Hey hey, Synapse 1.2.0 is here. It contains aggregations support, better error handling for deactivated accounts and some important bug fixes for redacting messages. Special thanks to community members skalarproduktraum and Lrizika for submissions to improve our documentation.

As ever, you can get the new update here or any of the sources mentioned at https://github.com/matrix-org/synapse. Note, Synapse is now available from PyPI, pick it up here. Also, check out our Synapse installation guide page

The changelog since 1.1.0 follows:

🔗Synapse 1.2.0 (2019-07-25)

No significant changes.

🔗Synapse 1.2.0rc2 (2019-07-24)

🔗Bugfixes

• Fix a regression introduced in v1.2.0rc1 which led to incorrect labels on some prometheus metrics. (#5734)

🔗Synapse 1.2.0rc1 (2019-07-22)

🔗Features

• Add support for opentracing. (#5544, #5712)
• Add ability to pull all locally stored events out of synapse that a particular user can see. (#5589)
• Add a basic admin command app to allow server operators to run Synapse admin commands separately from the main production instance. (#5597)
• Add sender and origin_server_ts fields to m.replace. (#5613)
• Add default push rule to ignore reactions. (#5623)
• Include the original event when asking for its relations. (#5626)
• Implement session_lifetime configuration option, after which access tokens will expire. (#5660)
• Return "This account has been deactivated" when a deactivated user tries to login. (#5674)
• Enable aggregations support by default (#5714)

🔗Bugfixes

• Fix 'utime went backwards' errors on daemonization. (#5609)
• Various minor fixes to the federation request rate limiter. (#5621)
• Forbid viewing relations on an event once it has been redacted. (#5629)
• Fix requests to the /store_invite endpoint of identity servers being sent in the wrong format. (#5638)
• Fix newly-registered users not being able to lookup their own profile without joining a room. (#5644)
• Fix bug in #5626 that prevented the original_event field from actually having the contents of the original event in a call to /relations. (#5654)
• Fix 3PID bind requests being sent to identity servers as application/x-form-www-urlencoded data, which is deprecated. (#5658)
• Fix some problems with authenticating redactions in recent room versions. (#5699, #5700, #5707)
• Ignore redactions of m.room.create events. (#5701)

🔗Updates to the Docker image

• Base Docker image on a newer Alpine Linux version (3.8 -> 3.10). (#5619)
• Add missing space in default logging file format generated by the Docker image. (#5620)

🔗Improved Documentation

• Add information about nginx normalisation to reverse_proxy.rst. Contributed by @skalarproduktraum - thanks! (#5397)
• --no-pep517 should be --no-use-pep517 in the documentation to setup the development environment. (#5651)
• Improvements to Postgres setup instructions. Contributed by @Lrizika - thanks! (#5661)
• Minor tweaks to postgres documentation. (#5675)

🔗Deprecations and Removals

• Remove support for the invite_3pid_guest configuration setting. (#5625)

🔗Internal Changes

• Move logging code out of synapse.util and into synapse.logging. (#5606, #5617)
• Add a blacklist file to the repo to blacklist certain sytests from failing CI. (#5611)
• Make runtime errors surrounding password reset emails much clearer. (#5616)
• Remove dead code for persiting outgoing federation transactions. (#5622)
• Add lint.sh to the scripts-dev folder which will run all linting steps required by CI. (#5627)
• Move RegistrationHandler.get_or_create_user to test code. (#5628)
• Add some more common python virtual-environment paths to the black exclusion list. (#5630)
• Some counter metrics exposed over Prometheus have been renamed, with the old names preserved for backwards compatibility and deprecated. See docs/metrics-howto.rst for details. (#5636)
• Unblacklist some user_directory sytests. (#5637)
• Factor out some redundant code in the login implementation. (#5639)
• Update ModuleApi to avoid register(generate_token=True). (#5640)
• Remove access-token support from RegistrationHandler.register, and rename it. (#5641)
• Remove access-token support from RegistrationStore.register, and rename it. (#5642)
• Improve logging for auto-join when a new user is created. (#5643)
• Remove unused and unnecessary check for FederationDeniedError in _exception_to_failure. (#5645)
• Fix a small typo in a code comment. (#5655)
• Clean up exception handling around client access tokens. (#5656)
• Add a mechanism for per-test homeserver configuration in the unit tests. (#5657)
• Inline issue_access_token. (#5659)
• Update the sytest BuildKite configuration to checkout Synapse in /src. (#5664)
• Add a docker type to the towncrier configuration. (#5673)
• Convert synapse.federation.transport.server to async. Might improve some stack traces. (#5689)
• Documentation for opentracing. (#5703)

It was drawn to our attention this afternoon that there is a bug in our GDPR data portability tooling that resulted in the data dump including some events that should not have been included.

This tooling has recently been updated (here is the new code), and the bug only affects reports generated with the updated tool. So far we have generated one report using the updated tooling.

The bug affects events which:

• were sent in rooms in which, at the point at which the message was sent, the message visibility was set to 'shared' or 'world readable', and
• were pulled in over federation from another server after the data subject left the room

As a reminder, 'shared' message visibility means anyone in the room can view the message, from the point in time at which visibility was set to 'shared' and 'world readable' means anyone can read the messages without joining the room, from the point in time at which visibility was set to 'world readable'.

Events are pulled onto a homeserver over federation when a user on that homeserver tries to access events which, for whatever reason, their homeserver does not already have a local copy. This most often happens when their homeserver is offline for any period of time, but can also happen when a user is the first user from their homeserver to join a room with active participants on other homeservers.

We're still analysing the data but so far it looks like the bug resulted in only a small number of events that were not publicly-accessible being shared (there were also publicly-accessible events mistakenly included). At this stage we have identified 19 events from 4 users across 2 rooms (the dump contained ~3.5 million events). This is not to diminish the severity of the bug - just to reassure that the scale of its impact appears to be extremely limited.

It is also worth noting that any encrypted events erroneously included in the dump will not have been decryptable (since the data subject would not have had access to the keys).

🔗Update (2019-08-06)

In our original analysis we stated that 19 events were shared erroneously. On closer analysis we missed 5 other timeline events - the correct figure is 24 timeline events originating from 4 users over 2 rooms. However, this figure focused on timeline data and does not take into account all state events (such as user joins, parts, topic changes etc). When considering these too, a further 56 state events were erroneously shared, referencing 64 users across these 2 rooms (mainly detailing when users had joined/left the room after the requesting user themselves had left). These membership events contained avatar & display name details which may not have been public (but in practice, the vast majority appear to be public data).

Aside from the events referenced above, the full dump contained ~20,000 events that also ought not to have been included; however these events were already publicly accessible due to being part of publicly accessible rooms (eg Matrix HQ) and so we do not consider them a breach of data.

🔗What caused the bug?

Events that are pulled in over federation are assigned a negative 'stream ordering' ID. This is designed to avoid their being sent down the sync (where they would likely be out of sequence). In normal operation (accessing your homeserver via a Matrix client) these events would be appropriately filtered, but a bug in the data dump tooling caused them to be included.

The bug was introduced as a result of two factors:

• The event filtering code assumes that the user is currently in the room - this was not intuitive, and was not called out in the documentation
• When we fetched the events from the database, we tried to limit to events sent before the user left the room. On reflection, we used the wrong ordering mechanism (stream ordering instead of topological ordering), resulting in the inclusion of events that were fetched from a remote server after the data subject had left

We are working to fix the bug, and we'll update here when it is resolved. As a reminder, please do report security bugs responsibly as per the Security Disclosure Policy so we can validate the issue and mitigate abuse.

