We've been chatting with Denis about the vulnerabilities disclosed by Element this Monday.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
- MSC3395: Synthetic appservice events
- MSC3394: New auth rule that only allows someone to post a message in relation to another message
MSCs with proposed Final Comment Period:
MSCs in Final Comment Period:
- No MSCs are in FCP.
- No MSCs were merged this week.
If MSC2918 above is giving you feelings of déjà vu, don't worry. It already had FCP proposed, but due to a resolved concern being incorrectly processed by mscbot on github, a new FCP proposal was carried out.
In other news, MSC3381 (Polls - mk II) receive a fair amount of attention this week. It implements inline polls via a new
m.polltype and makes use of the concept of extensible events. Do check it out if you're interested in voting through means other than message reactions!
Otherwise Alexandre Franke and myself will be looking at cleaning up the CI of the matrix-org/matrix-doc repo next week, as well as continue to move the infrastructure for the new spec release forwards.
The random spec of the week is... MSC1235: Proposal for Calendar Events.
This one is entirely new to me, and has some slight overlap with some work for MSC2762: Allowing widgets to send/receive events, where we were thinking about how a widget could act as a calendar using Matrix rooms and events as a calendar backend.
The more you know 🌠
The Synapse team is busy gearing up for 1.43.0 next week, which will make room version 9 the default for newly created restricted rooms, among other things.
We've also been doing quite a lot of work on Sydent. Notably, last week's 2.4.0 release introduced a few regressions which have been resolved in subsequent point releases. The one-shot case folding migration script for Sydent is still performing unexpectedly slowly; look for that to be resolved soon.
As the end of the year approaches, now is a good time to ensure you're ready for the deprecation of PostgreSQL 9.6 (November) and Python 3.6 (December). Do you have plans to upgrade to Pg 10 and Py 3.7 or newer? If not, there's no time like the present! 🗓
Lastly, Hacktoberfest 2021 is less than two weeks away! Many Matrix projects intend to participate, including Synapse.
With rooms version 9 as the default, it feels like Spaces are trying hard to escape beta!
And yet again more Kubernetes Helm Chart updates this week, with element-web being bumped first to 1.8.4 and then 1.8.5. More improvements for the new ingress object in K8s 1.19 also landed.
Heisenbridge is a bouncer-style Matrix IRC bridge.
hifi told us:
Release v1.1.1 🥳
Message edits are now supported and use stupid context aware "compact enough" edit format (+ - *)
Media will be quarantined if you redact them and the bridge is an admin on the HS
Public media URL can now be overridden in control room if auto-detection fails
New plumbs respect the default member sync setting
; is included in pill separators
Better message formatting coming up in v1.2.0, I hope 🤔
matrix-docker-ansible-deploy has also been updated with the new release, thanks Slavi!
mautrix-hangouts has turned into mautrix-googlechat. It's still in alpha stage, but text messages work in both directions, media from google chat works and threads from google chat are bridged as replies.
Cinny now support Spaces. They are still in early development phase but you can see nesting and pin/unpin to sidebar.
There're options to control room notifications now.
Also added notification badges to sidebar so now there will be a visual notification of any message in Home/People/Spaces in sidebar.
And after a month discussion also renamed 'Channels' to 'Rooms' so don't get confused on finding rooms all over.
James (we got new contributor 🎉) added options to change avatar and display names. He also added support for uploading image by copy-pasting.
Edit message input now saves message on enter.
There now a toggle to view your password on login/register page.
And there will be an error message when client disconnect to server.
Fixed scroll on login page.
Fixed notification badge color in dark themes.
- We are also started shipping an official docker image which you can find on DockerHub ajbura/cinny.
Find more about Cinny at https://cinny.in/
I’m thrilled about Spaces support and I'm certain we’ll hear more about Cinny shortly!
Alexandre Franke got a bit carried away and announced in French:
La grande nouvelle de la semaine est l’arrivée du chargement de l’historique, implémenté par Julian. Nous avons également 2 nouveaux contributeurs :
A minimal Matrix chat client, focused on performance, offline functionality, and broad browser support. https://github.com/vector-im/hydrogen-web/
Bruno told us:
Released 0.2.9 & 0.2.10 this week with the main thing being improvements in preventing scroll jumps when resizing or loading more content in the timeline. Not 100% of scroll jumps will be solved with this release, but it should be improved a lot. Please report any issues you may encounter in this area! There were also a few bugs fixed, see the linked release notes. Try it out at hydrogen.element.io!
Brad Murray offered:
Beeper is a unified chat app built on top of Matrix. We've created 10+ open source Matrix bridges and integrated them into an easy to use all-in-one service which does not require setting up your own homeserver. You can learn more at beeper.com.
We've been hard at work for the last few weeks and have a number of updates we'd like to share across all our clients and bridges.
For detailed release notes, check out our changelog here: https://beeper.notion.site/Beeper-Product-Changelog-cdbc7b68526d45f7b8ced8d4ba170c8d
- New verification flow for Desktop, Android, and iOS! Logging in and verifying your session is now super easy to do. This is extra important for Beeper because we enable secure backup by default and require all users to set up a security key.
