Synapse: Disclosing CVE-2020-26890

23.11.2020 14:59 — Security — Dan Callahan

Today we are disclosing CVE-2020-26890 / GHSA-4mp3-385r-v63f, a denial of service vulnerability affecting Synapse versions prior to 1.20.0. We strongly encourage all Synapse admins to upgrade as soon as possible. If you have not upgraded in a while, please refer to the upgrade notes, especially the latter portion of that document which covers any backwards incompatible changes which you may need to take into consideration.

As a best practice, we encourage Synapse admins to upgrade regularly, and either subscribe on GitHub or join #homeowners:matrix.org for low-traffic notifications of new releases.

We extend our thanks to Denis Kasak for reporting this issue, earning a second entry in the Matrix Security Hall of Fame.

This Week in Matrix 2020-11-20

20.11.2020 00:00 — This Week in Matrix — Ben Parsons

🔗Matrix Live 🎙

Something different this week as we welcomed the community to submit their own demos!

Oleg presents his Matrix home-automation setup, which uses Opsdroid, home-assistant and the reminder maubot.
Nico gives presents a selection of small-ish new features in Nheko
Timo gives a tour of the current state of the Conduit homeserver
MTRNord (Marcel) presents the time-tracking bot used by Famedly
Sorunome presents bootstrapping (creating cross-signing keys and online keybackup) in Fluffychat.
Bala from Noteworthy presents Deploy a Matrix home server in 2 minutes with Noteworthy (set to royalty free music!)

🔗Dept of Status of Matrix 🌡️

🔗Bundeswehr deployment and app goes live

Matthew reported:

The Matrix deployment for the Bundeswehr (German Armed Forces) has gone live - details (in German) at https://messenger.bwi.de/ and https://www.bwi.de/news-blog/news/artikel/open-source-matrix-ist-einheitlicher-messenger-standard-fuer-die-bundeswehr and further coverage at https://www.egovernment-computing.de/bwi-und-bundeswehr-setzen-auf-open-source-a-980033/

Oleg (same fellow from the video - wow!) added:

Heise (German news portal) also quoted the news: https://www.heise.de/news/Matrix-steht-als-Messenger-fuer-Soldaten-und-zivile-Angehoerige-zur-Verfuegung-4963211.html

David Mehren linked to Element's own coverage:

https://element.io/blog/bwmessenger-goes-live-for-bundeswehr/

🔗Dept of Spec 📜

🔗New spec platform

wbamberg said:

Demo site is at https://adoring-einstein-5ea514.netlify.app/1.1/

This week we have:

Migrated all spec documents into the new platform, updated all template calls to the new toolchain except those for versioning and changelogs.

Implemented basic support for representing spec versions in the new site, based on the global versioning MSC.

🔗Spec

anoa reported:

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://matrix.org/docs/spec/proposals.

🔗MSC Status

Merged MSCs:

No MSCs were merged this week.

MSCs in Final Comment Period:

MSC1544: Key verification using QR codes

This landed right after I wrote the first draft of this entry!

New MSCs:

MSC2870: Protect server ACLs from redaction

MSC2867: Marking rooms as unread

Personally I would find that last one quite helpful!

🔗Spec Core Team

In terms of Spec Core Team MSC focus for this week, we're sticking with the same three MSCs: MSC2844 (global versioning), MSC1544 (QR code verification) and MSC2790 (modal widgets). MSC2844 in particular I personally found quite interesting.

🔗Dept of Servers 🏢

🔗Dendrite / gomatrixserverlib

Dendrite is a next-generation homeserver written in Go

Neil Alexander said:

We started out this week by releasing Dendrite 0.3.0 and then ended the week with a bug-fix Dendrite 0.3.1 release.

I'd like to say thank you especially to our community contributors who have been adding new features and filling gaps!

