This Week in Matrix 2021-09-24

2021-09-24 — This Week in Matrix — Thib

Matrix Live 🎙

Dept of Spec 📜

The latest in appservice proposals: Synthetic events

Half-Shot told us:

Hi folks, I've been let loose on more spec things: This time I'm looking at synthetic events. The goal with this proposal is to give appservices more visibility over the innards and actions of a homeserver. When a user registers, we want an appservice to know (perhaps to send them a little greeting, or to provision some resources) or perhaps you want to clear up bridge resources when the user deactivates their account.

The hope with this proposal is that it's going to set the foundations for services to be able to hook into and provide richer functionality based upon user actions outside of rooms. It might sound a little dry right now, but eventually I'm hoping this can be extended in lots of ways and potentially do away with per-implementation modules, instead writing services that work with all homeservers.

Please give the proposal some love/feedback :)

When asked if that was a specification change he drafted because of limitations faced when trying to implement a bridge, he said:

Yeah, so it's something I've been plotting for a while, but internally we wanted the ability to "act" based upon signups to a homeserver i.e. sending a welcome. In the past this has been implemented client-side in Element, but that has obvious caveats.

The traditional response has usually been to write a Synapse module, but I wanted to do something that could be used on other homeserver implementations and also not have to have it co-located with the homeserver, so the natural home for this kind of logic was appservices.

There are other things there too like logouts / deactivations which are good for erasing data on a service too. Generally I'm hoping it can be extended further once it's stable, for other use cases too


anoa announced:

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at

MSC Status

New MSCs:

MSCs with proposed Final Comment Period:

  • No MSCs entered proposed FCP state this week.

MSCs in Final Comment Period:

Merged MSCs:

  • No MSCs were merged this week.

Spec Updates

MSC3401 (Native Group Voip Signalling) has been receiving positive feedback over the course of the week. The MSC spells out how one would go about implementing native, decentralised group voice and video calls over Matrix without the need for a third-party service. This is the next step forward after the full-mesh group signalling work, as demoed in previous editions of TWIM, lands. Quite exciting stuff!

Otherwise there was another Spec Core Team retro this week. Discussion focused mainly on how to handle event types that not every implementation using Matrix may need (think pinned messages and how that might not be very useful for IoT networks...). Watch this space!

Random Spec of the Week

The random spec of the week is... MSC2666: Get rooms in common with another user!

This is actually already implemented and enabled by default in Synapse, believe it or not. But no clients have support for it yet (there is an outstanding matrix-react-sdk PR...).

This is a pretty cool feature in my opinion, any client want to be the first?


MSC3401 looks like there's a lot of work going on on the native VoIP side. I can't wait to see what the future holds!

Dept of Servers 🏢


callahad said:

This week we released Synapse 1.43! This mainly contains internal changes, including those in preparation for Spaces leaving beta, but it's worth calling out that this version of Synapse now uses the MSC3244: room version capabilities API to ask clients to prefer room version 9 when creating restricted rooms.

Support for room version 9 was introduced in Synapse 1.42, so we'd strongly encourage administrators to upgrade.

Perhaps more notably for Synapse developers, we've spent quite a lot of time over the past few weeks improving the SyTest suite of integration tests. Several of the tests had race conditions which would cause them to occasionally fail when testing a multi-worker deployment of Synapse. These flakey tests have plagued our continuous integration pipelines, and are finally being fixed.

The long term plan is still to transition to Complement (written in Go) and away from SyTest (written in Perl), but we still need to ensure that SyTest is reliable in the meantime.

Homeserver Deployment 📥️


Ananace offered:

This week - like all weeks - brings some Helm Chart updates, with matrix-synapse being updated to 1.43.0.

The chart store has been redone to track multiple versions now too, so older versions of the charts will stick around for a while.

Ananace always answering the call on TWIMday!

Aine announced: now offers hosting options (and some more stuff)

Hi there, Didn't post updates about the service for a while. If somebody not familiar - we setup and maintain matrix servers (based on awesome spantaleev/matrix-docker-ansible-deploy)... and setup VPN... and DNS recursive resolver, and... AND!!!! Provide hosting, yes. So, starting today that's available for everyone (we offer it for some time in "well, you know, we don't provide hosting, but if you want it so hard..." way and it works good)

Even with that update (literally the most requested thing, was in every third order we got), provided hosting considered as your own server, the only difference that you don't pay hosting provider directly, but through us. So, you get root access to the server and we treat it as any other customer's infrastructure

Join room and say hello in

Dept of Bridges 🌉


hifi offered:

Heisenbridge roundup!