As is standard practice for any data breach, we have notified the ICO.

As a step towards implementing Terms of Service for Sydent Identity Servers (MSC2140), we're rolling out a couple of changes to the two Identity Servers run by New Vector (running at vector.im and matrix.org):

1. We have erased all of the data where there is any chance that the data subject didn't understand how, why or with whom their data was being shared.
2. We've made a change to Sydent so that it no longer persists new associations relating to users on homeservers not run by New Vector.

The impact of these changes is that users on homeservers not run by New Vector will no longer be discoverable by their email or telephone number via the Identity Servers running at vector.im and matrix.org. As we roll out the rest of the changes for Terms of Service for Identity Servers, this functionality will again be made available for users who make an informed choice to opt in.

🔗Registration with Email and Password Reset

In the short term, the New Vector Identity Servers will continue to support registration with email (signing up with an email address as well as a matrix username) and password reset. However, as we continue to improve Identity Server data hygiene practices, we will phase out their use in registration with email and password reset entirely. We have already made the change to Synapse to support password reset without relying on an Identity Server (though this can optionally be re-enabled).

Once Synapse can support registration with email without relying on an Identity Server we will announce a schedule for disabling registration with email and password reset in our Identity Servers entirely. After this point, homeserver administrators will have to make sure their homeservers are configured to send email to keep registration with email and password reset working. More details on this to follow - please watch this space.

🔗Matrix Live Smörgåsbord 🎙

Featuring: Open Tracing, Synapse, Dendrite and Riot Web

🔗Dept of Spec 📜

🔗Spec News

• MSC2181: Add an Error Code for Signaling a Deactivated User
  • New MSC, with FCP proposed.
  • Will allow matrix clients to differentiate between incorrect password entry and a user who has been deactivated.
• MSC2174: Move the redacts key to a sane place
• MSC2175: Remove the creator field from m.room.create events
• MSC2176: Update the redaction rules
  • richvdh storms in with 3 MSCs to fix some old spec issues relating to event redactions.
• MSC2184: Allow the use of the HTML <details> tag
  • ananace’s first MSC!
  • Allowing expandable content within messages.
  • Would be very useful for logs dumps, bot help messages and for posting other large content without spamming the room.

🔗(not quite matrix) feneas call for comments on spec for metadata

jaywink:

<community-hat>
I'm working on a specification for exporting metadata and usage metrics out of federated servers. The aim is that the same specification could be re-used cross-protocol for example with not only Matrix servers but also ActivityPub, Diaspora and XMPP servers, as an example. Looking for comments here: https://talk.feneas.org/t/serverinfo-specification-for-server-metadata/99
</community-hat>

🔗Dept of Servers 🏢

🔗Dendrite

anoa:

🔗Feature Updates

Dendrite continues along with more development from anoa, our resident GSoC student cnly, and a few community members. cnly has been working mainly on fixing up /sync issues and other areas of the CS API, fixing the various federation issues, mainly those dealing with room state, and various other maintenance tasks around the codebase that are highly appreciated. peekay_46 has been hard at work completing Dendrite’s implementation of room tagging and trion129 returned to continue with adding a fallback page for recaptcha (for clients that can’t render web pages). We have a number of community PRs still with active members, but most are waiting for reviews, which anoa is working towards.

🔗The Plan

A couple TWIMs ago we teased that Dendrite had a plan in the works. Well one meeting later and here is the proposal:

It will take a while for Dendrite to become feature complete with Synapse, but we’d like people to be able to actually use Dendrite before then. Instead of waiting for feature-completeness, we propose a set of milestones for Dendrite development to reach and prioritize development for.

These milestones are currently listed on Dendrite’s github. The first is “Bot Hosting”, which means, once complete, Dendrite would be suitable as a “bot hub”, allowing server admins to run massive bridges on top of Dendrite while taking advantage of its horizontal-scaling capabilities. As written in the description, this goal includes basic CS API support, as well as federation with other homeservers. At this stage Dendrite should already be usable in rooms with other Synapse servers, which should make it a lot more interesting.

After that is several more milestones, each representing another use case that Dendrite can fill.

Don’t be alarmed at the currently quite small percentage of completeness, as these milestones have just been built from the open issue list. We’re actually quite far along to #1 already :)

We also want to mention that the milestones aren’t completely built yet - there’s still a few more issues to comb through. It’s taken a few days as anoa can’t help himself to fix things as he goes along. A few open issues have also been closed as they had already been fixed earlier.

This is all mentioned in this week’s Matrix Live above by the way, so be sure to catch for some extra details if you’re interested.

We look forward to shipping you a working Dendrite soon™. And as always feel free to join us in #dendrite-dev:matrix.org for discussion.

🔗Synapse

Neil, who oversees the Synapse factory:

This week we’ve been working on improving database performance, shipping the new small hosted homeserver instances - expect a lot of improvements to come that will benefit the whole community and merged our recent OpenTracing support. We’ve also made some changes to how Sydent processes and stores email - more details here https://matrix.org/blog/2019/07/19/privacy-changes-to-new-vector-identity-servers

Next week, expect a new release, more database performance improvements and general Synapse performance work.

Listen to Matrix Live to hear Erik talking about his DB perf work ☝️

🔗Ruma

This Week in Ruma, from Jimmy:

...
While I was working on ruma-signatures, I decided to fill in the missing functionality—signing and verifying events. In the process of doing that, I ended up with a significantly revised API for the crate, which has now been released as version 0.5.0.
...

🔗Dept of SDKs and Frameworks 🏗

🔗New release of matrix-nio (Python SDK)

poljar said:

New matrix-nio release bringing you documentation improvements across the board, while the documentation is still not fully complete yet it should be much easier to get started with nio.
Another highlight of this release is couroutine support for the event callbacks for the AsyncClient.

Take a look at the getting started guide too.

🔗Ruby SDK

Ananace:

I just cut a 1.3.0 release of the Ruby SDK, mainly focusing on solving an issue due to Ruby extensions polluting the global scope. It also adds a very slightly extended response handling, which recursively adds getters for the keys of the resulting objects.
Many thanks to the people reporting issues to me so I can keep improving the SDK.

🔗The Kotlin library koma

yuforia, author of koma and Continuum:

• Fixed incorrect type casting in function KResult.map
• Reorganize the structure of modules, separate APIs that don't require authentication, so that they can be used before signing in

🔗Dept of Bridges 🌉

🔗matrix-appservice-slack

Half-Shot announced:

Today we've released 0.3.0 of the slack bridge since the last rc has proved to be stable. I hope you all enjoy the new features we've packed into this release. And as a reminder, there is another release right around the corner :)

🔗Dept of Clients 📱

🔗RiotX (Android)

From the team (see Matrix Live from last week for more from them):

• RiotX 0.2.0 has been released on Thursday. Main new features: room filtering, message editing in e2e rooms, view editing history. Also many small new features and bugfixes.
  • Full perimeter can be found here: https://github.com/vector-im/riotX-android/milestone/6?closed=1
  • Known limitation: crash on device running Android KitKat (4.4). We are considering supporting only device running Android Lollipop (5.0) and up (see/approve/comment https://github.com/vector-im/riotX-android/issues/405)
• The team is still working on the main missing features: creation of direct chat, read receipt, along with UI/UX polishing.

