Synapse 1.45.1 is out now! Python 3.10 and PostgreSQL 14 are now tested and supported by Synapse. Support for Python 3.6 and PostgreSQL 9.6 will be removed by the end of the year.
Note: This release may require changes to how media storage providers access your homeserver's configuration. See the Upgrade Notes for more information.
Note: Synapse 1.45.0 was released yesterday and changed how Synapse's monthly active user limits were calculated. Today's release of 1.45.1 reverts that change, but is otherwise identical to 1.45.0.
Synapse can now automatically discover rich metadata when generating previews of links to sites which support oEmbed.
Before:
After:
Note that URL previews are generated server-side, and thus generally disabled in encrypted rooms to avoid leaking information about message content to your homeserver. You may need to adjust the room's settings to see the new oEmbed previews.
This release of Synapse fixes a race condition which would occasionally prevent your sent events from syncing back down to all of your clients. This caused messages to look like they were stuck at the bottom of the room, waiting to finish sending, even though other users would receive and see them normally.
Matrix allows users to set their display names to be different things in different rooms. For example, you might use an alias in public rooms, but your real name in rooms shared with friends and family.
To make it easy to initiate conversations with people, each homeserver maintains a user directory with the Matrix ID, display name, and avatar of the users it sees. Previously, this directory would be updated with the most recent profile metadata that Synapse had seen for a user, even if it was only changed in a single room.
As of 1.45, Synapse only uses includes the default display name of local users in its user directory, ignoring room-specific nicknames or avatars. (#5677).
This release includes numerous fixes and improvements to Synapse's internals.
We've added countless static type annotations to Synapse (and related projects like Sydent), giving us greater confidence in its correctness and reducing maintenance costs. Several modules newly have all of their definitions typed, allowing us to require and enforce complete type coverage for all future edits therein.
This release includes meaningful fixes and improvements to our OpenTracing and logging machinery, helping us better catch and eliminate bugs in Synapse. This work ultimately reduced matrix.org's Sentry event volume by an order of magnitude.
Magic accessor methods have been removed from Synapse's Config class. Previously, Synapse would interpret references like config.send_federation by attempting to guess a reasonable full path, like config.worker.send_federation. As of Synapse 1.45, the full path must be specified directly. This prevents errors where values could be drawn from unexpected or incorrect sections of the server's configuration.
We'd like to extend a special thanks to Fizzadar from Beeper for improving Synapse's update_synapse_database script (#10954) to allow schema changes to occur while Synapse is running. This is a great step toward reducing the downtime associated with upgrades.
These are just the highlights; please see the Upgrade Notes and Release Notes for a complete list of changes in this release.
Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including AndrewFerr, dklimpel, Fizzadar, lukaslihotzki, and maxkratz.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
Additionally, take a look at the Client-Server API, where all current APIs have been bumped from /r0/... to /v3/.... See this bit of MSC2844 for the rationale behind this change.
The pieces are starting to fall into place for the upcoming Matrix 1.1 spec release!
This is a concept that was used in the Spaces MSCs to allow servers and clients to denote a room as a Space vs. a typical Matrix room (and set up their UI appropriately). Only the type for a Space has been specified so far, but there are many different applications room types could serve; for example profile rooms!
This MSC aims to create a general concept for a typed room, whereas future MSCs would identify those types and their meaning.
Happy Friday! The Synapse team has been sorting out what we hope to accomplish before the end of the year, and it's looking like our main focus will remain research and experimentation towards making large room joins go very fast. We don't yet see an incremental path from where we are now to where we want to end up, so progress will likely come as a few discrete milestones, rather than a gradual acceleration over time.
Aside from room joins, we expect to spend a good bit of time time on bug fixes and preventative maintenance. For example, we hope to get Sydent passing mypy --strict by this time next week. Doing so would have prevented recent production issues, including one which caused phone number verification to silently fail.
Preparations for releasing 1.45.0 continue apace; I'm looking forward to telling you about it next week!
let's bridge everything! Have you ever wished you could make and receive phone calls with matrix?
The beginnings of a matrix <-> SIP bridge are done :) If you can imagine to live with bugs or even help with the development yourself, feel free to give it a try! :)
https://github.com/alangecker/matrix-appservice-pstn
This release fixes several bugs and makes E2EE enabled by default.
feat: Enable E2EE by default for new rooms
feat: Display all private rooms without encryption as red
feat: New design for bootstrap
feat: New design for emoji verification
feat: Display own MXID in the settings
feat: More finetuning for font sizes
chore: Updated translations (Thanks to all translators!)
fix: App crash on logout
fix: Temporary disable sign-up for matrix.org (Currently gives "500: Internal Server Error" while FluffyChat should send the same requests like Element)
fix: Implement Roboto font to fix font issues on Linux Desktop and mobile
Making steps towards stable E2EE, we have now implemented bootstrapping cross-signing on a new account. This allowed me to finally enable cross-signing on my Nico (nheko.im) account (which I intended to only use with Nheko). Thulinma also added a way to refresh the current device list as well as highlighting your current device in the device list, which should make it easier to recover, if a misscommunitcation with the server lead to an outdated device list. Meanwhile LorenDB has been plugging away on converting more dialogs to Qml and we merged like 3 converted dialogs!
Released Element Web 1.9.2 featuring chat export, Spaces and E2EE improvements, updates to Electron 13.5.1
More progress on the client side of threads, published an MSC and started work on Synapse support
Fixed some bugs in registration, Windows icons, phone number confirmation
Delight team
On iOS, weβve been implementing support for pagination of the Space Summary API, to support larger spaces, as well as improving performance. Weβve also started implementing support for creating Spaces.