Heisenbridge is a bouncer-style Matrix IRC bridge.

Release v1.2.0 🥳

  • Message formatting (from HTML to text) has been drastically improved

  • CTCP replies are now shown correctly but still ignored

  • Mentions/pills always honor room nick

  • Plumb notices don't loop around anymore

  • Self replies don't prefix with own nick

  • Single line truncation works when max lines is 1

  • Multiple fixes to displaynames or messages containing control characters leaking to IRC

  • New dependency: mautrix-python

  • Minimum Python version requirement has been bumped to 3.7

I've also started releasing source archives as GitHub releases for distribution packagers and the project is published to PyPI to have more installation options.

matrix-docker-ansible-deploy has also been updated with the new release, thanks again Slavi 🍻!


What improvements did hifi bring to the formatting you may ask? I asked, and hifi answered:

the fallbacks are inconsistent and usually are markdown which is a lie 😅 replies and mentions are completely all over the place in the fallback in addition to being markdown the unformatted html is now something in between and doesn't do code blocks at all because those ticks are just noise on irc it tries to look like more that you pasted long text rather than sending markdown

That's very considerate for IRC user, thanks hifi!

Dept of Clients 📱

FluffyChat 0.41.0 has been released

FluffyChat is the cutest cross-platform matrix client. It is available for Android, iOS, Web and Desktop.

krille said:

This release features a lot of bug fixes and the new multi account feature which also include account bundles.

All changes:

  • feat: Multiple accounts

  • feat: New splash screen

  • fix: Password reset

  • fix: Dark text in cupertinodialogs

  • fix: Voice messages on iOS

  • fix: Emote settings

  • chore: update flutter_matrix_html, Matrix Dart SDK and other libraries

  • chore: Update to Flutter 2.5.1

  • chore: Updated translations


Multiple accounts and voice messages on iOS, in a single release, no less! Fluffychat is not only cute but also powerfull.


kitsune announced:

After 2+ years of development, Quaternion makes a leap from all the way to 0.0.95. The release notes list some key improvements: reactions, Markdown, revamped timeline, user profile dialog and a lot of other things. It’s the same small and fast client that blends nicely into your desktop environment, it just got much better. Go and get it!

Congrats on the release, kitsune!

Element Clients

Delight team

  • We’re testing & polishing Spaces, releasing them out of beta in the upcoming release cycle next week!
  • On iOS
    • We’re anticipating some performance issues on a very small number of accounts which participate in a very large number of rooms. After trying the next release, if this affects you, please let us know as it’ll help inform whether we cut an off-cycle hotfix or prep changes for the next release.
    • iOS doesn’t support pagination in the Space Summary API yet, so will only return the first 50 rooms in large Spaces when browsing. Support for this is planned for the following release.


  • Released Element Web 1.8.6 RC2.
  • Fixing bugs and cosmetic issues with our Threads feature, currently in Labs.
  • Cross-signing bug fixes.
  • This week we Ran our first community testing session on 1.8.6 with members of the community. We were very pleased with how this went and intend to continue the sessions. You can help making Element even better by participating in our fortnightly testing sessions. Join, and learn how to make the most useful feedback


  • The RC 1.6.0 with spaces is being reviewed by Apple
  • Element iOS requires now iOS 12.1 minimum
  • URL preview and voice message refinements
  • SwiftUI templates have been merged


  • The RC 1.3.0, with Spaces, will be prepared today.
  • We have started to work on Presence
  • We are still working to improve the overall performance of the application and the SDK
  • Also we are doing lots of maintenance on the whole code base, and we are improving the CI.


A minimal Matrix chat client, focused on performance, offline functionality, and broad browser support.

Bruno told us:

Multiple (0.2.12 & 0.2.13) bugfix releases this week for timeline and sync issues, and also some minor UX issues. Get them while they are hot!

Dept of Ops 🛠

synadm is the Synapse admin CLI

jojo offered:

A little synadm release went out this week. Thanks a lot to @govynnus for contributing "Registration token management", it's available as a new subcommand regtok. Also some tiny improvements here and there were brought in to make admin experience even more convenient.

Have a look at the release notes:



Those are the same registration tokens GSoC intern Callum implemented and told us about in this Matrix Live episode.