If you're using Android, definitely start trying RiotX, you can even find it in the Play Store now.

🔗Riot Web

From the team:

Riot v1.3.0 was released with support for reactions and message editing enabled. Check out the Riot blog post for more details. No changes are needed to enable these features for self-hosted installs anymore (which is change from what was stated in last week’s TWIM update).

We’re continuing to work on several privacy improvements to related to integration managers and identity servers to give users more control over these.

🔗Riot Android

From the team:

Riot 0.9.2 has been released on Friday. It contains some bug fixes and new translations for many strings especially for the device verification feature.

🔗Riot iOS

From the team:

• We released v0.9.1 with message editing, reactions and file upload.
• We are continuing to work on reactions (emoji picker).
• We have started to implement soft logout.

🔗FluffyChat

krille:

In the newest update FluffyChat now supports avatars in Push Notifications. Also translations have been updated and some minor design tweaks have been made.

I know that E2EE for FluffyChat is continuing to be worked on, just not quite ready yet.

🔗Continuum, client based on koma

yuforia, author of koma and Continuum:

• Update GUI library openjfx from version 11 to 12
• Rewrite build script in Kotlin, replacing Groovy

🔗Fractal, GNOME client

Alexandre Franke on Fractal:

Several bugs were fixed in the past three weeks. We are also sending typing notifications now. With 4.1.1 out, we’re at the second beta on the way to 4.2.

Also:

some people might be interested in a tweak in our build config that makes it so that crashes are aborts now (i.e. you get a trace and they are not silent anymore)

🔗Spectral

Black Hat is changing Spectral's buildsystem from QMake to CMake.

🔗Dept of Ops 🛠

🔗sendtomatrix script

Madic has created a shell script to send messages to a room:

I've written a linux shell script with which you can send (multiline) messages to a matrix room. It only needs a username / password or access token, server fqdn and roomid as argument or provided by a configuration file. Arguments can overwrite settings from the file, for e.g. using same credentials but different channel. If no access token is provided, a new one will be requested and used to send the message. You can use the script for e.g. cronjobs, nagios notifications or ci pipelines. An example for a cronjob and a nagios notification script is also provided.

I have ended up with an similar file of my own containing a bunch of commented-out curl lines, but this is a lot cleaner!

You may also recall a similar project: matrix-shell-suite (#matrix-shell-suite:matrix.org).

🔗Dept of Bots 🤖

🔗Maths bot(s)

Tim created a bot for rendering Maths:

I was told that people here might be interested: I just wrote a small bot that can reply with PNG renderings of maths (https://github.com/thosgood/matrix-maths-bot)

and then, tulir blatantly ripped him off was inspired to create a maubot providing the LaTeX to SVG rendering: https://github.com/maubot/tex

🔗Dept of Services 🚀

🔗New room for t2bot.io

TravisR, who arranges and hosts the various bots and bridges on t2bot.io:

#news:t2bot.io is now a room for people who want to follow along with news about t2bot.io which might be missed in #help:t2bot.io. Stuff like when bridges are updated and new services will be announced in there. #status:t2bot.io is where service stability is addressed during major problems with the service.

🔗That's all I know 🏁

See you next week, and be sure to stop by #twim:matrix.org with your updates!

Hi all,

If you’ve been looking for a way to have you own Matrix homeserver without having to run it yourself, you may be interested to hear that Modular (the Matrix hosting provider run by New Vector, the startup which hires many of the Matrix core team) is now offering a personal-sized small homeserver hosting service, supporting a minimum size of 5 user servers.

A lot of recent performance work on Synapse has been driven by the need to make smaller dedicated servers more efficient to run - and so if you run your own homeserver you’ll be benefiting from all this work too :) Meanwhile, if you choose to outsource your server hosting to Modular, you’ll be indirectly supporting core Matrix and Synapse development, given most of the core Matrix team work for New Vector - it’s through buying services like this which lets us keep folks able to hack on Matrix as their day job.

See more details over at the Modular blog post!

🔗Matrix Live: RiotX

Nice! Manu and Benoit, who work on the Riot Mobile, discuss the development status of RiotX.

🔗Dept of Servers 🏢

🔗Synapse

A bit of everything this week, we’ve made changes to support the upcoming edits and reactions release, worked on soft log out, experimented with improving general perf for small homeservers, landed open tracing support, improved db query load.
Next week we’ll see about landing the small homeserver perf improvements, work on id hashing in sydent, fix some e2ee bugs (made easier to track down with OpenTracing), do some more database performance work and start gradually rolling out the new Sygnal instance.

🔗Construct

Jason back on it:

This week in Matrix, Construct made the crazy-loading mode of client sync the default. Crazy-loading is an approach to initial sync that goes beyond lazy-loading for a better UX. It's even backwards compatible with clients that don't support lazy-loading.

Construct also made significant progress on implementing version 3 and 4 rooms during the week. This is nearly complete, and should be ready for testing by the weekend.

Good to know there is progress with new room versions as more and more rooms start to be moved over to v4. #zemos-test:matrix.org for testing and more info.

🔗Dendrite

This week we’ve implemented profile retrieval over federation, single event retrieval, room tagging as well as host of bug fixes.
Next week we’ll be looking at state resolution and implementing our latest and greatest algorithm needed by modern room versions.

🔗This Week in Ruma

Jimmy provided This Week in Ruma:

Work continues on the major revamp of ruma-events mentioned in the last update.
...
There are also a few modules that are somewhat blocked on an issue in ring. Some of the types in ruma-events contain types from ruma-signatures which don't implement Clone and PartialEq because they contain types from ring which don't.
...
Rust 1.36 was released, and it includes stabilization of the Future trait, one of the long-awaited building blocks for first-class async support in Rust. [...] the biggest reason for Ruma's development hiatus is waiting for async networking in Rust to mature, and this is one of the final pieces of foundational support we've been waiting for. The remaining pieces are async/await syntax, which is expected in either the next version or the one following it, and finally, waiting for important libraries like Hyper and Tokio, as well as web frameworks, to adopt the new stuff.

🔗Dept of SDKs and Frameworks 🏗

🔗libQuotient gets .well-known support

kitsune:

Thanks to Black Hat, libQuotient gained support of .well-known - a very useful feature to connect to Modular-hosted homeservers!

Also, the first block of E2EE functionality from aa13q has been merged to libQuotient master - so far it's just uploading the keys but receiving messages is already well in the works!

🔗Dept of Bridges 🌉

🔗mautrix-telegram v0.6.0

tulir:

mautrix-telegram v0.6.0 was released. Recent changes include bridging strikethrough, underline and nested formatting to telegram and some bug fixes, including one security fix. Full changelog on GitHub.

Debian 10 was also released recently, which means v0.6 is the last version with Python 3.5 support. Starting from v0.7.0, mautrix-telegram will only support Python 3.6 and up.

mautrix-telegram v0.6.0 also includes Native Matrix edit support, message editing between platforms.

🔗matrix-appservice-slack 0.3.0-rc2

Half-Shot and the Slack-bridge-gang have announced matrix-appservice-slack 0.3.0-rc2

Hi folks, the slack bridge has had another RC release this week 0.3.0-rc2 which has been deployed onto matrix.org :). In other news, we are nearly done with the port of the bridge to Typescript (slated for the 0.4 release) which has allowed us to clean up the codebase significantly and splat a lot of bugs.

