This Week in Matrix 2023-09-08
08.09.2023 00:00 — This Week in Matrix — ThibMatrix Live
Dept of Status of Matrix 🌡️
Matthew announces
Josh joined the Matrix Foundation as its first ever Managing Director!
Hi all,
Today is a big day! As you know, over the last few months we’ve been searching for a Managing Director to join the Matrix.org Foundation full-time, focused on managing the Foundation’s finances, organising the Foundation’s membership programme, helping raise funding to support Foundation work, working with the Guardians to ensure the Foundation stays on mission, and ensuring the Foundation can operate successfully as a fully independent entity.
Thib says
We’d like to thank everyone for their patience as we continue to work toward restoring the Libera.Chat bridge, and apologize for the continued inconvenience. We’ve heard from many people and communities who are impacted, who have confirmed that operating this bridge is an important service and we remain committed to getting it back online.
It’s been a month since our last update and folks have been reaching out, so we wanted to take this opportunity to provide a brief update.
The bridge team at Element is still actively working on the issues that led to the bridge being disabled in the first place. You can see some of the work that’s in flight through GitHub PRs: #1757, #1766, #1764, #1734.
We’re also looking into a way to transition responsibility for the bridge from Element to being directly run by The Matrix.org Foundation over the coming months - more details as we have them.
Unfortunately, we do not yet have a clear timeline for bringing the bridge back online. We’ll continue providing regular updates and will share more information as soon as we can. Thank you again for your patience! Please do not hesitate to reach out at #libera-matrix:libera.chat if you have any questions or concerns.
TravisR announces
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
- MSC4049: Sending events as a server or room
- MSC4048: Signed key backup
- MSC4047: Send Keys
- MSC4046: Make & send PDU endpoints
MSCs in Final Comment Period:
- No MSCs are in FCP.
Accepted MSCs:
Merged MSCs:
Matrix 1.8 is here!
If you haven't yet seen the blog post, check it out. Room version 11 is new in this release, and we've already got an idea for what Matrix 1.9 looks like :)
New MSCs in detail
In this new segment, we aim to give a bit more context as to why an MSC was opened, beyond what is available in the MSC's introduction.
MSC4049 is highly experimental investigative work into what it would take to support making messages as appearing to be sent by a room or server instead of a user. There are some use cases highlighted in the MSC itself, but the primary driving factor is a point of relatively minor feedback from the MIMI working group: "does sender really need to be a user ID?". The spike-shaped experiment overlaps heavily with both crypto IDs and pseudo IDs by accident, but might help inform those two projects via MSC4047 and MSC4046. Currently there is not a plan to push any of the 3 MSCs towards FCP, though feedback is very much welcome on how the stack feels.
MSC4048 is part of the crypto team's mission to improve encryption across all of Matrix, with this particular MSC looking to improve the trustworthiness of key backups. Watch this space for updates as the MSC progresses, and please provide feedback on the proposal itself.
Hey all,
Matrix 1.8 is out now! The last release, Matrix 1.7, was full of features and laid out a plan for what Matrix 1.8 was expected to become. We spent most of our time focusing on the MSC3995-related MSCs from that original plan, but made an effort to get the other stuff looked at as well.
With this release we see a total of 9 MSCs achieve their formally adopted status. The full changelog at the bottom has all the details, but please read on for what’s new in room version 11, and Matrix 1.9’s roadmap :)
Matrix 1.8 features a new room version! Normally a room version wouldn’t have a particular theme, but for v11 we aimed to clean up the different algorithms and event format details. After 10 prior room versions there were some artifacts of the past sticking around (but not causing problems necessarily) - many of them are cleaned up here.
Specified originally as MSC3820, v11 introduces the following changes:
- redacts to the content of m.room.redaction events.
- creator from m.room.create events (use sender instead).
- origin from events.
Alongside being a cleanup room version, v11 is the initial base we used for our efforts in the IETF world. It provides an easier starting point for new server implementations, particularly when paired with Linearized Matrix (described as both an IETF Internet-Draft and MSC3995).
In future room versions the cleanup effort will continue, alongside additional features for supporting the IETF use cases. Watch this space for updates.
We’re continuing the trend of planning ahead and have the following themes planned for work in Matrix 1.9:
A lot of this stuff might take the shape of opening MSCs or thinking about the problems, but we’re also very optimistic about getting them through FCP before November 2023. Watch this space for updates :)
There’s so many more things than what we covered in this blog post - flip through the changelog below for a full idea of what’s landed.
Backwards Compatible Changes
Spec Clarifications
- type property in the JSON schema definition of the m.reaction event. Contributed by @chebureki. (#1552)
- null in room_types in POST /publicRooms endpoints schemas. (#1564)
Deprecations
Backwards Compatible Changes
Spec Clarifications
- /state_ids can respond with a 404. (#1521)
- POST /_matrix/federation/v1/user/keys/claim. (#1559)
- null in room_types in POST /publicRooms endpoints schemas. (#1564)
Spec Clarifications
- fields in thirdparty lookup queries. (#1584)
Spec Clarifications
No significant changes.
Backwards Compatible Changes
- redacts from top level to content on m.room.redaction events in room version 11, as per MSC2174. (#1604)
- creator from m.room.creator events in room version 11, as per MSC2175. (#1604)
- origin from events in room version 11, as per MSC3989. (#1604)
Backwards Compatible Changes
Spec Clarifications
Backwards Compatible Changes
- @matrix-org/spec npm package to ship the SAS Emoji data definitions & translations. (#1620)
Spec Clarifications
- x-changedInMatrixVersion is a string. (#1562)
- oneOfs in JSON schemas. (#1585)
TravisR announces
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
- MSC4045: Deprecating the use of IP addresses in server names
- MSC4044: Enforcing user ID grammar in rooms
MSCs in Final Comment Period:
- MSC4040: Update SRV service name to IANA registration (merge)
- MSC3930: Polls push rules/notifications (merge)
Accepted MSCs:
Closed MSCs:
- No MSCs were closed/rejected this week.
Spec Updates
This last week the SCT has largely been preparing for the spec release happening on August 23rd, 2023 and working on getting some of the IETF/MIMI work into MSC shape. It's largely business as usual at the moment for the SCT :)
Matrix 1.9's planned work will be finalized on Monday as well, ahead of the Matrix 1.8 release on Wednesday. Please raise any MSCs or general feature areas to the SCT before Monday in #sct-office:matrix.org for them to be considered. The SCT will have limited/no bandwidth to look at things not raised for consideration.
TravisR says
Spec
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
- MSC4043: Presence Override API
- MSC4042: Disabled Presence State
- MSC4041: http header Retry-After for http code 429
MSCs proposed for Final Comment Period:
MSCs in Final Comment Period:
- MSC3958: Suppress notifications from message edits (merge)
- MSC3061: Sharing room keys for past messages (merge)
Accepted MSCs:
- No MSCs were accepted this week.
Closed MSCs:
- No MSCs were closed/rejected this week.
Spec Updates
We have a release date planned for Matrix 1.8! We're looking at Wednesday, August 23rd, 2023, and tracked as issue #1614. Currently the only release blocker is room version 11, which should land well in advance of August 23rd. If there's other things we should be considering please raise them ASAP in #sct-office:matrix.org.
August 23rd also begins the Matrix 1.9 cycle where we'll be sticking to our MSC review plan more strongly. Stay tuned to TWIM for news on the exact MSCs/features we'll be looking at for that cycle, and let us know in #sct-office:matrix.org if you think we should consider something in our planning.
The SCT has otherwise been thinking a lot about the MIMI working group at the IETF and how the protocol layering works there. About half of the SCT is going to take a break from MSC review over the next few weeks to ensure the protocol we're designing for MIMI will be fully compatible with Matrix - this will mean that some MSCs will move slower through FCP, sorry.
As always, if you have questions, concerns, complaints, etc then let us know in #sct-office:matrix.org 🙂
TravisR also announces
port 8448 has formally been registered by IANA 🎉
Following a series of stability issues, the Libera.Chat team has requested that the Matrix <> Libera.Chat bridge be disabled until we can resolve the stability issues.
From 14:00 UTC on Saturday 5th August the bridge will be unavailable. We will be working to get the bridge back up as soon as we can, however, given the severity of the situation we do not expect immediate resolution.
We send our sincere apologies to anyone caught up in this decision and unable to reach folks on the Libera side.
We’ll get you back as soon as we can.
Andrew Morgan (anoa) says
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
- There were no new MSCs this week.
MSCs in Final Comment Period:
- No MSCs are in FCP.
Accepted MSCs:
- No MSCs were accepted this week.
Closed MSCs:
- No MSCs were closed/rejected this week.
Spec Updates
No movement through the process on the surface for any MSCs according to the above chart, but some things have been happening! Other than the usual background hum of IETF work, conversations across many MSCs have been moving along. We also saw MSC3930 (Polls push notifications) have FCP proposed! The latter would stop a notification from being generated every time someone voted in a poll, which is sorely needed.
A reminder that in keeping with the spec's quarterly release schedule, Matrix v1.8 is due to release this month and Matrix v1.9 is due for November. We want to plan well ahead for the v1.9 release though, so if you would like to see anything in particular land in v1.9, please raise that concern in the Office of the Spec Core Team room!
See this message in the same room for more information including the currently planned v1.9 spec changes.
Random MSC of the Week
The random MSC of the week is... Refine and clarify how presence works!
This is a very old "MSC" (still on google docs), but it's come up and I've seen folks taking a look at revamping presence recently, so I figured it may be interesting to share.
The document lists a number of confusing behaviours that come with the current presence spec (at the time, though it hasn't moved much since then). There is also a bullet-point list of what a redesigned presence could look like.
Given the conversation on the GitHub issue, this document appears lost to time. But perhaps someone will find it useful today.
Hi folks. As previously mentioned on Monday, we’re now disclosing the vulnerabilities patched for the IRC, Slack and Hookshot bridges. If you have not already done so, please ensure you are running the patched versions.
Today we are disclosing the 3 vulnerabilities.
GHSA-vc7j-h8xg-fv5x / CVE-2023-38691
The POST /v1/exchange_openid endpoint did not check that the servername part of the sub parameter (containing the user's claimed MXID) is the same as the servername we are talking to. This could allow a malicious actor to spin up a server on any given domain, respond with a sub parameter according to the user they want to act as and use the resulting token to perform provisioning requests.
This is now patched so that the server part of the sub / user ID is checked against the server used to make the request.
Discovered and reported by a community member.
GHSA-3pmj-jqqp-2mj3 / CVE-2023-38690
When the IRC bridge attempted to parse an admin command from a Matrix user, it would only split arguments by a literal space. For example, sending “!join #matrix\nfoobar” would treat the channel name as “#matrix\nfoobar”. This could then be exploited to inject any IRC command into the bridge to be run. Since the !join command first joins via the bridge bot user, it could be used to execute commands as the bridge bot.
This is now patched so that the command handler is more strict about its arguments, and channel names are explicitly validated when provided by users.
Discovered and reported by Val Lorentz.
GHSA-c7hh-3v6c-fj4q / CVE-2023-38700
The IRC bridge caches recent timeline messages in memory, so that when a reply is seen for a message it doesn’t need to request the event content from the homeserver. However, the room ID was not validated when accessing this cache, so a malicious actor could craft a reply event in another room referencing any event ID (so long as it was still in the bridge cache) to trick the bridge into posting the message content into a bridged reply.
Discovered and reported by Val Lorentz.
If you have further questions, please reach out on [email protected]
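For CVE-2023-38691 above, the missing check fits in a few lines. This is an added JavaScript example, not code from the bridges; the function names and the constructed userinfo table (standing in for what each homeserver would answer to an OpenID userinfo lookup) are assumptions.

```javascript
// Added example, not bridge code. All names and sample values are hypothetical.

// Constructed stand-in for the userinfo lookup: the key is the server the
// bridge queried, the value is the response that server returned.
const CONSTRUCTED_USERINFO = new Map([
  ["example.org", { sub: "@alice:example.org" }],       // honest server
  ["attacker.example", { sub: "@alice:example.org" }],  // claims a foreign user
  ["[2001:db8::1]:8448", { sub: "@bob:[2001:db8::1]:8448" }],
]);

// Split an MXID at the FIRST colon: the server name may itself contain
// colons (port, IPv6 literal), the localpart may not.
function parseUserId(userId) {
  if (typeof userId !== "string" || !userId.startsWith("@")) return null;
  const idx = userId.indexOf(":");
  if (idx === -1 || idx === userId.length - 1) return null;
  return { localpart: userId.slice(1, idx), serverName: userId.slice(idx + 1) };
}

// Pre-patch behaviour as the advisory describes it: trust whatever sub says.
function exchangeUnchecked(queriedServer) {
  const res = CONSTRUCTED_USERINFO.get(queriedServer);
  return res ? res.sub : null;
}

// Patched behaviour: the server part of sub must be the server we queried.
// Anything unparseable or mismatched fails closed (no token is issued).
function exchangeChecked(queriedServer) {
  const res = CONSTRUCTED_USERINFO.get(queriedServer);
  if (!res) return null;
  const parsed = parseUserId(res.sub);
  if (!parsed || parsed.serverName !== queriedServer) return null;
  return res.sub;
}
```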
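For CVE-2023-38690 above, this added example (not matrix-appservice-irc code) runs the message quoted in the advisory through a split-on-space parser and through a stricter one. The function names, the simplified "!join <channel>" form and the channel grammar are assumptions of the sketch.

```javascript
// Added example, not bridge code. All names are hypothetical.

// Pre-patch parsing as the advisory describes it: split on a literal space.
function parseArgsLoose(body) {
  return body.split(" ");
}

// What an IRC server sees: it splits the stream on CR and/or LF, so a line
// break inside an argument starts a new protocol line.
function ircLinesFor(command, arg) {
  return `${command} ${arg}\r\n`.split(/[\r\n]+/).filter((l) => l.length > 0);
}

// Assumed channel grammar for this sketch: '#' or '&' prefix, at most 50
// characters, no space, comma or ASCII control character (CR, LF, NUL, BEL...).
const CHANNEL_RE = /^[#&][^\x00-\x20\x7f,]{1,49}$/;

function isValidChannel(name) {
  return typeof name === "string" && CHANNEL_RE.test(name);
}

// Stricter parsing: split on any whitespace run, require exact arity, then
// validate the channel explicitly before it gets near the IRC connection.
function parseJoinStrict(body) {
  const args = body.trim().split(/\s+/);
  if (args.length !== 2 || args[0] !== "!join") {
    return { ok: false, reason: "usage: !join <channel>" };
  }
  if (!isValidChannel(args[1])) {
    return { ok: false, reason: "invalid channel name" };
  }
  return { ok: true, channel: args[1] };
}

// The message quoted in the advisory, plus a benign one.
const ADVISORY_BODY = "!join #matrix\nfoobar";
const BENIGN_BODY = "!join #matrix";
```

The two checks are independent on purpose: the arity check rejects the advisory's message at parse time, and isValidChannel still rejects the same string if it reaches the join path some other way.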
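For CVE-2023-38700 above, an added example (not the bridge's own code) of a recent-event cache with the event-ID-only lookup beside a room-scoped one. The class, function names and event values are constructed for illustration.

```javascript
// Added example, not bridge code. All names and sample values are hypothetical.
class RecentEventCache {
  constructor(maxSize) {
    this.maxSize = maxSize;
    this.events = new Map(); // event ID -> { roomId, sender, body }
  }

  store(event) {
    this.events.set(event.event_id, {
      roomId: event.room_id, sender: event.sender, body: event.content.body,
    });
    // Map preserves insertion order, so the first key is the oldest entry.
    if (this.events.size > this.maxSize) {
      this.events.delete(this.events.keys().next().value);
    }
  }

  // Pre-patch lookup as the advisory describes it: event ID only.
  getUnchecked(eventId) {
    return this.events.get(eventId) ?? null;
  }

  // Patched lookup: a hit counts only if it was cached for the replying room.
  get(roomId, eventId) {
    const hit = this.events.get(eventId);
    return hit && hit.roomId === roomId ? hit : null;
  }
}

// Resolve the text to quote for a reply, using either lookup.
function quotedBodyForReply(cache, reply, checked) {
  const target = reply.content["m.relates_to"]?.["m.in_reply_to"]?.event_id;
  if (typeof target !== "string") return null;
  const hit = checked ? cache.get(reply.room_id, target) : cache.getUnchecked(target);
  return hit ? hit.body : null;
}

// Constructed sample events (IDs and room names are made up).
const sampleCache = new RecentEventCache(100);
sampleCache.store({ event_id: "$evt1", room_id: "!private:example.org",
  sender: "@alice:example.org", content: { body: "constructed private text" } });
const crossRoomReply = { room_id: "!other:example.org", sender: "@mallory:example.org",
  content: { body: "re", "m.relates_to": { "m.in_reply_to": { event_id: "$evt1" } } } };
const sameRoomReply = { ...crossRoomReply, room_id: "!private:example.org" };
```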