Added the ability to view your rooms using our Smart Inbox that places the most important messages at the top, or with Classic which leaves the room in a reverse chronological order.
You can now select network by network which messages should appear in your inbox using our Inbox Filtering feature
We now have beta support for Custom CSS theming! Check out some of the themes that have already been made by the community. https://gitlab.com/beeper/beeper-themes
Previously we only supported DMs for Discord out of the box, but now you can pick and choose which Discord servers to sync into Beeper
- A complete beautiful rewrite of the Room List using SwiftUI. The room list now looks much more native to iOS, while still feeling like Beeper.
Redesigned room list: we started a redesign of our Android app and adopted the Material design language.
Integrated Android SMS bridge: Our previous Android Messages bridge was built on a shakey puppeteer foundation, so we rewrote it. Our new Android SMS uses native APIs to send/receive SMS. RCS remains elusively out of our grasp for now. We open sourced our bridge at https://gitlab.com/beeper/android-sms
Wrote a bot for managing Linear issues from Matrix: https://gitlab.com/beeper/linear-maubot
Wrote a bot to mirror chats into Chatwoot (an open source Intercom-like customer support platform): https://gitlab.com/beeper/chatwoot
We are hiring! Come join many other Matrix community members who have joined the Beeper team including @tulir:maunium.net, @annie:beeper.com, @kilian:beeper.com, @spiritcroc:beeper.com and @sumner:beeper.com (who replied to our last TWIM job post and got a job at Beeper within a week!)
We are hiring senior iOS, Android developers and a DevOps/SRE (preferably in North/South America timezone)
Check out our Jobs page here https://beeper.notion.site/Jobs-Beeper-ff5da486daed462ebfc4b21eacc48cae. Apply via that page or just send a DM @eric:beeper.com
Nheko is a desktop client using Qt and C++17. It supports E2EE and intends to be full featured and nice to look at
Nico (@deepbluev7:neko.dev) reported:
Nheko got a lot more colorful this week. red_sky (nheko.im) and LorenDB finished up the jdenticon support. This means instead of the first character of a users display name, you now have the option to see a colorful avatar for users without an explicit avatar. You may have seen something similar on Github and other platforms. Currently this needs the qt-jdenticon plugin, which is a bit troublesome to install correctly, but we should improve that in the near future.
Prezu added a homeserver entry field to the room directory, making it much more useful (no history yet though). Thulinma added a /goto command to navigate to specific events or room and fixed scrolling to a specific event (in the past it only approximately scrolled to the right location). Symphorien added the Alt+A shortcut to navigate between rooms with active mentions and notifications. Additionally Priit completed the Estonian translation.
Additionally we released a security fix on Monday (together with a few other clients). We only released a fix for the master branch in Nheko instead of also the latest stable release. This confused a few people, but I hope my explanations made sense. The gist of it is:
On the master branch the local homeserver admin could force Nheko to forget which identity keys it saw for a user and as such insert a new device with the same device id, but attacker controlled identity keys and request old encryption keys from Nheko. In Nheko's case we had some protections against that, but if the server sent a device_list.left event for that user, Nheko would delete those protections. From our understanding this could not be abused over federation.
On 0.8.2 this can also be abused, but 0.8.2 does not implement key sharing completely. It can only forward the currently in use encryption key, not historical ones. As such the impact in our opinion was too limited to release a security fix. 0.8.2 does not allow you to send encrypted messages only to verified devices as such the homeserver admin could always insert just a different device to get access to new encrypted messages. Because of that we have a big warning in the README and when enabling encryption in 0.8.2, that one should not rely on the security of the E2EE implementation in it. We are aiming to have stable and secure E2EE in the next release (and so far it is looking good), but if you are using 0.8.2 I can only repeat, that it won't protect you from an attacker even without the disclosed security issue.
I hope this clears up some of the confusion. Feel free to visit us in #nheko:nheko.im and tell me, that I am wrong.
uhoreg told us:
This week saw two releases of libolm, a library that implements olm, megolm, and some other Matrix-related encryption functions. The main changes in version 3.2.5 are new functions for getting error codes rather than error strings so that implementations don't need to rely on string parsing to decode errors, and added support for fallback keys in the Android and iOS bindings. There were also improvements in error handling in the unpickling functions, and the shared library no longer exports certain private symbols, which caused problems when those same symbols were exported by other libraries. The initial implementation of this last change caused build failures in some environments, so version 3.2.6 was released to fix this.
Polyjuice Client is a Matrix library for Elixir
Polyjuice is a collection of Matrix libraries in Elixir.
A few from the wizarding world this week.