I'm for any movement toward TypeScript - seems to be a winner in the JS-world. Says Half-Shot:

I'm a bit fanatical about Typescript, it's objectively better to write things in TS than JS if you have the freedom to do so. It's also allowed us to keep the bug count down on the Discord bridge, so I'm starting to look at the other bridges for typescript support too.

🔗Reliable Bridges GSoC project 🎓

Thanks Kai for this update!

The new Spec proposal MSC2162: Signaling Errors at Bridges landed! It is about adding permanent errors: The ability of bridges to mark events as not delivered to all participants. While there is already code supporting the feature, the Spec process is important for getting everyone on board and finding potential problems with the current approach.

In spite of being a relatively small proposal, there were already a lot of suggestions and directions in which it can evolve. Shoutout and thanks to everyone who already contributed to it with their comments!

Meanwhile on the more practical front a fork of Riot Web was extended to now support the actual visual display of bridge error markings on messages.

See it in action:

🔗Dept of Clients 📱

🔗RiotX big announcement!

• We have released a beta version to the PlayStore on Thursday! You can download (and rate it) here: https://play.google.com/store/apps/details?id=im.vector.riotx . Also feel free to join https://matrix.to/#/#riotx:matrix.org to provide any feedback!
• You will find more details about what RiotX can (and cannot yet) do here: https://medium.com/@RiotChat/introducing-the-riotx-beta-for-android-b17952e8f771
• Now we are working on fixing bugs, and keep going implementing the missing features

I've been using RiotX a lot lately and find it great - really snappy.

🔗Spectral

Black Hat:

Spectral supports .well-known now obviously. see libQuotient update above
Also a lot of changes:

1. Bubble shapes for pending events are fixed.
2. You can set device name when logging in. This becomes important as libQuotient begins to upload one-time device key as part of E2EE implementation.
3. Markdown is parsed automatically by default, and works with replies.
4. Small UI improvements in timeline and room list.

🔗Continuum

yuforia has continued work on Continuum, a desktop client written in Kotlin:

Continuum now preserves media content URI (mxc://) internally in order to treat them specially, instead of converting to all URI to http (or https) upon receiving.
This week's version never considers cached mxc resources stale and no network request will be performed for refreshing.
Continuum also loads previews for http image links in text messages automatically. The usual http cache control rules are still followed in those cases.

Join #tkmc:matrix.org to chat more about Continuum, or about koma, the underlying library.

🔗Riot Web

Riot v1.3.0-rc.1 is now ready for testing at https://riot.im/staging. This includes some last minute polish of reactions and edits, and also adds initial support for soft logout. This release will have reactions and message editing enabled via configuration on riot.im once it stabilises.
Self-hosted installs that wish to do the same would need to alter their config.json in similar fashion. This is because these features currently depend on unstable APIs, and we don't want to move them out of labs and fully on by default until that is resolved.

🔗Riot iOS

• Reactions and edits:
  • Enabled by default (no more LABS setting)
  • Reactions with non-unicode keys
  • Original event in the edit history (need homeserver update)
• Upgraded rooms are now autojoined when tapping on the upgraded banner
• File upload from the room screen and from the share extension
• Crypto: logs have been improved and a script has been created to help to debug e2e bugs (see the screenshot at https://github.com/matrix-org/matrix-ios-sdk/pull/692)
• This Friday TestFlight can be considered as a release candidate

🔗Dept of Ops 🛠

🔗matrix-docker-ansible-deploy: synapse-janitor now available

Slavi:

Thanks to Aaron's frequent mention of synapse-janitor and other such cleanup methods, I've finally gotten inspired enough to give it a try.

The playbook now contains a new Synapse Maintenance documentation page and an easy/safe way to run synapse-janitor.

To give an example, using synapse-janitor and a full Postgres VACUUM yielded a 29% reduction in disk space used by Postgres on my personal homeserver (5.3GB -> 3.8GB).

Alexey Murz Korepov also reminded us about synapse-purge, which we've mentioned here before - but is designed for a similar purpose.

🔗avhost/docker-matrix

Mathijs:

the avhost/docker-matrix image has moved to a debian buster base image, which got us an upgrade from python 3.5 to python 3.7.3 and jemalloc1 to jemalloc2, which should improve the performance of synapse.

🔗Dept of Articles 📝

Pneumaticat: "wrote a blog post on integrating Riot chat with our dapp & scientific research auditing platform, Delphus!"

🔗Final thoughts 💭

I had/stole the idea to create a bot which uses message edits to send frames of an ASCII-art animation. I indeed created the bot, which works to a degree, but is quickly punished by rate-limiting, which limits the effectiveness. Still it's quite fun, you can check out the code here.

TravisR's work on matrix-bot-sdk is interesting for bot or other client devs, and there is a new guide available: http://matrix.org/docs/guides/usage-of-matrix-bot-sdk

A few weeks ago I mentioned matrix-enact, which uses Web Audio API to play back room history. There is a guide to how it was built, looking at the /context endpoint now available: https://matrix.org/docs/guides/creating-a-simple-read-only-matrix-client

Half-Shot "bridged #synapse:matrix.org to #matrix-synapse on freenode to help folks who might be experiencing issues with their homeserver and need a IRC based support channel"

Black Hat made a cool-looking thing: "It basically shows all pictures in this room in a waterfall, with 'infinite scroll'"

🔗That's all I know 🏁

See you next week, and be sure to stop by #twim:matrix.org with your updates!

🔗Matrix Live, featuring Erik and the Interns 🎙

Thanks Erik, Jorik and Oliver!

Note that there is a audio hiccup around 2m30 - video is ok otherwise.

🔗Dept of Spec 📜

🔗Highlights

• MSC2140: Terms of Service for ISes and IMs
  • Largely complete
• MSC2134: Identity Hash Lookups
  • Largely complete
  • Going ahead with the simple hash lookup method
• Matthew/msc1849 rewrite
  • Rewrite of the Proposal for m.relates_to aggregations MSC with new updates
• MSC2153: Add a default push rule to ignore m.reaction events
  • Will help prevent ghost notifications appearing when a reaction is the last event in the room

🔗Movement on Matrix URIs

Sudden interest in matrix-org/matrix.to/pull#47 means we're getting a lot closer to agreement on Matrix URIs. Kitsune even added support for them in Quaternion (see below).

🔗Dept of Servers 🏢

🔗Dendrite

anoa:

Dendrite continues marching forward! As more attention is turned towards our fairly lengthy PR list, contributors who have not done so already are reminded to merge Dendrite's master branch into their PRs, as converting the project to go modules caused a lot of conflicts. A tag has been added to each PR that needs forward merging, visible here.

Our GSoC student cnly has been working away on implementing profile retrieval over federation as well as updating his various other PRs and would likely have a lot more if they were getting more reviews, but worry not as things look on track for that next week.

We've also got plans now! Plans for how to properly ship this thing over the coming months so look out for that soon!

🔗Synapse 1.1.0 released

This week we shipped v1.1.0, which provides an overhaul of docker configuration, more authentication options and improved db io. It’s worth noting that v1.1.0 is the first Synapse release to drop support for Python 2 (and Postgres 9.4), this paves the way for using Python 3 only functionality.

