Call for Participation to the FOSDEM 2025 Matrix Devroom

05.11.2024 16:00 — General, Conferences, FOSDEMThib

Hello everyone,

The Matrix.org Foundation is excited to host a Matrix.org Foundation and Community devroom in person next year again at FOSDEM! Half a day of talks, demos and workshops around Matrix itself and projects built on top of Matrix.

We encourage people working on the Matrix protocol or building on it in an open source project to submit a proposal! Note that companies are welcome to talk about the Matrix details of their open source projects, but marketing talks are not welcome.

Continue reading…

This Week in Matrix 2024-11-01

01.11.2024 00:00 — This Week in MatrixMTRNord

🔗Dept of Status of Matrix 🌡️

🔗Matrix 2.0

Matthew reports

We've also announced Matrix 2.0 as now being usable by mainstream users, to complement the keynote from The Matrix Conference - giving an update on all the APIs that will form Matrix 2.0! https://matrix.org/blog/2024/10/29/matrix-2.0-is-here/

🔗The wait is over, videos from The Matrix Conference 2024 are here

Matthew reports

The Matrix Conference talk videos have been published - check them out at https://2024.matrix.org/watch/ and see Josh's round-up of the conference at https://matrix.org/blog/2024/10/29/matrixconf/

🔗Dept of Spec 📜

uhoreg says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

MSCs in Final Comment Period:

Accepted MSCs:

Closed MSCs:

  • No MSCs were closed/rejected this week.

Continue reading…

The wait is over, videos from The Matrix Conference 2024 are here!

29.10.2024 16:00 — ConferenceJosh Simmons

PHEW! One month later and I’m still buzzing from the inaugural Matrix Conference in Berlin. This was the first time we’ve gathered such a broad cross-section of the ecosystem both upstream and downstream, bringing together contributors, vendors, and end-users in the same place at the same time.

The result was a fantastic demonstration of how much we can learn from each other, how much progress we’ve made, and how valuable it is to have The Matrix.org Foundation as an ecosystem steward that can bring us all together.

When we were planning the conference, we weren’t sure how big the demand would be. Having hit capacity and sold out of tickets weeks before the event, we know to aim higher next time! We’ll get a larger venue next year, but it was very gratifying to have sessions where the room was literally full!

You could really feel the energy: all told, we had 236 participants from 12 countries across 3 continents, representing 79 different organisations, join us across 4 days of events featuring 52 speakers.

You can find the slides and video recordings on the website, or see the photo albums.

Thumbnails of all the conference talks

Thumbnails of all the conference talks

And the world noticed, with press in The Guardian, Heise, and Fast Company.

Continue reading…

Matrix 2.0 Is Here!

29.10.2024 00:00 — GeneralMatthew Hodgson

Hi all,

Since the outset of Matrix, our aim has always been to provide a protocol that lets you build open, decentralised, secure communication apps which outperform the mainstream centralised alternatives. It’s been a twisty journey - first focusing on making Matrix work at all (back in 2014), and then getting it out of beta with Matrix 1.0 in 2019, and now focusing on making Matrix fast, usable and mainstream-ready with Matrix 2.0.

Meanwhile, the pendulum of decentralisation continues to accelerate in our direction. Our friends at Bluesky have shown that it’s possible to build decentralised social apps which are mainstream friendly enough for Presidents to recommend them; Elon continues to destroy Twitter and showcase the importance of decentralisation to everyone, and even Meta is dabbling in decentralised social media (and decentralised communication!)

So, where does Matrix sit in all this? Well, in order to make the transition to mainstream, we’ve been beavering away to implement four main pillars in Matrix 2.0:

  1. Instant login, instant launch, and instant sync (aka Simplified Sliding Sync, MSC4186)
  2. Next Generation Auth (aka Native OIDC, MSC3861)
  3. Native Matrix Encrypted Multiparty VoIP/Video (aka MatrixRTC, MSC4143)
  4. Invisible Encryption (MSC4153 & friends).

Continue reading…

This Week in Matrix 2024-10-25

25.10.2024 00:00 — This Week in MatrixThib

🔗Matrix Live

🔗Dept of Spec 📜

Andrew Morgan (anoa) {he/him} says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

MSCs in Final Comment Period:

Accepted MSCs:

  • No MSCs were accepted this week.

Closed MSCs:

  • No MSCs were closed/rejected this week.

🔗Spec Updates

Steady progress across a range of MSCs this week. I'm particularly excited to see MSC2409 to reach FCP given its widespread use. Perhaps MSC4203: Sending to-device events to appservices is next?

Continue reading…

This Week in Matrix 2024-10-18

18.10.2024 00:00 — This Week in MatrixThib

🔗Dept of Social Good 🙆

spaetz says

The German Data Protection Officer is creating a catalogue of criteria to assess messengers. They still take feedback till Nov 15. List of criteria is available in German and English.

Toot: https://social.bund.de/@bfdi/113306169664247379

English criterion pdf link is: https://www.bfdi.bund.de/SharedDocs/Downloads/EN/Konsultationsverfahren/3_Messengerdienste/Katalog-SMA-Front-End.pdf?__blob=publicationFile&v=2

🔗Dept of Spec 📜

TravisR says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

MSCs in Final Comment Period:

  • No MSCs are in FCP.

