As of yesterday, Matrix.org is using a curated room directory. We’re paring down the rooms that are visible to a collection of moderated spaces and rooms. This is an intervention against abuse on the network, and a continuation of work that we started in May 2024.

In early 2024 we noticed an uptick in users creating rooms to share harmful content. After a few iterations to identify these rooms and shut them down, we realised we needed to change tack. We landed on first reducing the discoverability and reach of these rooms - after all, no other encrypted messaging platform provides a room directory service, and unfortunately it can clearly serve as a mechanism to amplify abuse. So, in May 2024 we froze the room directory. Matrix.org users were no longer permitted to publish their rooms to the room directory. We also did some manual intervention to reduce the size of the directory as a whole, and remove harmful rooms ahead of blocking them.

This intervention aimed at three targets:

• Lowering the risk of users discovering harmful rooms
• Stopping the amplification of abuse via an under-moderated room directory
• Reducing the risk for Matrix client developers for app store reviews

In truth, the way room discovery works needs some care and attention. Room directories pre-date Spaces, and some of the assumptions don't hold up to real world use. From the freeze, and the months since, we've learned a few things. First, the criteria for appearing in a server's room directory in the first place is way too broad. Also, abuse doesn't happen in a vacuum. Some rooms that were fine at the time of the freeze, are not now. There are a few different causes for that, including room moderators losing interest. We looked for criteria to give us the confidence in removing the freeze, and we hit all the edge cases that make safety work so challenging.

Those lessons led to a realization. One of the values of the Foundation is pragmatism, rather than perfection. We weren't living up to that value, so we decided to change. The plan became simpler: move to a curated list of rooms, with a rough first pass of criteria for inclusion. In parallel, we asked the Governing Board to come up with a process for adding rooms in the future, and to refine the criteria. We've completed the first part of the plan today.

🔗What comes next

There's plenty of scope for refinement here, and we've identified a few places where we can get started:

• The Governing Board will publish criteria for inclusion in the Matrix.org room directory. They'll also tell you how you can suggest rooms and spaces for the directory.
• We're going to recommend safer defaults. Servers should not let users publish rooms unless there are appropriate filtering and moderation tools in place, and people to wield them. For instance, Element have made this change to Synapse in PR18175
• We're exploring discovery as a topic, including removing the room directory API. One promising idea is to use Spaces: servers could publish a default space, with rooms curated by the server admin. Our recent post includes some other projects we have in this area: https://matrix.org/blog/2025/02/building-a-safer-matrix/

🔗FAQs

What criteria did you use for this first pass?
We used a rough rubric: Is the room already in the room directory, and does the Foundation already protect the room with the Matrix.org Mjolnir? From there, we extended to well-moderated rooms and spaces that fit one of the following:

• Matrix client and server implementations (e.g. FluffyChat, Dendrite)
• Matrix community projects (e.g. t2bot.io)
• Matrix homeserver spaces with a solid safety record (e.g. tchncs.de, envs.net)

Why isn't the Office of the Foundation in the directory?
It didn't exist before May 2024, so the Office has never been in the directory. We're going to add it in the next few days, with a couple of other examples that fit our rough rubric.

How do I add my room/space to the list?
At the moment, you can't. The Governing Board will publish the criteria and the flow for getting on the list.

What do I do if I find a harmful room in the current directory?
You shouldn't, but if a room does have harmful content, check out How you can help

🔗Dept of Status of Matrix 🌡️

🔗Trust & Safety

Jim announces

If you are wondering what the Foundation Safety team get up to, and what we have planned, we have an update for you. Check out the post: Building a Safer Matrix

🔗Dept of Spec 📜

TravisR announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC4264: Tokens for Contacting Accounts
• MSC4265: Data Protection Officer contact in /.well-known/matrix/support
• MSC4266: Policies in /.well-known/matrix/support

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• No MSCs were closed/rejected this week.

🔗Spec Update

Lots of MSC implementation and iteration is happening behind the scenes at the moment, leading to not very exciting Spec Core Team (SCT) updates :) As this implementation work progresses, the Matrix 2.0 MSCs in particular will continue to push forwards towards acceptance.

In the meantime, early versions of Extensible Profiles is up for review and today's blog post "Building a Safer Matrix" hints at some T&S spec changes expected soon.

The next spec release is expected in early March 2025 - if there's MSCs you think should be included there, let the team know in the SCT Office!

