We became aware today of a flaw in sydentβs validation of email addresses which can lead to a failure to correctly limit registration to a given email domain. This only affects people who run their own sydent, and are relying on allowed_local_3pid in their synapse config. Weβd like to thank @fs0c131y for bringing it to our attention on Twitter this morning. We are not aware of this being exploited in the wild other than the initial report.
If you are running your own sydent, and limiting signup for your server using the allowed_local_3pids configuration option, then you need to upgrade your sydent immediately to Sydent 1.0.2.
Meanwhile, if you have been relying on the allowed_local_3pids configuration option to restrict access to your homeserver, you may wish to check your homeserverβs user_threepids table for malformed email addresses and your sydentβs database as follows:
$ sqlite3 sydent.db
sqlite> select count(*) from global_threepid_associations where address like '%@%@%';
0
$ psql matrix
matrix=> select count(*) from user_threepids where address like '%@%@%';
count
-------
0
If the queries return more than 0 results, please let us know at [email protected] - otherwise you are fine.
A flaw existed in sydent whereby it was possible to bypass the requirement specified in synapseβs allowed_local_3pids option, which restricts that users may only register with an email address matching a specific format.
This relied on two things:
sydent uses python's email.utils.parseaddr function to parse the input email address before sending validation mail to it, but it turns out that if you hand parseaddr an malformed email address of form [email protected]@c.com, it silently discards the @c.com prefix without error. The result of this is that if one requested a validation token for '[email protected]@important.com', the token would be sent to '[email protected]', but the address '[email protected]@important.com' would be marked as validated. This release fixes this behaviour by asserting that the parsed email address is the same as the input email address.
synapse's checking of email addresses relies on regular expressions in the home server configuration file. synapse does not validate email addresses before checking them against these regular expressions, so naive regular expressions will detect the second domain in email addresses such as the above, causing them to pass the check.
Check out the new digs! We're happy with this newly deployed blog, and all the old and loveable content is right down there. If you find issues, let me know. You may remember Nad, from previous editions of Matrix Live - huge thanks to him for his work on the design and upkeep of this new deployment.
Due to the security incident, all GitHub access tokens for the Scalar GitHub integration were cleared. This means that if you have a GitHub bot in the channel and want to use the !github bot commands, you need to re-login to github via the integration manager menu. Note, existing webhooks are untouched and should work fine without re-authenticating.
From the matrix.org bridge team, we are resurrecting bridges as fast as possible. Currently running are the freenode, slack, gitter and gimpnet (now hosted on gnome.org) with more to come today and next week.
We have the snoonet and oftc irc bridges back. Mozilla is coming soon hopefully this weekend too!
A big release of Pattle has just been pushed to the F-droid repo! Changes include:
Display names are now shown
You can now click on chats and view them!
Messages are grouped by time and sender (see screenshots)
Add fancy transition animation and ripples to chat messages (see video)
Use Sentry for error reporting (only Android version and device model is sent, along with the stacktrace of the error)
Also, please note that if you have a matrix.org you probably have reinstall the app if you're logged in because of the recent matrix.org incident (because there's no logout button yet and no detection for invalidated access tokens)
There has actually been a release since, which includes:
Quaternion 0.0.9.4 RC3, the last one before the release that will happen in the nearest days, is out. Release notes can be found at https://github.com/QMatrixClient/Quaternion/releases/tag/0.0.9.4-rc3. Translators, you literally have hours to add your translations for 0.0.9.4!
I reimplemented the matrix sdk into Neo, so it works nicer. Colors and font look nicer (base16-tomorrow, Open Sans), and there's text message sending, with localecho!
I also fixed a bug where react would recycle displayname-components across rooms, attributing them to the wrong messages
a video at https://lain.haus/_matrix/media/v1/download/lain.haus/VfshWRfaNUnpGQbdkyYczxvd
it's been a long while, but I've finally come around to improving on matrix-registration
For those of you, who have forgotten what this project is about, it basically lets you invite people to your homeserver with tokens, e.g. https://homeserver.tld/register?token=DoubleWizardSky
This whole update was about making the project more user friendly.
