Adds further static type hints to various modules.
We've also spent quite a lot of time on SyTest, our integration test suite. In particular, many of the tests made assumptions about event processing which were not correct when targeting a multi-worker Synapse deployment. These flakey tests have plagued our continuous integration pipelines, and are finally being fixed.
These are just the highlights; please see the Release Notes for a complete list of changes in this release.
Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including AndrewFerr, BramvdnHeuvel, and cuttingedge1109.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
In other news, MSC3381 (Polls - mk II) receive a fair amount of attention this week. It implements inline polls via a new m.poll type and makes use of the concept of extensible events. Do check it out if you're interested in voting through means other than message reactions!
Otherwise Alexandre Franke and myself will be looking at cleaning up the CI of the matrix-org/matrix-doc repo next week, as well as continue to move the infrastructure for the new spec release forwards.
This one is entirely new to me, and has some slight overlap with some work for MSC2762: Allowing widgets to send/receive events, where we were thinking about how a widget could act as a calendar using Matrix rooms and events as a calendar backend.
The Synapse team is busy gearing up for 1.43.0 next week, which will make room version 9 the default for newly created restricted rooms, among other things.
We've also been doing quite a lot of work on Sydent. Notably, last week's 2.4.0 release introduced a few regressions which have been resolved in subsequent point releases. The one-shot case folding migration script for Sydent is still performing unexpectedly slowly; look for that to be resolved soon.
As the end of the year approaches, now is a good time to ensure you're ready for the deprecation of PostgreSQL 9.6 (November) and Python 3.6 (December). Do you have plans to upgrade to Pg 10 and Py 3.7 or newer? If not, there's no time like the present! π
Lastly, Hacktoberfest 2021 is less than two weeks away! Many Matrix projects intend to participate, including Synapse.
With rooms version 9 as the default, it feels like Spaces are trying hard to escape beta!
And yet again more Kubernetes Helm Chart updates this week, with element-web being bumped first to 1.8.4 and then 1.8.5. More improvements for the new ingress object in K8s 1.19 also landed.
mautrix-hangouts has turned into mautrix-googlechat. It's still in alpha stage, but text messages work in both directions, media from google chat works and threads from google chat are bridged as replies.
Released 0.2.9 & 0.2.10 this week with the main thing being improvements in preventing scroll jumps when resizing or loading more content in the timeline. Not 100% of scroll jumps will be solved with this release, but it should be improved a lot. Please report any issues you may encounter in this area! There were also a few bugs fixed, see the linked release notes. Try it out at hydrogen.element.io!
Beeper is a unified chat app built on top of Matrix. We've created 10+ open source Matrix bridges and integrated them into an easy to use all-in-one service which does not require setting up your own homeserver. You can learn more at beeper.com.
We've been hard at work for the last few weeks and have a number of updates we'd like to share across all our clients and bridges.
New verification flow for Desktop, Android, and iOS! Logging in and verifying your session is now super easy to do. This is extra important for Beeper because we enable secure backup by default and require all users to set up a security key.
Added the ability to view your rooms using our Smart Inbox that places the most important messages at the top, or with Classic which leaves the room in a reverse chronological order.
You can now select network by network which messages should appear in your inbox using our Inbox Filtering feature
We now have beta support for Custom CSS theming! Check out some of the themes that have already been made by the community. https://gitlab.com/beeper/beeper-themes
Previously we only supported DMs for Discord out of the box, but now you can pick and choose which Discord servers to sync into Beeper
Redesigned room list: we started a redesign of our Android app and adopted the Material design language.
Integrated Android SMS bridge: Our previous Android Messages bridge was built on a shakey puppeteer foundation, so we rewrote it. Our new Android SMS uses native APIs to send/receive SMS. RCS remains elusively out of our grasp for now. We open sourced our bridge at https://gitlab.com/beeper/android-sms
We are hiring! Come join many other Matrix community members who have joined the Beeper team including @tulir:maunium.net, @annie:beeper.com, @kilian:beeper.com, @spiritcroc:beeper.com and @sumner:beeper.com (who replied to our last TWIM job post and got a job at Beeper within a week!)
We are hiring senior iOS, Android developers and a DevOps/SRE (preferably in North/South America timezone)
Nheko got a lot more colorful this week. red_sky (nheko.im) and LorenDB finished up the jdenticon support. This means instead of the first character of a users display name, you now have the option to see a colorful avatar for users without an explicit avatar. You may have seen something similar on Github and other platforms. Currently this needs the qt-jdenticon plugin, which is a bit troublesome to install correctly, but we should improve that in the near future.
Prezu added a homeserver entry field to the room directory, making it much more useful (no history yet though). Thulinma added a /goto command to navigate to specific events or room and fixed scrolling to a specific event (in the past it only approximately scrolled to the right location). Symphorien added the Alt+A shortcut to navigate between rooms with active mentions and notifications. Additionally Priit completed the Estonian translation.
Additionally we released a security fix on Monday (together with a few other clients). We only released a fix for the master branch in Nheko instead of also the latest stable release. This confused a few people, but I hope my explanations made sense. The gist of it is:
On the master branch the local homeserver admin could force Nheko to forget which identity keys it saw for a user and as such insert a new device with the same device id, but attacker controlled identity keys and request old encryption keys from Nheko. In Nheko's case we had some protections against that, but if the server sent a device_list.left event for that user, Nheko would delete those protections. From our understanding this could not be abused over federation.
On 0.8.2 this can also be abused, but 0.8.2 does not implement key sharing completely. It can only forward the currently in use encryption key, not historical ones. As such the impact in our opinion was too limited to release a security fix. 0.8.2 does not allow you to send encrypted messages only to verified devices as such the homeserver admin could always insert just a different device to get access to new encrypted messages. Because of that we have a big warning in the README and when enabling encryption in 0.8.2, that one should not rely on the security of the E2EE implementation in it. We are aiming to have stable and secure E2EE in the next release (and so far it is looking good), but if you are using 0.8.2 I can only repeat, that it won't protect you from an attacker even without the disclosed security issue.
