🔗Matrix Spec (website)

uhoreg announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC4020: Room model configuration
• MSC4019: Encrypted event relationships
• MSC4018: Reliable call membership

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• WIP: MSC3588: Encrypted Stories As Rooms

🔗Spec Updates

We released version 1.7 of the Matrix Spec on Thursday. This release features media repository improvements and reactions. Thank you to all who contributed to this release, whether through writing or reviewing MSCs, writing spec PRs, or finding spec bugs. And congratulations to those who had their first MSC make it to the release. Read the blog post for the full details.

We're in the process of working out what Matrix 1.8 looks like and need to hear what people are working on. If you have an MSC or idea you're planning on looking at in the next 2 months, let us know in #sct-office:matrix.org so we can prioritize it accordingly.

🔗Random MSC of the Week

The random MSC of the week is... MSC3184: Challenges Messages! This feature allows participants in a room to make decisions randomly by playing rock, paper, scissors; flipping a coin; or drawing straws.

Continue reading…

Hey all,

Matrix 1.7 has just been released! The last spec release was about 3 months ago, keeping us on track for regular quarterly releases. Unlike Matrix 1.6 though, today’s release is packed with plenty of features, some of which we’d like to call out here. Not all implementations will have support for these features yet though, and that’s okay (expected, even).

Adding support for a spec release can be a significant body of work. Instead of implementations having everything ready for spec release day, the idea is that they gain support over the next few months. If you’re able, please help those projects get v1.7’s features.

Today, we see 15 MSCs achieve their formally adopted status. All of them bring forward some much-needed features to Matrix, and a few highlights are below. Read on to the full changelog for a complete overview, and for a sneak peak at what the Spec Core Team (SCT) is planning to look at for v1.8 👀

Continue reading…

Today we are retroactively publishing advisories for security bugs in Synapse. From oldest to most recent, they are:

• GHSA-p9qp-c452-f9r7 (CVE-2022-39374), fixed in Synapse 1.68.0 and affecting all prior versions since Synapse 1.62.0;
• GHSA-45cj-f97f-ggwv (CVE-2022-39335), fixed in Synapse 1.69.0 and affecting all prior versions; and finally
• GHSA-f3wc-3vxv-xmvr (CVE-2023-32323), fixed in Synapse 1.74.0 and affecting all prior versions.

We strongly advise Synapse operators who are still on earlier Synapse versions to upgrade to the latest version (v1.84.0) or at the very least v1.74.0 (released Dec 2022), to prevent attacks based on these vulnerabilities. Please see the advisories for the full details, including a description of

• the vulnerability and potential attacks,
• exactly which deployments are vulnerable, and
• workarounds and mitigations.

Because these bugs are either related to or exploitable over Matrix federation, we have delayed publishing these advisories until now out of caution. This allowed us to ensure that the majority of Synapse homeservers across the public federation have upgraded to a sufficiently patched version, based on the (opt-in) stats reporting to the Matrix.org foundation.

If you have any questions or comments about this announcement or any of the advisories, e-mail us at [email protected].

🔗Matrix Live

No Matrix Live this week as Thib's away. Tune in next week though - maybe he'll do two!

🔗Dept of Spec 📜

Andrew Morgan (anoa) announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• [WIP] MSC4016: Streaming E2EE file transfers with random access
• MSC4015: Voluntary Bot indicators

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• No MSCs were closed/rejected this week.

🔗Spec Updates

Matrix v1.7 has been given a release date of May 25th, right before the next TWIM! Expect a matrix.org blog post with all the details on the day.

Leading up to the release we've seen a number of great spec PRs appearing and being merged! Thank you to everyone for writing them (saving the SCT some time!) and to other reviewing on commenting. It's a huge help and the spec feels like it's chugging along at a blistering pace!

🔗Random MSC of the Week

The random MSC of the week is... MSC2213: Rejoinability of private/invite-only rooms!