I made a new default registration page that requires 0 setup and you can install the project right from pypi with pip, so you don't even need to clone the repo any longer.
check a live example here: https://chat.dmnd.sh/register
and to play around with the api you can can go over to the github page: https://zeratax.github.io/matrix-registration/demo.html?token=ColorWhiskeyExpand
channel: #matrix-registration:dmnd.sh
github: https://github.com/zeratax/matrix-registration
matrix-media-repo now has s3 (and s3-like) support, making it easier to archive older media or use minimal disk space. See the new datastores option in the config and the admin docs ( https://github.com/turt2live/matrix-media-repo/blob/master/docs/admin.md#datastore-management ) for more information.
Dimension has been updated to more safely handle when upstream integration managers (like Scalar) are offline. Instead of crashing or breaking in various ways, it'll report which integrations are not accessible.
As well, due to recent events, if you use matrix.org bots or bridges in Dimension then go the the admin section and log everyone out using the red button. Dimension caches upstream tokens and isn't smart enough to realize that they are no longer valid, which means they need clearing. Clients should automatically handle getting new tokens in the background.
TL;DR: An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you're a matrix.org user you should change your password now.
The matrix.org homeserver has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im homeservers have not been affected by this outage.
The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins). Homeservers other than matrix.org are unaffected.
We have invalidated all of the active access tokens for users on Matrix.org - all users have been logged out.
Users with Matrix.org accounts should:
Change your password now - no plaintext Matrix passwords were leaked, but weak passwords could still be cracked from the hashed passwords
Change your NickServ password (if you're using IRC bridging) - there's no evidence bridge credentials were compromised, but if you have given the IRC bridges credentials to your NickServ account we would recommend changing this password
And as a reminder, it's good practice to:
Review your device list regularly - make sure you recognise all of the devices connected to your account
Always make sure you enable E2E encryption for private conversations
Forensics are ongoing; so far we've found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.
Source code and packages have not been impacted based on our initial investigations. However, we will be replacing signing keys as a precaution.
Modular.im servers are not affected, based on our initial analysis
Identity server data does not appear to have been compromised
The target appeared to be internal credentials for onward exploits, not end user information from the matrix.org homeserver.
πYou might have lost access to your encrypted messages.
As we had to log out all users from matrix.org, if you do not have backups of your encryption keys you will not be able to read your encrypted conversation history. However, if you use server-side encryption key backup (the default in Riot these days) or take manual key backups, youβll be okay.
This was a difficult choice to make. We weighed the risk of some users losing access to encrypted messages against that of all users' accounts being vulnerable to hijack via the compromised access tokens. We hope you can see why we made the decision to prioritise account integrity over access to encrypted messages, but we're sorry for the inconvenience this may have caused.
We were using Jenkins for continuous integration (automatically testing our software). The version of Jenkins we were using had a vulnerability (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) which allowed an attacker to hijack credentials (forwarded ssh keys), giving access to our production infrastructure. Thanks to @jaikeysarraf for drawing this to our attention.
At around 5am UTC on Apr 12, the attacker used a cloudflare API key to repoint DNS for matrix.org to a defacement website (https://github.com/matrixnotorg/matrixnotorg.github.io).
The API key was known compromised in the original attack, and during the rebuild the key was theoretically replaced. However, unfortunately
only personal keys were rotated, enabling the defacement. We are currently doublechecking that all compromised secrets have been rotated.
The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse.
If you have already changed your password, you do not need to do so again.
The defacement confirms that encrypted password hashes were exfiltrated from the production database, so it is even more important
for everyone to change their password. We will shortly be messaging and emailing all users to announce the breach and advise them
to change their passwords. We will also look at ways of non-destructively forcing a password reset at next login.
The attacker has also posted github issues detailing some of their actions and suggested remediations at
https://github.com/matrix-org/matrix.org/issues/created_by/matrixnotorg.