I hope this clears up some of the confusion. Feel free to visit us in #nheko:nheko.im and tell me, that I am wrong.
This week saw two releases of libolm, a library that implements olm, megolm, and some other Matrix-related encryption functions. The main changes in version 3.2.5 are new functions for getting error codes rather than error strings so that implementations don't need to rely on string parsing to decode errors, and added support for fallback keys in the Android and iOS bindings. There were also improvements in error handling in the unpickling functions, and the shared library no longer exports certain private symbols, which caused problems when those same symbols were exported by other libraries. The initial implementation of this last change caused build failures in some environments, so version 3.2.6 was released to fix this.
The Polyjuice project wades further into bad pun territory with a new project: Polyjuice Draughts, a set of checkers to verify that a homeserver is set up correctly and is accessible for clients and federation. It is similar in goal to the Matrix Federation Tester, but also checks client connections. It can either be run from the command line, or it can be used in a Matrix room, thanks to Igor, by sending a message of the form !servertest <servername> in a room that has an appropriately-configured bot in it. There is currently a bot in #synapse:matrix.org that can be used.
As you can see from the screenshot, my server isn't quite set up correctly, and I should fix it some day...
Polyjuice Client 0.4.3 has been released. This release adds functions for getting room membership (thanks to multi prise) and checking the server spec versions, along with some bug fixes.
Finally, the Polyjuice libraries have moved their git repositories from https://gitlab.com/uhoreg to https://gitlab.com/polyjuice. The old locations should automatically redirect to the new locations.
I have converted the script for auto updating the Element-web instance to latest version from Gist to the full Git repo MurzNN/element-web-update and added support for .env file to set desired variables.
This is a bash script that checks the new released version of Element from official Github repo and if it differs from installed - updates the local files with deleting old version (to cleanup old files) and unpacking new one, but with keeping the config files by mask config*.json.
You can put it to your crontab.daily and got an always fresh Element with forgetting about manual update routine.
I created a bot to assist with sending standup posts to a room. It reminds you to write a standup post, and then asks you what you did the previous day, what you intend to do today, if you have any blockers, and if you have any other notes. Then it posts a nicely formatted standup post to a room which you can configure.
You can find the source code here: https://sr.ht/~sumner/standupbot/
I am super happy to finally give you another update on TheBoard, due to holidays during the last weeks I had less time to work on TheBoard. But now there still accumulated enough changes for a little Update:
I experimented what technologies I could use for the still required GUI elements. A new User List was implemented using Vue.js. Vue seemed to be a little overkill for the kind of GUI required in the case of TheBoard. So I re-implemented the user list with react-no-js.
I am happy with react-no-js and it is used for a user list plus a tool settings menu on the right hand side of the canvas.
The tool panel in particular opens up a lot of possibilities. The eraser already makes use of it by giving the option to only delete specific item types (Image, stroke or text). This can be very handy if you want to delete strokes drawn on top of an image without deleting the image as well. What can be deleted is highlighted by a new filter system which allows to make any modification to objects selected by a filter function (see the attached image)
Other small changes:
Animated camera movement (for a upcoming "follow other user" feature) currently used for the Go Home Button
Opening a board now loads at the last edited location
The touchscreen navigation (zoom/pan) was re-implemented and should now work much better
Links and further reading:
Play with it at: https://toger5.github.io/TheBoard/ (feel free to join: https://matrix.to/#/#PublicWhiteboardTest_TheBoard:matrix.org with the account used for testing to join the first collaborative board)
Join the matrix room: https://matrix.to/#/#TheBoard:matrix.org
The Board is very exciting! I could see in the planned use cases that Timo already intends to make a widget out of it. It would be very useful for real-time collaboration, but that's not all! When asked if a standalone app will come, Timo confirmed:
Indeed. I wasn't thinking about a builtin home-server yet. But a standalone app is still planned because I want the app to be able to manage different boards. Therefore I need to be able to control room creation and listing rooms. It should basically feel like onenote if you intend to use it like that.
@s7evink The game is called AAGRINDER, hosted at aagrinder.xyz, the code is here, the bridge implementation is here, wiki is here. The game is a text-based sandbox multiplayer browser game that I (Maze) have been building for the past 3 years. Built from nothing, no game engine. It generates an infinite procedural terrain to venture in. The integrated chatbox is nothing special but it's really nice to have it bridged to Matrix now, it's less lonely when playing alone. The appservice bridge creates users matching player name and color. Display names from Matrix are presented in the same color as in Element.
Hopefully you're able to extract some useful information out of this ^^
I love the retro vibe of the game, it's really cool!
Third Room is an experimental metaverse client I've been working on for the past couple weeks. It combines three.js and Matrix to create 3D voice chat rooms where you embody an avatar.
There's a lot more info in my talk from last night at the Open Metaverse Interoperability Demo Night (my talk starts at 37:43)
Beeper mentioned they have several positions open, and Element is also talents hungry. Iβm particularly ecstatic to see that developing skills around Matrix can get people jobs. Of course I encourage strongly people to experiment with the protocol and use it in all sorts of crazy ways!
Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat. Element on iOS is not affected.
Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.
Exploiting this vulnerability to read encrypted messages requires gaining control over the recipientβs account. This requires either compromising their credentials directly or compromising their homeserver.
Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users' devices in order to spy on messages sent by vulnerable clients in that room.
This is not a vulnerability in the Matrix or Olm/Megolm protocols, nor the libolm implementation. It is an implementation bug in certain Matrix clients and SDKs which support end-to-end encryption (βE2EEβ).
We have no evidence of the vulnerability being exploited in the wild.
This issue was discovered during an internal audit by Denis Kasak, a security researcher at Element.
Patched versions of affected clients are available now; please upgrade as soon as possible β we apologise sincerely for the inconvenience. If you are unable to upgrade, consider keeping vulnerable clients offline until you can. If vulnerable clients are offline, they cannot be tricked into disclosing keys. They may safely return online once updated.