Dept of Events and Talks 🗣️

Ansible Contributor Summit 2021.09

cybette announced:

Ansible Contributor Summit 2021.09 is happening next week! It will be held over 2 days, on Tuesday September 28 and Friday October 1, from 13:00-21:00 UTC, and will be held on the Matrix platform.

The Ansible Community has recently adopted Matrix as an official chat platform and this is our first Matrix-powered conference. Feedback welcome! You will need a Matrix account to participate in the conversations. For more information, please see Communication - Real-time chat and the Ansible Community Matrix FAQ.

Join the Ansible Social Room anytime before or during the event and say hi! During the presentations, join the Main Conference Room to participate in the discussions. We will also have a session on How we are rolling out Matrix to the Ansible Community.

If you're interested, check out the details and register on Eventbrite. We look forward to seeing you on Matrix at the Ansible Contributor Summit!

Gwmngilfen added:

there's a mix of stuff going on to try out, we have hack sessions on Tues that may use the embedded Jitsi etc, and talks on Friday that will be more presenter/spectator


It's exciting to see an organisation holding an online conference on Matrix!

Gwmngilfen also promised:

I will blog about the setup as a post mortem

We count on that, others are interested in this kind of set-up too!

Dept of Ping 🏓

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

That's all I know 🏁

See you next week, and be sure to stop by with your updates!

Synapse 1.43.0 released

2021-09-21 — Releases — Dan Callahan

Synapse 1.43.0 is out now!

Preparing for Spaces

Quite a lot of work has gone into preparing for Spaces to graduate from beta testing. For example, Synapse now:

  • Asks clients to prefer room version 9 when creating restricted rooms (#10772), via the API defined in MSC3244: room version capabilities.
  • Allows the Spaces Summary APIs to be handled by worker processes.
  • Omits rooms with unknown room versions from the Spaces Summary.
  • Properly handles upgrades of Spaces to different room versions.

Everything Else

This release of Synapse also:

  • Includes initial work toward fully supporting oEmbed for embedding URL previews (#10714, #10759).
  • Slightly speeds up room joins over federation (#10754, #10755, #10756, #10780, #10784).
  • Somewhat improves service restart times for large Synapse deployments.
  • Significantly refactors federation event authentication code for greater clarity (#10744, #10745, #10746, #10771, #10773, #10781).
  • Adds further static type hints to various modules.

We've also spent quite a lot of time on SyTest, our integration test suite. In particular, many of the tests made assumptions about event processing which were not correct when targeting a multi-worker Synapse deployment. These flakey tests have plagued our continuous integration pipelines, and are finally being fixed.

These are just the highlights; please see the Release Notes for a complete list of changes in this release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including AndrewFerr, BramvdnHeuvel, and cuttingedge1109.

This Week in Matrix 2021-09-17

2021-09-17 — This Week in Matrix — Thib

Matrix Live 🎙

We've been chatting with Denis about the vulnerabilities disclosed by Element this Monday.

Dept of Spec 📜


anoa said:

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at

MSC Status

New MSCs:

MSCs with proposed Final Comment Period:

MSCs in Final Comment Period:

  • No MSCs are in FCP.

Merged MSCs:

  • No MSCs were merged this week.

Spec Updates

If MSC2918 above is giving you feelings of déjà vu, don't worry. It already had FCP proposed, but due to a resolved concern being incorrectly processed by mscbot on github, a new FCP proposal was carried out.

In other news, MSC3381 (Polls - mk II) receive a fair amount of attention this week. It implements inline polls via a new m.poll type and makes use of the concept of extensible events. Do check it out if you're interested in voting through means other than message reactions!

Otherwise Alexandre Franke and myself will be looking at cleaning up the CI of the matrix-org/matrix-doc repo next week, as well as continue to move the infrastructure for the new spec release forwards.

Random Spec of the Week

The random spec of the week is... MSC1235: Proposal for Calendar Events.

This one is entirely new to me, and has some slight overlap with some work for MSC2762: Allowing widgets to send/receive events, where we were thinking about how a widget could act as a calendar using Matrix rooms and events as a calendar backend.

The more you know 🌠


Dept of Servers 🏢


callahad said:

The Synapse team is busy gearing up for 1.43.0 next week, which will make room version 9 the default for newly created restricted rooms, among other things.