This confirms that GPG keys used for signing packages were compromised. These keys are used for signing
the synapse debian repository (AD0592FE47F0DF61), and releases of Riot/Web (E019645248E8F4A1).
Both keys have now been revoked. The window of compromise for the keys started from April 4th; there have
been no Synapse releases since then. There has been one release of Riot/Web (1.0.7), however as the key
was passphrased and based on our initial analysis of the release, we believe it to be secure.
Once things are back up and running we will retrospect on this incident in detail to identify the changes we need to make. We will provide a proper postmortem, including follow-up steps; meanwhile we are obviously going to take measures to improve the security of our production infrastructure, including patching services more aggressively and more regular vulnerability scans.
From the dates described below, we will no longer guarantee support for deprecated versions. This means that SynapseΒ mayΒ continue to work with these versions but we will not make any attempt to ensure compatibility and will remove old library versions from our CI.
Synapse 1.0 will continue to support both technologies, but subsequent releases may not:-
For Python, we shared that we would discontinue to Python 2.x support fromΒ April 1st 2019, so for the first release that follows 1.0 we do not guarantee Python 2.x support.
For Postgres, will give server admins 6 weeks to upgrade to a newer version, and will guarantee support up until 20th May 2019.
We want to make use of new language features not supported in old versions. This will enable us to continue to improve the performance and maintainability of Synapse.
Since very few server admins still use these technologies on the wild, providing support is costly and we want to reduce our overall maintenance load.
πLa la la I am ignoring you - what will happen?
You will be able to upgrade to Synapse 1.0, but will likely experience incompatibilities that prevent you upgrading further. Seriously, you really need to upgrade.
πOkay, but I have questions, where should I go?
Come and say Hi in #synapse:matrix.org and we'll do our best to help you.
Last week we carried on with Synapse 1.0 work, in particular server key signing validity, a config option to verify federation certificates to support MSC1711 and support for 3PID unbinding APIs (MSC1915). Outside of that we've been thinking about how to improve room upgrades for private rooms and landed the preparatory work for a refactor of the room directory.
Coming up next, we'll continue to bash out 1.0 blockers, Hawkowl has started work on optimising for small hosted homeservers, and anoa will be working on the new super fast room directory. Finally Erik has started work on aggregations support so clients will be able to offer things like edits and reactions ?
Dockerfile for sytest running against Dendrite approved. Close to being able to run Dendrite against sytest. Also using sytest's new test white/blacklist functionality to include a list of tests that Dendrite is known to pass in the repo. When people make new PRs that allow Dendrite to pass new tests, they can also append the names of the tests to the testfile to help automatically track Dendrite's improving progress. Look forward to seeing further progress post Synapse 1.0.
libQMatrixClient 0.5.1 is out! This is a minor release with bugfixes and small improvements, a base for Quaternion 0.0.9.4, RC of which is coming this weekend. Full release notes here
and to follow up:
Quaternion 0.0.9.4 Release Candidate is available for all those who don't need a "release" seal of approval to use applications. Get out, grab it, report bugs that could still sneak in: https://github.com/QMatrixClient/Quaternion/releases/tag/0.0.9.4-rc. A separate call out to translators - it's a great moment to teach Quaternion a few more phrases in your language!
This weekend I took a brief pause from doing matrix work, and then went back into it by finishing the feature set for the .NET Core Synchrotron. It's "feature complete" meaning all specced features of sync are in this branch, excluding legacy endpoints. There are a few bugs logged against it and it's really only useful as a super early test, while I fix some of the p1 bugs.
The federation sender continues to be reliable and stable, and we are prepping for the release of synapse 0.99.3 which made a few changes to the replication stream. For more info, please see https://github.com/turt2live/synapse-netcore-workers
Wilko has officially discontinued the previous version of Pattle, and is focused on their Flutter SDK and new version of Pattle based on it:
After some silence here but a lot of development, Pattle has now moved to Flutter. The new app is available in the same F-droid repository, you can just update. Note that you will have to log in again. If there are issues with updating, try removing the old app and installing the new one.