Weβre also exploring larger changes to make to the layouts of Element on all platforms to surface simpler and more intuitive navigation all round and tackle some of the feedback we couldnβt get to during the Spaces beta. Watch this space!
iOS
We failed to publish the app on the app store this week because of observed crashes. RC 1.6.5 is available on TestFlight. We should be able to release on the App Store on Monday
User auto completion has landed on develop
Message forward is in the horizon
Settings got lipstick by reviewing headers and footers
Hi folks! This week I took a bit of time out of my day to create a new widget for Matrix. We have the concept of "Spanners" at Matrix where one person wants to take control of a resource, and they will say "I am taking the spanner". This prevents other people (verbally at least) from trying to use the resource at the same time.
For years we have been getting by with sending messages into Matrix, but no more! For now anyone can use the Spanner widget to set up a similar system in their room.
You can try this out now with /addwidget https://half-shot.uk/spanner?spannerName=YourSpannerName (although no promises about the uptime of half-shot.uk)
The repo can be found https://github.com/Half-Shot/matrix-spanner-widget.
You will need to ensure that all users who plan to use it must be able to send state events of type uk.half-shot.spanner. Otherwise, it should be ready to go!
Rager is a CLI tool for matrix client developers to easily view and parse rageshake logs. It handles syncing (with many parameters to sync only the logs you want), searching through downloaded logs, and paging through any log on your device (with peudo-syntax highlighting to make it easier to understand), right from the comfort of your terminal. It has been in development for a few months (being used/tested by devs at beeper.com) but I feel like it's now in a good enough state to release for everyone else to use. If it's something that may help you, try it out and let me know if it works for you!
We believe that having your own homeserver should be easy and require little technical knowledge. That's why we launched Hingst, a privacy focused Matrix hosting service which takes care of (almost) everything for you.
Our goal is that our users spend no time whatsoever on maintaining the actual server so they can focus on what matters - chatting with friends and colleagues.
All servers are located in Sweden and of course they run entirely on renewable energy!
That's all for now. Thanks for reading :)
If getting your own homeserver was hinging on the availability of such a service, you donβt have an excuse anymore!
First annual Finnish Matrix community meet is to be held 20.11 in Tampere, Finland. Infos and registration at https://mobilizon.be/events/5c9ce49d-83de-41d1-b824-8950293d3fd1
Hi everyone! Did you ever feel lost in the Matrix world? The room directory is big, but it's still hard to find something you like. Or are you a room moderator, but there is not much activity in your room because it doesn't have enough users?
This is why I want to share rooms (or spaces) I find interesting.
This week, I had the great pleasure of chatting with a lovely bunch from Element about Spaces. This feature just got out of beta and they tell us all about it.
Hello TWIM, it's me, not-anoa, again with your weekly spec update. I unfortunately didn't get a chance to figure out how to run the tooling which generates fancy graphs, but it looks like you'll have a more qualified person next week π
This week we saw a couple new MSCs:
MSC3419 - Letting guests do more things (which is needed for things like full mesh conference calling)
MSC3429 - A room preview API. Turns out this is more or less a duplicate of another MSC, but has a different approach. Be sure to check both out π
We've also been making progress on trying to get the spec release out by formally specifying all the new global version numbering and new endpoint versioning (see this and this), and have been experimenting with how room versions are represented by the spec.
From page 6 of the open MSCs there's MSC2723. The MSC is relatively small, but solves a fairly important problem with forwarded messages in Matrix: where were they forwarded from? From a glance, it has minor technical feedback and could do with an implementation (psst: client authors, this should be easy and fit well into a North American Long Weekend project π).
That's all I have for you today, but if I've missed something: sorry, and you should be in capable hands next week.
This week I have completely rewritten the Pinecone router with the aim of improving code quality and boosting performance. It now uses significantly less resources, making it much easier to simulate larger networks and using less battery power on mobile devices.
While there is still some work to be done to ensure the Pinecone network gracefully handles large-scale mobility events, protocol development is slowly progressing and we will soon be looking at how Matrix federation can be made more efficient by using routing intelligence from the overlay network.
If you have a passion for routing protocols and/or peer-to-peer systems, we're looking to hire engineers to work in the P2P Matrix space β get in touch by emailing your resume to us!
We also have our very own P2P Matrix room where you can follow along with the latest discussions and also occasionally pick up experimental iOS and Android builds of Element with an embedded P2P-enabled Dendrite homeserver.
We released Synapse 1.44 this week! The release was mainly focused on bug fixes and internal cleanups. In particular, we've made significant strides toward enforcing static type annotations across several more Synapse modules, we continue to remove "magic" code from our configuration handler, and we've landed significant refactors to both the user directory and federated event authentication. These changes pay off significant technical debt, reduce Synapse's maintenance cost, and ease future bug fixes.
But that's not all. This release also includes performance improvements around JSON serialization, new capabilities for extension modules, and better metrics around cache evictions. See the announcement for more details.
Hello one and all! We've got a minor-yet-MAJOR release candidate of the IRC bridge up for grabs. https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.32.0-rc1 is now based upon the 3.X matrix-appservice-bridge library, and so all the innards have been replaced with matrix-bot-sdk.
Please try it out, and the full release should be out next week.
The first maintenance release of Quaternion 0.0.95 is here, plugging more HTML injections (quite limited this time), with tweaks in positioning of the timeline to really return to the message you last read before closing the room, colourful display names in the timeline and not just in the user list, and one particular crash fix for a case when you made a typo in your password but then did it right - only to see Quaternion falling down to pieces. The release notes, together with self-contained binaries, are in a usual place, the Flathub repo has a new Flatpak too - just go and update!
Cinny v1.3.2 got released this week. It fixes unwanted "Password don't match" error on register page along with small improvements in Public room modal and message input (Thanks to Empty2k12). We also released v1.3.1 last week which fixed unnecessary CPU usages on idle and infinite spinner after login.
SchildiChat is a fork of Element that focuses on UI changes such as message bubbles and a unified chat list for both direct messages and groups, which is a more familiar approach to users of other popular instant messengers.
Both the Web/Desktop and the Android variant have received a couple of new features during the last weeks, so it's time again to share some of the highlights with you!