Unfortunately, it is difficult or impossible to retroactively identify instances of this attack with standard logging levels present on both clients and servers. However, as the attack requires account compromise, homeserver administrators may wish to review their authentication logs for any indications of inappropriate access.
Similarly, users should review the list of devices connected to their account with an eye toward missing, untrusted, or non-functioning devices. Because an attacker must impersonate an existing or historical device, exploiting this vulnerability would either break an existing login on the userβs account, or a historical device would be re-added and flagged as untrusted.
Lastly, if you have previously verified the users / devices in a room, you would witness the safety shield on the room turn red during the attack, indicating the presence of an untrusted and potentially malicious device.
Given the severity of this issue, Element attempted to review all known encryption-capable Matrix clients and libraries so that patches could be prepared prior to public disclosure.
fractal-next is not vulnerable due to depending on a recent enough commit.
weechat-matrix-rs, a rewrite of the original weechat-matrix script, had no tagged releases, but some commits did depend on vulnerable versions of the matrix-rust-sdk. Users should ensure to update to the latest master of weechat-matrix-rs, presently 2b093a7.
Matrix supports the concept of βkey sharingβ, letting a Matrix client which lacks the keys to decrypt a message request those keys from that user's other devices or the original sender's device.
This was a feature added in 2016 in order to address edge cases where a newly logged-in device might not have the necessary keys to decrypt historical messages. Specifically, if other devices in the room are unaware of the new device due to a network partition, they have no way to encrypt for itβmeaning that the only way the new device will be able to decrypt history is if the recipient's other devices share the necessary keys with it.
Other situations where key sharing is desirable include when the recipient hasn't backed up their keys (either online or offline) and needs them to decrypt history on a new login, or when facing implementation bugs which prevent clients from sending keys correctly. Requesting keys from a user's other devices sidesteps these issues.
Key sharing is described here in the Matrix E2EE Implementation Guide, which contains the following paragraph:
In order to securely implement key sharing, clients must not reply to every key request they receive. The recommended strategy is to share the keys automatically only to verified devices of the same user.
This is the approach taken in the original implementation in matrix-js-sdk, as used in Element Web and others, with the extension of also letting the sending device service keyshare requests from recipient devices. Unfortunately, the implementation did not sufficiently verify the identity of the device requesting the keyshare, meaning that a compromised account can impersonate the device requesting the keys, creating this vulnerability.
This is not a protocol or specification bug, but an implementation bug which was then unfortunately replicated in other independent implementations.
While we believe we have identified and contacted all affected E2EE client implementations: if your client implements key sharing requests, we strongly recommend you check that you cryptographically verify the identity of the device which originated the key sharing request.
The fact that this vulnerability was independently introduced so many times is a clear signal that the current wording in the Matrix Spec and the E2EE Implementation Guide is insufficient. We will thoroughly review the related documentation and revise it with clear guidelines on safely implementing key sharing.
Going further, we will also consider whether key sharing is still a necessary part of the Matrix protocol. If it is not, we will remove it. As discussed above, key sharing was originally introduced to make E2EE more reliable while we were ironing out its many edge cases and failure modes. Meanwhile, implementations have become much more robust, to the point that we may be able to go without key sharing completely. We will also consider changing how we present situations in which you cannot decrypt messages because the original sender was not aware of your presence. For example, undecryptable messages could be filed in a separate conversation thread, or those messages could require that keys are shared manually, effectively turning a bug into a feature.
We will also accelerate our work on matrix-rust-sdk as a portable reference implementation of the Matrix protocol, avoiding the implicit requirement that each independent library must necessarily reimplement this logic on its own. This will have the effect of reducing attack surface and simplifying audits for software which chooses to use matrix-rust-sdk.
Finally, we apologise to the wider Matrix community for the inconvenience and disruption of this issue. While Element discovered this vulnerability during an internal audit of E2EE implementations, we will be funding an independent end-to-end audit of the reference Matrix E2EE implementations (not just Olm + libolm) in the near future to help mitigate the risk from any future vulnerabilities. The results of this audit will be made publicly available.
Ultimately, Element took two weeks from initial discovery to completing an audit of all known, public E2EE implementations. It took a further week to coordinate disclosure, culminating in today's announcement.
Monday, 23rd August β Discovery that Element Web is exploitable.
Thursday, 26th August β Determination that Element Android is exploitable with a modified attack.
Wednesday, 1 September β Determination that Element iOS fails safe in the presence of device changes.
Friday, 3 September β Determination that FluffyChat and Nheko are exploitable.
Tuesday, 7th September β Audit of Matrix clients and libraries complete.
A critical security vulnerability impacting several popular Matrix clients and libraries was recently discovered. A coordinated security release of the affected components will be happening in the afternoon (from an UTC perspective) of Monday, Sept 13th.
We will be reaching out to downstream packagers to ensure they can prepare patched versions of affected packages at the time of the release. The details of the vulnerability will be disclosed in a blog post on the day of the release. There is so far no evidence of the vulnerability being exploited in the wild.
Please be prepared to upgrade as soon as the patched versions are released.
Thank you for your patience while we work to resolve this issue.
As just blogged there is an important security fix coming for several Matrix clients. More news, and patched versions will be announced on Monday. Though there is no evidence this vulnerability has been exploited, please be ready to upgrade on Monday.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
I'm actually surprised myself that this wasn't part of the spec already! Looks like it would be a nice to-do to get this implemented and then checked off by approvers. Anyone want to submit some PRs to HS and AS implementations? π
Dimension, an integration manager alternative for Element, got a refresh from @TimeWalker to bring the project up to modern day standards. Please give it a go if you've been running Dimension, and report bugs if there's problems! While I haven't personally had time to maintain it as much as I'd like, it's great to see people taking on 3 year old bad code and fixing it π
For TWIM readers, Dimension is an "integration manager" that replaces the default one shipped with Element. It's not entirely mobile-ready yet, but does give a user interface for managing various bots, bridges, and widgets. In practice, an integration manager isn't needed as most bots and bridges (and even widgets) can be set up without an integrations manager, like all of https://t2bot.io/ (ironically, given Dimension was originally targeted at t2bot.io). People do still use it though to configure self-hosted platforms with their very own Element, Synapse, bridges, and bots.