Also note that this version is still very basic and does not have all features of the old Pattle unfortunately. The reason that I chose to already replace it on the repo is that the old app will not receive updates anymore.
The current features are logging in and an overview of all chats. What is new is that data is now stored locally, so you won't have to do an initial sync everytime you open the app (which was the case with old app). What's also new is that I've decided to use more red, because.. I like red.
There is still a lot to do! Please notify me of anything that you think is missing, even though some things may be obvious (sorting chats based on date, chat avatars), some may not be as obvious to me!
If you'd like to contribute, the new repo is here. Note that many contributions will probably start at the SDK level. Pattle uses my own Dart SDK, which you can find here.
There is at the moment a very specific bug in Flutter, where on Android 7.1 with release builds, the app crashes when building a list widget. If you use Android 7.1 (like me) and you crash after logging in, that's the reason. It seems I can't do anything about it, sorry.
πlibaqueous (Matrix Dart SDK) and Aqueous client
Aqueous now comes with room categories and history messages support.
Also, a lot of code refactoring is going on to change the backend store from plain json file to sqlite, which should improve the performance a lot.
The room is at #libaqueous:encom.eu.org
Three releases this week, to fix several bugs with the new EventStreamServiceX, and to fix issue with the Jitsi conference call (Riot.im 0.8.29). FDroid users should receive the upgrade soon.
Users are happy with the new notifications!
Valere is still working on SAS, we are reaching the end :).
I'll be writing a Helm chart for 1.0 as well, just haven't had time to do so yet. I need to update all the references to TLS as well, as that's supposed to be left to kube-lego or cert-manager for a modern install
Following up on last week's effort, a number of issues on the Matrix federation tester, both on the backend and the frontend side, have been fixed, including fixing certificate validity checks, not following CNAME records in SRV records, fixing display of the SRV lookup in the UI, preventing some crashes, and a few more.
All outstanding issues on both the federation tester's backend and its frontend that could have preventing people to test efficiently how their server is performing in the context of Synapse's 1.0 release have now been fixed and deployed on https://matrix.org/federationtester/.
A few bounties have been added to Synapse and Riot recently to encourage community members to work on those projects. Although they aren't large enough to actually pay for development, I believe they can serve as a small push to help an already interested developer justify spending some time working on these projects.
pantalaimon has been seen in the wild, even appearing to run on Android. We'll get a little closer to the project and see how it's going in a future edition.
new, alpha quality, matrix python client for asyncio and with support for e2e encryption: https://github.com/SFTtech/aiomatrix Polishing is needed but the basics do work already :)
The big news in 0.99.3 is that the user directory has been completely re-written and should now be much more performant - this will benefit all installations, but especially those housing larger servers.
Aside from that we continue our 1.0 preparations and relatedly we've improved our docs, in particular to explain how .well-known works. On the perf side we've added rate limiting to login and register endpoints as well as now batching up read receipts to send over federation.
I've said it before, and I'll say it again:-
The most important thing that admins should know is that prior to 1.0 landing later this month, it is essential that the federation API has a valid TLS certificate - self signed certificates will no longer be accepted. For more details see our handy guide. Failure to do this will result in being unable to federate with other 1.0 servers.