The Web/Desktop variant has received plenty of love for the last few weeks, so best to list some of the bigger changes:
Added a setting for the room list style: you can now choose between "roomy" with big avatars and two-line previews, "intermediate" for a smaller avatar and a single line preview, or "compact" to get a tiny avatar and the room preview in the same line of the room name
Added a setting how to color usernames in the chat: either uniform, based on the MXID, or based on the user's power level (Android has this feature for some time already, too!)
Added a setting to not open automatically the most recent chat when switching spaces
Improved theme settings: you can now choose custom themes independently for both light and dark mode
Workaround for switching between light and dark mode together with the system on Linux
We added support for MSC2654 for server-reported unread counts. This means that we can now display the number of unread messages even for muted chats, if your homeserver supports it (synapse does)!
Hello! Halcyon is a Matrix bot library created with the intention of being easy to install and use. My goal is to lower the barrier of entry currently required to write and maintain a bot. I do not intend you to need a database, or have to juggle encryption keys.
With the initial release of the library we currently have:
A CLI tool for creating and revoking tokens
Hooks for new messages, message edits
Hooks for room invites, and leaving rooms
Sending messages as text, markdown, and HTML
Sending replies to messages
Ever improving documentation
Please check out the example in https://github.com/WesR/Halcyon and join us over in #halcyon:blackline.xyz
This week has seen two maintenance releases of libQuotient - just after 0.6.10 went out, fixing an issue with invites not showing up, another issue with URLs that have unescaped double-hashes (coincidentally, matrix.to URLs to some IRC channels are exactly those). Those URLs are not quite following the RFC but are accepted widely enough to warrant a fix, and a new release. Get 0.6.11 from here (or better, just checkout the respective Git tag).
A few weeks ago, I posted about the standupbot that I wrote to help assist with creating and sending standup posts to a room. I'm excited to announce today that you can choose to interact with the standupbot using threads! Instead of asking you about each part of the standup post individually, it creates threads for each of the parts that you can fill in. Your replies get added to the standup post like before, but it's a bit more interactive of a process. Here's a picture of how it looks (ignore all the display bugs due to Element).
If you are interested in learning more, the source code is here: https://sr.ht/~sumner/standupbot and you can join the development matrix room #standupbot-dev:sumnerevans.com
πAn (unofficial) Matrix server for the Newgrounds community.
Since I was pressed for time last week, I didn't go much in depth on how this server works. Here is a brief overview of its components:
https://app.ngmvs.one: A self-hosted Element Web with some theming tweaks, and the easiest way to visit the server.
https://matrix.ngmvs.one: the homeserver itself (Synapse). It has open registration, but only for Newgrounds Supporters (ie. patrons) via SSO logins with Newgrounds accounts. But Newgrounds doesn't have its own "Log in with Newgrounds" capability, so that leads me to the next component:
ng-saml-idp: middleware built on PySAML2 for using Newgrounds logins as a SAML2 Identity Provider. The code is tailored for my Synapse installation, but it can easily be tweaked to allow Newgrounds SSO logins to any SAML2-compatible service!
W-Bot: a Matrix appservice/bot built on mautrix-python that serves two purposes:
Creates Matrix rooms for Newgrounds movie/game submission pages (ie. maps #portal_view_<ID>:ngmvs.one to https://www.newgrounds.com/portal/view/<ID>), and adds a widget containing the submission itself to these rooms (but only if it's a movie--widgets for games will only have a link)
Restricts membership of any room it moderates to logged-in Newgrounds Supporters. Users without a :ngmvs.one account can authenticate to the bot via the "login" bot command, which lets them log into their Newgrounds account.
Point 2 also means that anyone on the Matrix network can make a room that's restricted to Newgrounds Supporters. Just make sure the bot has a high enough power level to kick users!
Public (and federation-accessible) instance is at @w-bot:ngmvs.one.
(PS: The "W" stands for "double"--because of its job of "copying" rooms into Matrix.)
MVSX: a Firefox extension that, when visiting a Newgrounds movie/game submission page, puts a button in the URL bar that sends you to the Matrix room created for that submission by W-Bot.
This week's updates:
W-Bot now has the inviteme command to invite the issuing user to the invite-only space room for logged-in Newgrounds Supporters. (Users should be invited there automatically, but this command is for people who leave / reject invites to that space & want to re-join it later.)
The MVSX extension has been updated to allow joining rooms with Matrix clients other than app.ngmvs.one. Right-clicking the URL bar icon now shows a drop-down list of alternative clients, and lets you set which one to use by default (on left-clicks of the icon).
Hi everyone! Did you ever feel lost in the Matrix world? The room directory is big, but it's still hard to find something you like. Or are you a room moderator, but there is not much activity in your room because it doesn't have enough users?
This is why I want to share rooms (or spaces) I find interesting.
"Iβm in plenty of retro computing and gaming related Discords and got annoyed that there was no such thing on Matrix. So, I created a Matrix Space for all things retro computing and gaming, hoping there might be enough like-minded people on Matrix to build a community. There should hopefully be rooms for everything now, although a few are still missing room icons - that will come over the next days. Hereβs to hoping that the retro computing community can also thrive outside of Discord π."
We now stay within C code while generating large JSON objects for responses, which should be substantially faster than the previous technique, which fell back to Python for encoding.
Spam checker modules can now use a user_may_create_room_with_invites callback to inspect room creation events which include invitations to users via Matrix or other media (email, etc.).
Additionally, the ModuleApi can now inspect IP and User Agent data, as well as checking whether Rooms and MXIDs are local to the current homeserver.
These are just the highlights; please see the Upgrade Notes and Release Notes for a complete list of changes in this release.
Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including aaronraimist, cvwright, govynnus, Kokokokoka, and tulir.
This week in Matrix, William tells us about the State Compressor he wrote during his internship to reduce the size of Synapse's database, and so much more. William being a former intern of the backend team, who else than his mentor Brendan could lead the interview?
