereted from the project pre-fork

  

Matrix/Administration

Features pertaining to homeserver administration

  

Matrix/Appservices

Features pertaining to the appservice API

  

Matrix/Auth

Features pertaining to authentication

  

Matrix/Client

Features pertaining to client-to-server interactions

  

Matrix/Core

Issues relating to core matrix functionality, such as state resolution and PDU formats

  

Matrix/E2EE

Issues related to end to end encryption

  

Matrix/Federation

Features pertaining to server-to-server interactions

  

Matrix/Hydra

Issues related to room version 12 and related changes (temporary label)

  

Matrix/MSC

Features pertaining to unstable matrix features

  

Matrix/Media

Features pertaining to media interactions

  

Matrix/T&S

Changes or issues related to trust & safety tooling

  

Merge

This PR is ready to be merged

  

Merge/Manual

This PR should be manually merged

  

Merge/Squash

This PR should be squashed when it is merged

  

Meta

Related to housekeeping, maintenance, or other repo-meta.

  

Meta/CI

Issues related to CI changes

  

Meta/Packaging

Packaging

  

Priority

Blocking

This issue is blocking the next release

  

Priority

High

This issue is very important

  

Priority

Low

This issue is of a rather low priority

  

Security

This item is related to general security

  

Status

Confirmed

This issue has enough information and is confirmed

  

Status

Duplicate

This issue or pull request already exists

  

Status

Invalid

This issue doesn't seem right

  

Status

Needs Investigation

This issue needs further investigation

  

Support

Questions or support requests

  

Wont fix

This will not be worked on

  

old/ci/cd

Ci/CD

Archived

  

old/rust

Pull requests that update Rust code

Archived

No labels

Blocked

Bug

Changelog

Added

Changelog

Missing

Changelog

None

Cherry-picking

Database

Dependencies

Dependencies/Renovate

Difficulty

Easy

Difficulty

Hard

Difficulty

Medium

Documentation

Enhancement

Good first issue

Help wanted

Inherited

Matrix/Administration

Matrix/Appservices

Matrix/Auth

Matrix/Client

Matrix/Core

Matrix/E2EE

Matrix/Federation

Matrix/Hydra

Matrix/MSC

Matrix/Media

Matrix/T&S

Merge

Merge/Manual

Merge/Squash

Meta

Meta/CI

Meta/Packaging

Priority

Blocking

Priority

High

Priority

Low

Security

Status

Confirmed

Status

Duplicate

Status

Invalid

Status

Needs Investigation

Support

Wont fix

old/ci/cd

old/rust

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

nex

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

continuwuation/continuwuity#1815

No description provided.