While I still probably won't have much time personally to maintain it, PRs are certainly accepted. Dimension is a bit complex to work within and test, but people in #dimension:t2bot.io should be able to help out.
Synapse 1.42.0 is out now! This release includes support for Room Version 9, which fixes an issue with Version 8's support for restricted rooms. We also implement a bunch of new MSCs (including MSC3231: Token authenticated registration by Callum Brown as part of his Google Summer of Code project), improve efficiency, and sidestep a longstanding issue with users getting stuck in unsupported room versions. Read the announcement for details!
This Sydent release also includes support for Jinja2 templating, a complete overhaul of our CI/CD pipeline, and a comprehensive update to the codebase to follow modern Python practices including the addition of mypy type hints throughout.
Lastly, we'd like to welcome Shay to the Backend Team at Element. Her work as an Outreachy intern paved the way for the recent improvements to Sygnal and Sydent. Thanks, Shay, and welcome aboard!
And another week, another Kubernetes Helm Chart update, this time seeing matrix-synapse updated to 1.42.0 - as well as a whole lot of fixes to support the new ingress object version introduced in Kubernetes 1.19
Hi folks, we're massively pleased to announce the third major release of the TS/JS bridging library matrix-appservice-bridge. This release contains several large breaking changes to the previous way of life, most notably we have stopped using the matrix-js-sdk for most of our code, instead using the matrix-bot-sdk (Hi TravisR , we see you up there!).
There are several reasons why we went this way:
Notably, this library focuses work on simply implementing APIs and bridge/bot logic. There is no additional cruft to support client use-cases or browsers.
It's historically had a brilliant coverage of the CS and AS APIs, and has been extremely flexible to add new stable and unstable APIs to it.
At the start of this project, it was the only library with a complete Typescript coverage. Typescript types continue to be extremely useful to us.
We're hoping to make use of the upcoming encrypted appservices support, to replace the slightly janky pantalaimon support the bridge library currently uses.
Thanks to Travis and the matrix.org bridge team for working through these changes!
There are a bunch of common sense improvements that break API compatibility in this release also, so please be sure to check them out and update. We don't anticipate supporting 2.X except for extreme circumstances.
Finally, we'll be updating the matrix-org suite of bridges over the coming weeks so please watch for bugs and let us know how we're doing!
SchildiChat is a fork of Element that focuses on UI changes such as message bubbles and a unified chat list for both direct messages and groups, which is a more familiar approach to users of other popular instant messengers.
After a couple of weeks/months of internal testing and public beta testing, the latest stable version (1.2.0.sc42) now supports UnifiedPush!
This means that you can now choose your own push provider, if you do not want to use Google's FCM push notifications.
Huge thanks to @sim_g:matrix.org for working on this!
You might remember my short story from last TWIM about the race between different translators? Seems like that one was good enough to motivate a few people to contribute translations. While those don't seem to be 100% complete yet, we saw a significant jump in translation percentages (especially Portuguese), so thank you to everyone who contributed to that!
Thulinma also made the whole userprofile scrollable, which improves the experience on small screens a lot. He also implemented message deduplication by event id, which is required by the spec to be done on the client side. This fixes a lot of duplicates when using conduit and your join event appearing 2~3 times on synapse.
We also fixed an issue with how different homeservers update one time key counts and added some additional code to remove old one time keys, if we ever uploaded to many (which might have happened in the past in a few edge cases). We also now escape img tags in usernames correctly in more places, redundant date separators when paginating back in a room should not appear anymore and tastytea decreased the margins on blockquotes, so that they look less jarring and take up less space.
The biggest news is that multi-account support landed in fractal-next (donβt be fooled by the title of the MR, itβs more than just a widget!). I feel like this is one of the most requested features across all clients, yet not many have it yet, and Iβm ecstatic that weβre joining them π. This work was done as part of GSoC by Alejandro under the mentorship of Julian π.
Room version 9 will be marked as the preferred version for MSC3083 restricted rooms on matrix.org and released in Synapse 1.43.
Web
Released Element Web 1.8.3 RC2.
Pushing forward with threads, improving on our Labs prototype. Weβre exploring what backend and spec changes we will need to support threads robustly.
Cross-signing bug fixes.
iOS
1.5.3 is available on TestFlight. It will be released on Monday with:
Startup optimisation. The duration is divided by 3 or 4
Media size selection on sending: the option must be enabled from settings
URL preview under a LABS setting
We made good progress on SwiftUI screen templates. We will be able to use them soon for real views or screens
Better app navigation is still in progress
Android
The Matrix Android SDK2 is now available on MavenCentral!
Element Android 1.2.1 has been release to the beta channel of the PlayStore and should be push on production on next Monday. It includes improvement for the Spaces (still in beta) and improvement for the VoIP. Full changelog can be found here: https://github.com/vector-im/element-android/releases/tag/v1.2.1
v0.6.0-beta.2 has been published of matrix-bot-sdk as an early version to support encryption on bots and improvements to appservices. It's a bit self-directed to figure out how it works, but #matrix-bot-sdk:t2bot.io is available to try and help out.
Please give it a go and report bugs. The final v0.6.0 release is expected to contain not only encryption support for bots, but also appservices and real documentation. For now though, it's just the bots.
It's an "automation backend" bot of etke.cc and has following features:
send html forms from your website directly to matrix
manage matrix-registration invite tokens in matrix chat
Miounne hits first stable release. I already shared some info about it here some time ago... but now it's stable! Source code has 83+% of unit tests coverage and some bizarre bug have been fixed.