Hello! It is not-anoa here with the spec update this week, which unfortunately means no pretty graph of MSCs (sorry). I do however have some curated updates to the spec for you:
Though WIP, both are exciting steps towards much larger goals - looking forward to see how they progress! We also saw FCP finish on MSC3231: Token authenticated registration, part of Callum's GSOC project this summer - congratulations! MSC2918: Refresh tokens also finished FCP this week, making it a good time for clients to consider that access tokens might expire or appear in a different format in upcoming versions of the spec. MSC2582: Remove mimetype from EncryptedFile object was also merged to the spec - thanks Sorunome for finding the duplicated field which was duplicated!
Behind the scenes, the Spec Core Team (SCT) has been thinking about how we can release the spec as we've been talking about doing so for months. We're declaring a bit of a freeze on new things entering the spec for the time being, but that doesn't stop MSCs from completing FCP or being opened - they just might miss the v1.1 cut (sorry). Most of the work needed to release is deployment stuff rather than Matrix stuff, so the hope is is we can get it all worked out soon.
I don't have the random MSC script on hand, but I do have access to the MSC list and found WIP: MSC3030: Jump to date API endpoint. It's listed as work in progress, but is one of the MSCs I personally look forward to being accepted in time!
That's all for spec this week. I'm not sure about next week, but you might be stuck with me again. Maybe I can find those fancy graph tools in time...
Thanks a lot not-anoa, that was a great spec update!
Lots of work in preparation for Synapse 1.44 which is due out next week. Notably, we've found a few small regressions in rc1, so expect another release candidate on Monday followed by a formal release on Tuesday or Wednesday.
I look forward to telling you all about that, and our plans for Q4, next week. π
Now that's some teasing! I can't wait for next week!
Hey folks, it's been a while since we released changes to the Slack bridge but here we are on our next RC. This one includes a few new things, most notably:
The bridge now automatically invites users to private rooms if there is a message and they are not joined. (#613)
Update bridge to matrix-appservice-bridge 3.1.0 (#614)
Also, a PSA: If you were struggling to bridge your rooms to matrix while using the matrix.org bridge, this should now be fixed. An update made to the Slack APIs silently broke the oauth flow, which has since been fixed. This was a misconfiguration-gone-unnoticed in our Slack app configuration, so self hosters don't need to upgrade. The details are in https://github.com/matrix-org/matrix-appservice-slack/issues/617#issuecomment-932047990
While I am a bit busy at the moment, Nheko is getting a lot of valuable smaller contributions:
Updated the emoji pickers to Unicode 14, so that you can properly troll people.
Pasting images should now work properly again on Windows and macOS, including pasting SVGs!
The help and version command line parameters now work properly, even if an instance of Nheko is already running.
There has also been a lot of progress on the translations! We just cracked 50% translated, but since that includes a lot of languages with only a few percent, this is actually much more than it sounds! We actually have 8 languages with over 90% translations now. If you speak one of the languages at 70% or so, any help translating the remaining bits is very much appreciated. You can easily translate without an account here: https://weblate.nheko.im/projects/nheko/nheko-master/#translations If you want to translate without having to rely on the upvote mechanism, feel free to ask for translation permissions directly in #nheko:nheko.im. That is also the right room to ask questions about the translation process or translations themselves.
Nheko is also participating at Hacktoberfest this year. Translations done using the webinterface won't get counted for that though, you would need to submit a pull request manually for that. If you always felt like contributing to Nheko would be fun, but you had no reason to, now you can do it to let someone plant a tree for you (or get a T-shirt)!
Hydrogen saw a few bug fixes (0.2.14, 0.2.15 and 0.2.16) this week again, and also gained the possibility to recover from low-storage scenarios where the browser would clear indexedDB.
One of the bugs fixed might have caused a timeline corruption, so when you get the 0.2.16 update the history cache will be cleared and you'll notice a bit of delay as you do an initial sync again.
Aside from working on Hydrogen as a standalone app, I'm also making it easier to embedded in other projects. More info to come on that!
We've also had a priority planning this week, which spawned an updated backlog. Have a look if you're interested what can be expected next (although be aware that the backlog has proven volatile in the past π).
Hydrogen embedded! I'm looking forward to that. Great work Bruno!
After 4 years, matrix-email-bot finally got an update. Now at v2, the bot has been rewritten using TypeScript and matrix-bot-sdk (farewell, js-sdk from 2017). It still requires manual setup and the behaviour overall should be the same as before, though the amount of testing is somewhat minimal - please complain in #email:t2bot.io if something goes wrong.
The bot also now supports encrypted rooms out of the box, including on the t2bot.io instance. Check out t2bot.io/emailbot for information on how to get the bot set up in your room.
The full changelog is available on the repo: https://github.com/t2bot/matrix-email-bot/releases/tag/v2.0.0
Useful to watch a security mailing-list from the comfort of a Matrix room!
An (unofficial) Matrix server by and for the Newgrounds community.
This is a Matrix server with membership restricted to Newgrounds Supporters. Newgrounds is an independent arts & entertainment site that has been around for over 20 years, and I felt that its spirit of independence is a perfect match with the openness of Matrix!
The most notable feature of the server is comment rooms for Newgrounds submissions. Unlike other content-sharing sites, Newgrounds submissions don't have comment sections, but review sections, which let you post a single comment (and optional rating) for a submission. This encourages reviews to be focused on providing constructive feedback instead of being a place for off-topic discussions. With that said, open comment systems are nice too, so this Matrix server provides it! Simply visit #portal_view_SUBMISSION_ID:ngmvs.one to view!
These comment rooms are world-visible, but (at least for the time being) only Newgrounds Supporters may join these rooms & post comments in them.
To help along with this, I made a Firefox extension to make joining these rooms a breeze: NG MVSX. Simply view a Newgrounds submission page, and click on the icon that appears in your URL bar!
Code for all components is open-sourced on GitLab.