We've also been doing quite a lot of work on Sydent. Notably, last week's 2.4.0 release introduced a few regressions which have been resolved in subsequent point releases. The one-shot case folding migration script for Sydent is still performing unexpectedly slowly; look for that to be resolved soon.

As the end of the year approaches, now is a good time to ensure you're ready for the deprecation of PostgreSQL 9.6 (November) and Python 3.6 (December). Do you have plans to upgrade to Pg 10 and Py 3.7 or newer? If not, there's no time like the present! 🗓

Lastly, Hacktoberfest 2021 is less than two weeks away! Many Matrix projects intend to participate, including Synapse.

With rooms version 9 as the default, it feels like Spaces are trying hard to escape beta!

Homeserver Deployment 📥️


Ananace said:

And yet again more Kubernetes Helm Chart updates this week, with element-web being bumped first to 1.8.4 and then 1.8.5. More improvements for the new ingress object in K8s 1.19 also landed.

Dept of Bridges 🌉


Heisenbridge is a bouncer-style Matrix IRC bridge.

hifi told us:

Heisenbridge roundup!

Release v1.1.1 🥳

  • Message edits are now supported and use stupid context aware "compact enough" edit format (+ - *)

  • Media will be quarantined if you redact them and the bridge is an admin on the HS

  • Public media URL can now be overridden in control room if auto-detection fails

  • New plumbs respect the default member sync setting

  • ; is included in pill separators

Better message formatting coming up in v1.2.0, I hope 🤔

matrix-docker-ansible-deploy has also been updated with the new release, thanks Slavi!



Tulir said:

mautrix-hangouts has turned into mautrix-googlechat. It's still in alpha stage, but text messages work in both directions, media from google chat works and threads from google chat are bridged as replies.

Dept of Clients 📱

Cinny v1.3.0: Initial Space support and notifications

ajbura announced:


  • Cinny now support Spaces. They are still in early development phase but you can see nesting and pin/unpin to sidebar.

  • There're options to control room notifications now.

  • Also added notification badges to sidebar so now there will be a visual notification of any message in Home/People/Spaces in sidebar.

  • And after a month discussion also renamed 'Channels' to 'Rooms' so don't get confused on finding rooms all over.

  • James (we got new contributor 🎉) added options to change avatar and display names. He also added support for uploading image by copy-pasting.

  • Edit message input now saves message on enter.

  • There now a toggle to view your password on login/register page.

  • And there will be an error message when client disconnect to server.


  • Fixed scroll on login page.

  • Fixed notification badge color in dark themes.


Find more about Cinny at

Join our channel at: Github:



I’m thrilled about Spaces support and I'm certain we’ll hear more about Cinny shortly!


Alexandre Franke got a bit carried away and announced in French:

La grande nouvelle de la semaine est l’arrivée du chargement de l’historique, implémenté par Julian. Nous avons également 2 nouveaux contributeurs :


A minimal Matrix chat client, focused on performance, offline functionality, and broad browser support.

Bruno told us:

Released 0.2.9 & 0.2.10 this week with the main thing being improvements in preventing scroll jumps when resizing or loading more content in the timeline. Not 100% of scroll jumps will be solved with this release, but it should be improved a lot. Please report any issues you may encounter in this area! There were also a few bugs fixed, see the linked release notes. Try it out at!


Brad Murray offered:

Beeper is a unified chat app built on top of Matrix. We've created 10+ open source Matrix bridges and integrated them into an easy to use all-in-one service which does not require setting up your own homeserver. You can learn more at

We've been hard at work for the last few weeks and have a number of updates we'd like to share across all our clients and bridges.

For detailed release notes, check out our changelog here:

All clients

  • New verification flow for Desktop, Android, and iOS! Logging in and verifying your session is now super easy to do. This is extra important for Beeper because we enable secure backup by default and require all users to set up a security key.


  • Added the ability to view your rooms using our Smart Inbox that places the most important messages at the top, or with Classic which leaves the room in a reverse chronological order.

  • You can now select network by network which messages should appear in your inbox using our Inbox Filtering feature

  • We now have beta support for Custom CSS theming! Check out some of the themes that have already been made by the community.

  • Previously we only supported DMs for Discord out of the box, but now you can pick and choose which Discord servers to sync into Beeper



  • A complete beautiful rewrite of the Room List using SwiftUI. The room list now looks much more native to iOS, while still feeling like Beeper.


  • Redesigned room list: we started a redesign of our Android app and adopted the Material design language.