The user directory has been rewritten to make it faster, with less chance of falling behind on a large server. (#4537,Β #4846,Β #4864,Β #4887,Β #4900,Β #4944)
Add configurable rate limiting to the /register endpoint. (#4735,Β #4804)
Move server key queries to federation reader. (#4757)
Add support for /account/3pid REST endpoint to client_reader worker. (#4759)
Add an endpoint to the admin API for querying the server version. Contributed by Joseph Weston. (#4772)
Include a default configuration file in the 'docs' directory. (#4791,Β #4801)
Synapse is now permissive about trailing slashes on some of its federation endpoints, allowing zero or more to be present. (#4793)
Add support for /keys/query and /keys/changes REST endpoints to client_reader worker. (#4796)
Add checks to incoming events over federation for events evading auth (aka "soft fail"). (#4814)
Add configurable rate limiting to the /login endpoint. (#4821,Β #4865)
Remove trailing slashes from certain outbound federation requests. Retry if receiving a 404. Context: #3622. (#4840)
Allow passing --daemonize flags to workers in the same way as with master. (#4853)
Batch up outgoing read-receipts to reduce federation traffic. (#4890,Β #4927)
Add option to disable searching the user directory. (#4895)
Add option to disable searching of local and remote public room lists. (#4896)
Add ability for password providers to login/register a user via 3PID (email, phone). (#4931)
Clarify what registration_shared_secret allows for. (#4844)
Correctly log expected errors when fetching server keys. (#4847)
Update install docs to explicitly state a full-chain (not just the top-level) TLS certificate must be provided to Synapse. This caused some people's Synapse ports to appear correct in a browser but still (rightfully so) upset the federation tester. (#4849)
Move client read-receipt processing to federation sender worker. (#4852)
Neil, Synapse overseer, reports on the acceleration towards 1.0:
We have much improved sytest support for Synapse worker mode, Hawkowl landed a brand new super fast super shiny user directory implementation, Brendan fixed a bunch of niggles in the federation tester and we finally got to the bottom of our sync caching bug that obscured accepting invites (thanks richvdh for sticking with it). Erik solved our presence spamming bug and anoa fixed some LDAP auth bugs and submitted a PR for certificate checking - one of our final blockers for Synapse 1.0. For all the latest checkout out our latest release candidate 0.99.3rc1.
Next week, we'll ship 0.99.3, we'll be looking at server key validity periods, adding a 3PID unbind API and starting work on tuning low powered Synapse installations. https://www.arewereadyyet.com/ is still rising so keep banging to everyone you know that they ensure their federation certificates are valid.
Pantalaimon is a new project that acts as a reverse proxy for clients to connect to. Once a client is connected Pantalaimon handles end to end encryption for the client transparently.
The project is only a week old but already at a working prototype phase. A demo can be found here: http://webmshare.com/play/Qn4wg
This is a huge gain! Use of this project, as you will see in the video, permits any Matrix client to support End-to-End encryption of messages, by handling encryption/decryption in a daemon rather than in the client.
The matrix Construct server has made significant progress this week implementing the 1.0 specification and is very close to a 1.0 release! Special thanks to our star tester Yan Minari and expert Matrix consultants Tulir and Max and C++ developers Jason of Zemos and Mujx of nheko for all their hard work to make this happen. The Construct now fully supports IPv6 and is ready to participate in fully end-to-to-end encrypted ipv6 networks like #yggdrasil:matrix.org and #cjdns:matrix.org. This week also saw additions for .well-known support, m.fully_read and even DNS caching inside a matrix room shared between servers (which is really cool if you ask me).
The Construct is written in C++ for maximum performance and scalability. It is the first fully federating server after the Synapse reference implementation. Your contributions in code and participation are essential to bring Construct to its upcoming release; get involved at https://github.com/matrix-construct/construct and in #zemos-test:matrix.org.
We've been upgrading and optimising our Jitsi instance so people should see more reliable video conference calls, especially if they avoid connecting from Firefox over poor connections. We've been squashing scroll jumps (where the timeline pops out of position unexpectedly due to images loading, etc.). We've come up with a radical reimplementation of the timeline (which should be imperceptible, except it doesn't jump) - try it out on https://riot.im/develop now.
Bruno, who has been working on scroll functional for Riot deserves a call-out - scrolling in new Riot web works great, and he may now be the most qualified dev on scroll: anchor outside of Mozilla or Googleβ¦
You can now get all Riot updates from #riot-web-announcements:matrix.org, the official room of Riot web announcements! You can especially get this update, which was also featured on Twitter:
Attention Riot Web Admins! We reset Scalar tokens to address a potential security vuln. with some clients - if you run your own Riot instance please upgrade to at least v1.0.4 to keep using integrations (widgets, sticker picker, any bots and bridges configured through Scalar).