This is all very new, so things might break! If they do, tell me in #ngmvs-public-discussion:ngmvs.one
Hi folks, I've been let loose on more spec things: This time I'm looking at synthetic events. The goal with this proposal is to give appservices more visibility over the innards and actions of a homeserver. When a user registers, we want an appservice to know (perhaps to send them a little greeting, or to provision some resources) or perhaps you want to clear up bridge resources when the user deactivates their account.
The hope with this proposal is that it's going to set the foundations for services to be able to hook into and provide richer functionality based upon user actions outside of rooms. It might sound a little dry right now, but eventually I'm hoping this can be extended in lots of ways and potentially do away with per-implementation modules, instead writing services that work with all homeservers.
Please give the proposal some love/feedback :)
When asked if that was a specification change he drafted because of limitations faced when trying to implement a bridge, he said:
Yeah, so it's something I've been plotting for a while, but internally we wanted the ability to "act" based upon signups to a homeserver i.e. sending a welcome. In the past this has been implemented client-side in Element, but that has obvious caveats.
The traditional response has usually been to write a Synapse module, but I wanted to do something that could be used on other homeserver implementations and also not have to have it co-located with the homeserver, so the natural home for this kind of logic was appservices.
There are other things there too like logouts / deactivations which are good for erasing data on a service too. Generally I'm hoping it can be extended further once it's stable, for other use cases too
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
MSC3401 (Native Group Voip Signalling) has been receiving positive feedback over the course of the week. The MSC spells out how one would go about implementing native, decentralised group voice and video calls over Matrix without the need for a third-party service. This is the next step forward after the full-mesh group signalling work, as demoed in previous editions of TWIM, lands. Quite exciting stuff!
Otherwise there was another Spec Core Team retro this week. Discussion focused mainly on how to handle event types that not every implementation using Matrix may need (think pinned messages and how that might not be very useful for IoT networks...). Watch this space!
This is actually already implemented and enabled by default in Synapse, believe it or not. But no clients have support for it yet (there is an outstanding matrix-react-sdk PR...).
This is a pretty cool feature in my opinion, any client want to be the first?
MSC3401 looks like there's a lot of work going on on the native VoIP side. I can't wait to see what the future holds!
This week we released Synapse 1.43! This mainly contains internal changes, including those in preparation for Spaces leaving beta, but it's worth calling out that this version of Synapse now uses the MSC3244: room version capabilities API to ask clients to prefer room version 9 when creating restricted rooms.
Support for room version 9 was introduced in Synapse 1.42, so we'd strongly encourage administrators to upgrade.
Perhaps more notably for Synapse developers, we've spent quite a lot of time over the past few weeks improving the SyTest suite of integration tests. Several of the tests had race conditions which would cause them to occasionally fail when testing a multi-worker deployment of Synapse. These flakey tests have plagued our continuous integration pipelines, and are finally being fixed.
The long term plan is still to transition to Complement (written in Go) and away from SyTest (written in Perl), but we still need to ensure that SyTest is reliable in the meantime.
etke.cc now offers hosting options (and some more stuff)
Hi there,
Didn't post updates about the etke.cc service for a while. If somebody not familiar - we setup and maintain matrix servers (based on awesome spantaleev/matrix-docker-ansible-deploy)... and setup VPN... and DNS recursive resolver, and... AND!!!! Provide hosting, yes. So, starting today that's available for everyone (we offer it for some time in "well, you know, we don't provide hosting, but if you want it so hard..." way and it works good)
Even with that update (literally the most requested thing, was in every third order we got), provided hosting considered as your own server, the only difference that you don't pay hosting provider directly, but through us. So, you get root access to the server and we treat it as any other customer's infrastructure
Join #announcements:etke.cc room and say hello in #discussion:etke.cc
Heisenbridge is a bouncer-style Matrix IRC bridge.
Release v1.2.0 π₯³
Message formatting (from HTML to text) has been drastically improved
CTCP replies are now shown correctly but still ignored
Mentions/pills always honor room nick
Plumb notices don't loop around anymore
Self replies don't prefix with own nick
Single line truncation works when max lines is 1
Multiple fixes to displaynames or messages containing control characters leaking to IRC
New dependency: mautrix-python
Minimum Python version requirement has been bumped to 3.7
I've also started releasing source archives as GitHub releases for distribution packagers and the project is published to PyPI to have more installation options.
What improvements did hifi bring to the formatting you may ask? I asked, and hifi answered:
the fallbacks are inconsistent and usually are markdown which is a lie π
replies and mentions are completely all over the place in the fallback in addition to being markdown
the unformatted html is now something in between and doesn't do code blocks at all because those ticks are just noise on irc
it tries to look like more that you pasted long text rather than sending markdown
That's very considerate for IRC user, thanks hifi!
After 2+ years of development, Quaternion makes a leap from 0.0.9.4 all the way to 0.0.95. The release notes list some key improvements: reactions, Markdown, revamped timeline, user profile dialog and a lot of other things. Itβs the same small and fast client that blends nicely into your desktop environment, it just got much better. Go and get it!
Weβre testing & polishing Spaces, releasing them out of beta in the upcoming release cycle next week!
On iOS
Weβre anticipating some performance issues on a very small number of accounts which participate in a very large number of rooms. After trying the next release, if this affects you, please let us know as itβll help inform whether we cut an off-cycle hotfix or prep changes for the next release.
iOS doesnβt support pagination in the Space Summary API yet, so will only return the first 50 rooms in large Spaces when browsing. Support for this is planned for the following release.
Fixing bugs and cosmetic issues with our Threads feature, currently in Labs.
Cross-signing bug fixes.
This week we Ran our first community testing session on 1.8.6 with members of the community. We were very pleased with how this went and intend to continue the sessions. You can help making Element even better by participating in our fortnightly testing sessions. Join #element-community-testing:matrix.org, and learn how to make the most useful feedback
A little synadm release went out this week. Thanks a lot to @govynnus for contributing "Registration token management", it's available as a new subcommand regtok. Also some tiny improvements here and there were brought in to make admin experience even more convenient.