Besides, now you can use pinned version of the bot (docker registry)
PS: we have #miounne:etke.cc room to discuss (whine) and post updates about it
Patience, a full stack integration testing approach for Matrix clients and servers, has added initial support for Hydrogen this week. As it already supported Element Web, we now have a (basic) system for testing multiple clients together which is taking shape! π₯³ From here, we plan to add configuration options to express the permutations of clients you want to test together.
This project is still in its early stages, but we hope to eventually have support for many different clients and then use it to test common flows like user verification, which can differ quite a lot across clients. If you're interested in this topic, feel free to join the new #matrix-patience:matrix.org room.
Someone has been making Matrix fanfic! I'm not sure how federation ties in, and for some reason they feature rubber duck debugging at one point but otherwise it looks fun :) https://www.youtube.com/watch?v=9ix7TUGVYIo
This release includes changes that you may need to be aware of before upgrading, such as the removal of two deprecated Admin APIs or a retroactive fix to ensure that email notifications are only sent to addresses which are presently associated with an account. Please see the Upgrade Notes for details.
Synapse 1.42 includes support for Room Version 9, which fixes an oversight in the list of event fields which were protected from redaction in Room Version 8's restricted rooms. This makes it possible, in certain circumstances, for a restricted room to degrade into a state where participating servers will disagree about the room's membership.
Because changing a room version's redaction algorithm also changes the way that event IDs are calculated, properly fixing this issue required the creation of a new room version.
To ensure compatibility with existing servers, Synapse 1.42's MSC3244: Room version capabilities hints will continue to ask clients to prefer Room Version 8 when creating restricted rooms and Room Version 6 otherwise. A future release of Synapse will ask clients to prefer Room Version 9 for restricted rooms.
Very rarely, users find themselves in rooms created with unstable or experimental room versions. Then, when Synapse removes support for these versions, bad things happen. The server no longer understands how to interact with that room version, which means you can't interact with that room. And if you can't interact with that room, you can't leave.
In Synapse 1.42, rooms with unknown room versions are no longer returned down /sync. This prevents them from appearing in your client, though you may need to empty your client's cache and re-sync to see any effect.
In addition to Room Version 9 (MSC3375), this release includes:
An initial implementation of MSC3231: Token authenticated registration, which makes it possible for homeservers to disable user registration while still allowing new accounts to be made by people who know a pre-shared secret.
This MSC and its implementations were produced as part of a Google Summer of Code (GSoC) project by Callum Brown.
An updated implementation of MSC2946: Spaces Summary following recent changes to the proposal.
In addition to the usual array of improvements to performance, type hints, error messages, and documentation:
Custom Presence Router modules can now be built using Synapse's new, unified module interface which debuted in Synapse 1.37.
Code around federation event handling and authentication has been significantly refactored to improve reliability and maintainability, including extracting nearly 1,800 lines of code from the FederationHandler class into a separate FederationEventHandler class.
Backfilling history and fetching missing events now use the same code paths, reducing the potential for bugs.
Concurrently fetching the same large set of events (#10703) is now much more efficient, preventing the process hangs which were possible in prior, extreme cases.
These are just the highlights; please see the Upgrade Notes and Release Notes for a complete list of changes in this release.
Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including aaronraimist, dklimpel, govynnus, and HugoDelval.
We forgot to mention that Doug is also the creator of Watch the Matrix! https://github.com/pixlwave/Watch-The-Matrix This allows you to use your Apple Watch as a native client (rather than through another iDevice)
These fellows all recently started to work for Element, and (claim!) to enjoy it. Element are HIRING, so if YOU think think you'd like to apply, check out https://apply.workable.com/elementio/ for current listings and details of how to apply.
We finally did it! We released Conduit Beta: https://conduit.rs/release-0-2-0, we even made it to the Hacker News frontpage: https://news.ycombinator.com/front?day=2021-09-02
This is huge news for us and hopefully we will see a lot more Conduit instances pop up in the near future.
Thanks everyone!
Congratulations to Timo and the gang, you're making superb progress!
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
You may be wondering: what's up with all of these abandoned MSCs?? The answer is that the matrix-org/matrix-doc repo changed its base branch to main to help preserve the git history since the spec website rewrite. In doing so, all PRs were automatically updated to the new base branch by github... except those that were coming from deleted users and repos. Those ones were simply closed!
But as they seemed to be have been effectively abandoned by their authors, it was more of a cleanup than an accident. However, if your MSC was affected by this change and you would like to continue it, please contact someone in the #matrix-spec-office:matrix.org and we'll help you out.
MSC2448 defines a way for clients to include a "blurhash", or a short, textual representation of a blurred version of an image, inside events which other clients can show while waiting for thumbnails to download from media servers. This replaces the potentially blank space while an image's thumbnail is loading with a (IMO) beautiful alternative!
Yes I wrote this MSC... but I swear it's what the script picked! We do not question the script!!
Synapse 1.41.1 is out and it contains patches for two security vulnerabilities which could inappropriately disclose private room metadata to unauthorized users on a participating homeserver. Please upgrade.
Room Version 9 is coming in Synapse 1.42 next week. This version fixes an oversight in which event fields are protected from redaction in room version 8, making it possible for restricted rooms to break if a join event is redacted. Because event IDs are based on the redaction algorithm, we can't fix this without creating a new room version.
In the interest of compatibility across the federation, Synapse 1.42 will still instruct clients to create restricted rooms using room version 8. Synapse 1.43, scheduled for release on 21 September, will begin instructing clients to use room version 9 instead.
Hey folks! I had some spare time today so I've invested it into the matrix-github bridge. The latest work is GitHub discussions support. It's still needs a bit more testing / minor feature implementation, but I leave you with a screenshot below of how it currently integrates spaces!