Another case of UTD (https://github.com/vector-im/riot-ios/issues/2320) has been fixed. Some logs have been added to track push notifications that disabled themselves. SAS verification implementation is still in progress.
UTD = "Unable to Decrypt", messages as seen in Riot
Rework of EventStreamService, to fix many issues (crash) reported by users. The feature is available on the develop branch.
Also we are trying to upgrade Jitsi library, to fix other errors reported by users.
SAS verification implementation is still in progress.
Also, you may have already seen the use of Android 9-style notifications, featuring "Mark as read" + "Quick reply" buttons. This addition has started to make Riot Android my client of choice for burning through notifying rooms.
Quick note that nheko (v 0.6.3) is now packaged for FreeBSD as well. The C++ code was fine (we use Clang, that does trip up some people) but I have Opinions about the CMake code (in particular that the find code for nlohmann/json.hpp, lmdb++.h and tweeny.h could use a lot of work -- if I feel perky I may come up with a PR). Thanks for the good work!
Black Hat has been using Dart and Flutter this week, and is making progress with an SDK and reference client:
I am trying to use libaqueous(Matrix Dart SDK) to create a cross-platform matrix client for Android and iOS. Almost nothing works except Already a significant number of client features are available: login/logout, room list, basic timeline and message posting
Flutter is quite good for rapidly building mobile apps. ? Strong-typed json serialization/deserialization in Dart is a bit difficult at first, but I managed to solve that. the repo is here, the SDK is here, and the room for discussion is at #libaqueous:encom.eu.org
I chatted with Kitsune, maintainer of libQMatrixClient, Quaternion and Spec Core Team member. We talked about the history and future of these projects, platform preferences, the importance of decentralisation and more.
Huge thanks to everyone who has helped increase the number of β1.0 ready' synapse installs. If you don't know what this means, see our blog. https://arewereadyyet.com reports > 60% adoption on a per server basis, and high 90s on a per user basis. We are now really close to being able to ship a 1.0 release candidate and start the 2 week countdown before releasing 1.0 proper.
This week we have focussed on performance, richvdh has been working on batching of outgoing read receipts and hawkowl shipped a much more performant implementation of user search. Erik has been putting the state compressor through its paces, he saw one room compress down to 1% of its original size. Andrew has been focusing on ensuring spec compliance on various Synapse endpoints and is currently looking at some bugs in the federation tester.
It's the most up to date version straight from the pipeline, so not necessarily stable.
You can now scroll up and load history
As part of the project, Wilko also announced the intention to create a Dart SDK:
I'm currently working on a Matrix SDK for Dart, which will be used for the Pattle rewrite in Flutter.
The reason for this is outlined here. To summarize: My goal for Pattle is to release for not only Android but also iOS and web, with a single code base. Other reasons include that Android native development is just bad, and the fact that I'm not too happy with the official Matrix Android SDK design and documentation.
I will maintain and also add some features to the current version of Pattle, to try things out. The Flutter version will replace the native one once the features are in sync.
Click on the smiley face to the right of where you type messages then the Edit button in the top right.
Paste the URL of the sticker pack into the box and click "Add Stickerpack".
Start using your new stickers.
These instructions are also available at https://github.com/turt2live/matrix-dimension/blob/master/docs/custom_stickerpacks.md as is the admin/operator guide for running your own sticker bot (you're not stuck with using t2bot.io unless you want to be). Custom sticker packs are still beta while the proposals to share this with the wider Matrix ecosystem are still works in progress. This serves as a proof of concept to see how crazy of an idea it is to have stickerpacks-as-rooms (yes, they're just plain Matrix rooms under the hood) and what needs ironing out before moving ahead with the MSC.