Have a look at the release notes: https://github.com/JOJ0/synadm/releases
Ansible Contributor Summit 2021.09 is happening next week! It will be held over 2 days, on Tuesday September 28 and Friday October 1, from 13:00-21:00 UTC, and will be held on the Matrix platform.
The Ansible Community has recently adopted Matrix as an official chat platform and this is our first Matrix-powered conference. Feedback welcome! You will need a Matrix account to participate in the conversations. For more information, please see Communication - Real-time chat and the Ansible Community Matrix FAQ.
there's a mix of stuff going on to try out, we have hack sessions on Tues that may use the embedded Jitsi etc, and talks on Friday that will be more presenter/spectator
It's exciting to see an organisation holding an online conference on Matrix!
Adds further static type hints to various modules.
We've also spent quite a lot of time on SyTest, our integration test suite. In particular, many of the tests made assumptions about event processing which were not correct when targeting a multi-worker Synapse deployment. These flakey tests have plagued our continuous integration pipelines, and are finally being fixed.
These are just the highlights; please see the Release Notes for a complete list of changes in this release.
Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including AndrewFerr, BramvdnHeuvel, and cuttingedge1109.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
In other news, MSC3381 (Polls - mk II) receive a fair amount of attention this week. It implements inline polls via a new m.poll type and makes use of the concept of extensible events. Do check it out if you're interested in voting through means other than message reactions!
Otherwise Alexandre Franke and myself will be looking at cleaning up the CI of the matrix-org/matrix-doc repo next week, as well as continue to move the infrastructure for the new spec release forwards.
This one is entirely new to me, and has some slight overlap with some work for MSC2762: Allowing widgets to send/receive events, where we were thinking about how a widget could act as a calendar using Matrix rooms and events as a calendar backend.
The Synapse team is busy gearing up for 1.43.0 next week, which will make room version 9 the default for newly created restricted rooms, among other things.
We've also been doing quite a lot of work on Sydent. Notably, last week's 2.4.0 release introduced a few regressions which have been resolved in subsequent point releases. The one-shot case folding migration script for Sydent is still performing unexpectedly slowly; look for that to be resolved soon.
As the end of the year approaches, now is a good time to ensure you're ready for the deprecation of PostgreSQL 9.6 (November) and Python 3.6 (December). Do you have plans to upgrade to Pg 10 and Py 3.7 or newer? If not, there's no time like the present! π
Lastly, Hacktoberfest 2021 is less than two weeks away! Many Matrix projects intend to participate, including Synapse.
With rooms version 9 as the default, it feels like Spaces are trying hard to escape beta!
And yet again more Kubernetes Helm Chart updates this week, with element-web being bumped first to 1.8.4 and then 1.8.5. More improvements for the new ingress object in K8s 1.19 also landed.
mautrix-hangouts has turned into mautrix-googlechat. It's still in alpha stage, but text messages work in both directions, media from google chat works and threads from google chat are bridged as replies.
Released 0.2.9 & 0.2.10 this week with the main thing being improvements in preventing scroll jumps when resizing or loading more content in the timeline. Not 100% of scroll jumps will be solved with this release, but it should be improved a lot. Please report any issues you may encounter in this area! There were also a few bugs fixed, see the linked release notes. Try it out at hydrogen.element.io!
Beeper is a unified chat app built on top of Matrix. We've created 10+ open source Matrix bridges and integrated them into an easy to use all-in-one service which does not require setting up your own homeserver. You can learn more at beeper.com.
We've been hard at work for the last few weeks and have a number of updates we'd like to share across all our clients and bridges.
New verification flow for Desktop, Android, and iOS! Logging in and verifying your session is now super easy to do. This is extra important for Beeper because we enable secure backup by default and require all users to set up a security key.
Added the ability to view your rooms using our Smart Inbox that places the most important messages at the top, or with Classic which leaves the room in a reverse chronological order.
You can now select network by network which messages should appear in your inbox using our Inbox Filtering feature
We now have beta support for Custom CSS theming! Check out some of the themes that have already been made by the community. https://gitlab.com/beeper/beeper-themes
Previously we only supported DMs for Discord out of the box, but now you can pick and choose which Discord servers to sync into Beeper
Redesigned room list: we started a redesign of our Android app and adopted the Material design language.
Integrated Android SMS bridge: Our previous Android Messages bridge was built on a shakey puppeteer foundation, so we rewrote it. Our new Android SMS uses native APIs to send/receive SMS. RCS remains elusively out of our grasp for now. We open sourced our bridge at https://gitlab.com/beeper/android-sms
We are hiring! Come join many other Matrix community members who have joined the Beeper team including @tulir:maunium.net, @annie:beeper.com, @kilian:beeper.com, @spiritcroc:beeper.com and @sumner:beeper.com (who replied to our last TWIM job post and got a job at Beeper within a week!)
We are hiring senior iOS, Android developers and a DevOps/SRE (preferably in North/South America timezone)
Nheko got a lot more colorful this week. red_sky (nheko.im) and LorenDB finished up the jdenticon support. This means instead of the first character of a users display name, you now have the option to see a colorful avatar for users without an explicit avatar. You may have seen something similar on Github and other platforms. Currently this needs the qt-jdenticon plugin, which is a bit troublesome to install correctly, but we should improve that in the near future.
Prezu added a homeserver entry field to the room directory, making it much more useful (no history yet though). Thulinma added a /goto command to navigate to specific events or room and fixed scrolling to a specific event (in the past it only approximately scrolled to the right location). Symphorien added the Alt+A shortcut to navigate between rooms with active mentions and notifications. Additionally Priit completed the Estonian translation.
Additionally we released a security fix on Monday (together with a few other clients). We only released a fix for the master branch in Nheko instead of also the latest stable release. This confused a few people, but I hope my explanations made sense. The gist of it is:
On the master branch the local homeserver admin could force Nheko to forget which identity keys it saw for a user and as such insert a new device with the same device id, but attacker controlled identity keys and request old encryption keys from Nheko. In Nheko's case we had some protections against that, but if the server sent a device_list.left event for that user, Nheko would delete those protections. From our understanding this could not be abused over federation.