We had a race between 3 Translators this week. All 3 of them were trying really hard, so in my opinion every placement is a first place, buuuuuut Thulinma actually came first by bringing the Dutch translation from 5% to 100%. A few hours later Priit came in as a close second updating the Estonian translation to 100%. ISSOtm noticed that and tried to catch up which resulted in a 3rd place finish for the French translation. Now I understand the excitement people feel watching others compete in sports without having to do anything themselves!
red_sky (nheko.im) meanwhile fought a much more difficult enemy, Apple documentation and code signing! To be honest, I expected him to be beaten, but Nheko's DMGs are now actually properly signed and notarized. So if you are on macOS, you should now see less ugly warnings when installing Nheko. All nightlies building of the master branch are signed as well as our future releases.
In more community contributions, resolritter fixed the right click menu not working on replies. So you can copy a link from a reply now by right-clicking it without having to scroll up. Thulinma fixed window alerts not working when using conduit, because Conduit does not implement the /notifications endpoint Nheko uses and he helped me debug and fix device lists not showing up when using Conduit as well as sessions always getting rotated in "Send encrypted messages to verified devices only" mode.
In our work to stabilize E2EE we also now require a proper secrets daemon running on Linux (and other platforms, but there it is always provided by the OS). This is used to store the pickle key as well as the cross-signing secrets, so that an attacker can't read the from the config file. We already used such a daemon before, but we failed silently and we didn't use it for the pickle key until now. So if this prevents you from running Nheko, please open an issue so that we can work on a solution. Those APIs can be really fickle so additional testing and feedback would help us out a lot!
Also exciting is that Nheko now supports playing encrypted audio and video files without storing a temporary unencrypted copy on disk as well as animated images like WebP and GIF! It took us a while to figure out a proper solution, but now you can send animated stickers and you will finally be able to understand why other people were lauging at still images. (We also had to fix some bugs in our sticker editor, where we didn't add the mimetype to the sticker info for that.)
Some more embarrassing news, I didn't know I was a moderator in #conduit:fachschaften.org, so I happily pinged everyone in the room while discussing room mentions. To prevent that from happening in the future, Nheko now shows a red warning above the message input if you will be pinging the whole room to give you time to reconsider. If that is not enough to stop me from doing that, we might require confirmation before sending such messages in the future, but so far this seems to work. Pinging everyone by accident can really scare you and composing a message in Matrix shouldn't be scary!
I hope I didn't forget anything and please make sure you check out Conduit, since they are doing a great job in revealing bugs in Nheko!
This release fixes a bug which makes it impossible to send images in unencrypted rooms. It also implements a complete new designed new chat page which now uses a QR code based workflow to start a new chat.
feat: Dismiss keyboard on scroll in iOS
feat: Implement QR code scanner
feat: New design for new chat page
feat: Use the stripped body for notifications and room previews
feat: Send on enter configuration for mobile devices
fix: Prefix of notification text
fix: Display space as room if it contains unread events in timeline
Weβve added an early, incomplete prototype of Threads to Labs
Bug fixes
iOS
App startup has been improved by x3 by lazy loading room messages and read receipts
Element-iOS is now iOS12 minimum. Code have been cleaned up
URL preview is still in progress but it should be available in the next release, 1.5.3
SwiftUI: There is now a target to run the Xcode project without the MatrixSDK to speedup SwiftUI preview. This is the first piece for the coming new screen templates
Android
Working on upgrading Android Gradle Plugin to 7.0.2 and other dependencies.
Set up GitHub actions and reduce the number of tasks run by Buildkite
Spaces PRs are merged one by one to develop, the feature will be available in the coming releases
Working on crypto: dehydrated devices, Olm fallback keys
This version of the simplematrixbotlib package adds the ability to send messages formatted in markdown via the bot.api.send_markdown_message() method. Example usage is shown below:
#### Respond to all messages from users with a hello world message that involves markdown formatting
import simplematrixbotlib as botlib
creds = botlib.Creds("https://home.server", "user", "pass")
bot = botlib.Bot(creds)
@bot.on_message_event
async def hello_world_md(room, message):
match = botlib.MessageMatch(room, message, bot)
markdown_message = "# Hello World from [simplematrixbotlib](https://github.com/KrazyKirby99999/simple-matrix-bot-lib)!"
if match.is_not_from_this_bot():
await bot.api.send_markdown_message(
room_id=room.room_id,
message=markdown_message)
bot.run()
We're getting very close to a real App Store launch. The latest beta release this week is 0.98 This version might be The One! So please, if you haven't tried Circles in a while, give this one a shot. Also please share the link with any friends and family who you think might be interested. The current signup token has plenty of slots for everyone.
If you want to see some activity in your circles, invite me to follow your Community circle and I'll invite you to follow back. I'm @cvwright:kombucha.social.
If you've been using Circles with your own (non-Kombucha) server, you probably DO NOT WANT this version. Support for bring-your-own-server will return very soon after our App Store launch.
Broke and then re-enabled new account signup. Thanks to everyone who helped diagnose this one, and sorry if you were unable to sign up using a recent build.
Fixed a weeks-old bug where posting a message into a circle would then send you back to your list of all your social circles. Big thanks to Yosef for bringing this to my attention.
Fixed a bug in recent 0.9x builds where the Matrix rooms underlying circles and groups were being created with invalid encryption parameters. If you've been unable to post anything, this is the likely culprit. The fix is to update to the latest build, then delete your old circles/groups and create new ones.
We have a new icon. It's blue! I was worried that Apple might think the old icon looked too much like the Apple Photos icon.
New and improved interface for managing your account information. Added support for changing your password and for deactivating your account. I hope you never want this last one, but Apple requires it for apps that allow you to create accounts.
Removed support for Markdown formatting in posts and image captions. This is a sad one, but unfortunately the performance of the open source library that we were using for Markdown just wasn't up to the task. On the bright side, our timelines load much more quickly now, and the scrolling should be much smoother. Look for Markdown support to return with the release of iOS 15 later this year.
Another update to the Recent Activity list. Now it should refresh itself automatically if/when it initially comes up empty.