Brendan has created a notification profile manager:
Over the past few weeks, I grew a bit fed up of always having to turn on and off every notification rule each time I'm having a slight change in what I'm working on or depending on what mood I was in (e.g. want to focus only on work-related stuff and nothing else, don't want to hear about work at all, somewhere in the middle, etc.), so I built a notification profile manager for Matrix. It's available both as a command line interface or a Go package in case people want to build on top of it.
It allows one to take a snapshot of their current notifications settings and save that as a profile, so that this profile can be applied later. It also allows one to delete a profile or list the existing profiles (more features to be added as time goes by). In order to make the whole thing interoperable with other projects building on top of the Go package, it also uses the user's account data on the user's Matrix homeserver to store profiles.
F0x has recommenced development on the Matrix client Neo:
After discussion following https://cyberia.social/@foks/101785513826000032 I've resumed development on Neo. Suggestions are very much welcomed on the pad and mastodon thread I'm implementing components one by one now, with just mocked events. Actual Matrix integration will come when the gui components are ready.
Neo is now partly integrated with matrix-js-sdk because I grew tired of having to write my own mock events. There's a basic authentication flow, with 0 error handling, and parsing of m.text and m.image events
mautrix-telegram 0.5.0 was released after I finally fixed the bug that was causing the bridge database to lock up. It turned out to be a single line of ORM usage that I had missed while converting everything to use SQLAlchemy Core.
The full release notes are at https://github.com/tulir/mautrix-telegram/releases/tag/v0.5.0.
I also released v0.5.1 to fix a bug that made the DBMS migration script not work and Python 3.5 compatibility. I wouldn't recommend using Python 3.5 though, I'm going to drop support for it some time after Debian 10 is released
I love that you've got Amazon with their Alexa messaging, Apple in their own bubble with iMessage, Facebook doing chat 3-ways and Google trying 50 ways to do chat. And that's before you even get into things like Slack, Discord, Telegram, Riot, Line, WeChat etc etc. And then the current hot way to chat is in a document...
I mean, how much money is being invested in trying to create the perfect chat solution?
That's the news, if you have something to say, or something to add, then you should go to #twim:matrix.org and share it. If you have other projects to discuss, come share them. If you'd prefer to come quietly, my door is always open: @benpa:matrix.org.
Folks, as you know we are now very close to achieving Matrix 1.0 and finally being in a position to shed our βbeta' tag. It has been a long time coming and speaks to the huge effort from hundreds of people over the past 5 years.
A critical step towards this goal is the release of Synapse 1.0. We want to ship Synapse 1.0 as soon as possible but can't do so without your help!
We'd like to introduce AreWeReadyYet.com - a quick and easy way for everyone to track the progress and check if their federation is ready for Matrix 1.0!!
Synapse 1.0 is good news for anyone running a Synapse installation - it contains critical bug fixes, security patches, a new room algorithm version and dramatically improved user and room search. However, as part of the security work it also
contains a breaking change from previous Synapse versions. From 1.0 onwards it will necessary to ensure a valid TLS certificate on the federation API. Self signed certificates will no longer be accepted. Why would we do such a thing?
In anticipation for this, everyone currently running a homeserver must ensure that they have checked their federation certificate (check yours here). Failure to do so will mean being unable to federate with any Matrix 1.0 compliant server. If your server fails the check, our FAQ has all the details on what you need to do.
This post is a call to arms to try and get as many admins to upgrade their certificates as possible. We are tracking adoption at https://arewereadyyet.com - currently this sits at about 55% - we need this figure to be higher before we can pull the lever. Β
So what are you waiting for? Check that your server has valid certs - then tell all your admin pals to do the same.
Friends don't let friends miss out on Synapse 1.0, send them to arewereadyyet.com (or tweet here to remind them!) We really need the community to help us here because at some point soon, we will need to pull the lever and release.
Once we make more progress on adoption, we will announce an official release date and finally get Synapse out of beta!