This MSC adds the ability for users who have previously joined a room to rejoin again. Typically this isn't desired in a public room setting, but it does specifically make sense in the case of a DM that you've left and want to return to without the other user needing to invite you. This case has specific implications for cases where there could be only ever one room between two users. Being able to rejoin it if the other user has disappeared is key!

Outside of the DM use case, this functionality can mostly already be achieved by using restricted rooms, where users of a given space/another room can always join your room. However, it would be nice to have the flexibility of allowing certain users to rejoin a room without needing another room to serve as proof of membership.

Is this something you're interested in? Do you have additional use cases? Feel free to check out the MSC and comment with your thoughts!

Continue reading…

🔗Matrix Live

🔗Dept of Spec 📜

Andrew Morgan (anoa) announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• [WIP] MSC4014: Pseudonymous Identities
• MSC4013: Poll history cache

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• MSC3882: Allow an existing session to sign in a new session
• MSC3860: Media Download Redirects
• MSC2659: Application service ping endpoint
• MSC2249: Require users to have visibility on an event when submitting reports
• Mechanism to communicate 3PID binding updates or deletions to homeservers

Closed MSCs:

• MSC2463: Exclusion of MXIDs in push rules content matching

🔗Spec Updates

A regular reminder that every Tuesday, the Spec Core Team (SCT) publishes their approximate priorities in the public Office of the Spec Core Team room - check it out to see what the SCT is working on. Similarly, if you’d like the SCT to engage with your MSC, mention so in that room.

The release of Matrix 1.7 is expected in the next 1-2 weeks! Keep an eye out for announcement blog post specifically for it. We'll call it out in the following TWIM as well of course :)

Matrix 1.8 is currently scheduled for around August 2023.

🔗Random MSC of the Week

The random MSC of the week is... MSC3914: Matrix native group call push rule!

This MSC adds a new push rule that causes your Matrix client to emit a notification if a group call (as defined by MSC3401 is started in a Matrix room. This MSC (obviously) depends on MSC3041, so that MSC will need to be accepted before this one can be.

There is currently a client-side implementation for this MSC, but it is missing a homeserver side one (for adding the push rule).

Check out the MSC if you're interested, or perhaps take a look at adding that server-side implementation?

Continue reading…

🔗Matrix Live

🔗Dept of Social Good 🙆

Denise announces

we know there have been some questions about the recent ban on Element by the Indian Central Government. We are still trying to get answers ourselves and have put out a public statement on our understanding of the situation so far: https://element.io/blog/india-bans-flagship-client-for-the-matrix-network/

🔗Dept of Spec 📜

Andrew Morgan (anoa) reports

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC4011: Thumbnail media negotiation
• MSC4010: Push rules and account data
• MSC4009: E.164 Matrix IDs
• MSC4006: "completed elsewhere" hangup reason.
• MSC4005: Explicit read receipts for sent events

MSCs in Final Comment Period:

• MSC3882: Allow an existing session to sign in a new session (merge)
• MSC3860: Media Download Redirects (merge)
• MSC2659: Application service ping endpoint (merge)
• MSC2463: Exclusion of MXIDs in push rules content matching (close)
• MSC2249: Require users to have visibility on an event when submitting reports (merge)

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• No MSCs were closed/rejected this week.

🔗Spec Updates

Lots of MSCs moving through the pipeline this week! Plus a myriad of spec changes too! The spec seems to be gently humming along.

In other news, the next release of the spec, v1.7, is coming up in the not-too-distant future. In keeping with our roughly quarterly release schedule - the release of v1.6 was on February 14th, 2023 - a new release of the spec should come some time in next few weeks.

We haven't set a date yet, but expect to do so soon. So watch this space!

🔗Random MSC of the Week

The random MSC of the week is... MSC3741: Revealing the useful login flows to clients after a soft logout!

This MSC fixes an edge case in the spec. Imagine the following scenario. You're logged into your homeserver via an SSO flow (let's say by signing into GitLab), and then you try to change your password on GitLab. Doing so may cause a "soft logout" to occur for your Matrix client. A soft logout, by the way, happens when your access token is invalidated, but your client is told explicitly not to wipe its local state (including encryption keys).