We’ve been working on supporting soft logout, more edits and reactions support, open tracing support not to mention a complete rewrite of the push server Sygnal. We’ll be rolling out new Sygnal gradually over the next week or two.

Finally, aided by dropping Python 2 support, we’ve been putting in a bunch of work to improve Synapse in resource constrained environments. This will be a constant theme over the coming months.

🔗Dept of SDKs and Frameworks 🏗

🔗python-matrixbot

Brian Ó appeared to tell us about python-matrixbot. This is a project that has existed for some time.

A Python module meant to act as a base class for a Matrix bot.
The MatrixBot class will connect to the Matrix server, start a listener on each joined room, and listen for room invites from other users. It also includes helper methods you can use to extend the functionality. It is built on the Matrix Python SDK which can be directly accessed via MatrixBot.client

🔗koma

yuforia:

koma got some improvements, based on what's learned developing Continuum, which is a desktop client based on it.

• Make api calls suspendable functions (which are like Kotlin's flavor of async). This way, the caller don't need to worry about forgetting to call await or a coroutine being left unstarted.
• Borrowing from functional programming, model the outcome of a call as a discriminated union, which can be either a success or a failure. The successful case is optimized with inline classes, an experimental feature in Kotlin 1.3, and wrapping is avoided.
• Make MatrixError a subclass of HttpError, because the http status code can be handy

🔗Ruby SDK

Ananace:

Just released version 1.2.1 of the Ruby SDK, fixing an error in the media download URL generation

🔗Dept of Bridges 🌉

🔗matrix-appservice-bridge release 1.9.0

Half-Shot was seen to exist IRL this week, he also found time for a new release:

Today we have a new matrix-appservice-bridge release 1.9.0. The bigname feature this week is a new store for mapping matrix events to remote ones, so bridges can handle changes made to sent events like reactions/threading/edits/redactions :). The reason for this feature appearing suddenly will become clear very soon.. 😈

🔗mx-puppet-bridge (inc slack, tox, discord)

Another week, which means more work on the mx-puppet-bridge ecosystem! A new > bridge has been added, mx-puppet-discord. Soru finally added license files > (Apache-2-0) and some readmes.

🔗mx-puppet-bridge

• bugfixes
• implement optional double-puppeting (also logging into your matrix acc)
• relate remote event IDs to matrix event IDs
• handle edits in both directions
• handle redactions in both directions
• initiating conversations from matrix! Invite a ghost for 1:1 or follow a > room alias for rooms
• bot provisioning: list users and rooms

🔗mx-puppet-slack

• add linting
• map channels and slack pills
• handle message edits
• handle message deletions
• properly handle /me messages
• handle ghost invites
• handle room joins via alias

🔗mx-puppet-tox

• add linting
• improve bootstrapping
• improve file transfers
• handle ghost invites

🔗mx-puppet-discord

This is the new puppeting bridge! The idea is that, in the long run, this will > be run in conjunction with matrix-appservice-discord Half-Shot/matrix-appservice-discord), where mx-puppet-discord handles DM > puppeting and matrix-appservice-discord the remaining. For this, the message > parsing was split in a new repository, matrix-discord-parser. The idea is that, in the > future, when inviting a ghost on matrix-appservice-discord it'll initiate > conversation within mx-puppet-discord

• basic text messages
• handle files
• handle edits, deletes

mx-puppet-discord does only DMs, for non-DMs please use matrix-appservice-discord

If you have any questions for any of these, please join our channel > #mx-puppet-bridge:sorunome.de. Software doesn't write itself, please consider > donating on liberapay!

🔗matrix-appservice-slack

Cadair and Half-Shot have been doing substantial work on matrix-appservice-slack.

We've got a dedicated room for slack bridge development over at #matrix_appservice_slack:cadair.com, since it's picked up in terms of community PRs and general interest. It's not currently being used as a support room, however.

They mention,

warning may contain ranting about the codebase

But that could be any room, so it seems ok to me.

WARNING: LATE ADDITION

Hi everyone! Myself and Cadair have been working hard on a new Slack bridge release, and we are finally ready to push out a release candidate for 0.3.

The headline features are:

• Implement message deletion.
• Add support for edits.
• Add support for reactions.
• Add support for threading (using replies).
• Support displayname and avatar lookups for Slack bots.
• Replace channel mentions with canonical aliases for bridged rooms.
• Support for slack attachments (Thanks @umitalp for the initial groundwork and @Cadair for the cleanup)

The new release is having very final minute checks, and will be available at https://github.com/matrix-org/matrix-appservice-slack/releases shortly.

🔗Dept of Clients 📱

🔗RiotX (Android)

After an internal release, we are working on improving the performance, especially for initial sync and for navigation between rooms.
Also we are fighting bugs.

🔗Pattle 0.9.0 and Testflight available

Wilko:

A new version of Pattle has been pushed to F-droid and TestFlight!

Changes:

• Fix the infamous FormatException: Not a valid url: error!
• Room upgrades are now handled!
  • Upgraded rooms are now hidden from the overview
  • To access older messages from the previous room, simply scroll up: the timeline is seamless
• Improve performance of loading the overview. Opening the app should be a lot quicker now!
• Improve performance of loading a chat
• Add ability to swipe through images in a chat (thanks to Nathan van Beelen!) See preview here!

Get Pattle from F-droid for Android by adding this repo:

https://fdroid.pattle.im/?fingerprint=E91F63CA6AE04F8E7EA53E52242EAF8779559209B8A342F152F9E7265E3EA729

APK also in assets of this release.

For iOS: join TestFlight here

Report issues to the repo, you can login via GitHub and Gitlab.com.

Follow development in #app:pattle.im!

To support Wilko: you can now do so via Liberapay and Patreon.

I've invested a lot of money in making Pattle happen on iOS: MacBook, Apple Developer Program, and an iPhone. Pretty costly, so any donations will be greatly appreciated!

What to expect in the next release:

• Fix timeline jump issues
• Remove redundant state messages when a room is upgraded
• Start work on chat details screen (members, change name, etc.)

🔗Quaternion now with Matrix URI support

kitsune:

to push things forward on Matrix URIs front, Quaternion master branch now supports matrix:user/userid, matrix:room/roomalias and matrix:roomid/roomid URIs. For example, Quotient/Quaternion room can be opened by a link matrix:room/quotient:matrix.org.

This will be so much easier to use! Also:

Quaternion has got a new contributor, Roland Pallai (https://github.com/rpallai), who added colouring of messages sent by the local user and support of drag-n-drop of text and images on Quaternion, along with general improvements on the timeline. Many thanks!

Windows builds of Quaternion (CI and future releases) come with Qt Keychain enabled, storing your access tokens in Windows secure storage.

🔗Spectral news

Black Hat:

A lot of improvements have been added to Spectral last week.

1. Spectral uses QtKeychain now. Access tokens are stored in system keychain instead of in plain text.
2. Room list's filter has a better UX(aka TabBar). Switching between rooms and DMs is now as easy as switching between, well, tabs.
3. Notification count in system tray icon, implementation modified from nheko.
4. Display initial sync progress. Some people have been complaining about not knowing the progress of initial sync so I added an indicator.
5. A better room setting page. Specifically displaying aliases and changing room avatar are working.
6. Big emojis.
7. Typing indicator UI is tweaked and looks better.