Changes this week include:

Memory optimisation by reference passing, significantly reducing the number of allocations and duplications in memory

A concurrency bug has been fixed in the federation API that could cause Dendrite to crash

A hook API has been added for experimental MSCs, with an early implementation of MSC2836

Forgetting rooms is now supported (thanks to S7evinK)

The last seen timestamp and IP address are now updated automatically when calling /sync

The last seen timestamp and IP address are now reported in /_matrix/client/r0/devices (thanks to alexkursell)

An optional configuration option sync_api.real_ip_header has been added for specifying which HTTP header contains the real client IP address (for if Dendrite is running behind a reverse HTTP proxy)

Partial implementation of /_matrix/client/r0/admin/whois (thanks to DavidSpenler)

The error when registering a username with invalid characters has been corrected (thanks to bodqhrohro)

The -version command line flag has been added (thanks to S7evinK)

Backfilling should now work properly on rooms with world-readable history visibility (thanks to MayeulC)

Some more client event fields have been marked as omit-when-empty (thanks to S7evinK)

The build.sh script has been updated to work properly on all POSIX platforms (thanks to felix)

Spec compliance is unchanged, although some Synapse-specific tests have been removed and some new tests have been added:

Client-server APIs: 58%, same as last week

Server-server APIs: 83%, same as last week

As always, feel free to join us in #dendrite:matrix.org for general Dendrite chat or #dendrite-dev:matrix.org for development discussion.

🔗Synapse

callahad offered:

We released Synapse 1.23.0 on Wednesday! Read all about it on the Matrix Blog. Otherwise, we'd like to highlight a few developments over the past week:

We're discussing a policy for ending support for old versions of Python and PostgreSQL. If you have opinions, please let us know on GitHub.

Our initial implementation of MSC2403: Add "knock" feature is undergoing review, and will likely land soon.

We've been looking at ways to improve the efficiency of state resolution, and Erik has managed to devise some algorithmic improvements that yield an order of magnitude speedup for a handful of pathologic cases. We hope to have a better idea of how this might work for real world workloads soon.

Lastly, we'd like to take this opportunity to remind you to please regularly upgrade your Synapse. Especially if you're not yet on 1.20.0, as we'll be disclosing a denial of service issue which affects older versions on Monday.

🔗maunium/synapse

Tulir said:

mewmew wanted to use my fork of Synapse, so I made the changes there configurable (instead of hardcoding to my user ID) and even added a readme to list the features. It might also be useful for other people who want custom room IDs and other fun stuff.

The fork is available at https://mau.dev/maunium/synapse

🔗Homeserver Deployment 📥️

🔗Kubernetes

Ananace offered:

And just to be on time, I just pushed an updated tag and new version of my K8s container image and chart for Synapse 1.23.0

🔗Dendrite

Dendrite is a next-generation homeserver written in Go

TR_SLimey offered:

I've updated the Dendrite ARM docker images to v0.3.0. They can be found at https://hub.docker.com/r/trslimey/dendrite-monolith & https://hub.docker.com/r/trslimey/dendrite-polylith

and later

I have once again updated the Docker ARM Dendrite images for version 0.3.1.

🔗Dept of Bridges 🌉

🔗mx-puppet-bridge

mx-puppet-discord is a (double)puppeting and relay bridge for discord, based on mx-puppet-bridge

sorunome told us:

Support for receiving EDUs from matrix (typing, read indicators and presence) has been added. Protocol implementations can start using the new events, if they want to. Version 0.1.0 has been released along with this. You have to enable the de.sorunome.msc2409.push_ephemeral flag in your registration file

🔗mx-puppet-discord

Added support for bridging typing and presence matrix->discord

🔗Gitter

Eric Eastwood offered:

The native Gitter <-> Matrix bridge is in production! 🚀🚀 We're only testing it out in a single room but feel free to come by and send a message 😀

https://gitter.im/gitter/testing-matrix-bridge <-> #5faa0809d73408ce4ff3ad8e:gitter.im

We also have edits from the Gitter side flowing to Matrix and soon to support edits from Matrix. You can track our full progress from the GitLab epic for the native Gitter <-> Matrix bridge.

🔗mx-puppet-vk

Coma Grayce told us:

Hey, our team of colorful ponies proud to introduce you a new Matrix bridge to VK.com chats. It's powered by mx-puppet-bridge and so far supports almost all of core features people want to see, like replies, message edits and file attachments.

Project home: https://github.com/innereq/mx-puppet-vk

Video introduction: https://www.youtube.com/watch?v=nBRBUA9beXs

🔗Dept of Clients 📱

🔗Nheko

Nheko is a desktop client using Qt, Boost.Asio and C++17. It supports E2EE (with the notable exception being device verification for now) and intends to be full featured and nice to look at

Nico (@deepbluev7:neko.dev) announced:

Profiles should now open again on older versions of Qt.

I've been slowly rewriting the message are to be qml, to make it easier to do fancy styling. As a result emojis in the emoji-completer are now colorful and the avatars in the username completer now match the avatars used in the timeline. It also open up a few other improvements, like finally sending mentions as links instead of plain text.