On 0.8.2 this can also be abused, but 0.8.2 does not implement key sharing completely. It can only forward the currently in use encryption key, not historical ones. As such the impact in our opinion was too limited to release a security fix. 0.8.2 does not allow you to send encrypted messages only to verified devices as such the homeserver admin could always insert just a different device to get access to new encrypted messages. Because of that we have a big warning in the README and when enabling encryption in 0.8.2, that one should not rely on the security of the E2EE implementation in it. We are aiming to have stable and secure E2EE in the next release (and so far it is looking good), but if you are using 0.8.2 I can only repeat, that it won't protect you from an attacker even without the disclosed security issue.
I hope this clears up some of the confusion. Feel free to visit us in #nheko:nheko.im and tell me, that I am wrong.
This week saw two releases of libolm, a library that implements olm, megolm, and some other Matrix-related encryption functions. The main changes in version 3.2.5 are new functions for getting error codes rather than error strings so that implementations don't need to rely on string parsing to decode errors, and added support for fallback keys in the Android and iOS bindings. There were also improvements in error handling in the unpickling functions, and the shared library no longer exports certain private symbols, which caused problems when those same symbols were exported by other libraries. The initial implementation of this last change caused build failures in some environments, so version 3.2.6 was released to fix this.
The Polyjuice project wades further into bad pun territory with a new project: Polyjuice Draughts, a set of checkers to verify that a homeserver is set up correctly and is accessible for clients and federation. It is similar in goal to the Matrix Federation Tester, but also checks client connections. It can either be run from the command line, or it can be used in a Matrix room, thanks to Igor, by sending a message of the form !servertest <servername> in a room that has an appropriately-configured bot in it. There is currently a bot in #synapse:matrix.org that can be used.
As you can see from the screenshot, my server isn't quite set up correctly, and I should fix it some day...
Polyjuice Client 0.4.3 has been released. This release adds functions for getting room membership (thanks to multi prise) and checking the server spec versions, along with some bug fixes.
Finally, the Polyjuice libraries have moved their git repositories from https://gitlab.com/uhoreg to https://gitlab.com/polyjuice. The old locations should automatically redirect to the new locations.
I have converted the script for auto updating the Element-web instance to latest version from Gist to the full Git repo MurzNN/element-web-update and added support for .env file to set desired variables.
This is a bash script that checks the new released version of Element from official Github repo and if it differs from installed - updates the local files with deleting old version (to cleanup old files) and unpacking new one, but with keeping the config files by mask config*.json.
You can put it to your crontab.daily and got an always fresh Element with forgetting about manual update routine.
I created a bot to assist with sending standup posts to a room. It reminds you to write a standup post, and then asks you what you did the previous day, what you intend to do today, if you have any blockers, and if you have any other notes. Then it posts a nicely formatted standup post to a room which you can configure.
You can find the source code here: https://sr.ht/~sumner/standupbot/
I am super happy to finally give you another update on TheBoard, due to holidays during the last weeks I had less time to work on TheBoard. But now there still accumulated enough changes for a little Update:
I experimented what technologies I could use for the still required GUI elements. A new User List was implemented using Vue.js. Vue seemed to be a little overkill for the kind of GUI required in the case of TheBoard. So I re-implemented the user list with react-no-js.
I am happy with react-no-js and it is used for a user list plus a tool settings menu on the right hand side of the canvas.
The tool panel in particular opens up a lot of possibilities. The eraser already makes use of it by giving the option to only delete specific item types (Image, stroke or text). This can be very handy if you want to delete strokes drawn on top of an image without deleting the image as well. What can be deleted is highlighted by a new filter system which allows to make any modification to objects selected by a filter function (see the attached image)
Other small changes:
Animated camera movement (for a upcoming "follow other user" feature) currently used for the Go Home Button
Opening a board now loads at the last edited location
The touchscreen navigation (zoom/pan) was re-implemented and should now work much better
Links and further reading:
Play with it at: https://toger5.github.io/TheBoard/ (feel free to join: https://matrix.to/#/#PublicWhiteboardTest_TheBoard:matrix.org with the account used for testing to join the first collaborative board)
Join the matrix room: https://matrix.to/#/#TheBoard:matrix.org
The Board is very exciting! I could see in the planned use cases that Timo already intends to make a widget out of it. It would be very useful for real-time collaboration, but that's not all! When asked if a standalone app will come, Timo confirmed:
Indeed. I wasn't thinking about a builtin home-server yet. But a standalone app is still planned because I want the app to be able to manage different boards. Therefore I need to be able to control room creation and listing rooms. It should basically feel like onenote if you intend to use it like that.
@s7evink The game is called AAGRINDER, hosted at aagrinder.xyz, the code is here, the bridge implementation is here, wiki is here. The game is a text-based sandbox multiplayer browser game that I (Maze) have been building for the past 3 years. Built from nothing, no game engine. It generates an infinite procedural terrain to venture in. The integrated chatbox is nothing special but it's really nice to have it bridged to Matrix now, it's less lonely when playing alone. The appservice bridge creates users matching player name and color. Display names from Matrix are presented in the same color as in Element.
Hopefully you're able to extract some useful information out of this ^^
I love the retro vibe of the game, it's really cool!
Third Room is an experimental metaverse client I've been working on for the past couple weeks. It combines three.js and Matrix to create 3D voice chat rooms where you embody an avatar.
There's a lot more info in my talk from last night at the Open Metaverse Interoperability Demo Night (my talk starts at 37:43)
Beeper mentioned they have several positions open, and Element is also talents hungry. Iβm particularly ecstatic to see that developing skills around Matrix can get people jobs. Of course I encourage strongly people to experiment with the protocol and use it in all sorts of crazy ways!
Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat. Element on iOS is not affected.
Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.