Your Matrix client is telling you to log back in again, and in doing so calls out to the GET /_matrix/client/v3/login endpoint to see what login methods are available. Your homeserver supports both password-based and SSO-based login, so that's what you get back. Your client happily presents you both options. You try to type your GitLab password, but it's incorrect. And you've just given your GitLab password to this Matrix homeserver in plaintext - oh no!

The problem here stems from the fact that GET /login is unauthenticated. The homeserver doesn't know who you are when you attempt to log in again, and thus can't tailor the available login methods to those that make sense for you. This MSC aims to fix this by having your Matrix client, upon trying to learn how to log in again after a soft logout, provide your expired access token in an Authorization request header. The homeserver can then check and see that 1) you were just soft logout'd and 2) you are an account that is authorised via SSO - so it doesn't make sense to suggest you log in again via a password specific to your Matrix homeserver!

While this MSC discusses a valuable solution, it is worth considering that the User-Interactive Authentication system as a whole is going to be completely replaced by OpenID Connect instead, which will make this problem (and solution) moot. Still, that day is not here yet, so if you suffer from this problem today, this may be one method to deal with it.

Continue reading…

🔗Matrix Live

🔗Dept of Status of Matrix 🌡️

🔗Matrix.org Foundation

Michael Downey announces

Don't miss this week's Matrix Live, where Amandine & Matthew talk about the growth of the Foundation and how it will help all of us working in the Matrix ecosystem be more successful. And in case you missed it, a job description for the Foundation's first Managing Director has now been posted. If you think you have what it takes, or if you want to share it with others who might, don't delay!

🔗Matrix.org Website Bug Hunt

Thib says

Some of you might have heard of it, but we're about to launch a (long overdue) update of the matrix.org website! The current one has served us well, but it grew organically as exciting projects and features were added to it. It became a little impractical to navigate and sometimes confusing.

The new matrix.org website, nicknamed "Zola" after the static site generator it uses, is not just a fresh coat of paint on the website: it's a complete rewrite to address three kind of people who would browse the website. Sorted by time they're willing to spend on a web page:

• The general public, who is not tech savvy and doesn't want to understand how things work, but who wants to get an easy onboarding
• Community managers, who are not too tech savvy but are willing to spend a bit of time to understand more advanced use cases
• Developers who want to understand how matrix works, and who want to build & break things!

We're in the final stages of developing the website, and we need you to help us making it ready! Head to the preview of the website, use the website, and give is feedback by opening an issue on the website tracker. Please make sure the issue doesn't already exist before opening it.

Reporting the following is particularly helpful:

• Something looks off, misplaced, is not aligned well or behaves oddly
• Something is missing (the doc is incomplete? Some informationg is missing somewhere?)
• There's an accessibility issue
• Something doesn't work on your browser
• It's not clear how to get to a particular information (you're looking for a client or a SDK, and after visiting the website you still don't know which one to use or how to get it?)

We still need to:

• Finish up the Bots page (which will likely be replaced by an Integrations page)
• Flesh out the support page to highlight more of the work of the Matrix.org Foundation
• Import the historical projects that are no longer maintained (clients, servers, bots, bridges, sdks)

If you want to follow along, you can join the #matrix.org-website:matrix.org room.

Help us make the website look as neat as possible for launch!

Matthew reports

The UK's online safety bill is a catastrophe in the making, and as currently written empowers the UK telecoms industry regulator (OFCOM) to obligate end-to-end encrypted messaging apps to embed proprietary 3rd party scanning software which attempts to identify and flag abusive content and report it to the authorities. If you are in the UK, please sign this petition https://petition.parliament.uk/petitions/634725 to try to force the government to reconsider. Element, for instance, would rather be blocked by the UK govt from the app stores than embed third party scanning technology. For more info: https://element.io/blog/the-uks-online-safety-bill-undermines-everyones-safety/ and https://element.io/blog/the-online-safety-bill-an-attack-on-encryption/

Continue reading…

🔗Matrix Live

Continue reading…

🔗Matrix Live

An unfortunate series of events prevented us from recording this week! Stay tuned for great bridge news next week.