  • Integrated Android SMS bridge: Our previous Android Messages bridge was built on a shakey puppeteer foundation, so we rewrote it. Our new Android SMS uses native APIs to send/receive SMS. RCS remains elusively out of our grasp for now. We open sourced our bridge at




  • We are hiring! Come join many other Matrix community members who have joined the Beeper team including,,, and (who replied to our last TWIM job post and got a job at Beeper within a week!)

  • We are hiring senior iOS, Android developers and a DevOps/SRE (preferably in North/South America timezone)

Check out our Jobs page here Apply via that page or just send a DM


Nheko is a desktop client using Qt and C++17. It supports E2EE and intends to be full featured and nice to look at

Nico ( reported:

Nheko got a lot more colorful this week. red_sky ( and LorenDB finished up the jdenticon support. This means instead of the first character of a users display name, you now have the option to see a colorful avatar for users without an explicit avatar. You may have seen something similar on Github and other platforms. Currently this needs the qt-jdenticon plugin, which is a bit troublesome to install correctly, but we should improve that in the near future.

Prezu added a homeserver entry field to the room directoy, making it much more useful (no history yet though). Thulinma added a /goto command to navigate to specific events or room and fixed scrolling to a specific event (in the past it only approximately scrolled to the right location). Symphorien added the Alt+A shortcut to navigate between rooms with active mentions and notifications. Additionally Priit completed the Estonian translation.

Additionally we released a security fix on Monday (together with a few other clients). We only released a fix for the master branch in Nheko instead of also the latest stable release. This confused a few people, but I hope my explanations made sense. The gist of it is:

  • On the master branch the local homeserver admin could force Nheko to forget which identity keys it saw for a user and as such insert a new device with the same device id, but attacker controlled identity keys and request old encryption keys from Nheko. In Nheko's case we had some protections against that, but if the server sent a device_list.left event for that user, Nheko would delete those protections. From our understanding this could not be abused over federation.

  • On 0.8.2 this can also be abused, but 0.8.2 does not implement key sharing completely. It can only forward the currently in use encryption key, not historical ones. As such the impact in our opinion was too limited to release a security fix. 0.8.2 does not allow you to send encrypted messages only to verified devices as such the homeserver admin could always insert just a different device to get access to new encrypted messages. Because of that we have a big warning in the README and when enabling encryption in 0.8.2, that one should not rely on the security of the E2EE implementation in it. We are aiming to have stable and secure E2EE in the next release (and so far it is looking good), but if you are using 0.8.2 I can only repeat, that it won't protect you from an attacker even without the disclosed security issue.

I hope this clears up some of the confusion. Feel free to visit us in and tell me, that I am wrong.



Element Clients

Delight team

  • Testing and polishing of Spaces.


  • Released Element Web 1.8.4, with an important security fix
  • Released Element Web 1.8.5.
  • Improvements to replies.
  • Continuing discovery of threads.
  • Cross-signing bug fixes.
  • We’re going to involve the community in testing the product. More details to come early next week if you want to lend a hand!


  • Made another Release candidate 1.5.4 because of reported regressions. It will be available on the app store on Monday
  • URL preview moved out from LABS
  • New screen templates with SwiftUI, mocked data, unit and UI tests are almost there
  • There was a new version of OLMKit with the support of fallback keys
  • The crypto part of the SDK now support fallback keys, key backup cross-signing and device dehydration


  • Released Element Android 1.2.2, with an important security fix
  • Working on improving the build time and the dependency management
  • Investigated performance issue on incremental sync
  • Start working to implement presence support

Dept of SDKs and Frameworks 🧰


uhoreg told us:

This week saw two releases of libolm, a library that implements olm, megolm, and some other Matrix-related encryption functions. The main changes in version 3.2.5 are new functions for getting error codes rather than error strings so that implementations don't need to rely on string parsing to decode errors, and added support for fallback keys in the Android and iOS bindings. There were also improvements in error handling in the unpickling functions, and the shared library no longer exports certain private symbols, which caused problems when those same symbols were exported by other libraries. The initial implementation of this last change caused build failures in some environments, so version 3.2.6 was released to fix this.

Polyjuice Client

Polyjuice Client is a Matrix library for Elixir

uhoreg announced:

Polyjuice is a collection of Matrix libraries in Elixir.

Polyjuice 🧙

A few from the wizarding world this week.

