Matrix Live

Dept of elections πŸ—³οΈ

Josh Simmons (away, back May 9th) announces

Voting has started for the Governing Board elections and runs till May 31 – but don't delay, vote today! πŸ—³ Huge thanks to all of the nominees who have thrown their hat in the ring.

All eligible voters should have received an email from the election system. All of the results will be published on the blog on June 3. Read our announcement post or visit our election center for more info.

Dept of Spec πŸ“œ

Andrew Morgan (anoa) says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

MSC Status

New MSCs:

MSCs in Final Comment Period:

Accepted MSCs:

Closed MSCs:

Spec Updates

As an early heads up, Trust & Safety at the Foundation is working on an important update to Matrix, MSC3916 - Authenticated Media. This change will mean that all clients (and servers) will need to present a valid access token in their Authentication header to access media - which is critical to ensure that URLs are only visible to the correct users, and prevents abuse of Matrix for hosting binaries. More details will be published as we work to get everything released - we wanted to get the information out there as early as possible in the meantime. Let us know if you have any questions.

Matrix.org plans to freeze unauthenticated media endpoints within a couple of months after the spec release, which is expected in the next few weeks. "Freezing" means that media uploaded or cached before the freeze will remain accessible via unauthenticated endpoints indefinitely, but any media cached or uploaded after the freeze will require authentication. The unauthenticated endpoints will be deprecated but will still serve old media on matrix.org.

To ensure a smooth transition, we encourage you to start testing against the unstable endpoints and unreleased server builds. The changes for Synapse are being developed here, and for MMR here. Both are expected to release their changes soon. Once MSC3916 passes FCP, stable endpoints will become available. While releasing unstable support to users isn't required, having patches ready will help speed up the rollout.

We know this is a quicker rollout than usual, but with your help, we can improve user safety and security across the ecosystem. Most clients should find this update straightforward, but if issues are encountered, please reach out in #matrix-client-developers:matrix.org or on the MSC discussion. The team is monitoring the room to help clients adopt the change.

Web browser clients might face the most challenges, given the need to specify an Authentication HTTP header on media requests, so reviewing this pull request and its dependencies could provide useful implementation insights.

Thank you for your support. If you have any questions, let us know. We look forward to a smooth transition with minimal user-visible impact πŸ™‚

Dept of Servers 🏒

conduwuit (website)

strawberryπŸ“ (it/pup/she/they) πŸ³οΈβ€βš§οΈ πŸ¦΄πŸ’œπŸ©· reports

Release 0.3.4 and Release 0.3.3

Hi everyone! conduwuit 0.3.4 has just been released, and 0.3.3 was released last week. Both releases have been focused on security and some small maintenance things, vastly improved documentation on maintenance, moderation, usability, and admin commands, and a new moderation feature for proactively deactivating bad users on your homeserver.

conduwuit was officially added to Complement, and support for conduwuit running the Content-Disposition safety tests was added there too: https://github.com/matrix-org/complement/pull/723

Some of the new changes include:

  • Send various security-related HTTP headers for all conduwuit responses by default, most importantly a strong Content-Security-Policy
  • Perform additional sanitisation on the uploaded attachment file name for the browser Content-Disposition header
  • Return inline browser Content-Disposition based on our own detection of the file, only return inline on safe multi-media files, and fully distrust the Content-Type header with safe and secure fallbacks
  • Fix non-functional user event homeserver reports
  • Fix non-functional unbans due to incorrect upstream code
  • New moderation config option to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
  • Fix Debian packaging
  • Don't send the target user's avatar_url or display name on ban events
  • Forget all the rooms when leaving all rooms for a user upon account deactivation
  • Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
  • Fix incorrect appservice namespace alias check
  • Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
  • Fix using conduwuit on NixOS without flakes
  • Resolve various arithmetic and type casting correctness
  • And bump all the dependencies

GitHub Releases | Docker Hub | NixOS

Liberapay | GitHub Sponsors | Ko-fi

Chat with us in #conduwuit:puppygock.gay

Synapse (website)

Synapse is a Matrix homeserver implementation developed by the Element

Andrew Morgan (anoa) says

This week Synapse v1.107.0 was released.

Top of the list of features is declaring support for Matrix v1.10, adding support for both MSC3823: Account Suspension and MSC4115: membership metadata on events. This is alongside the usual host of bugfixes, doc updates and dependency bumps.

Dept of Clients πŸ“±

Commet (website)

airyz announces

Hello all, today we released a minor update: v0.2.1! This update is fixing some minor bugs found with last weeks release, as well as adding a few smaller feature requests:

  • Added saving of images/videos from messages
  • Added an option to follow the system theme
  • Formatting of timestamps now follows system format
  • Added support for UI scale on mobile

Thanks to everyone who stopped by with feedback and support of last weeks release!

Join Our Room Β· GitHub

kazv (website)

nannanko says

kazv 0.2.0 has been released.

Added

Fixed

Internal changes

Nheko (website)

Desktop client for Matrix using Qt and C++17.

Nico announces

Heya, short update from the Nheko side.

checkraisefold has been pretty busy getting video calls to work on Windows. Now you probably won't be able to get to use them in the near future because we haven't solved the packaging problem. But if you build Nheko yourself and spend a bit of extra effort, you can get it to work. (Linux calls of course still work as before and macOS hasn't been touched yet.)

q234rtc is also busy pointing all my faults in the activation token logic and it should now work much better with the latest sway changes.