🔗Dept of Spec 📜

Andrew Morgan (anoa) [GMT-6] says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC3999: Add causal parameter to /timestamp_to_event
• MSC3998: Add timestamp massaging to /join and /knock
• MSC3997: Add timestamp massaging to /createRoom
• MSC3996: Encrypted mentions-only rooms.
• MSC3995: [WIP] Linearized Matrix

MSCs in Final Comment Period:

• MSC3970: Scope transaction IDs to devices (merge)

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• No MSCs were closed/rejected this week.

🔗Spec Updates

The concept of Linearized Matrix (MSC3995) is moving forwards as a potential answer to the European Union's, Digital Markets Act. The fully-decentralised Direct Acyclic Graph (DAG) model of Matrix is well-known, yet complex to implement and thus a potential blocker to gatekeepers who are looking for an interoperable messaging protocol to link their chat service to. Enter Linearized Matrix, a concept of a Matrix room that uses a linked-list to store events in a room, rather than a DAG. Crucially, while being simpler to implement, our aim is to be forward-compatible with the DAG version of Matrix, such that gatekeepers may switch over to DAG-style Matrix in the future if they so chose.

See MSC3995 for more information, and a reminder that this is all still very much in flux!

🔗Random MSC of the Week

The random MSC of the week is... MSC2943: Return an event ID for membership endpoints!

Currently, when you send a (state) event manually via PUT /_matrix/client/v3/rooms/{roomId}/send/{eventType}/{txnId}, you'll receive an event ID in the response. While you can send membership events this way, it's often a bit nicer to use the various POST /_matrix/client/v3/rooms/{roomId}/join,leave,kick endpoints instead. However, these do not return an event ID in their response. For clients that don't use /sync, this would force them to use the former, generic endpoint in order to retrieve the event ID of the membership event.

MSC2943 attempts to rectify that by specifying that membership-related endpoints should return an event ID, similar to the generic event send endpoint. Currently this MSC is just waiting on an implementation in a homeserver (and possible a client) in order to move forward. If you feel strongly about this change being included in the Matrix spec, why not get your hands dirty with some homeserver dev?

Continue reading…

🔗Matrix Live

🔗Dept of Spec 📜

TravisR says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC3994: Display why an event caused a notification
• MSC3993: Room takeover
• MSC3991: Power level up! Taking the room to new heights
• MSC3989: Redact origin field on events
• MSC3995: [WIP] Linearized Matrix

MSCs in Final Comment Period:

• No MSCs are in FCP.

Merged MSCs:

• MSC3980: Dotted Field Consistency

🔗Spec Updates

This last week the core team has been working on Linearized Matrix, which now exists in MSC form. The idea is still very much in flux, but the MSC covers a large part of the backing context for the overall approach. More detail about IETF116, Linearized Matrix, and the overall mission can be found in last week's TWIM, and we're happy to answer any questions in #matrix-spec:matrix.org on Matrix.

Meanwhile, the Spec Core Team (SCT) has been focusing on Matrix 2.0 MSCs for OIDC, VoIP, etc alongside quite a few other smaller MSCs. You can follow along with the SCT's weekly priorities in the #sct-office:matrix.org room on Matrix.

🔗Random MSC of the week

Today's random proposal is MSC3860: Media Download Redirects! Quite a few medium-large servers use a CDN of some kind to host media shared in rooms, and currently the usefulness of that CDN is diminished by servers not necessarily being able to tell clients that the media is actually found on another URL. This proposal formalizes HTTP 307 redirects, and the SCT is interested to hear if this will break any clients - check it out, leave some comments, and let us know :)

Continue reading…