Exploiting this vulnerability to read encrypted messages requires gaining control over the recipientβs account. This requires either compromising their credentials directly or compromising their homeserver.
Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users' devices in order to spy on messages sent by vulnerable clients in that room.
This is not a vulnerability in the Matrix or Olm/Megolm protocols, nor the libolm implementation. It is an implementation bug in certain Matrix clients and SDKs which support end-to-end encryption (βE2EEβ).
We have no evidence of the vulnerability being exploited in the wild.
This issue was discovered during an internal audit by Denis Kasak, a security researcher at Element.
Patched versions of affected clients are available now; please upgrade as soon as possible β we apologise sincerely for the inconvenience. If you are unable to upgrade, consider keeping vulnerable clients offline until you can. If vulnerable clients are offline, they cannot be tricked into disclosing keys. They may safely return online once updated.
Unfortunately, it is difficult or impossible to retroactively identify instances of this attack with standard logging levels present on both clients and servers. However, as the attack requires account compromise, homeserver administrators may wish to review their authentication logs for any indications of inappropriate access.
Similarly, users should review the list of devices connected to their account with an eye toward missing, untrusted, or non-functioning devices. Because an attacker must impersonate an existing or historical device, exploiting this vulnerability would either break an existing login on the userβs account, or a historical device would be re-added and flagged as untrusted.
Lastly, if you have previously verified the users / devices in a room, you would witness the safety shield on the room turn red during the attack, indicating the presence of an untrusted and potentially malicious device.
Given the severity of this issue, Element attempted to review all known encryption-capable Matrix clients and libraries so that patches could be prepared prior to public disclosure.
fractal-next is not vulnerable due to depending on a recent enough commit.
weechat-matrix-rs, a rewrite of the original weechat-matrix script, had no tagged releases, but some commits did depend on vulnerable versions of the matrix-rust-sdk. Users should ensure to update to the latest master of weechat-matrix-rs, presently 2b093a7.
Matrix supports the concept of βkey sharingβ, letting a Matrix client which lacks the keys to decrypt a message request those keys from that user's other devices or the original sender's device.
This was a feature added in 2016 in order to address edge cases where a newly logged-in device might not have the necessary keys to decrypt historical messages. Specifically, if other devices in the room are unaware of the new device due to a network partition, they have no way to encrypt for itβmeaning that the only way the new device will be able to decrypt history is if the recipient's other devices share the necessary keys with it.
Other situations where key sharing is desirable include when the recipient hasn't backed up their keys (either online or offline) and needs them to decrypt history on a new login, or when facing implementation bugs which prevent clients from sending keys correctly. Requesting keys from a user's other devices sidesteps these issues.
Key sharing is described here in the Matrix E2EE Implementation Guide, which contains the following paragraph:
In order to securely implement key sharing, clients must not reply to every key request they receive. The recommended strategy is to share the keys automatically only to verified devices of the same user.
This is the approach taken in the original implementation in matrix-js-sdk, as used in Element Web and others, with the extension of also letting the sending device service keyshare requests from recipient devices. Unfortunately, the implementation did not sufficiently verify the identity of the device requesting the keyshare, meaning that a compromised account can impersonate the device requesting the keys, creating this vulnerability.
This is not a protocol or specification bug, but an implementation bug which was then unfortunately replicated in other independent implementations.
While we believe we have identified and contacted all affected E2EE client implementations: if your client implements key sharing requests, we strongly recommend you check that you cryptographically verify the identity of the device which originated the key sharing request.
The fact that this vulnerability was independently introduced so many times is a clear signal that the current wording in the Matrix Spec and the E2EE Implementation Guide is insufficient. We will thoroughly review the related documentation and revise it with clear guidelines on safely implementing key sharing.
Going further, we will also consider whether key sharing is still a necessary part of the Matrix protocol. If it is not, we will remove it. As discussed above, key sharing was originally introduced to make E2EE more reliable while we were ironing out its many edge cases and failure modes. Meanwhile, implementations have become much more robust, to the point that we may be able to go without key sharing completely. We will also consider changing how we present situations in which you cannot decrypt messages because the original sender was not aware of your presence. For example, undecryptable messages could be filed in a separate conversation thread, or those messages could require that keys are shared manually, effectively turning a bug into a feature.
We will also accelerate our work on matrix-rust-sdk as a portable reference implementation of the Matrix protocol, avoiding the implicit requirement that each independent library must necessarily reimplement this logic on its own. This will have the effect of reducing attack surface and simplifying audits for software which chooses to use matrix-rust-sdk.
Finally, we apologise to the wider Matrix community for the inconvenience and disruption of this issue. While Element discovered this vulnerability during an internal audit of E2EE implementations, we will be funding an independent end-to-end audit of the reference Matrix E2EE implementations (not just Olm + libolm) in the near future to help mitigate the risk from any future vulnerabilities. The results of this audit will be made publicly available.
Ultimately, Element took two weeks from initial discovery to completing an audit of all known, public E2EE implementations. It took a further week to coordinate disclosure, culminating in today's announcement.
Monday, 23rd August β Discovery that Element Web is exploitable.
Thursday, 26th August β Determination that Element Android is exploitable with a modified attack.
Wednesday, 1 September β Determination that Element iOS fails safe in the presence of device changes.
Friday, 3 September β Determination that FluffyChat and Nheko are exploitable.
Tuesday, 7th September β Audit of Matrix clients and libraries complete.
A critical security vulnerability impacting several popular Matrix clients and libraries was recently discovered. A coordinated security release of the affected components will be happening in the afternoon (from an UTC perspective) of Monday, Sept 13th.
We will be reaching out to downstream packagers to ensure they can prepare patched versions of affected packages at the time of the release. The details of the vulnerability will be disclosed in a blog post on the day of the release. There is so far no evidence of the vulnerability being exploited in the wild.
Please be prepared to upgrade as soon as the patched versions are released.
Thank you for your patience while we work to resolve this issue.
.png)