🔗Riot iOS

• Reactions in e2e rooms
• “Show all” button when there are too many reactions
• Support edition of emotes and replies
• Edits history (even in e2e rooms)
• Fix joining new upgraded room through federation
• Use via parameters to join a new room (useful in case of federation)

🔗Riot Web

• Allow resending edits, reactions and redactions through context menu, also better visualization of send errors.
• Allow redacting and viewing source of edits in edit history dialog

🔗Dept of Ops 🛠

🔗K8s

Ananace:

Bumped the K8s optimized Docker image to 1.1.0, with the same dropping of Python 2 and Postgres 9.4 support as the official image.
NB: The upstream docker configuration changes do not affect the K8s-optimized image, no configuration change is necessary to upgrade from 1.0.0 to 1.1.0

🔗avhost/docker-matrix image

Mathijs:

As announced last week, with the release of synapse 1.1.0 the avhost/docker-matrix image switched to running synapse with jemalloc by default

🔗Dept of Services 🚀

🔗modular.im starting to make Small instances available

modular.im are making the much-asked-for SMALL instances available. This service is rolling out starting with people who have previously enquired about availability, which I gather is a lot of people. Go sign up if you're interested!

The wait is almost over ... We're now rolling out our trial of Small Hosted Homeservers for Matrix. Have you got your golden ticket yet? 😀🎟️ pic.twitter.com/iUkAIHW9MY

— Modular (@ModularIM) July 3, 2019

we've been working on a v1 admin dashboard for managing your Synapse instances through Modular. This is now live on the site and provides a basic suite of functionality including:

• Viewing users of your synapse homeserver(s)
• Creating users
• Deleting users
• Resetting user passwords
• Viewing user profile and server access / activity
• Sending messages to all system users as the system alerts user
• Information about the synapse instance versions

🔗Final thoughts 💭

Ananace is "continuing the rewrite of the release tracker project. Working towards getting it to only store state in Matrix so it can be run in a read-only environment like a K8s deployment."

lino "wrote a script to update riot. It also works so far, but still needs some improvements"

Black Hat has been working "to add .well-known support for libQuotient" - presumably this will come back to be used in Spectral when it's ready.

Somehow I had a tab open with a maubot for Urban Dictionary.

🔗That's all I know 🏁

See you next week, and be sure to stop by #twim:matrix.org with your updates!

Right folks, this is our first post 1.0 release, which means that we have now officially dropped support for Python 2 and Postgres 9.4. This means that we can start making use of Python 3 specific features and you should expect lots of associated performance wins over the coming months. See the upgrade notes for more.

Synapse 1.1.0 also contains a reworked approach to the Docker image, as well lots of performance improvements with special focus on DB IO - expect more to come in this area.

Special thanks to community member Alexander Trost for rounding out our SAML support and also to Daniel Hoffend for contributing the ability to disable local password authentication.

As ever, you can get the new update here or any of the sources mentioned at https://github.com/matrix-org/synapse. Note, Synapse is now available from PyPI, pick it up here. Also, check out our Synapse installation guide page

The changelog since 1.0.0 follows:

🔗Synapse 1.1.0 (2019-07-04)

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4. See the upgrade notes for more details.

This release also deprecates the use of environment variables to configure the docker image. See the docker README for more details.

No changes since 1.1.0rc2.

🔗Synapse 1.1.0rc2 (2019-07-03)

🔗Bugfixes

• Fix regression in 1.1rc1 where OPTIONS requests to the media repo would fail. (#5593)
• Removed the SYNAPSE_SMTP_* docker container environment variables. Using these environment variables prevented the docker container from starting in Synapse v1.0, even though they didn't actually allow any functionality anyway. (#5596)
• Fix a number of "Starting txn from sentinel context" warnings. (#5605)

🔗Internal Changes

• Update github templates. (#5552)

🔗Synapse 1.1.0rc1 (2019-07-02)

As of v1.1.0, Synapse no longer supports Python 2, nor Postgres version 9.4. See the upgrade notes for more details.

🔗Features

• Added possibility to disable local password authentication. Contributed by Daniel Hoffend. (#5092)
• Add monthly active users to phonehome stats. (#5252)
• Allow expired user to trigger renewal email sending manually. (#5363)
• Statistics on forward extremities per room are now exposed via Prometheus. (#5384, #5458, #5461)
• Add --no-daemonize option to run synapse in the foreground, per issue #4130. Contributed by Soham Gumaste. (#5412, #5587)
• Fully support SAML2 authentication. Contributed by Alexander Trost - thank you! (#5422)
• Allow server admins to define implementations of extra rules for allowing or denying incoming events. (#5440, #5474, #5477)
• Add support for handling pagination APIs on client reader worker. (#5505, #5513, #5531)
• Improve help and cmdline option names for --generate-config options. (#5512)
• Allow configuration of the path used for ACME account keys. (#5516, #5521, #5522)
• Add --data-dir and --open-private-ports options. (#5524)
• Split public rooms directory auth config in two settings, in order to manage client auth independently from the federation part of it. Obsoletes the "restrict_public_rooms_to_local_users" configuration setting. If "restrict_public_rooms_to_local_users" is set in the config, Synapse will act as if both new options are enabled, i.e. require authentication through the client API and deny federation requests. (#5534)
• The minimum TLS version used for outgoing federation requests can now be set with federation_client_minimum_tls_version. (#5550)
• Optimise devices changed query to not pull unnecessary rows from the database, reducing database load. (#5559)
• Add new metrics for number of forward extremities being persisted and number of state groups involved in resolution. (#5476)

🔗Bugfixes

• Fix bug processing incoming events over federation if call to /get_missing_events fails. (#5042)
• Prevent more than one room upgrade happening simultaneously on the same room. (#5051)
• Fix a bug where running synapse_port_db would cause the account validity feature to fail because it didn't set the type of the email_sent column to boolean. (#5325)
• Warn about disabling email-based password resets when a reset occurs, and remove warning when someone attempts a phone-based reset. (#5387)
• Fix email notifications for unnamed rooms with multiple people. (#5388)
• Fix exceptions in federation reader worker caused by attempting to renew attestations, which should only happen on master worker. (#5389)
• Fix handling of failures fetching remote content to not log failures as exceptions. (#5390)
• Fix a bug where deactivated users could receive renewal emails if the account validity feature is on. (#5394)
• Fix missing invite state after exchanging 3PID invites over federaton. (#5464)
• Fix intermittent exceptions on Apple hardware. Also fix bug that caused database activity times to be under-reported in log lines. (#5498)
• Fix logging error when a tampered event is detected. (#5500)
• Fix bug where clients could tight loop calling /sync for a period. (#5507)
• Fix bug with jinja2 preventing Synapse from starting. Users who had this problem should now simply need to run pip install matrix-synapse. (#5514)
• Fix a regression where homeservers on private IP addresses were incorrectly blacklisted. (#5523)
• Fixed m.login.jwt using unregistered user_id and added pyjwt>=1.6.4 as jwt conditional dependencies. Contributed by Pau Rodriguez-Estivill. (#5555, #5586)
• Fix a bug that would cause invited users to receive several emails for a single 3PID invite in case the inviter is rate limited. (#5576)