Accepted MSCs:

Closed MSCs:

🔗Spec Updates

Matrix 1.12 went out last week! This release contains a few Trust & Safety improvements, bug fixes for authenticated media, an ability to mark rooms as unread, and several other quality of life features. Check it out, and get an early preview for what the next release might look like 👀

If there's something you'd like the Spec Core Team to take a look at, let us know in our office room: #sct-office:matrix.org

Continue reading…

Security disclosure for matrix-js-sdk (CVE-2024-47080) and matrix-react-sdk (CVE-2024-47824)

15.10.2024 11:39 — SecurityMatrix.org Security Team

Hi all,

We are disclosing two high-severity vulnerabilities in matrix-js-sdk and matrix-react-sdk related to MSC3061, which specifies sharing room keys with newly invited users for message history access.

🔗Affected versions

🔗Vulnerability details

When inviting a user to an encrypted room, in the legacy (pre-Rust) encryption implementation, matrix-react-sdk forwarded existing message keys to the newly invited user so they could decrypt shared message history as per MSC3061. The implementation is provided by matrix-js-sdk, which incorrectly applied the same rules for sending existing keys to the invited user as for sending new keys, which allows them to be sent to unverified devices and unverified users. While there's always some risk of key exposure to a server-side attacker when you're interacting with unverified users, the risk is higher for historical keys.

🔗Root cause and remediation

The root cause of the matrix-react-sdk vulnerability is a function call into vulnerable functionality implemented in the matrix-js-sdk. The matrix-react-sdk vulnerability was addressed earlier, in matrix-react-sdk version 3.102.0, by removing the call. The matrix-js-sdk vulnerability will be addressed in version 34.8.0 to remove the vulnerable functionality completely. Because of these differences, two separate advisories were warranted.

Note that the vulnerability is only present in the matrix-js-sdk when running the old, non-Rust encryption stack. The vulnerable functionality was never implemented in the Rust-based stack. As a result, clients using the matrix-js-sdk in Rust crypto mode (i.e. calling initRustCrypto rather than initCrypto) are not vulnerable, even if on a nominally vulnerable version.

Furthermore, matrix-android-sdk2 and matrix-ios-sdk have similar functionality that is gated behind an experimental setting—we recommend avoiding use of this setting, though there are no specific advisories since the feature has only been available in an experimental state.

🔗Proposed specification changes

To fix this functionality in terms of the specification process, we will open an MSC to explicitly clarify that MSC3061 key forwarding should only forward keys to verified devices owned by verified users, ensuring that historical keys are never shared with untrusted devices. This also encourages users to verify each other to enable reading message history, thereby improving Matrix security against interception.

🔗Note on project ownership

The matrix-react-sdk is no longer a Foundation project but that of Element and has been moved to https://github.com/element-hq/matrix-react-sdk. However, the vulnerability in question was introduced, found and patched while it was still under Foundation ownership. For this reason, the Matrix.org Security team decided to treat this as a Foundation advisory. Future advisories for matrix-react-sdk (if any) will come from Element.

Matrix v1.12 release

07.10.2024 19:53 — Releases, SpecTravis Ralston

Hey all,

Welcome to the Matrix 1.12! It’s been just over 3 months since Matrix 1.11 introduced authenticated media, and today we’re bringing more Trust & Safety features to the ecosystem, alongside the normal clarifications and general improvements to the protocol. This release is also technically a few days late on the quarter, but it’s for good reason! Folks from across the ecosystem got together in Berlin for the Matrix Conference, and after things wrapped up we were busy following up on ideas started on site. We can’t wait to see all of these ideas materialize as MSCs, but in the meantime, back to the honorary Q3 release of the spec:

Matrix 1.12 marks the recommended date for all servers to enable their media freeze, similar to matrix.org’s back in early September 2024. Servers which haven’t yet enabled their media freeze are strongly encouraged to do so, if it makes sense for their users. Matrix 1.12 also brings some improvements and clarifications to authenticated media, and a total of 9 MSCs covering a wide range of features.

Read on for a few highlights, and the full changelog at the end of this post.

Continue reading…

This Week in Matrix 2024-10-04

04.10.2024 00:00 — This Week in MatrixMTRNord

🔗Matrix Live

🔗Dept of Spec 📜

🔗The weekly spec update

Andrew Morgan (anoa) {he/him} announces

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.

🔗MSC Status

New MSCs:

MSCs in Final Comment Period:

Accepted MSCs:

Closed MSCs:

  • No MSCs were closed/rejected this week.

🔗Spec Update

Lots of interesting MSCs came in this week! Note that last week's are also listed as the spec update was skipped.

A swath are looking to improve moderation in Matrix, while others aiming to improve the story around notifications and end-to-end encrypted bridges. There's also been lots of discussion on the hot MSC4133: Extending User Profile API with Key:Value pairs, which can be built upon with spec'd profile fields such as m.timezone (MSC4175).

MSC4208 is the result of splitting out the custom fields portion of that MSC, as it was determined that that portion of MSC4133 needed further discussion before merging.

Finally, MSC4189: Allowing guests to access uploaded media being merged closes one of the final gaps with the authenticated media epic.

Continue reading…