This week you're stuck with me, but I'm chatting to Ryan, who works on Riot web. Having previously worked at Mozilla, Ryan has a LOT of interesting things to say about Firefox, the browser market, the importance of decentralisation, Matrix being GREAT, and more.
It's all about 1.0 for the Synapse gang this week. This means performance improvements across the board in the form of read receipt batching, user directory (room directory coming soon!) and rate limiting on log in and registration APIs.
Brendan shipped the low bandwidth CoAP proxy we demo'd at FOSDEM
As well as a bunch of spec implementation projects to ensure that Synapse (and Sydent) are ready for Synapse 1.0.
Turn-of-phrase of the week from Half-Shot ("make it more performant and less crashy"):
synapse-netcore-workers is progressing as strongly as ever. This week has mainly been supporting a couple of users trying to use the fed sender, and also trying to make it more performant and less crashy. I've been using it solidly for two weeks now, and by and large it's been working nicely :)
Black Hat has been working on Cortex, a similar project in Rust:
Support for replication protocol in Cortex is mostly complete. A federation sender worker implementation is being worked on. If anyone is interested or wants to contribute, please go to #cortex:encom.eu.org
Wilko announced Pattle, a Matrix client for Android:
Hey all, I've been working on my Matrix Android app, Pattle! The goal of Pattle is to be an easy to use app for Matrix, with it's design inspired by popular apps such as WhatsApp and Telegram. Development happens here, and contributions are encouraged! The app is not currently suited for daily use, but some functionality is there, such as registering, logging in and viewing chats.
Currently it's an Android only app using the official Matrix Android SDK, but the plan is to support iOS and web too, in the future.
There's also a sort of design document available, stating how Pattle differs from standard Matrix apps and what it's goals are. The intent of the design document is to make development easier later on for other platforms
Quaternion 0.0.9.4 beta 2 (too many numbers? That too shall pass) is out, with bugfixes and translation updates. Notably, Quaternion won't crash on upgraded rooms in some cases, and won't cry in #gsoc:matrix.org and other v3 rooms. Translators are still strongly encouraged to push forward - due to all the features and fixes, there are many untranslated strings across the board! Also, some bugfixes are still in order before we can call the release RC, and some of them are really easy - so if you'd like to contribute, it's a great time to start!
iOS released 2 times. Last release was to fix an issue with invalid scalar token.
Review of one PR from the community for iOS10 notifications.
Started implementing device verification with emoji.
We've released v0.8.25 on Thursday, containing refresh of invalid scalar token, and some bugfixes. Links on m.notice messages are now clickable again. Started implementing device verification with emoji.
I just realized that I haven't had lazy loading activated by default in the Ruby SDK, despite having had lazy loading code in place since ages back, so now that's going to be the default value going forward.
Further:
I started hacking - just a couple of hours or so ago - on a notification sender for The Foreman, a server orchestration system. So it can forward notifications to Matrix. https://github.com/ananace/foreman_notification_send
If you're using, or considering using, The Foreman for orchestration this may be very useful.
matrix-appservice-bridge got a 1.8.0 release last night, featuring automatic handling of room upgrades for all your room upgrade needs. Providing your bridge uses the RoomStore as designed, it's literally a few lines to enable :). Changelog here
What is this? A matrix-appservice-irc release? No, it's a release candidate. Announcing that 0.12.0-rc1 is now out and about for folks to play with. More IRC updates to come in the future :)
I wrote a small bot that takes a kick/ban policy from room state from all rooms it's a member of and tries to enact that policy. In practice that means it applies a regex to all MXIDs and tries to kick/ban them based on that. It's been a request of TravisR , source code is available at https://gitlab.com/jcgruenhage/banhammer, documentation is still lacking but will hopefully soon be added
So that's all I have to say! I hope you enjoyed this edition of This Week in Matrix, and whether you did or you didn't, I'd love too hear from you in #twim:matrix.org. If you have Matrix news to share, that's the place to come and do so!