The Polyjuice project wades further into bad pun territory with a new project: Polyjuice Draughts, a set of checkers to verify that a homeserver is set up correctly and is accessible for clients and federation. It is similar in goal to the Matrix Federation Tester, but also checks client connections. It can either be run from the command line, or it can be used in a Matrix room, thanks to Igor, by sending a message of the form !servertest <servername> in a room that has an appropriately-configured bot in it. There is currently a bot in that can be used.


As you can see from the screenshot, my server isn't quite set up correctly, and I should fix it some day...

Polyjuice Client 0.4.3 has been released. This release adds functions for getting room membership (thanks to multi prise) and checking the server spec versions, along with some bug fixes.

Finally, the Polyjuice libraries have moved their git repositories from to The old locations should automatically redirect to the new locations.

Dept of Ops 🛠

Alexey reported:

I have converted the script for auto updating the Element-web instance to latest version from Gist to the full Git repo MurzNN/element-web-update and added support for .env file to set desired variables.

This is a bash script that checks the new released version of Element from official Github repo and if it differs from installed - updates the local files with deleting old version (to cleanup old files) and unpacking new one, but with keeping the config files by mask config*.json.

You can put it to your crontab.daily and got an always fresh Element with forgetting about manual update routine.

Dept of Bots 🤖


Sumner said:

I created a bot to assist with sending standup posts to a room. It reminds you to write a standup post, and then asks you what you did the previous day, what you intend to do today, if you have any blockers, and if you have any other notes. Then it posts a nicely formatted standup post to a room which you can configure.


You can find the source code here:

Dept of Events and Talks 🗣️

Berlin Meetup

Christian offered:

Are you in Berlin 🐻🇩🇪? Why not join us on Tuesday evening at 7:30 PM for a beer or two while chatting about Matrix development and hosting. We're going to meet at Schoenbrunn. This is a small 3G (self-tests are ok) event in an outdoor beer garden.

If possible, join our Matrix Meetup Berlin room.

Dept of Interesting Projects 🛰️

The Board

Timo said:

I am super happy to finally give you another update on TheBoard, due to holidays during the last weeks I had less time to work on TheBoard. But now there still accumulated enough changes for a little Update:

I experimented what technologies I could use for the still required GUI elements. A new User List was implemented using Vue.js. Vue seemed to be a little overkill for the kind of GUI required in the case of TheBoard. So I re-implemented the user list with react-no-js. I am happy with react-no-js and it is used for a user list plus a tool settings menu on the right hand side of the canvas.

The tool panel in particular opens up a lot of possibilities. The eraser already makes use of it by giving the option to only delete specific item types (Image, stroke or text). This can be very handy if you want to delete strokes drawn on top of an image without deleting the image as well. What can be deleted is highlighted by a new filter system which allows to make any modification to objects selected by a filter function (see the attached image)

Other small changes:

  • Animated camera movement (for a upcoming "follow other user" feature) currently used for the Go Home Button

  • Opening a board now loads at the last edited location

  • The touchscreen navigation (zoom/pan) was re-implemented and should now work much better

Links and further reading:

Play with it at: (feel free to join: with the account used for testing to join the first collaborative board) Join the matrix room:

GitHub: Technical Details:


The Board is very exciting! I could see in the planned use cases that Timo already intends to make a widget out of it. It would be very useful for real-time collaboration, but that's not all! When asked if a standalone app will come, Timo confirmed:

Indeed. I wasn't thinking about a builtin home-server yet. But a standalone app is still planned because I want the app to be able to manage different boards. Therefore I need to be able to control room creation and listing rooms. It should basically feel like onenote if you intend to use it like that.

Dept of Built on Matrix 🏗️


Maze announced:

@s7evink The game is called AAGRINDER, hosted at, the code is here, the bridge implementation is here, wiki is here. The game is a text-based sandbox multiplayer browser game that I (Maze) have been building for the past 3 years. Built from nothing, no game engine. It generates an infinite procedural terrain to venture in. The integrated chatbox is nothing special but it's really nice to have it bridged to Matrix now, it's less lonely when playing alone. The appservice bridge creates users matching player name and color. Display names from Matrix are presented in the same color as in Element.

Hopefully you're able to extract some useful information out of this ^^

I love the retro vibe of the game, it's really cool!

Third Room

Robert Long announced:

Third Room is an experimental metaverse client I've been working on for the past couple weeks. It combines three.js and Matrix to create 3D voice chat rooms where you embody an avatar.

