We've recently seen serious spam attacks against Matrix, so we're introducing Policy Servers to recommend whether servers should accept or discard events before they get synced to clients. If your server participates in public rooms, see https://matrix.org/blog/2025/04/introducing-policy-servers to keep it safe.
Last week, we shared details about ongoing attacks on Matrix. Over the past week or so, we’ve tested some new tooling to help combat abuse on matrix.org.
If you run your own Synapse server and your users are present in the Foundation’s community rooms, you can benefit from this tooling by installing an experimental Synapse module. You can find the code and installation instructions here. We’re deliberately taking the bold step of announcing a tool and also announcing its deprecation in the same post. This is experimental work, and we are iterating quickly. We expect to have an implementation in Synapse shortly, so the module will be discontinued around May 21.
Policy servers are a layer of protection that overlaps with existing community moderation tools such as Draupnir, Mjolnir and Meowlnir. Rooms can opt in to this new layer of protection, recommending that servers participating in the room check events with a given policy server before they are sent to their clients. The policy server will pass an opinion on each event, recommending that servers in the room either accept the event or reject it. For people in the room, this should be effectively invisible. Events which pass the check will be shown as normal, while ones which don’t will never make it through to their clients.
The Foundation intends to offer a policy server to room admins, but we hope that in time other providers will offer alternative policy servers. The Foundation is already running an experimental implementation for some of its public rooms, which we will release once we have confidence in the approach. We also expect that for many rooms a policy server won’t be necessary, or will spend most of its time in a low-power or disabled state. Element and the Foundation are exploring these ideas over the coming weeks.
MSC4284 is now open to support this work. Please get involved in the MSC, and help us to improve this addition to safety tooling for the network. We’d especially like to see implementations for non-Synapse servers.
Folks who run communities on Matrix who would like to test our policy server, reach out to us at [email protected], using the subject policy-server-alpha.
We're thrilled to announce that the migration of matrix.org to the Matrix Authentication Service (MAS) is complete and went according to plan - having been running for over 24h in our brave new world, we’re declaring the migration a success! As of Monday April 7th 07:30 UTC, matrix.org is running on Matrix’s next-generation auth system based on OAuth 2.0/OpenID Connect.
This is no mean feat - the migration shifted all 45M access tokens and 110M users from Synapse to MAS in under 30 minutes (thanks in part to MAS’s cheeky use of the x86-64-v2 architecture; who knew that database migrations can be SIMD-accelerated?) - and represents the culmination of over 4 years of work to move Matrix to a modern authentication standard. Many thanks go to Element for funding, Hugh, Olivier and many other contributors who helped me make Next Gen Auth happen!
Whilst the official docs are very good, perhaps this may be useful as a happy path guide for those who want to use docker compose, MAS, and the Element Call backend, together with Synapse.
On Monday 7th of April 2025 at 7am UTC, we will migrate the Matrix.org homeserver's authentication system over to MAS (Matrix Authentication Service) in order to benefit from Next-generation authentication.
The migration will involve up to one hour of downtime.
MSC3861 (Next-generation auth for Matrix, based on OAuth 2.0/OpenID Connect (OIDC)) and its dependent MSCs have progressed sufficiently that the Foundation is confident in MAS and the new next-generation auth APIs. Specifically, all the MSCs are now in or have passed Final Comment Period (FCP) with disposition to merge! 🎉
We expect the MSCs to finish FCP and get merged into the next spec release. The full list of core Next-gen Auth MSCs is:
This is incredibly exciting, reflecting 4 years of work on next-generation auth, and brings with it a new account management interface, additional security, and a better registration experience.
The Matrix.org Foundation is proud to join likeminded organisations in endorsing the United Nations Open Source Principles, a set of guidelines to promote collaboration and adoption of open source around the globe.
Please join me in welcoming the newest Silver Member of the Matrix.org Foundation: SSH Communications Security! We're grateful to SSH for stepping up to support the Foundation's mission and stewardship of the Matrix protocol.
Does your organization rely on Matrix? We're working hard to close our budget gap, and we need your help. Join the Foundation to ensure Matrix has robust stewardship well into the future.
We're right at the end of Q1 2025 with a new spec release: Matrix 1.14! Our original plan was to cut this release around FOSDEM with some Matrix 2.0 functionality, but we ended up needing to push the release out because those MSCs were not quite ready. As we're cutting this release though, several of the Next Generation Authentication MSCs are progressing through FCP and could do with a release once written up as spec PRs. We anticipate that Matrix 1.15 will be that release, and go out early in Q2 2025.
This release brings just 3 MSCs to the world, largely because the SCT has been focusing so much on Matrix 2.0 objectives. The only feature introduced is the report user endpoint, to complement last release's report room endpoint - everything else is primarily maintenance of the spec. The full changelog is below, as always.
As part of my work for the Trust and Safety Committee I am trying to establish a working group to help with researching and documenting the state of T&S across the ecosystem. If that sounds interesting to you, please poke your head into #governing-board-office:matrix.org and tell us!
To summarize what the group is about, the current proposal looks like this:
To make appropriate decisions, the T&S committee needs to know about the state of T&S in the wider ecosystem. It needs to have insights into current challenges, solutions and initiatives.
On the other hand the community can also benefit from having some of that information documented.
The T&S R&D WG is a tool to help with that. It includes a wider set of individuals and reports their research results to the T&S committee. In some cases the WG is also encouraged to enhance the documentation on matrix.org to help communities and users on Matrix moderate their rooms.
The T&S committee might sometimes ask the WG for help in researching specific topics in more detail to guide their decisions.
The WG will sometimes have to deal or come in contact with confidential data, possibly because of legal reasons, possibly because of active abuse concerns. While the WG is encouraged to be open, there will be times where the WG should keep certain information confidential and only share it with specific individuals. As the WG we pledge to keep information confidential when necessary while still being transparent and open where possible.
The T&S committee may decide to remove members from the WG if it sees a member abusing their access to information or not acting in a trustworthy manner by sharing information the group agreed to keep confidential. This should be a last resort, needs a majority in the T&S committee and should be preceded by appropriate communication and warnings.
A few weeks ago the Governing Board brought you news of a Working Group process, and the first ones had been proposed using it. I'm happy to report that we now have our first two active Working Groups!
Firstly, we have the Website Working Group, which (from their charter) has "responsibility for editorial and technical oversight of the main Matrix websites and social media channels. This includes the main matrix.org website, conference website, and the various social media channels". They've already had their first meetings, and you can find them in #matrix.org-website:matrix.org
Secondly, we have the Events Working Group, which (again from the charter) is "the main organising team of the official events hosted by the Foundation, such as the Matrix Conference or co-hosting FOSDEM Fringe". They are just spinning up their processes, and you can find them in #events-wg:matrix.org
We want to see many more groups! We have a couple of new groups under consideration by the Board which I hope to bring you news of soon, but in the meantime, discussion and/or volunteering for potential new groups is very welcome in #governing-board-office:matrix.org ! (And yes, I still want to get the Docs and UX groups running, speak to me in that room if you wish to volunteer 😛)
Thanks for your efforts & work, on behalf of your Governing Board!