The Polyjuice project wades further into bad pun territory with a new project: Polyjuice Draughts, a set of checkers to verify that a homeserver is set up correctly and is accessible for clients and federation. It is similar in goal to the Matrix Federation Tester, but also checks client connections. It can either be run from the command line, or it can be used in a Matrix room, thanks to Igor, by sending a message of the form
!servertest <servername>in a room that has an appropriately-configured bot in it. There is currently a bot in #synapse:matrix.org that can be used.
As you can see from the screenshot, my server isn't quite set up correctly, and I should fix it some day...
Polyjuice Client 0.4.3 has been released. This release adds functions for getting room membership (thanks to multi prise) and checking the server spec versions, along with some bug fixes.
Finally, the Polyjuice libraries have moved their git repositories from https://gitlab.com/uhoreg to https://gitlab.com/polyjuice. The old locations should automatically redirect to the new locations.
I have converted the script for auto updating the Element-web instance to latest version from Gist to the full Git repo MurzNN/element-web-update and added support for
.envfile to set desired variables.
This is a bash script that checks the new released version of Element from official Github repo and if it differs from installed - updates the local files with deleting old version (to cleanup old files) and unpacking new one, but with keeping the config files by mask
You can put it to your
crontab.dailyand got an always fresh Element with forgetting about manual update routine.
I created a bot to assist with sending standup posts to a room. It reminds you to write a standup post, and then asks you what you did the previous day, what you intend to do today, if you have any blockers, and if you have any other notes. Then it posts a nicely formatted standup post to a room which you can configure.
You can find the source code here: https://sr.ht/~sumner/standupbot/
Are you in Berlin 🐻🇩🇪? Why not join us on Tuesday evening at 7:30 PM for a beer or two while chatting about Matrix development and hosting. We're going to meet at Schoenbrunn. This is a small 3G (self-tests are ok) event in an outdoor beer garden.
If possible, join our Matrix Meetup Berlin room.
I am super happy to finally give you another update on TheBoard, due to holidays during the last weeks I had less time to work on TheBoard. But now there still accumulated enough changes for a little Update:
I experimented what technologies I could use for the still required GUI elements. A new User List was implemented using Vue.js. Vue seemed to be a little overkill for the kind of GUI required in the case of TheBoard. So I re-implemented the user list with react-no-js. I am happy with react-no-js and it is used for a user list plus a tool settings menu on the right hand side of the canvas.
The tool panel in particular opens up a lot of possibilities. The eraser already makes use of it by giving the option to only delete specific item types (Image, stroke or text). This can be very handy if you want to delete strokes drawn on top of an image without deleting the image as well. What can be deleted is highlighted by a new filter system which allows to make any modification to objects selected by a filter function (see the attached image)
Other small changes:
Animated camera movement (for a upcoming "follow other user" feature) currently used for the Go Home Button
Opening a board now loads at the last edited location
The touchscreen navigation (zoom/pan) was re-implemented and should now work much better
Links and further reading:
Play with it at: https://toger5.github.io/TheBoard/ (feel free to join: https://matrix.to/#/#PublicWhiteboardTest_TheBoard:matrix.org with the account used for testing to join the first collaborative board) Join the matrix room: https://matrix.to/#/#TheBoard:matrix.org
GitHub: https://github.com/toger5/TheBoard Technical Details: https://github.com/toger5/TheBoard/blob/main/spec.md
The Board is very exciting! I could see in the planned use cases that Timo already intends to make a widget out of it. It would be very useful for real-time collaboration, but that's not all! When asked if a standalone app will come, Timo confirmed:
Indeed. I wasn't thinking about a builtin home-server yet. But a standalone app is still planned because I want the app to be able to manage different boards. Therefore I need to be able to control room creation and listing rooms. It should basically feel like onenote if you intend to use it like that.
@s7evink The game is called AAGRINDER, hosted at aagrinder.xyz, the code is here, the bridge implementation is here, wiki is here. The game is a text-based sandbox multiplayer browser game that I (Maze) have been building for the past 3 years. Built from nothing, no game engine. It generates an infinite procedural terrain to venture in. The integrated chatbox is nothing special but it's really nice to have it bridged to Matrix now, it's less lonely when playing alone. The appservice bridge creates users matching player name and color. Display names from Matrix are presented in the same color as in Element.
Hopefully you're able to extract some useful information out of this ^^
I love the retro vibe of the game, it's really cool!
Robert Long announced:
Third Room is an experimental metaverse client I've been working on for the past couple weeks. It combines three.js and Matrix to create 3D voice chat rooms where you embody an avatar.
There's a lot more info in my talk from last night at the Open Metaverse Interoperability Demo Night (my talk starts at 37:43)
If you want to chat more about Third Room, you can join our Matrix room: #thirdroom-dev:matrix.org
The future is now, I'm really thrilled about Third Room!
Beeper mentioned they have several positions open, and Element is also talents hungry. I’m particularly ecstatic to see that developing skills around Matrix can get people jobs. Of course I encourage strongly people to experiment with the protocol and use it in all sorts of crazy ways!
Join #ping:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.
Join #ping-no-synapse:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.
See you next week, and be sure to stop by #twim:matrix.org with your updates!