There's a lot more info in my talk from last night at the Open Metaverse Interoperability Demo Night (my talk starts at 37:43)

If you want to chat more about Third Room, you can join our Matrix room:


The future is now, I'm really thrilled about Third Room!

Final Thoughts 💭

Beeper mentioned they have several positions open, and Element is also talents hungry. I’m particularly extatic to see that developing skills around Matrix can get people jobs. Of course I encourage strongly people to experiment with the protocol and use it in all sorts of crazy ways!

Dept of Ping 🏓

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

That's all I know 🏁

See you next week, and be sure to stop by with your updates!

Disclosing CVE-2021-40823 and CVE-2021-40824: E2EE vulnerability in multiple Matrix clients

2021-09-13 — Security — Denis Kasak, Dan Callahan, and Matthew Hodgson

Today we are disclosing a critical security issue affecting multiple Matrix clients and libraries including Element (Web/Desktop/Android), FluffyChat, Nheko, Cinny, and SchildiChat. Element on iOS is not affected.

Specifically, in certain circumstances it may be possible to trick vulnerable clients into disclosing encryption keys for messages previously sent by that client to user accounts later compromised by an attacker.

Exploiting this vulnerability to read encrypted messages requires gaining control over the recipient’s account. This requires either compromising their credentials directly or compromising their homeserver.

Thus, the greatest risk is to users who are in encrypted rooms containing malicious servers. Admins of malicious servers could attempt to impersonate their users' devices in order to spy on messages sent by vulnerable clients in that room.

This is not a vulnerability in the Matrix or Olm/Megolm protocols, nor the libolm implementation. It is an implementation bug in certain Matrix clients and SDKs which support end-to-end encryption (“E2EE”).

We have no evidence of the vulnerability being exploited in the wild.

This issue was discovered during an internal audit by Denis Kasak, a security researcher at Element.

Remediation and Detection

Patched versions of affected clients are available now; please upgrade as soon as possible — we apologise sincerely for the inconvenience. If you are unable to upgrade, consider keeping vulnerable clients offline until you can. If vulnerable clients are offline, they cannot be tricked into disclosing keys. They may safely return online once updated.

Unfortunately, it is difficult or impossible to retroactively identify instances of this attack with standard logging levels present on both clients and servers. However, as the attack requires account compromise, homeserver administrators may wish to review their authentication logs for any indications of inappropriate access.

Similarly, users should review the list of devices connected to their account with an eye toward missing, untrusted, or non-functioning devices. Because an attacker must impersonate an existing or historical device, exploiting this vulnerability would either break an existing login on the user’s account, or a historical device would be re-added and flagged as untrusted.

Lastly, if you have previously verified the users / devices in a room, you would witness the safety shield on the room turn red during the attack, indicating the presence of an untrusted and potentially malicious device.

Affected Software

Given the severity of this issue, Element attempted to review all known encryption-capable Matrix clients and libraries so that patches could be prepared prior to public disclosure.

Known vulnerable software:

We believe the following software is not vulnerable:

We believe the following are not vulnerable due to not implementing key sharing:


Matrix supports the concept of “key sharing”, letting a Matrix client which lacks the keys to decrypt a message request those keys from that user's other devices or the original sender's device.

This was a feature added in 2016 in order to address edge cases where a newly logged-in device might not have the necessary keys to decrypt historical messages. Specifically, if other devices in the room are unaware of the new device due to a network partition, they have no way to encrypt for it—meaning that the only way the new device will be able to decrypt history is if the recipient's other devices share the necessary keys with it.

Other situations where key sharing is desirable include when the recipient hasn't backed up their keys (either online or offline) and needs them to decrypt history on a new login, or when facing implementation bugs which prevent clients from sending keys correctly. Requesting keys from a user's other devices sidesteps these issues.

Key sharing is described here in the Matrix E2EE Implementation Guide, which contains the following paragraph:

In order to securely implement key sharing, clients must not reply to every key request they receive. The recommended strategy is to share the keys automatically only to verified devices of the same user.

This is the approach taken in the original implementation in matrix-js-sdk, as used in Element Web and others, with the extension of also letting the sending device service keyshare requests from recipient devices. Unfortunately, the implementation did not sufficiently verify the identity of the device requesting the keyshare, meaning that a compromised account can impersonate the device requesting the keys, creating this vulnerability.