We have now CI running on our self hosted gitlab instance. We will probably switch of the travis CI, once this is more battle tested. Repositories are now also automatically mirrored between gitlab and github.

Fixed a bug, where we tried to read the internal world group on your server instead of keeping that to ourself.

🔗Konheko

Nico (@deepbluev7:neko.dev) offered:

I released 0.0.3 a few days ago bundling a few smaller improvements like redactions, copying messages and the ability to click on more links as well as some visual cleanups. Nothing radical, but also nothing breaking (I hope).

🔗Element

Neil said:

🔗Delight (Rich vdH, Michael (t3chguy), Valere, Steve, Nique, Nad)

Improving usability

Last week

Observed user tests of people trying to use Element for the first time for personal and professional use cases

This week:

Began work on fixing several of the issues observed, like:

adding an invite people button to new rooms, so users can more easily add people;

changing copy to help people understand what DMs are

Spaces

Communities are coming back with a bang! Last week we said we renamed them to Spaces, and this week, we’ve started designing what MSC1772 would look like for users on Element, to start user testing next week.

Social login

To make authentication easier, we’ve started initial implementations of SSO in Element, exploring how homeservers & Matrix clients can support multiple SSO providers. Most of the work so far is captured in MSC2858.

🔗VoIP (Dave, Brendan, Ismail, Francois, Simon, Nad)

Web

PR up for new look in-call UI, now looking at line 1 / 2 support

Mobile

Work ongoing to update both platforms to v1 VoIP

Design

Some tweaks as implementation is ongoing

🔗Web Platform (Ryan)

Element Web 1.7.14-rc.1 is now available at https://staging.element.io, including:

Several tweaks and improvements to the room list filter

Improved registration based on user feedback

Improved invite / create DM flow

🔗iOS Platform (Manu, Gil)

Last week:

The release has been blocked because a bug has been found in the end to end encryption module. It has been fixed but we want to fix damages it created on one time keys before releasing the new app version.

The new background sync service mechanism PR has been updated

We started to integrate tuist to stop to be annoyed with merge conflicts on the Xcode project file

This week:

Release!

Merge the background sync service mechanism PR and make more people test it

🔗Android Platform (Benoit, Onuray)

Last week:

We’ve just merged a lot of PRs, to improve room creation form and fix some bugs.

SDK side, Dominaezzz is converting some of the Service API methods to coroutines, for a cleaner code. See for instance https://github.com/vector-im/element-android/pull/2414 . 9 out of about 45 services have been migrated so far. We have about a 45 services in the SDK (!)

This week:

Release including a new way to invite friends to Matrix and to Element.

🔗Hydrogen

Bruno reported:

Released 0.1.30 with image uploads. There is also a new preference in the settings to scale sent images down.

🔗Dept of SDKs and Frameworks 🧰

🔗Ruma

Ruma is a Rust project to create a comprehensive set of APIs for Matrix. Previously there was a Ruma homeserver project.

jplatte said:

Since our last update four weeks ago,

iinuwa created issues for all of the identity service api endpoints (w/ suggested module names!) 🎉

I updated lots of enumerated types to allow unspecced values, for future compatibility & robustness

Devin R made sure a custom Content-Type in responses overwrites the default rather than creating a duplicate header. #339

gnieto fixed a bunch of bugs in ruma-federation-api

Alejandro Domínguez added support for deserializing string power levels (requires the unstable-synapse-quirks feature because these events are invalid according to the spec but Synapse used to (?) accept them)

🔗Ruby SDK

Ananace reported:

Just released version 2.2.0 of the Matrix Ruby SDK with the help of the community, with this release support for JRuby is improved - though still not perfect, in the higher-level abstraction direct messaging rooms are now exposed for all users - as well as all that the current user has, and the lower-level abstraction sees the addition of the CS API method to get an event context.

And just to reiterate; if you're using the gem - or have questions/comments about it. please do drop into the discussion room at #ruby-matrix-sdk:kittenface.studio.

🔗Dept of Bots 🤖

You can see demos of both bots in this section by watching Matrix Live \o/

🔗home-assistant-bot v2.0.0 released

Oleg told us:

Opsdroid bot for triggering home-assistant automations.

🔗Changes

⚠️ Possible breaking change: change behavior how messages are matched

Before: messages were matched only if a message starts with !