Bulby has fixed some emoji confusion, where some emojis had their description swapped, which while funny, isn't really that useful. They also cleaned up the code around the emoji completer code generation a lot, which is great!

A few people also pointed out that our flatpak nightly repo was broken for the last few weeks, but luckily that was easily resolved by updating a few packages. So if you are a nightly user (the unstable builds, not because you sleep during the day), you should be able to get automatic updates again for the flatpak packages!

We also put quite some work into fixing up rough corners in our explicit mentions support. Not only did we disable the normal mentions rules even on servers that don't support the new ones, we also had our logic the wrong way around... Replies also now include an explicit mention, however it isn't recursive. See MSC4142 for details!

Nep fixed the image copying on Windows. Nheko has a copy button for copying the currently opened image to your clipboard. On Windows that didn't work, because Windows has stricter requirements which thread is allowed to access the clipboard.

We also had a computer guy cleanup our flatpak builds. Over the time our app metadata files have acquired quite some cruft and various tooling started to complain. In most cases even rightfully so!

And lastly, if a message contains a spoiler, you won't get spoiled anymore by having to read the message with the spoiler revealed in the sidebar or notifications! Instead the whole message will just say it contains spoilers and you need to open the room and manually reveal the spoilers. The specification actually suggests a different behaviour where you link to a text file in the media repo, however we couldn't find a way to make that work in encrypted rooms, so we just decided to implement the other side of the stick and hide spoiler messages where possible in the client. Probably we should bring that up as a specification issue at some point.

For now though, that is all I have. Various board meetings and elections have been quite exciting the last few weeks and I hope I have something cool to share with you soon about that (not about the Matrix Foundation board before you go and speculate)! And it has been a pleasure seeing so many contributions all the time, thanks a lot to everyone involved! But until then, see ya later!

Element X iOS (website)

A total rewrite of Element-iOS using the Matrix Rust SDK underneath and targeting devices running iOS 16+.

Mauro Romito reports

  • version 1.6.7 is out (but soon a new version 1.6.8 with a quick hotfix for voice message recording will be out)
  • Permalink support is completed and available!
  • mentioning now works when the rich text editor is disabled
  • the UI for room dm and members details has been completely revamped, to provide a better user experience
  • QR Code Login has made great progress and is working great, and will probably be ready for the next month!

Dept of SDKs and Frameworks 🧰

libkazv

nannanko reports

libkazv 0.4.0 has been released.

Security

Added

Fixed

Removed

Internal changes

matrix-rust-sdk (website)

Next-gen crypto-included SDK for developing Clients, Bots and Appservices; written in Rust with bindings for Node, Swift and WASM

dkasak says

Security release: We've released matrix-sdk-crypto 0.7.1 (the crypto crate which is part of the Matrix Rust SDK project; Github tag, crates.io release), which is a security release fixing a Moderate severity issue (CVE-2024-34353/GHSA-9ggc-845v-gcgv). See the linked advisory for details.

Dept of Interesting Projects πŸ›°οΈ

Homeserver-Spec-Versions Dashboard

clokep announces

I made a dashboard to track the support for Matrix spec versions across homeserver implementations. It includes charts for how long it took homeserver implementations to support a new version after it was published, as well as historically when each version was supported.

It works by fetching the repository of each homeserver and crawling changes to particular files and checking the supported versions at each change. It notes whenever the supported versions changes and then visualizes the data.

If you see an issue or have a suggestion, please open an issue on the repo.

Matrix Federation Stats

Aine announces

collected by MatrixRooms.info - an MRS instance by etke.cc

As of today, 9459 Matrix federateable servers have been discovered by matrixrooms.info, 2841 (30.0%) of them are publishing their rooms directory over federation. The published directories contain 159566 rooms.

Stats timeline is available on MatrixRooms.info/stats

How to add your server | How to remove your server

Final Thoughts πŸ’­

Writing a good "This Week in Matrix" entry

MTRNord announces

Hello fellow TWIM posters and yet to become TWIM posters.

There is now a guide available for rules and suggestions around writing your next TWIM entry. You can find this guide at https://matrix.org/twim-guide/

Going forward we expect people to follow the rules stated in this and hope that people also apply the mentioned recommendations on the formatting.

If you have any questions, please reach out over in the TWIM Room

Dept of Ping πŸ“

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.

#ping:maunium.net

Join #ping:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS
1doctoruwu.uk218.5
2girlboss.ceo220.5
3nerdhouse.io263.5
4daedric.net278
5synapse.rntpts.de283.5
6boehm.sh366
7craftingcomrades.net379
8bunkerbu.de398
9lewd.social407
10sulian.eu457

#ping-no-synapse:maunium.net

Join #ping-no-synapse:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS
1spritsail.io68
2doctoruwu.uk83.5
3girlboss.ceo122
4synapse.rntpts.de152
5aguiarvieira.pt178
6transfem.dev192
7sulian.eu201.5
8shiftsystems.net208
9matrix.its-tps.fr234.5
10uwu.sulian.eu259

That's all I know

See you next week, and be sure to stop by #twim:matrix.org with your updates!

To learn more about how to prepare an entry for TWIM check out the TWIM guide.

The Foundation needs you

The Matrix.org Foundation is a non-profit and only relies on donations to operate. Its core mission is to maintain the Matrix Specification, but it does much more than that.

It maintains the matrix.org homeserver and hosts several bridges for free. It fights for our collective rights to digital privacy and dignity.

Support us