🔗Informal TI-Messenger Spec Discussion

Johannes reports

@this-week-in:matrix.org for people interested in informally discussing the Matrix-based TI-Messenger (TI-M) spec, as of today we have a public room: https://matrix.to/#/#tim-spec:matrix.org

If you haven't heard of TI-M before, in a nutshell it's a chat standard for the German healthcare system.

Continue reading…

N.B. this post is also available in German below.

🔗Introduction

Right now, the world needs secure communication more than ever. Waves of security breaches such as the “Salt Typhoon” compromise of the telephone network’s wiretap system have led the FBI to advise US citizens to switch to end-to-end-encrypted communication. Geopolitical shifts painfully highlight the importance of privacy-preserving communication for vulnerable minorities, in fear of being profiled or targeted. Meanwhile the International Rules-Based Order is at risk like never before.

We built Matrix to provide secure communication for everyone - to be the missing communication layer of the Open Web. This is not hyperbole: Matrix is literally layered on top of the Web - letting organisations run their own servers while communicating in a wider network. As a result, Matrix is “decentralised”: the people who built Matrix do not control those servers; they are controlled by the admins who run them - and just as the Web will outlive Tim Berners-Lee, Matrix will outlive us.

Matrix itself is a protocol (like email), defined as an open standard maintained by The Matrix.org Foundation C.I.C - a UK non-profit incorporated in 2018 to act as the steward of the protocol; to coordinate the protocol’s evolution and to work on keeping the public Matrix network safe. The Foundation is funded by donations from its members (both individuals and organisations), and also organises the Matrix.org homeserver instance used by many as their initial home on the network.

Much like the Web, Matrix is a powerful technology available to the general public, which can be used both for good and evil.

The vast majority of Matrix’s use is constructive: enabling collaboration for open source software communities such as Mozilla, KDE, GNOME, Fedora, Ubuntu, Debian, and thousands of smaller projects; providing a secure space for vulnerable user groups; secure collaboration throughout academia (particularly in DACH); protecting healthcare communication in Germany; protecting national communication in France, Germany, Sweden and Switzerland; and providing secure communication for NATO, the US DoD and Ukraine. You can see the scope and caliber of the Matrix ecosystem from the talks at The Matrix Conference in September.

However, precisely the same capabilities which benefit privacy-sensitive organisations mean that a small proportion of members of the public will try to abuse the system.

We have been painfully aware of the risk of abuse since the outset of the project, and rather than abdicating responsibility in the way that many encrypted messengers do, we’ve worked steadily at addressing it. In the early days, even before we saw significant abuse, this meant speculating on approaches to combat it (e.g. our FOSDEM 2017 talk and subsequent 2020 blog post proposing decentralised reputation; now recognisable in Bluesky’s successful Ozone anti-abuse system and composable moderation). However, these posts were future-facing at the time - and these days we have different, concrete anti-abuse efforts in place.

In this post, we’d like to explain where things are at, and how they will continue to improve in future.

🔗What we do today

The largest use of our funding as a Foundation is spent on our full-time Safety team, and we expanded that commitment at the end of 2024. On a daily basis, the team triage, investigate, identify and remove harmful content from the Matrix.org server, and remove users who share that material. They also build tooling to prevent, detect and remove harmful content, and to protect the people who work on user reports and investigations.

The humans who make up the Foundation Trust & Safety team are dedicated professionals who put their own mental health and happiness in jeopardy every day, reviewing harmful content added by people abusing the service we provide. Their work exposes them to harms including child sexual exploitation and abuse (CSEA), terrorist content, non-consensual intimate imagery (NCII), harassment, hate, deepfakes, fraud, misinformation, illegal pornography, drugs, firearms, spam, suicide, human trafficking and more. It’s a laundry list of the worst that humanity has to offer. The grim reality is that all online services have to deal with these problems, and to balance the work to detect and remove that content with the rights of their users. We’re committed to that work, and to supporting the Trust & Safety team to the best of our ability — we are very grateful for their sacrifice.

Continue reading…

The Matrix.org Foundation and its growing community were once again present at the biggest OSS conference in Europe, and it's been a tremendous success! It was an opportunity for us to gather, share ideas and debate about ongoing topics, meet the broader FOSS community and present our work.