In this version: the whole message is matched. This means in v2.0.0 this will work Hey, please !turnon light1

You can override this by using ^ in the config for. For example: regex: "^!turnon"

This allows one bot trigger another. See this TWIM video for details. 😉

Add howto for setting up wakeup-light with home-assistant

Update Opsdroid to v0.19.0

Update opsdroid-homeassistant to 0.1.8

Add debug config parameter to display messages in the chat, that the bot is getting but, maybe, is not processing/matching

🔗Feedback

Join us at #home-assistant-bot:fiksel.info #opsdroid-general:matrix.org

🔗Famedly Timetracking bot

MTRNord announced:

As seen in the video I am working at famedly on a bot to track our work hours.

Until this happens the video gives you a sneakpeak on the functions of that bot.

🔗Current (implemented) functions

Tracking of time using !in and !out commands with forced usage of a description as well as ISO 8601 timestamps.

Verification if a time is logical based on the known data

Saving the times tracked inside of postgresql

Tracking durations using a !record command

Responding to only allowed users. (Including ignoring invites if a user is not allowed to use the bot.)

Using !delete to remove entries from the database as needed

🔗Planned functions

Handling of timezones based on users

!stats command which prints you the tracked durations based on a predefined or custom range of time

CSV Export based on a defined range

!break command. Putting a break in between a record or a in/out combination.

Better handling of multiple !in commands

Improved responses

Reminders to call !out and to take breaks

Fell free to join us at #timetracking-bot:famedly.de . As soon as the repo gets opened up to public we will announce it in TWIM. Feel free to give suggestions or wishes in our room :)

Get it at: https://gitlab.com/famedly/bots/timetracking

🔗Dept of Ping 🏓

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server. Join #ping:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.

Rank	Hostname	Median MS
1	envs.net	297
2	neko.dev	297.5
3	maescool.be	346
4	sorunome.de	396
5	apetre.sc	439.5
6	maunium.net	503
7	midov.moe	520.5
8	matrix.sp-codes.de	603
9	matrix.thedisco.zone	608
10	casavant.org	609

🔗That's all I know 🏁

See you next week, and be sure to stop by #twim:matrix.org with your updates!

Synapse 1.23.0 released

18.11.2020 00:00 — Releases — Dan Callahan

Reminder: On Monday, we will be announcing a denial of service vulnerability which affects Synapse versions prior to 1.20.0. If you have not upgraded recently, please do so.

Synapse 1.23.0 now available!

For Synapse admins, this release support generating structured logs via the standard logging configuration (#8607, #8685). This may require changing your synapse configuration; see the upgrade notes for more information.

We've also added many new Admin APIs, contributed by @dklimpel:

Add API to get information about uploaded media (#8647)
Add API for local user media statistics (#8700)
Make it possible to delete files that were not used for a defined time (#8519)
Split API for reported events into detail and list endpoints. This is a breaking change to #8217 which was introduced in Synapse v1.21.0. Those who already use this API should check their scripts (#8539)
Allow server admins to list users' notification pushers (#8610, #8689)

Lastly, Synapse 1.23.0 addresses some significant bugs, including regressions in the SQLite-to-PostgreSQL database porting script (#8729, #8730, #8755) and an issue which could prevent Synapse from recovering after losing its connection to its database (#8726). Synapse will also reject ACL modifications from clients which would otherwise cause a server to ban itself from a room (#8708).

Installation instructions are available on GitHub, as is the v1.23.0 release tag.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including @chagai95 and @dklimpel.

The full changelog for 1.23.0 is as follows:

🔗Synapse 1.23.0 (2020-11-18)

This release changes the way structured logging is configured. See the upgrade notes for details.

Note: We are aware of a trivially exploitable denial of service vulnerability in versions of Synapse prior to 1.20.0. Complete details will be disclosed on Monday, November 23rd. If you have not upgraded recently, please do so.

🔗Bugfixes

Fix a dependency versioning bug in the Dockerfile that prevented Synapse from starting. (#8767)

🔗Synapse 1.23.0rc1 (2020-11-13)

🔗Features

Add a push rule that highlights when a jitsi conference is created in a room. (#8286)
Add an admin api to delete a single file or files that were not used for a defined time from server. Contributed by @dklimpel. (#8519)
Split admin API for reported events (GET /_synapse/admin/v1/event_reports) into detail and list endpoints. This is a breaking change to #8217 which was introduced in Synapse v1.21.0. Those who already use this API should check their scripts. Contributed by @dklimpel. (#8539)
Support generating structured logs via the standard logging configuration. (#8607, #8685)
Add an admin API to allow server admins to list users' pushers. Contributed by @dklimpel. (#8610, #8689)
Add an admin API GET /_synapse/admin/v1/users/<user_id>/media to get information about uploaded media. Contributed by @dklimpel. (#8647)
Add an admin API for local user media statistics. Contributed by @dklimpel. (#8700)
Add displayname to Shared-Secret Registration for admins. (#8722)