🔗Updates to the Docker image

• Add ability to change Docker containers timezone with the TZ variable. (#5383)
• Update docker image to use Python 3.7. (#5546)
• Deprecate the use of environment variables for configuration, and make the use of a static configuration the default. (#5561, #5562, #5566, #5567)
• Increase default log level for docker image to INFO. It can still be changed by editing the generated log.config file. (#5547)
• Send synapse logs to the docker logging system, by default. (#5565)
• Open the non-TLS port by default. (#5568)
• Fix failure to start under docker with SAML support enabled. (#5490)
• Use a sensible location for data files when generating a config file. (#5563)

🔗Deprecations and Removals

• Python 2.7 is no longer a supported platform. Synapse now requires Python 3.5+ to run. (#5425)
• PostgreSQL 9.4 is no longer supported. Synapse requires Postgres 9.5+ or above for Postgres support. (#5448)
• Remove support for cpu_affinity setting. (#5525)

🔗Improved Documentation

• Improve README section on performance troubleshooting. (#4276)
• Add information about how to install and run black on the codebase to code_style.rst. (#5537)
• Improve install docs on choosing server_name. (#5558)

🔗Internal Changes

• Add logging to 3pid invite signature verification. (#5015)
• Update example haproxy config to a more compatible setup. (#5313)
• Track deactivated accounts in the database. (#5378, #5465, #5493)
• Clean up code for sending federation EDUs. (#5381)
• Add a sponsor button to the repo. (#5382, #5386)
• Don't log non-200 responses from federation queries as exceptions. (#5383)
• Update Python syntax in contrib/ to Python 3. (#5446)
• Update federation_client dev script to support .well-known and work with python3. (#5447)
• SyTest has been moved to Buildkite. (#5459)
• Demo script now uses python3. (#5460)
• Synapse can now handle RestServlets that return coroutines. (#5475, #5585)
• The demo servers talk to each other again. (#5478)
• Add an EXPERIMENTAL config option to try and periodically clean up extremities by sending dummy events. (#5480)
• Synapse's codebase is now formatted by black. (#5482)
• Some cleanups and sanity-checking in the CPU and database metrics. (#5499)
• Improve email notification logging. (#5502)
• Fix "Unexpected entry in 'full_schemas'" log warning. (#5509)
• Improve logging when generating config files. (#5510)
• Refactor and clean up Config parser for maintainability. (#5511)
• Make the config clearer in that email.template_dir is relative to the Synapse's root directory, not the synapse/ folder within it. (#5543)
• Update v1.0.0 release changelog to include more information about changes to password resets. (#5545)
• Remove non-functioning check_event_hash.py dev script. (#5548)
• Synapse will now only allow TLS v1.2 connections when serving federation, if it terminates TLS. As Synapse's allowed ciphers were only able to be used in TLSv1.2 before, this does not change behaviour. (#5550)
• Logging when running GC collection on generation 0 is now at the DEBUG level, not INFO. (#5557)
• Reduce the amount of stuff we send in the docker context. (#5564)
• Point the reverse links in the Purge History contrib scripts at the intended location. (#5570)

Canonical version of this article at https://matrix.org/docs/guides/usage-of-matrix-nio

This article concerns matrix-nio, and asyncio. We'll build a simple "echo bot", meaning a bot which replies to messages with the text it has just read. Note that this article does not cover E2EE with matrix-nio.

🔗Instantiation and Login

First create a new venv, and install matrix-nio via pip. On the command line, run:

python3 -m venv env
source env/bin/activate
pip install matrix-nio

Next, create a new Python file, and open it for editing. We'll import everything we require for this tutorial:

from importlib import util
import asyncio
from nio import (AsyncClient, SyncResponse, RoomMessageText)

We're importing asyncio so we can use the AsyncClient class from matrix-nio.

Create a new instance of AsyncClient by passing the homeserver and username as arguments:

async_client = AsyncClient(
    "https://matrix.org", "%%YOUR-USERNAME-HERE%%"
)

Then login, and await the response:

response = await async_client.login("%%YOUR-PASSWORD-HERE%%")
print(response)

Of course, we are using an async client, and awaiting the response. Because of this, we must call the async_client.login() from an async method, like so:

async def main():
    response = await async_client.login("%%YOUR-PASSWORD-HERE%%")
    print(response)

asyncio.run(main())

Note that for versions of Python before 3.7 the asyncio syntax must be:

async def main():
    response = await async_client.login("%%YOUR-PASSWORD-HERE%%")
    print(response)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())

The remainder of this tutorial assumes you are running everything from an async method.

The response string should look like:

Logged in as @pyconweb-bot:matrix.org, device id: ZBLAJHLKVP.

🔗Get into a /sync loop

To get updates from a Matrix homeserver to the client, the client makes a request to the /sync endpoint. In the matrix-nio AsyncClient, this is wrapped by the sync() method. We can get the latest updates:

sync_response = await async_client.sync(30000)

30000 means we will wait up to 30 seconds before returning. sync_response will now contain a Python object containing a mapping of the (JSON) response from the Matrix homeserver. We'll inspect this response in the next section.

In fact, we expect there to be updates regularly, so let's create a very simple loop:

while (True):
    sync_response = await async_client.sync(30000)
    print(sync_response) # note that this could be LARGE!
    # do some reading from sync_response

In this way, every time there is a response (i.e. new events) from the homeserver, they are made available in sync_response for processing, and we loop again.

🔗Explore the sync response object

sync_response can contain multitudes, depending on the rooms this user is part of, or has been part of. sync_response.rooms.join contains updates for the rooms which the current user is "joined to" (meaning, is a member of.)

Of these joined rooms, we are (perhaps!) most interested in the events on the timeline. These are stored in timeline.events, see below:

if len(sync_response.rooms.join) > 0:

    joins = sync_response.rooms.join
    for room_id in joins:
        for event in joins[room_id].timeline.events:
            print(event)

Message events are a specific type of event which contain an Instant Messenger message. We can check the type before proceeding:

for event in joins[room_id].timeline.events:
    if isinstance(event, RoomMessageText):
        print (event.body)

In these cases, where the event is a message to a room, the body field will contain the message text.

🔗Isolate specific message event objects

Knowing that we can get the message text from an event, we can read it to determine a response. Let's make a new variable and have it store some string we'll check for:

response_string = "!replybot"

Now let's suppose we're in our /sync loop, and just received an event. We can filter messages that are meant for our bot as follows:

if len(sync_response.rooms.join) > 0:
    joins = sync_response.rooms.join
    for room_id in joins:
        for event in joins[room_id].timeline.events:
            if hasattr(event, 'body') and event.body.startswith(response_string):
                print(event)

🔗Use room_send

To send messages, matrix-nio provides a room_send() method. There are three arguments:

• the room_id
• the message type, we will use "m.room.message"
• a JSON object representing the content of the message

Let's improve the example above, by sending back a message to echo the ones we isolated above:

joins = sync_response.rooms.join
for room_id in joins:
    for event in joins[room_id].timeline.events:
        if hasattr(event, 'body') and event.body.startswith(response_string):
            response_body = event.body.replace(response_string, "").strip()
            content = {
               "body": response_body,
               "msgtype": "m.text"
            }
            await async_client.room_send(room_id, 'm.room.message', content)

Now whenever the bot receives a message "!replybot some message" it will send back "some message".