The CoMatrix project enables the usage of the Matrix protocol (more precisely Matrix Client-Server API) for constrained IoT devices via CoAP and CBOR in a constrained network (e.g. a 802.15.4/6LoWPAN network).
CoMatrix provides a gateway, which ports Matrix to CoAP/CBOR/(DTLS). This gateway communicates with constrained IoT devices on one side via CoAP+CBOR and translates to the Matrix protocol on the other side (i.e. HTTP+JSON). CoMatrix also provides a client library (for RIOT-OS) which is a starting point to implement CoMatrix clients (for constrained devices) which are able to interact with Matrix homeservers via the gateway.
Currently CoMatrix supports the following features:
I have made a small 120k pipeline-agent software (including all dependencies except NodeJS v8) which can run on multiple platforms (including OpenWRT) and takes pipeline work over the Matrix protocol. In the end it's going to be used to setup things like VPN connections between gateways.
We also have a commercial web portal almost published where one can create web apps and configure pipelines to process the results. And yes, the portal also uses Matrix as its persistent storage -- it was implemented using my Matrix CRUD Repository from last week :)
The agent software (pipeline-runner) is open source and has zero (0) runtime dependencies except NodeJS, and available from here: https://github.com/sendanor/pipeline-runner -- It's still in early development, though.
Hi everyone! Did you ever feel lost in the Matrix world? The room directory is big, but it's still hard to find something you like. Or are you a room moderator, but there is not much activity in your room because it doesn't have enough users?
This is why I want to share rooms (or spaces) I find interesting.
"Discover music through peers - Please write a small description of your discoveries. No uploads of non-free music please. For discussions and chat please visit the room's sibling #musicdiscussion:matrix.org "
Today we are releasing Synapse 1.41.1, a security update based on last week's release of Synapse 1.41.0. This release patches two moderate severity issues which could reveal metadata about private rooms:
GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private room's list of members and their display names.
If an unauthorized user both knows the Room ID of a private room and that room's history visibility is set to shared, then they may be able to enumerate the room's members, including their display names.
The unauthorized user must be on the same homeserver as a user who is a member of the target room.
GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.
The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (enable_group_creation in the Synapse configuration; off by default).
Note that in both cases:
The private room's Room ID must be known to the attacker.
Another user on the attacker's homeserver must be a legitimate member of the target room.
The information disclosed is already present in the database and thus legitimately known to the administrators of homeservers participating in the target room.
We'd like to credit 0xkasper for discovering and responsibly disclosing these issues.
This release also fixes a small regression in 1.41.0 (#10709) which broke compatibility with older Twisted versions when Synapse was a configured to send email.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/unstable/proposals.
MSC2582 (Removing mimetype from EncryptedFile object) was one of those MSCs that were relatively small, but had been languishing for ages. Partly because it required client implementations to update, but also partly because one needed to go in after a while and actually confirm that all known clients had updated. @uhoreg took up the mantle on his own to do so, and as a result this MSC has hit FCP and is soon to be merged. Thank you!
Alongside MSC2957 and MSC3265, this MSC is requesting a better way of communicating one's password to the homeserver without sending it in plaintext (over TLS, hopefully).
Remember that this is only done in exchange for an access token, which is then used for all subsequent requests. Still though, I can see the merit!
Synapse 1.41.0 is out! Check the release announcement to find out about all of the details, including progress on MSCs, great new Admin APIs, and the ability to handle the /createRoom endpoint on workers. As mentioned in last week's TWiM, Synapse 1.41 uses MSC3244: Room version capabilities to tell clients that they can and should use Room Version 8 when creating restricted rooms. The future is here!
We've also stopped publishing Debian packages for Ubuntu 20.10 (Groovy).
β οΈ We expect to publish a security release Synapse 1.41.1 on Tuesday, 31 August which fixes two moderate severity issues.
Lastly, the Synapse team would like to extend a warm welcome to Sean Quah, who joined Element's backend team this week. Welcome, Sean!
This release adds more functionality for spaces, enhances the html viewer, adds a brand new video player and brings some improvements for voice messages. Thanks to everyone involved!
Please note: It will take some days until it arrives in all appstores.
This week Tobias implemented blurhash in NeoChat for a smoother image loading experience. Tobias also continued working on E2EE and this past week his focus was on decrypting encrypted files.
Ement.el, a Matrix client for Emacs, gained some more improvements this week:
Multi-account support was merged, so you can now use multiple accounts at the same time. You can even be in the same room in two different accounts, at the same time, in side-by-side windows (which is useful for testing). (Note that existing users will need to log in again, because the format of the saved-session file changed.)
Rooms you have been invited to now show up in the rooms list, and you can join them by clicking a button in the room's buffer.
Encrypted rooms now display a warning in the header and suggest that users consider using Pantalaimon.
Membership events are now formatted more usefully, similar to Element's style.
Completion for room and user names and IDs is implemented using standard Emacs commands and bindings (i.e. C-M-i by default).
The last-read marker may be jumped to, even if it's at an earlier event that has not yet been retrieved.
Emotes (i.e. /me-style messages) can be sent by pressing e.
Timestamps in the room list are shaded according to how "hot" (i.e. recently updated) the room is (see screenshot).
Nheko now supports uploading to online key backup and warns you before enabling it, that we don't recommend using the asymmetric version. If you update to one of the current builds (and or the next version), you will also experience a bit longer load times on first startup. That is because we force-cleared the cache to be able to handle the new goodies like spaces and sticker/emote-packs. In the best case, everything is seamless.
We also had contributions by various people:
resolritter cleaned up that while tab moved you down most popup lists, it didn't move up when shift was pressed.
Harmathy extended the FAQ to answer commonly asked questions like "Does Nheko support E2EE" or "What commands are supported". Don't worry, we know most of you won't read that and will still answer that question when you undoubtedly come asking it again. We just can now be even more passive aggressive than just pointing at the right wiki page. Instead we will point at the FAQ now, which will point at the wiki!
thombles made the emoji completer behave more nicely. Instead of jumping to the bottom left corner before closing, it will now just close. It should also now behave correctly when selecting text.
alfasi updated the install instructions for Gentoo.