🔗Bugfixes

Fix fetching of E2E cross signing keys over federation when only one of the master key and device signing key is cached already. (#8455)
Fix a bug where Synapse would blindly forward bad responses from federation to clients when retrieving profile information. (#8580)
Fix a bug where the account validity endpoint would silently fail if the user ID did not have an expiration time. It now returns a 400 error. (#8620)
Fix email notifications for invites without local state. (#8627)
Fix handling of invalid group IDs to return a 400 rather than log an exception and return a 500. (#8628)
Fix handling of User-Agent headers that are invalid UTF-8, which caused user agents of users to not get correctly recorded. (#8632)
Fix a bug in the joined_rooms admin API if the user has never joined any rooms. The bug was introduced, along with the API, in v1.21.0. (#8643)
Fix exception during handling multiple concurrent requests for remote media when using multiple media repositories. (#8682)
Fix bug that prevented Synapse from recovering after losing connection to the database. (#8726)
Fix bug where the /_synapse/admin/v1/send_server_notice API could send notices to non-notice rooms. (#8728)
Fix PostgreSQL port script fails when DB has no backfilled events. Broke in v1.21.0. (#8729)
Fix PostgreSQL port script to correctly handle foreign key constraints. Broke in v1.21.0. (#8730)
Fix PostgreSQL port script so that it can be run again after a failure. Broke in v1.21.0. (#8755)

🔗Improved Documentation

Instructions for Azure AD in the OpenID Connect documentation. Contributed by peterk. (#8582)
Improve the sample configuration for single sign-on providers. (#8635)
Fix the filepath of Dex's example config and the link to Dex's Getting Started guide in the OpenID Connect docs. (#8657)
Note support for Python 3.9. (#8665)
Minor updates to docs on running tests. (#8666)
Interlink prometheus/grafana documentation. (#8667)
Notes on SSO logins and media_repository worker. (#8701)
Document experimental support for running multiple event persisters. (#8706)
Add information regarding the various sources of, and expected contributions to, Synapse's documentation to CONTRIBUTING.md. (#8714)
Migrate documentation docs/admin_api/event_reports to markdown. (#8742)
Add some helpful hints to the README for new Synapse developers. Contributed by @chagai95. (#8746)

🔗Internal Changes

Optimise /createRoom with multiple invited users. (#8559)
Implement and use an @lru_cache decorator. (#8595)
Don't instantiate Requester directly. (#8614)
Type hints for RegistrationStore. (#8615)
Change schema to support access tokens belonging to one user but granting access to another. (#8616)
Remove unused OPTIONS handlers. (#8621)
Run mypy as part of the lint.sh script. (#8633)
Correct Synapse's PyPI package name in the OpenID Connect installation instructions. (#8634)
Catch exceptions during initialization of password_providers. Contributed by Nicolai Søborg. (#8636)
Fix typos and spelling errors in the code. (#8639)
Reduce number of OpenTracing spans started. (#8640, #8668, #8670)
Add field total to device list in admin API. (#8644)
Add more type hints to the application services code. (#8655, #8693)
Tell Black to format code for Python 3.5. (#8664)
Don't pull event from DB when handling replication traffic. (#8669)
Abstract some invite-related code in preparation for landing knocking. (#8671, #8688)
Clarify representation of events in logfiles. (#8679)
Don't require hiredis package to be installed to run unit tests. (#8680)
Fix typing info on cache call signature to accept on_invalidate. (#8684)
Fail tests if they do not await coroutines. (#8690)
Improve start time by adding an index to e2e_cross_signing_keys.stream_id. (#8694)
Re-organize the structured logging code to separate the TCP transport handling from the JSON formatting. (#8697)
Use Python 3.8 in Docker images by default. (#8698)
Remove the "draft" status of the Room Details Admin API. (#8702)
Improve the error returned when a non-string displayname or avatar_url is used when updating a user's profile. (#8705)
Block attempts by clients to send server ACLs, or redactions of server ACLs, that would result in the local server being blocked from the room. (#8708)
Add metrics the allow the local sysadmin to track 3PID /requestToken requests. (#8712)
Consolidate duplicated lists of purged tables that are checked in tests. (#8713)
Add some mdui:UIInfo element examples for saml2_config in the homeserver config. (#8718)
Improve the error message returned when a remote server incorrectly sets the Content-Type header in response to a JSON request. (#8719)
Speed up repeated state resolutions on the same room by caching event ID to auth event ID lookups. (#8752)

Dendrite 0.3.0 released

16.11.2020 17:44 — Releases — Matthew Hodgson

Hi all,

Heads up that we just cut another beta release of Dendrite - now at 0.3.0!

