Voting has started for the Governing Board elections and runs till May 31 – but don't delay, vote today! 🗳 Huge thanks to all of the nominees who have thrown their hat in the ring.
All eligible voters should have received an email from the election system. All of the results will be published on the blog on June 3. Read our announcement post or visit our election center for more info.
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
MSCs in Final Comment Period:
Accepted MSCs:
Closed MSCs:
Spec Updates
As an early heads up, Trust & Safety at the Foundation is working on an important update to Matrix, MSC3916 - Authenticated Media. This change will mean that all clients (and servers) will need to present a valid access token in their Authentication header to access media - which is critical to ensure that URLs are only visible to the correct users, and prevents abuse of Matrix for hosting binaries. More details will be published as we work to get everything released - we wanted to get the information out there as early as possible in the meantime. Let us know if you have any questions.
Matrix.org plans to freeze unauthenticated media endpoints within a couple of months after the spec release, which is expected in the next few weeks. "Freezing" means that media uploaded or cached before the freeze will remain accessible via unauthenticated endpoints indefinitely, but any media cached or uploaded after the freeze will require authentication. The unauthenticated endpoints will be deprecated but will still serve old media on matrix.org.
To ensure a smooth transition, we encourage you to start testing against the unstable endpoints and unreleased server builds. The changes for Synapse are being developed here, and for MMR here. Both are expected to release their changes soon. Once MSC3916 passes FCP, stable endpoints will become available. While releasing unstable support to users isn't required, having patches ready will help speed up the rollout.
We know this is a quicker rollout than usual, but with your help, we can improve user safety and security across the ecosystem. Most clients should find this update straightforward, but if issues are encountered, please reach out in #matrix-client-developers:matrix.org or on the MSC discussion. The team is monitoring the room to help clients adopt the change.
Web browser clients might face the most challenges, given the need to specify an Authentication HTTP header on media requests, so reviewing this pull request and its dependencies could provide useful implementation insights.
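The difficulty for browser clients is that an `<img src>` cannot attach a header, so media has to be fetched by script with the token in the HTTP `Authorization` header and handed to the page as a blob URL. The following is an added example, not code from the Matrix project or the linked pull request; the download path is an assumption based on the stable endpoint proposed in MSC3916, and the function names are hypothetical.

```javascript
// Assumption: stable download path proposed by MSC3916 (not named on this page).
const MEDIA_PREFIX = "/_matrix/client/v1/media/download";

// Conservative mxc:// parser: host (or [IPv6]) with optional port, then a
// media ID limited to URL-safe characters, so the URI cannot change the path.
const MXC_RE =
  /^mxc:\/\/((?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9][A-Za-z0-9.-]*)(?::\d{1,5})?)\/([A-Za-z0-9_-]+)$/;

function parseMxc(mxc) {
  const m = MXC_RE.exec(mxc);
  if (!m) throw new Error("not a valid mxc:// URI");
  return { serverName: m[1], mediaId: m[2] };
}

// Build the request against the user's own homeserver. The token goes in the
// Authorization header only, never in the URL, so a copied or logged URL
// grants nothing to whoever sees it.
function buildMediaRequest(homeserver, mxc, accessToken, prefix = MEDIA_PREFIX) {
  const base = new URL(homeserver);
  if (base.protocol !== "https:") throw new Error("homeserver must use https");
  const { serverName, mediaId } = parseMxc(mxc);
  const path = `${prefix}/${encodeURIComponent(serverName)}/${encodeURIComponent(mediaId)}`;
  return {
    url: new URL(path, base.origin).href,
    init: {
      headers: { Authorization: `Bearer ${accessToken}` },
      credentials: "omit", // no cookies; the bearer token is the only credential
    },
  };
}

// Fetch the media and return a blob: URL that an <img> or <video> can use.
// The caller should release it with URL.revokeObjectURL when done.
async function loadMediaAsObjectUrl(homeserver, mxc, accessToken) {
  const { url, init } = buildMediaRequest(homeserver, mxc, accessToken);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`media request failed: HTTP ${res.status}`);
  return URL.createObjectURL(await res.blob());
}
```

Pass a different `prefix` to `buildMediaRequest` when testing against a server that only exposes the unstable endpoints.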
Thank you for your support. If you have any questions, let us know. We look forward to a smooth transition with minimal user-visible impact 🙂