I'm not sure we have ever seen that many new faces contributing to Nheko in a week, I'm pretty happy to see that!
Busy week in Fractal land! It is the end for GSoC, but itβs not really over. While some merge requests from our interns are still ongoing, Julian merged a bunch of them. On Kaiβs side, the long awaited Room details are finally here. Alejandro, on the other hand, landed code to get display name and avatar of accounts at startup.
Circles is a project to build a secure, end-to-end encrypted social network on top of Matrix. The iOS app is currently in the final stages of beta testing in preparation for a 1.0 release.
Updates this week include:
Fixed a bug that prevented some new users from registering. If you tried to sign up last week but the email validation failed, please give it another try with the latest build.
Cleaned up the "Home" tab for a simpler, cleaner look.
Fixed a bug where the summary of recent activity was failing to load on app startup. Also added a manual "refresh" button as a fallback.
If you would like to try the latest Circles beta (v0.93), you can get it from Apple here
Room version 8 was marked as the preferred version for MSC3083 restricted rooms on matrix.org and in Synapse 1.41, released this week. This means Element clients can now show UI to create restricted rooms within a Space, and prompt users to upgrade rooms if necessary when making them restricted.
Improvements to the performance of the room summary API.
Lots of testing of Spaces in anticipation of it leaving beta.
VoIP
Fix cases where a call ringtone would continue even after the call was answered.
Add active speaker indicators when a user in a call is currently talking.
Working on showing call duration in call tiles.
Web
Weβve released 1.8.2 RC3 which includes fixes to windows font rendering, blur hashing and accessibility improvements, and other bugs.
Our internal threads prototype is in code review.
This week, weβve been doing more work on threads, fixed some more cross-signing bugs, iterating on more compact replies, and investigating our process for translations.
iOS
Continue to work on URL preview.
App Navigation improvement: Continue to work on room navigation.
Account notification settings are now available.
Voice message rendering and playback fixes have been made.
We added a banner to advertise that iOS 11 will be dropped soon.
Room creation: prevent room duplication on creation.
Media upload sizing: Continue to improve media size selection.
Android
We are still improving the experience with Spaces
Notifications setting will be updated in the next release, with the ability to get notified when keywords are included in any message (only on un-encrypted rooms for now)
Working on Olm fallback key support
Besides that we are fixing bugs across the application and the SDK. We have fixed the issue of crashing when opening a room on devices running API 21. The fix will be in the next release.
It's been so long since our last update that I couldn't possibly list all of the individual changes, but here's a rough overview of the work since then (three months ago):
There's been loads of bug fixes, many compatibility improvements and at least one large refactoring. We've been much faster about releasing changes to crates.io after ruma 0.1.0, now we're already at ruma 0.4.0 (!); the changes needed to upgrade are really not that significant though. Notable areas of improvement are
UIAA: No more stringly-typed auth type + map of properties. The AuthData enum that holds the authentication information clients send to servers now has one variant for every auth type defined in the spec.
Event relations: These used to be serialized wrongly for encrypted events and were only (de)serializable as part of a larger event (making using them in custom ways impossible). Both of these issues were fixed.
If you want more detailed updates about Ruma, please watch our repository's GitHub releases, since nobody in the project currently wants to write regular blog posts or TWIM updates (if you are interested in changing that, get in touch over at #ruma:matrix.org).
This week a new stable version of libQuotient, 0.6.8, has been released. While the main focus has been fixing bugs and sustaining the codebase, one significant highlight is that read receipts and fully read markers are distinguished now, which should improve interaction with other clients that has been treating them differently for quite some time now. This version is anticipated to become the base of the upcoming Quaternion 0.0.95.
Hi everyone! Did you ever feel lost in the Matrix world? The room directory is big, but it's still hard to find something you like. Or are you a room moderator, but there is not much activity in your room because it doesn't have enough users?
This is why I want to share rooms (or spaces) I find interesting.
"Channel dedicated to games running in terminal environment (or one that looks like terminal) As long as the game could be easily ported to terminal, it belongs here :) Telegram: t.me/cligaming"
If you want to suggest a room for this section, tell me in #roomoftheweek
NOTE: We anticipate publishing a security release next Tuesday, the 31st of August.
Synapse 1.41.1 will contain fixes for two moderate severity issues.
Synapse 1.41 includes changes to forward proxies, template settings, and media workers which may require your attention. Please see the Upgrade Notes for details.
Also, this release removes support for Ubuntu 20.10 (Groovy Gorilla), which reached End of Life last month. Support for Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 21.04 (Hirsute Hippo) will be withdrawn near the end of this year under our platform deprecation policy.
Synapse 1.41 includes experimental support for MSC3244: Room version capabilities, which indicates to clients that they should use Room Version 8 when creating restricted rooms. For example, Element's clients will use the MSC3244 metadata, which is on by default in Synapse 1.41, to determine whether to show end users the UI for creating restricted rooms.
Room Version 6 will remain the default for newly created rooms which do not explicitly request the restricted room capabilities at creation time. This strikes a balance between the broad compatibility of an older default room version, while still making newer features available upon request.
Synapse can now route outbound federation requests, remote media downloads, and public key fetches through a forward proxy.
Custom template configuration has now been centralized into a single custom_templates_directoryconfiguration setting.
Matrix clients which allow users to set a status_msg with their presence will find that Synapse no longer arbitrarily unsets the message when a user goes offline. Instead, each user's status_msg will persist until it is deliberately cleared by their client.
The extension module API now exposes a function, get_userinfo_by_id, which accepts an MXID and returns a UserInfo object. This should simplify writing extension modules like spam checkers.
These are just the highlights; please see the Upgrade Notes and Release Notes for a complete list of changes in this release.
.png)