🔗Fringe Event

With 8000 visitors, FOSDEM is primarily a place to share your work with others and present the latest developments to those interested. But it's not necessarily the best venue for conversations within the community about topics that are still in-flight.

Because so many people are doing the trip to gather in a single city, it remains a good opportunity to gather your own community in a more intimate setting. This is precisely what Fringe Events happening before or after FOSDEM are about.

Continue reading…

🔗Matrix Live

🔗Dept of Status of Matrix 🌡️

Quentin Gliech reports

This week we released Matrix Authentication Service 0.13.0!

This is a big release, as we haven't done one since September.

It is fixing a lot of small issues, but here are a few of the big highlights:

• The email verification has been completely reworked, meaning that accounts don't require a valid email address on them anymore! They are still required for open password registrations, but MAS won't nag you anymore to add an email to your account.
• No more spurious logouts when consuming a refresh token! That was a recurring annoyance for people using Element X in poor network conditions.
• It now reliably provisions users to Synapse! Sometimes, MAS would just stop provisioning new sessions if, for some reason, it lost connections to Postgres. This is a thing of the past, as now MAS has a reliable job queue.
• New translations! MAS is now available in Czech, Dutch, Estonian, English, French, German, Portuguese, Simplified Chinese, Swedish, and Ukrainian. If you'd like to help MAS get translated to your language, head out to our Localazy project
• Better support for non-OIDC upstream OAuth 2.0 providers. Support for 'social login' options like Google or Sign-in with Apple went from 'good' to 'great', with many UI improvements.

Upgrading should be as easy as grabbing the latest Docker image or the pre-built binaries, restarting the service and voilà!

Feel free to stop by #matrix-auth:matrix.org to join in on the discussion and if you encounter a bug make sure to report it here.

Continue reading…

🔗Dept of Status of Matrix 🌡️

Thib (m.org) announces

FOSDEM was a huge success for the Matrix.org Foundation and community this year again!

• 🍕60 pizzas and an uncountable amount of drinks at the Fringe event
• 👕 100 t-shirts sold at the booth on the first day!!
• 🧑‍🏫 A completely packed devroom
• 🤝 Many great conversations at the booth

Shout out to Workadventure, Nordeck and Famedly who sponsored the Fringe Event and kept us refreshed and fed. And a huge thanks to everybody who showed up at the booth either to staff it or to say a kind word, bring constructive criticism, or have a casual conversation.

A more detailed wrap up post will be published this week. In the meantime, I’m leaving FOSDEM with a sense that we are doing the right thing, going in the right direction, and that people notice. I'm looking forward to meeting you all again, as well as those who couldn't make it to FOSDEM!

Continue reading…

This week we tried publishing TWIM on a Monday, but people seem to enjoy reading their Matrix news during the weekend. We will get back to publishing TWIM on Fridays!

🔗Matrix Live

🔗Dept of Spec 📜

Andrew Morgan (anoa) {he/him} says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC4256: RFC 9420 MLS mode Matrix
• MSC4255: Bulk Profile Updates

MSCs in Proposed Final Comment Period:

• MSC3765: Rich text in room topics
• MSC3266: Room summary API
• MSC3757: Restricting who can overwrite a state event
• MSC4183: Additional Error Codes for submitToken endpoint
• MSC2965: OAuth 2.0 Authorization Server Metadata discovery

MSCs in Final Comment Period:

• MSC4239: Room version 11 as the default room version (merge)
• MSC4133: Extending User Profile API with Key:Value Pairs (merge)
  • FCP currently blocked due to an ongoing discussion.

Accepted MSCs:

• MSC4213: Remove server_name parameter from join and knock endpoints

Closed MSCs:

• MSC3975: rel_type for Replies
  • Closed by the MSC author.

🔗Spec Updates

Quite a flurry of activity in spec-land this week, as you can see from the above! MSC4133: Extending User Profile API with Key:Value Pairs moved into final comment period. While it still has one outstanding concern as of today, hopefully that can be worked out in the near future.

We also had a newly accepted MSC; MSC4213: Remove server_name parameter from join and knock endpoints. A small change, but a nice clean up to the spec.

Once again, thanks to everyone who's involved, and those that are only just getting started! The more the merrier.

Continue reading…

🔗Matrix Live

🔗Dept of Events and Talks 🗣️

🔗Matrix@FOSDEM 2025

As a reminder Matrix will again be present at FOSDEM this year!