🔗Use of /sync next_batch tokens

Finally, let's consider the importance of next_batch tokens. Whenever you receive a response from the /sync endpoint, the response will contain a "next_batch" field, which you then pass on the next request to ensure you have the latest messages. matrix-nio keeps track of this automatically, so it doesn't get repeated messages. However, when you stop the program and call the .sync() method again, how can you tell it where to start from? First let's get the latest next_batch token:

async def main():
    response = await async_client.login("%%YOUR-USERNAME-HERE%%", "")

    while (True):
        sync_response = await async_client.sync(30000)
        print(sync_response.next_batch) # this is the token

Then we'll write the token to a file:

async def main():
    response = await async_client.login("%%YOUR-USERNAME-HERE%%", "")

    while (True):
        sync_response = await async_client.sync(30000)

        # we write the token to a file here
        with open("next_batch","w") as next_batch_token:
            next_batch_token.write(sync_response.next_batch)

Once that token is written, we know we can re-use it for the first /sync/ request next time:

async def main():
    response = await async_client.login("%%YOUR-USERNAME-HERE%%", "")

    # we read the previously-written token...
    with open ("next_batch","r") as next_batch_token:
        # ... and well async_client to use it
        async_client.next_batch = next_batch_token.read()

    while (True):
        sync_response = await async_client.sync(30000)
        with open("next_batch","w") as next_batch_token:
            next_batch_token.write(sync_response.next_batch)

🔗Conclusion

With this, you can see that in very few lines, it's possible to write a working Matrix bot in Python, using matrix-nio.

Hi all,

A few weeks ago there was some discussion around the privacy of typical Matrix configurations, particularly how Riot's default config uses vector.im as an Identity Server (for discovering users on Matrix by their email address or phone number) and scalar.vector.im as an Integration Manager (i.e. the mechanism for adding hosted bots/bridges/widgets into rooms). This means that Riot, even if using a custom homeserver and running from a custom Riot deployment, will try to talk to *.vector.im (run by New Vector; the company formed by the core Matrix team in 2017) for some operations unless an alternative IS or IM has been specified in the config.

We haven't done as good a job at explaining this as we could have, and this blog post is a progress update on how we're fixing that and improving other privacy considerations in general.

Firstly, the reason Riot is configured like this is for the user's convenience: in general, we believe most users just want to discover other people on Matrix as easily as possible, and a logically-centralised server for looking up user matrix IDs by email/phone number (called third party IDs, or 3PIDs) is the only comprehensive way of doing so. Decentralising this data while protecting the privacy of the 3PIDs and their matrix IDs is a Hard Problem which we're unaware of anyone having solved yet. Alternatively, you could run a local identity server, but it will end up having to delegate to a centralised identity server anyway for IDs it has no other way to know about. Similarly, providing a default integration server that just works out of the box (rather than mandating the user configures their own) is a matter of trying to keep Riot's UX simple, especially when onboarding users, and especially given Riot's reputation for complexity at the best of times.

That said, the discussion highlighted some areas for improvement. Specifically:

1. When doing work on making Matrix GDPR compliant back in May 2018, we set up a single privacy policy for the services we run, and got users to agree to it by locking them out of the matrix.org homeserver until they did. However, we missed that users not on the matrix.org homeserver might still be using our Identity Service (IS) & Integration Manager (IM) without accepting the privacy policy. Over the last few weeks we've been working on addressing this - it turns out that it's a pain to fix, given the Identity Service doesn't have the concept of users, so tracking which users have agreed to the policy policy or not means some fairly major changes. The current proposal is to change the Identity Service to use a form of OpenID to authenticate users against their homeserver in order to check they've accepted the IS's terms of use - see MSC2140 for the gory details.

Meanwhile, Riot is being updated to prompt the user to accept the IS & IM terms of use (if different to the HS's), and thus make it crystal clear to the user that they are using an IS & IM and that they have the option not to if desired - see https://github.com/vector-im/riot-web/issues/10167 and associated issues. This includes also explicitly prompting the user as to whether they want 3PIDs they provide at registration to be discoverable, as per https://github.com/vector-im/riot-web/issues/10091.

2. Riot on iOS & Android gives the option of scanning your local addressbook to discover which of your contacts are on Matrix. The wording explaining this wasn't clear enough on Android - which we promptly fixed. Separately, the contact details sent to the server are currently not obfuscated. This is partially because we hadn't got to it, and partially because obfuscating them doesn't actually help much with privacy, given an attacker can just scan through possible obfuscated phone numbers and email addresses to deobfuscate them. However, we've been working through obfuscating the contact details anyway by hashing as per MSC2134, which has all the details. We're also adding an explicit lookup warning in Riot/Web, as per https://github.com/vector-im/riot-web/issues/10093.

3. There was a bug where Riot/Web was querying the Integration Manager every time you opened a room, even if that room had no integrations (actually, it did it 3 times in a row). This got fixed and released in Riot/Web 1.2.2 back on June 19th.

4. Matrix needs to authenticate whether events were actually sent by the server that claimed to send them. We do this by having servers sign their events when they create them, and publishing the public half of their signing keys for anyone to query. However, this poses problems if you receive an event which is signed by a server which isn't currently online. To solve this, we have the concept of trusted_key_servers (aka notary servers), which your server can query to see if they know about the missing server's keys. By default, matrix.org is configured as Synapse's trusted notary, but you can of course change this. If you choose an unreliable server as the notary (e.g. by not setting one at all) then there's a risk that you won't be able to look up signing keys, and a splitbrain will result where your server can't receive certain events, but other servers in the room can. This can then result in your server being unable to participate in the room entirely, if it's missing key events in the room's lifetime.

   Our plan here is to get rid of notaries entirely by changing how event signing works as per MSC1228, but this is going to take a while. Meanwhile we're going to check Synapse's code to ensure it doesn't talk to the notary server unnecessarily. (E.g. it should be caching the signing keys locally, and it should only use the notary server if the remote server is down.)

5. When doing VoIP in Matrix, clients need to use a TURN server to discover their network conditions and perform firewall traversal. The TURN server should be specified by your homeserver (and each homeserver deployment should ideally include a TURN server). However, for users who have not configured a TURN server, Riot (on all 3 platforms) defaulted to use Google's public STUN service (stun.l.google.com). STUN is a subset of TURN which provides firewall discovery, but not traffic relaying. This slightly increased the chances of calls working for users without a proper TURN server, but not by much - and rather than fall back to Google, we've decided to simply remove it from Riot (e.g. https://github.com/matrix-org/matrix-ios-sdk/commit/24832a2b14fb72ae6f051d5aba40262d11eef65d). This means that VoIP might get less reliable for users who were relying on this fallback, but you really should be running your own TURN server anyway if you want VoIP to work reliably on your homeserver.

6. We should make it clearer in Riot that device names are world-readable, and not just for the user's own personal reference. This is https://github.com/vector-im/riot-web/issues/10216

As you can see, much of the work on improving these issues is still in full swing, although some has already shipped. As should also be obvious, these issues are categorically not malicious: Matrix (and Riot) literally exists to give users full control and autonomy over their communication, and privacy is a key part of that. These are avoidable issues which can and will be solved. It's worth noting that we have to prioritise privacy issues alongside all the other development in Matrix however: there's no point in having excellent privacy if there are other bugs stopping the platform from being usable.

We'll do another blog post to confirm once most of the fixes here have landed - meanwhile, hopefully this post provides some useful visibility on how we're going about improving things.