This is a really fun release given almost all the changes are contributed from the wider community - so huge thanks to S7evinK, MayeulC and felix!

The main new feature is full Read Receipt support thanks to S7evinK, which makes an enormous perceptual improvement when using Dendrite - so especial thanks are due there :)

So, if you're interested in helping us test, please spin up a copy from https://github.com/matrix-org/dendrite and let us know how it goes - and if you're already running one, now is an excellent time to upgrade!

Full changelog (including 0.2.1, which we forgot to blog about) follows:

🔗Dendrite 0.3.0 (2020-11-16)

🔗Features

Read receipts (both inbound and outbound) are now supported (contributed by S7evinK)
Forgetting rooms is now supported (contributed by S7evinK)
The -version command line flag has been added (contributed by S7evinK)

🔗Fixes

User accounts that contain the = character can now be registered
Backfilling should now work properly on rooms with world-readable history visibility (contributed by MayeulC)
The gjson dependency has been updated for correct JSON integer ranges
Some more client event fields have been marked as omit-when-empty (contributed by S7evinK)
The build.sh script has been updated to work properly on all POSIX platforms (contributed by felix)

🔗Dendrite 0.2.1 (2020-10-22)

🔗Fixes

Forward extremities are now calculated using only references from other extremities, rather than including outliers, which should fix cases where state can become corrupted (#1556)
Old state events will no longer be processed by the sync API as new, which should fix some cases where clients incorrectly believe they have joined or left rooms (#1548)
More SQLite database locking issues have been resolved in the latest events updater (#1554)
Internal HTTP API calls are now made using H2C (HTTP/2) in polylith mode, mitigating some potential head-of-line blocking issues (#1541)
Roomserver output events no longer incorrectly flag state rewrites (#1557)
Notification levels are now parsed correctly in power level events (gomatrixserverlib#228, contributed by Pestdoktor)
Invalid UTF-8 is now correctly rejected when making federation requests (gomatrixserverlib#229, contributed by Pestdoktor)

This Week in Matrix 2020-11-13

13.11.2020 00:00 — This Week in Matrix — Ben Parsons

🔗Matrix Live 🎙

This marks the start of Season 6 of Matrix Live (S06E01), a decision M+A apparently made on the fly just now. Incrementing a mostly-arbitrary counter... Imagine wielding that kind of raw power!

🔗Dept of Status of Matrix 🌡️

🔗IETF three-way bridge

Matthew reported:

The IETF have been continuing to experiment with new chat systems, and #xmpp_bridgingmeta_jabber.ietf.org:matrix.org exists as a three-way bridge to discuss the initiative spanning Matrix, XMPP & Zulip. Really fun to see open chat converging like this :)

🔗Dept of Science 🧪

🔗Analysis of the Matrix Event Graph Replicated Data Type

Florian announced:

Fresh off the arXiv presses comes our

“Analysis of the Matrix Event Graph Replicated Data Type” preprint! This time, it is a deep dive into the data structure properties of the event graph:

What type of consistency guarantees does it provide, how many of the other homeservers you share a room with can be faulty or malicious without violating those guarantees (short answer: all of them!),

and how is it possible that a frayed-out event graph ever laces back to just a few current events, while there is a probability larger than zero for growth to arbitrarily high limits?

To shed light on those questions, we had a great cooperation between my Decentralized Systems and Network Services Research Group and Prof. Dr. Norbert Henze from the Institute of Stochastics.

While we are still in search of the right venue for peer-reviewed publication, we went for a preprint this time to share our results with the scientific and the Matrix community in a timely manner.

In this figure, k is the number of participating servers, U_n is the current width of the event graph.

For example, with a current width of U_n = 1000 events and k = 200 servers, we can expect that the width goes below E(U_{n+1}) < 600 events in just one step.*

🔗Dept of Spec 📜