As always, FOSDEM is free to attend and will happen at the 1. and 2. of February. Additionally we will have a fringe event on the 31st of January. You can find more information in the "Matrix in full force at FOSDEM" blog post.

Additionally please be aware that the Health and Safety Policy for the fringe event will be the same as the one of the Matrix Conference. Extremely briefly: You need to wear a mask while indoors, except while eating and drinking.

🔗Dept of Spec 📜

Andrew Morgan (anoa) {he/him} reports

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• MSC4253: Modifying or rejecting accepted MSCs
• MSC4252: Extensible Events modification: State event handling
• MSC4250: Authenticated media v2 (Cookie authentication for Client-Server API)

MSCs in Final Comment Period:

• MSC4213: Remove server_name parameter from join and knock endpoints (merge)

Accepted MSCs:

• No MSCs were accepted this week.

MSCs in Proposed Final Comment Period:

• MSC4133: Extending User Profile API with Key:Value Pairs
• MSC3765: Rich text in room topics
• MSC3266: Room summary API
• MSC4239: Room version 11 as the default room version
• MSC3757: Restricting who can overwrite a state event
• MSC4183: Additional Error Codes for submitToken endpoint

Closed MSCs:

• MSC3575: Sliding Sync (aka Sync v3)
  • Superseded by MSC4186: Simplified Sliding Sync
• [WIP] MSC4097: Interactions between media redirection and authentication
  • Replaced by spec-independent approaches.

🔗Spec Updates

As suggested from folks in the TWIM room, the above status now contains MSCs that are currently in proposed Final Comment Period. The hope is that this directs attention to MSCs that are close to being either merged/closed.

Let me know what you think!

Continue reading…

🔗Dept of Status of Matrix 🌡️

🔗Governing Board (website)

The Governing Board is an advisory board that is made up of elected representatives from all across the Matrix ecosystem.

HarHarLinks says

I'm excited to share some quick news from the governing board today! Over the holidays around the new year, we finished the committee chair elections and congratulate:

• Bram and Sumner, chair and vice chair of the Governance committee,
• Sumner and Nico, chair and vice chair of the Community committee,
• Robin and Kevin, chair and vice chair of the Finance committee,
• J.B. and Nico, chair and vice chair of the Trust & Safety committee!

This paves the way for the committees to start taking up work while at the same time the governing board as a whole also finalises the processes around working groups so we can onboard all of you!

We look forward to sharing another update soon, and Matrix @ FOSDEM is also on the horizon, where attendees will be able to meet a good handful of governing board members face to face! For any questions, feedback, or discussion with/about the governing board, join our #governing-board-office:matrix.org!

Until next time!

🔗Dept of Spec 📜

Andrew Morgan (anoa) {he/him} says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

• There were no new MSCs this week.

MSCs in Final Comment Period:

• No MSCs are in FCP.

Accepted MSCs:

• No MSCs were accepted this week.

Closed MSCs:

• No MSCs were closed/rejected this week.

🔗Spec Updates

It may seem quiet from the stats above, but there's actually been a healthy amount of activity across various MSCs this week!

MSC3266: Room summary API had FCP proposed, which moves this long-awaited MSC significantly closer to being accepted. This MSC allows clients to get a quick preview of a room before joining it, which is useful in all sorts of scenarios (see the MSC for a list!). There's still a fair amount of feedback to get through, but much of it is small clarifying comments. Exciting to see this one move forward!

MSC4133: Extending User Profile API with Key:Value Pairs has also been moving forward, with the Synapse implementation in active review by the maintainers, and all concerns on the MSC (currently) having been resolved this week.

There's plenty of activity on other MSCs as authors work to update them. Also a huge thanks again to those working on the spec text itself. Multiple PRs against the matrix-spec repo have been opened following the holidays, all making the spec better for everyone. Thank you!

Continue reading…

The Matrix.org homeserver will see changes related to authentication in Q1 2025. The team will turn off guest account access on Matrix.org on January 16th and roll out Matrix Authentication Service (MAS) to embrace Matrix 2.0 after February 10. Client developers need to ensure their clients support the required changes.

🔗What is MAS

Matrix Authentication Service is Matrix's next-generation authentication stack. It allows for more flexible authentication journeys without requiring client developers to support every one of them.

You can find all the technical details in Quentin's Matrix Conf talk, Harder Better Faster Stronger Authentication with OpenID Connect.

Continue reading…