This Week in Matrix 2018-05-25

GDPR

HAPPY GDPR DAY EVERYONE!!!!1!

  • Our long-awaited new privacy policy & term & conditions for the matrix.org server are here – Phase 1 is complete!
  • Folks are already accepting the new policies – thanks.
  • We’re going to start requiring acceptance to access the matrix.org server on Tuesday (May 29th).
  • We’re already receiving our first GDPR requests… :|
  • Erasure and Right-to-be-forgotten work (Phase 2) is next up so we can action the requests in a timely manner.
  • It looks like we will go ahead on removing MXIDs on events as a Phase 3 (although for now we do warn people that this is effectively a technical limitation of Matrix, albeit one that we’re working on).

Client Updates

mtxclient E2E progress

Big E2E progress from mujx, developer of the nheko client, on his project mtxclient. As of this week, mtxclient is able to decrypt group events. When writing (that is, sending encrypted messages) is complete, the idea is to migrate this work back to nheko, though mujx points out this library could be used in any client.

Fractal

Back to work after the Hackfest, Fractal have released version 0.1.30, featuring:

  • Translations support
  • Number of members in the room in the members button
  • File storage configuration support
  • Gold and Silver tags for admins and moderators

Some coverage of the Fractal design thinking from last week, nothing new but a decent signal boost.

gomuks

tulir came in with some late breaking news about gomuks, the terminal client written in go. New features:

  • A fancy quick room switcher by Evidlo
  • A few basic UI options (hide user/room lists)
  • Plaintext view to be able to click long links and such
  • Fixed some bugs

Riot/Web

  • GDPR-capable release! 0.15.4 out today
  • Various bugfixes and performance regressions.

Riot/Mobile

  • GDPR-capable releases!
  • Sticker sending is ready modulo some CSS bugs; we’ll get it pushed shortly.

Bridging

JonTheNiceGuy bridging video

JonTheNiceGuy produced a helpful video describing how to use bridges for IRC, Slack and Telegram, showing the difference between the different bridges. I found this to be really clear and well-paced for following the many practical details of bridging. Watch here: https://www.youtube.com/watch?v=ZNEzgYRLj8g

Discord bridge

anoa and half-shot have been working on the matrix-appservice-discord bridge:

“finished edit passing between Discord and Matrix, as well as support for discord’s custom emojis (though UX is a bit manual until TravisR’s proposal goes through 😇)”

matrix-puppet-facebook-1to1-fixer from Brendan

Brendan shared a project he’s been working on this week: matrix-puppet-facebook-1to1-fixer. This project fixes a UI issue Brendan had with the Facebook Messenger Bridge, namely that activity in 1:1 rooms was not clear enough.

This small tool will take the local part of the room ID created by the Matrix<>Facebook Messenger bot once the friend has joined it, identify the friend, and grab their avatar and display name to set the room’s.

mautrix-telegram

Lots of progress on mautrix-telegram lately, including v0.2.0 RC. As reported by tulir:

  • A dockerfile by jcgruenhage
  • Option to whitelist/blacklist automatic bridging of specific chats
  • Fixed many bugs

matrix-appservice-sms

eta has been working on matrix-appservice-sms this week:

I have managed to do the first phase of a massive refactor that makes it way more reliable (temporarily store SMS in the database before delivery)

this makes it more resilient to synapse hiccups, as well as general failures

Other Projects

matrixboard, from betz

betz runs the https://hackerspaces.be/ matrix server and has this week, in between repairing his Synapse install, been working on a project called matrixboard. This tool outputs the last five messages from a given room as HTML, the idea being to display output from a specific room as a website widget. You can see an example using #matrix-dev here.

opsdroid room state connector

SolarDrew implemented a database module for opsdroid to allow Matrix room state to be used to persist chat bot memory. (The suggestion apparently came from Cadair, the human not the place.)

The idea of using the room state to encapsulate bot data per-room was well received; discussion in #TWIM:matrix.org suggests this is an established practice for some developers.

matrix-python-sdk

No general GSOC round-up this week, but Adam shared the news that GSOC student Zil0‘s first PR towards E2E in matrix-python-sdk landed on master. These PRs build on efforts previously contributed by pik.

Ruma

Work continues in the Ruma space. This week saw the release of

  • ruma-events 0.10.0: ruma-events contains Serializable Rust types for the events in the Matrix specification. 0.10.0 sees a major update with code provided by mujx, and contains many breaking changes.
  • ruma-api-macros 0.2.2; ruma-client-api is also updated to use the new macro.

f0x account migration helper

f0x has started work on a tool to help migrate accounts – including across homeservers. Right now he’s working on the GUI, but check out progress at https://github.com/f0x52/matrix-migrate.

DSN Traveller by Florian

Florian reports:

As part of my master’s thesis, I wrote the DSN Traveller bot, which is crawling the matrix federation to measure the shape and size of the matrix network, and how distributed it currently is. The bot is already in a smaller number of rooms for testing, and will join the remaining rooms over the next days. All details at https://dsn-traveller.dsn.scc.kit.edu/, room at #dsn-traveller:dsn-traveller.dsn.scc.kit.edu.

Synapse

  • GDPR policy management is welcomed in by Synapse 0.30
  • Means we get server notices too!
  • Explosion of Python 3 activity from notafile & Amber (hawkowl)
  • andrewsh has prepared a Debian package for the 0.30 release.

Dendrite

  • Anoa is on the case, having joined the core team on Monday – Dendrite is already sending events to ASes! Meanwhile APwhitehat is hacking away on his GSoC projects!

Spec

The Matrix Spec Change Proposals list is populated, popular, and under discussion at #matrix-spec:matrix.org. There are multiple issues ready to review, for example: TravisR is calling for attention on MSC1256: “Custom emoji and sticker packs in matrix”.

New Rooms

GSOC

Last week I promised an update on the state of the various GSOC projects in the Matrix Ecosystem. There is activity happening but other than what’s been discussed above we’ll wait a week or two for more detailed updates.

See you soon

As always, if you have things to say, projects to advertise, or anything else, ping me or visit #TWIM:matrix.org. I’m keen to get everyone included and keep this community enthused about all the work going on in the Matrix ecosystem.

Check out this week’s Matrix Live:

This Week in Matrix 2018-05-18

On the Web

Enter the Matrix

Brendan produced a really, really informative article introducing Matrix. As someone who is still very new to the project I found this writing to be very clear and informative, so thank you! The article made it to the top of Hacker News, where you can find a discussion of both the article and Matrix itself.

Presentation about Matrix

martinkrafft presented about Matrix at wossat, a New Zealand Open Source show-and-tell meetup. His talk can be seen here, and focuses on the benefits of Matrix for users.

Spec Proposals

As you may have seen from the previous blog post, we have a new drive to advance the Matrix Specification itself. Part of this is https://matrix.org/docs/spec/proposals, which lists all the spec change proposals we’ve accumulated so far, and describes the flow for getting new proposals merged. There is a new room, #matrix-spec:matrix.org for discussion, please join if you want to get involved in this process. Check out the page and the blog post for more detail.

Next up: try to turn some of the many WIP proposals into Spec PRs…

Fractal Hackfest 2018

Fractal Hackfest 2018 was super successful and productive by all accounts, and there were many! Check out reports from Daniel García Moreno (Day 1, Day 2), Eisha Chen-yen-su, Adrien Plazas, Julian Sparber, Tobias Bernard and Alexandre Franke.

A major topic at the Hackfest was a discussion of splitting the Fractal client into two UIs for the different behaviours of messaging apps. For anyone interested in product design thinking this is a genuinely fascinating topic. I encourage you to read “Banquets and Barbecues”, Tobias’ excellent coverage of the latest thinking. The different chat personas are very well explained and the post brings up some of the immediate technical challenges too.

Projects and Products

mxisd v1.1 RC1 available

Max reports on mxisd, a Federated Matrix Identity server for self-hosted Matrix infrastructures:

mxisd v1.1 RC1 is out, addressing various privacy issues and being more GDPR-friendly overall. Testing and feedback from the community is very much appreciated

Dimension

Dimension, an open source integrations manager for matrix clients from TravisR, now supports sticker packs.

Ruma

Rust-based Ruma has new activity, starting with the release of ruma-api-macros 0.2.0. This moves ruma-api-macros from dependency on hyper to using types from the http crate. This will give more flexibility about library and framework choices for ruma-client-api and ruma-client.

Federation Tester Graphical Frontend

f0x produced and shared a graphical frontend for the federation tester, already getting some use. Check it out at https://neo.lain.haus/fed-tester/ and see the source on GitHub.

Synapse

  • Synapse 0.29 out – pretty much a maintenance release.
  • Chunk PRs are landing, providing a long-term solution to the ‘depth’ issue which is still impacting #matrix and #matrix-dev.
  • Lots and lots of GDPR work – you can follow progress at https://github.com/vector-im/riot-meta/projects/7.
  • Fixes SYN-1(!!!) – server notifications in general.
  • …and a last minute update from Andrej Shadura that the official Debian packages for Synapse are now up-to-date in Debian Unstable!!

Riot/Web

  • Riot/0.15 is out! With Stickers, Electron 2.0, Firefox E2E speed ups and lots of polishing
  • Working on GDPR now – cookie warnings have already landed on /develop, for instance. Remaining is the consent flow, and the deactivation/erasure flow.
  • Currently on a blitz to mop up P1 bugs
  • Accidental mission to replace Draft with Slate to make the RTE robust.
  • Upcoming: enabling Jitsi everywhere; E2E cross-signing; member lazyloading.

Riot/Mobile

  • Sticker sending is almost done!
  • GDPR work in progress
  • Released a fix for unreliable notification (and bg syncing) on Android 8 on Fdroid (released on Wednesday – please update!)

Neo Alpha 0.05

neo alpha 0.05 was announced by f0x, go take a look at https://github.com/f0x52/neo/releases/tag/alpha0.05. From the changelog:

features to bridge better with telegram, like Replies and Stickers, general ui improvement with fontawesome icons
added:
  • Replies
  • Receiving stickers

and more

Discord Bridge

Half-Shot and anoa are working on the matrix-appservice-discord, and have embarked on bridging Discord edited messages to Matrix

headed up by anoa, feedback for this is useful as it’s early days, https://github.com/Half-Shot/matrix-appservice-discord/pull/131

They’ve been writing tests and crushing bugs along the way. This is all in aid of the coming 0.2.0 release.

gomuks

A gomuks package was added to NixOS nixpkgs, which shows interest in the client: https://github.com/NixOS/nixpkgs/pull/40510.

CromFr doge bot

CromFr has been working on a doge bot, which he describes as ‘a hack over the hyper / haiku bots’, and which is hosted on TravisR‘s https://t2bot.io/. Go try it out in the test room #test-doge-bot-crom:matrix.org.

Independent Client-Server interactions



Lots of excitement at the variety of independent clients and servers able to interact over the matrix protocol. The images above show The Construct (server) and gomuks (client), and then mxhsd and Fractal. A fundamental part of matrix is to be an open protocol, so it’s great to see entirely independent implementations liaising together! While implementing mxhsd, Max has been documenting spec omissions in a branch of the spec – we’re hoping he will contribute these back!

Honourable mention for mujx, who was sending messages with nheko and Ruma a year ago!

Matrix Core team expansion

  • Stève – 17th May (yesterday)
  • Amber – 21st (Monday)
  • Anoa – 21st (Monday)
  • Hubert – 28th May
  • Half-Shot – 4th June
    …and one more community member, hopefully (just sorting paperwork currently!)

Heads up that we’re consciously trying to hire a mix of folks from the Matrix community as well as those outside it – and avoid hiring the whole community, both to ensure diversity of viewpoint & experience in the core team, and also to avoid cannibalising folks who are working on their own commercial projects on top of Matrix. We’d prefer Matrix to be as decentralised and heterogeneous as possible, needless to say – and instead try to support folks in building on Matrix without hiring them into the core team (where we’d expect them to focus on the core project for everyone’s benefit). This may change once we have Matrix set up as a separate foundation, once we’ve got out of beta, of course.

New Rooms

Next week in Matrix

Next week I’ll take a look at Matrix-related GSOC 2018 projects, what the plans are and how the first few weeks are going.

So Long…

That’s all for now! Join us on #TWIM:matrix.org if you’d like to make an announcement and be featured in this series.

Check out this week’s Matrix Live below, and we’ll see you next week!

Introducing Matrix Specification Changes

Hi all,

We’ve been able to start investing more time in advancing the Matrix Specification itself over the last month or so thanks to Ben joining the core team (and should be able to accelerate even more with uhoreg joining in a few weeks!)  The first step in the new wave of work has been to provide much better infrastructure for the process of actually evolving the spec – whether that’s from changes proposed by the core team or the wider Matrix Community.

So, without further ado, we’d like to introduce https://matrix.org/docs/spec/proposals – a dashboard for all the spec change proposals we’ve accumulated so far (ignoring most of the ones which have already been merged), as well as a clearer workflow for how everyone can help improve the Matrix spec itself.  Part of this is introducing a formal numbering system – e.g. MSC1228 stands for Matrix Spec Change 1228 (where 1228 is the ID of the Github issue on the github.com/matrix-org/matrix-doc/issues repository that tracks the proposal).

Please note that these are *NOT* like XEPs or RFCs – i.e. optional proposals or add-ons to the protocol; instead they are literally proposals for changes to the Matrix Spec itself.  Once merged into the spec, they are only of historical interest.

We’ve also created a new room: #matrix-spec:matrix.org to discuss specific spec proposal changes – please join if you want to track how proposals are evolving! (Conversation is likely to fork off into per-proposal rooms or overflow into #matrix-dev:matrix.org or #matrix-architecture:matrix.org depending on traffic levels, however).

Feedback would be much appreciated on this – so please head over to #matrix-spec:matrix.org and let us know how it feels and how it could do better.

This is also a major step towards properly formalising Matrix.org’s governance model – hopefully the changes above are sufficient to improve the health of the evolution of the Spec as we work towards an initial stable release later this year, and then you should expect to see a spec proposal for formal governance once we’ve (at last!) exited beta :)

Huge thanks to Ben for putting this together, and thanks to everyone who’s contributed so far to the spec – we’re looking forward to working through the backlog of proposals and turning them all into merged spec PRs!!

Matthew

This Week in Matrix 2018-05-11

Fractal Hackfest 2018

The talk of the town in Strasbourg this week was the arrival of Fractal Hackfest 2018! The event is still ongoing, and I’m sure they will provide a report of the progress on https://wiki.gnome.org/Hackfests/Fractal2018, though Alexandre kindly sent us a photo of the group in action:
Fractal Hackfest 2018

Home Assistants

Wonderful things are happening and being discovered regarding IoT and Home Automation. uhoreg was the first to point us to tinloaf’s project to build a Matrix Chatbot component for Home Assistant:

This component allows you to send messages to matrix rooms, as well as to react to messages in matrix rooms. Reacting to commands is accomplished by firing an event when one of the configured commands is triggered.

(this is not the same as notify.matrix https://www.home-assistant.io/components/notify.matrix/, which is used to deliver messages from Home Assistant to a room.)

Enthusiasm for this work led to jfred discussing his past adventures in Matrix, including a component for sibyl, ‘a python chatbot with a focus on XBMC’ allowing Matrix communication.

All this excitement led to Cadair creating #homeautomation:cadair.com, which has started a more thorough discussion. I’m eager to see more non-chat applications of Matrix, #twim:matrix.org came up with others with projects in progress.

On GDPR

GDPR has been a favourite topic for a while now. If you didn’t already, take a look at the latest thinking from the Matrix Core team here: https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix/

It’s worth noting that we feel that GDPR is an excellent piece of legislation from the perspective of forcing us to think more seriously about our privacy – it has forced us to re-prioritise all sorts of long-term deficiencies in Matrix (e.g. dependence on DNS; improving User Interactive authentication; improving logout semantics etc). There’s obviously a lot of work to be done here, but hopefully it should all be worth it!

TravisR on GDPR

TravisR has also been thinking about GDPR, and how it relates to his Voyager bot. In his words:

TWIM: I’ve mostly been working on figuring out how GDPR affects t2bot.io for the last couple weeks. One of the things running on t2bot.io is Voyager – a bot that tries to join rooms it sees mentioned in people’s messages, graphing them on https://voyager.t2bot.io. With the increase in talk about GDPR and more bots starting to wander the federation, the recurring topic of whether Voyager should change its approach to finding and listing rooms.

With the current approach, Voyager reads messages and tries to find room aliases to try and join. Individual people can opt-out of this tracking to stop Voyager from reading/parsing their messages (opting back in at a later time, if desired). The room moderators can kick or ban the bot to completely remove their room from the graph, and can invoke a ‘soft kick’ if they’d like to have their room remain listed, but don’t want the bot in the room. Voyager will make sure to only show information for public rooms and will update the graph if the room flips between public and private.

If anyone has feedback on how this approach could be improved (or if it should be left as-is), please come by #voyager:t2bot.io on matrix to start the conversation.

Translations

I was surprised and excited to learn that a Russian translation of the Matrix FAQ has been produced by a group of Russian-language users. ma1uta reported:

There are several Russian-speaking users who spontaneously decided to unite and help Matrix. We created a room where we translated the FAQ using the embedded etherpad widget. Some of us are here: Magnolia and Fenneko is a Good Girl, for example. Anybody can join us at #perevodators:matrix.org and help. We accept any help.
Preview: https://ma1uta.github.io/index.html

They’ve provided a PR which I will presently merge (though of course, as I don’t speak Russian I will need to trust that it’s really a translation of the FAQ!)

Projects and Updates

Matrix Ruby SDK

Ananace reports that work has begun on a Matrix SDK for Ruby ‘with a design based heavily on the Python one’. Doing a lot of sysadmin work, Ananace has been working a lot with Ruby, and also wants to get going using the SDK to write bots.

neo

Neo from f0x released Alpha 0.04.

Added two very ux-improving features, local echo and tab completion. User list, eslinter, auto-retrying requests

Take a look at the changelog for more.

matrixstats.org

a13xmt came to us with https://matrixstats.org, a bot-powered room directory:

Public catalog for matrix rooms announced: matrixstats.org. The place where you can find a lot of rooms and sort them by ratings or categories. Presented rooms are collected from different homeservers; some of the rooms have detailed statistics. The homeservers themselves can be explored without registration. The project is currently in beta stage, so some features may be missing. We would be glad to receive any feedback and ideas for further improvement. Additional info available at https://matrixstats.org/about, related discussions at #matrixstats:matrix.org.

Quaternion

says kitsune:

TWIM: Quaternion 0.0.9.1 is out, with building/packaging fixes; those who use 0.0.9 need not upgrade (https://github.com/QMatrixClient/Quaternion/releases/tag/v0.0.9.1)

Riot/Web

  • New release due monday – whether it’s 0.14.3 or 0.15 depends on whether we can make the sticker picker fast enough to launch!
  • Lots of other polish; E2E is now as fast on Firefox as it is on Chrome!

Riot/Mobile

  • Almost all of France has been on holiday this week…
  • …although we’ve got sticker sending mostly working on iOS & Android anyway!

Synapse

Spec Proposals

Much-needed work has begun to classify and present the spec proposals for the Matrix specification. We’ve tagged up all the issues in GitHub; the new page will appear on matrix.org at the start of next week if I can just stop preening the generator.

Around the Web (and more)

Another week, another article on the front page of Hacker News. The author is focused more on Riot than Matrix, still it’s great knowing how much interest there is in the wild.

Happily, I was at an unrelated event in London earlier in the week, and had my first IRL experience meeting someone who already knew (and then enthused) about the project. Feels good.

Rooms of note

TTFN

Do you have a suggestion for this series? What could we be doing more of? I have a nascent plan to do ‘deeper’ conversations with people or projects that aren’t necessarily in the normal run of things, but are interesting uses of Matrix. Does this sound like something you’d want to read on a Friday afternoon? Drop a line in #twim:matrix.org or ping benpa.

This Week In Matrix – 2018-05-04

Matrix Ecosystem Updates

Project Updates

Clients

nheko

nheko, the Qt desktop client, announced release v0.4.0. From their own changelog:

  • Basic member list
  • Basic room settings menu
  • Support for displaying stickers
  • Fuzzy search for rooms

https://github.com/mujx/nheko/releases/tag/v0.4.0 for more information.

mujx: https://github.com/mujx/nheko, room #nheko:matrix.org

Fractal

Fractal have released v0.1.28 – couple of new features plus fixes.

Fractal of course have their in-person meeting coming up soon, and are looking forward to GSoCers getting onboard.

https://gitlab.gnome.org/World/fractal, room #fractal-gtk:matrix.org

neo

f0x is keeping the pace up on neo. New version (alpha0.03), new website!

Rollup of changes since last week includes

  • settings menu
  • mentions
  • unread counts
  • room invite handling
  • video thumbnails

and a lot more.

f0x: https://github.com/f0x52/neo/, room #neo_client:matrix.org

gomuks

Ever modest, tulir has been tearing through issues and fixes over on gomuks. I’m quite excited to have a matrix-native console client getting up to speed so fast.

tulir: https://github.com/tulir/gomuks, room #gomuks:maunium.net

Journal

One of the Riot developers, Luke, has a fun side-project called Journal, a blogging platform built on Matrix.

Says Luke:

The big news this week being that I’m going to redesign the interface to focus on the personal blog use-case, optimising for easy setup and easy blog post sharing.
And hopefully push a 1.0 release that I’d be happy to use as my own personal blog.

Worth noting that the linked project page (Journal) is itself a blog using Journal (the URL might give you a hint of this!)

luke: https://journal.ldbco.de/#/journal/, room #journal:ldbco.de

Bridges and other projects

synapse-diaspora-auth

Po Shamil reports an update for synapse-diaspora-auth: new documentation on how to integrate with mxisd, plus email syncing from diaspora.

Po Shamil: https://git.fosscommunity.in/necessary129/synapse-diaspora-auth

matrix-appservice-discord

matrix-appservice-discord is now at v0.2.0-rc1.

There are several changes moving this project along, and checking out the change list I can see there were a bunch of contributors to thank (eeeeeta, Sorunome, TravisR), which is super-cool to see.

Half-Shot: https://github.com/Half-Shot/matrix-appservice-discord

GTAD

This week kitsune has been focused on ‘GTAD (Generate Things from API Description)’, which is a code generator for C++, taking an API description in Swagger/OpenAPI as its source. Now at version 0.5, apparently GTAD

can generate correct buildable (and runnable) code to convert data structures used in CS API between JSON and C++ – for the entirety of CS API calls. That basically means that libqmatrixclient gains (so far low-level) C++ CS API for all calls in The Spec and will follow updates to it.

This is super-exciting, especially as we are going to see discussion and progress on the spec…

kitsune: https://github.com/KitsuneRal/gtad/commits/master

Riot/Web

  • We shipped 0.14.2 as an incremental release
  • Jitsi by default on the horizon…
  • Trying to work our way through the regressions which keep stacking up
  • Lots of work on improved UTs for Groups and Replies; discussion about flux stuff
  • Next up is E2E verification (at last).

Riot/Mobile

  • Replies
  • Sticker sending
  • Android is now Kotlin enabled!

Synapse

  • Handling abuse of the depth parameter; short-term fix deployed and longer term coming along shortly.
  • This destroyed progress on the algorithmic perf improvements.
  • Half-Shot PRs for negotiating size limits
  • Amber is inbound!

Dendrite

  • We’re behind on PRs – sorry Thibaut :(

Matrix.org Ops

  • Ansible stuff is being refactored based on our experiences trying to use it in the wild
  • status.matrix.org is coming soon!

Spec

  • Loads of work happening to build the Spec Proposals website, tracking workflow for all the proposals in flux and putting them into a formal RFC-style process. It should help community participation in the spec process massively whilst we finalise the longer term governance model for Matrix.org
  • Also looking at publishing formal roadmaps for Synapse, Dendrite and Riot (at last!) – we have them internally these days but need to just chuck them up on the web and maintain them.
  • Finally, GDPR work is in full swing.

New(ish) Rooms

This section is scraped manually from #newrooms:matrix.org, though there has not been much activity there this week. Meanwhile, there are a couple of rooms suggested by Creak which deserve some love:

Before we go

New Core team member

Amber Brown of the Twisted project will be joining the Matrix core team in a few weeks. She’ll be focusing on Synapse implementation work, and will bring a lot of Python experience with her. Having someone working full time on Synapse will increase others’ bandwidth for homeserver and spec work.

Matrix Live

Matrix Live is now available, where among other things you can see this blog post being written!

SECURITY UPDATE: Synapse 0.28.1

Hi all,

Many people will have noticed disruption in #matrix:matrix.org and #matrix-dev:matrix.org on Sunday, when a validation bug in Synapse was exploited which allowed a malicious event to be inserted into the room with ‘depth’ value that made the rooms temporarily unusable. Whilst a transient workaround was found at the time (thanks to /dev/ponies, kythyria and Po Shamil for the workaround and to Half-Shot for working on a proposed fix), we’re doing an urgent release of Synapse 0.28.1 to provide a temporary solution which will mitigate the attack across all rooms in upgraded servers and un-break affected ones.  Meanwhile we have a full long-term fix on the horizon (hopefully) later this week.

This vulnerability has already been exploited in the wild; please upgrade as soon as possible.

Synapse 0.28.1 is available from https://github.com/matrix-org/synapse/releases/tag/v0.28.1 as normal.

The ‘depth’ parameter is used primarily as a way for servers to signal the intended cosmetic order of their events within a room (particularly when the room’s message graph has gaps in it due to the server being offline, or due to users backfilling old disconnected chunks of conversation). This means that affected rooms may experience message ordering problems until a full long-term fix is provided, which we’re working on currently (and tentatively involves no longer trusting ‘depth’ information from servers).  For full details you can see the proposal documents for the temporary fix in 0.28.1 and the options for the imminent long-term fix.

We’d like to acknowledge jzk for identifying the vulnerability, and Max Dor for providing feedback on the fixes.

As a general reminder, Synapse is still beta (as is the Matrix spec) and the federation API particularly is still being debugged and refined and is pre-r0.0.0. For the benefit of the whole community, please disclose vulnerabilities and exploits responsibly by emailing [email protected] or DMing someone from +matrix:matrix.org. Thanks.

Changes in synapse v0.28.1 (2018-05-01)

SECURITY UPDATE

  • Clamp the allowed values of event depth received over federation to be [0, 2^63 – 1]. This mitigates an attack where malicious events injected with depth = 2^63 – 1 render rooms unusable. Depth is used to determine the cosmetic ordering of events within a room, and so the ordering of events in such a room will default to using stream_ordering rather than depth (topological_ordering). This is a temporary solution to mitigate abuse in the wild, whilst a long-term solution is being implemented to improve how the depth parameter is used. Full details at https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI
  • Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API.
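To make the mitigation concrete, here is an added example (not Synapse’s own code) of the depth range check on federation events, the clamp on locally generated depths, and the (depth, stream_ordering) sort that degrades to arrival order once a room is pinned at the maximum depth. The Event class, function names and the sample PDUs are constructed for illustration.

```python
"""Illustrative depth validation for Matrix events received over federation.

Added example, not Synapse's own code. It mirrors the 0.28.1 changelog:
depths outside [0, 2**63 - 1] are rejected, locally created events never
exceed that bound, and ordering falls back to stream_ordering when depth
stops being informative. All names below are hypothetical.
"""
from dataclasses import dataclass, field

MAX_DEPTH = 2**63 - 1  # upper bound named in the 0.28.1 changelog (also the bigint limit)


class InvalidDepth(ValueError):
    """Raised for a federation event whose depth is missing, non-integer or out of range."""


@dataclass
class Event:
    event_id: str
    depth: int
    stream_ordering: int            # local arrival order, assigned by the receiving server
    prev_events: list = field(default_factory=list)


def check_federation_depth(depth) -> int:
    """Reject non-integer or out-of-range depths on events received over federation."""
    if isinstance(depth, bool) or not isinstance(depth, int):
        raise InvalidDepth("depth must be an integer, got %r" % (depth,))
    if not 0 <= depth <= MAX_DEPTH:
        raise InvalidDepth("depth %d outside [0, %d]" % (depth, MAX_DEPTH))
    return depth


def next_local_depth(parents: list) -> int:
    """Depth for a locally created event: one past its deepest parent, clamped so
    the value can never exceed MAX_DEPTH however large a parent's depth is."""
    deepest = max((p.depth for p in parents), default=0)
    return min(deepest + 1, MAX_DEPTH)


def ordering_key(ev: Event):
    """Cosmetic ordering: depth first, then arrival. Once a room is pinned at
    MAX_DEPTH every later event shares that depth, so the order degrades to
    stream_ordering instead of breaking."""
    return (ev.depth, ev.stream_ordering)


def ingest(room: list, pdu: dict, stream_ordering: int) -> Event:
    """Validate a (constructed) federation PDU and append it to the room timeline."""
    ev = Event(pdu["event_id"], check_federation_depth(pdu.get("depth")),
               stream_ordering, list(pdu.get("prev_events", [])))
    room.append(ev)
    return ev


def demo():
    """Walk through a room receiving a hostile maximal depth, then carrying on."""
    room = []
    ingest(room, {"event_id": "$a", "depth": 1}, 1)
    ingest(room, {"event_id": "$b", "depth": 2, "prev_events": ["$a"]}, 2)
    # constructed hostile PDU: absurd depth, but still inside the permitted range
    ingest(room, {"event_id": "$evil", "depth": MAX_DEPTH, "prev_events": ["$b"]}, 3)
    # events this server creates afterwards stay at MAX_DEPTH rather than overflowing
    d = next_local_depth([room[-1]])
    room.append(Event("$c", d, 4, ["$evil"]))
    room.append(Event("$d", next_local_depth([room[-1]]), 5, ["$c"]))
    # depths a federation peer is not allowed to send
    rejected = []
    for bad in (-1, MAX_DEPTH + 1, "9", 3.0):
        try:
            check_federation_depth(bad)
        except InvalidDepth:
            rejected.append(bad)
    return [e.event_id for e in sorted(room, key=ordering_key)], d, rejected


if __name__ == "__main__":
    print(demo())
```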