This is not a protocol or specification bug, but an implementation bug which was then unfortunately replicated in other independent implementations.

While we believe we have identified and contacted all affected E2EE client implementations: if your client implements key sharing requests, we strongly recommend you check that you cryptographically verify the identity of the device which originated the key sharing request.

Next Steps

The fact that this vulnerability was independently introduced so many times is a clear signal that the current wording in the Matrix Spec and the E2EE Implementation Guide is insufficient. We will thoroughly review the related documentation and revise it with clear guidelines on safely implementing key sharing.

Going further, we will also consider whether key sharing is still a necessary part of the Matrix protocol. If it is not, we will remove it. As discussed above, key sharing was originally introduced to make E2EE more reliable while we were ironing out its many edge cases and failure modes. Meanwhile, implementations have become much more robust, to the point that we may be able to go without key sharing completely. We will also consider changing how we present situations in which you cannot decrypt messages because the original sender was not aware of your presence. For example, undecryptable messages could be filed in a separate conversation thread, or those messages could require that keys are shared manually, effectively turning a bug into a feature.

We will also accelerate our work on matrix-rust-sdk as a portable reference implementation of the Matrix protocol, avoiding the implicit requirement that each independent library must necessarily reimplement this logic on its own. This will have the effect of reducing attack surface and simplifying audits for software which chooses to use matrix-rust-sdk.

Finally, we apologise to the wider Matrix community for the inconvenience and disruption of this issue. While Element discovered this vulnerability during an internal audit of E2EE implementations, we will be funding an independent end-to-end audit of the reference Matrix E2EE implementations (not just Olm + libolm) in the near future to help mitigate the risk from any future vulnerabilities. The results of this audit will be made publicly available.


Ultimately, Element took two weeks from initial discovery to completing an audit of all known, public E2EE implementations. It took a further week to coordinate disclosure, culminating in today's announcement.

  • Monday, 23rd August — Discovery that Element Web is exploitable.
  • Thursday, 26th August — Determination that Element Android is exploitable with a modified attack.
  • Wednesday, 1 September — Determination that Element iOS fails safe in the presence of device changes.
  • Friday, 3 September — Determination that FluffyChat and Nheko are exploitable.
  • Tuesday, 7th September — Audit of Matrix clients and libraries complete.
  • Wednesday, 8th September — Affected software authors contacted, disclosure timelines agreed.
  • Friday, 10th September — Public pre-disclosure notification. Downstream packagers (e.g., Linux distributions) notified via Matrix and e-mail.
  • Monday, 13th September — Coordinated releases of all affected software, public disclosure.

This Week in Matrix 2021-09-10

2021-09-10 — This Week in Matrix — Ben Parsons

Matrix Live 🎙

Chatting with Manu about iOS, Mobile, team growth and more. See video description for agenda!

Dept of Status of Matrix 🌡️

Incoming security fix

As just blogged there is an important security fix coming for several Matrix clients. More news, and patched versions will be announced on Monday. Though there is no evidence this vulnerability has been exploited, please be ready to upgrade on Monday.

Dept of Spec 📜


anoa announced:

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at

MSC Status

New MSCs:

MSCs with proposed Final Comment Period:

MSCs in Final Comment Period:

  • No MSCs are in FCP.

Merged MSCs:

  • No MSCs were merged this week.

Spec Updates

Lots of new MSCs this week. Thanks to everyone contributing!

Random Spec of the Week

The random spec of the week is... MSC2832: HS -> AS authorization header!

I'm actually surprised myself that this wasn't part of the spec already! Looks like it would be a nice to-do to get this implemented and then checked off by approvers. Anyone want to submit some PRs to HS and AS implementations? 🙂


Dept of Servers 🏢


TravisR said:

Dimension, an integration manager alternative for Element, got a refresh from @TimeWalker to bring the project up to modern day standards. Please give it a go if you've been running Dimension, and report bugs if there's problems! While I haven't personally had time to maintain it as much as I'd like, it's great to see people taking on 3 year old bad code and fixing it 😄

For TWIM readers, Dimension is an "integration manager" that replaces the default one shipped with Element. It's not entirely mobile-ready yet, but does give a user interface for managing various bots, bridges, and widgets. In practice, an integration manager isn't needed as most bots and bridges (and even widgets) can be set up without an integrations manager, like all of (ironically, given Dimension was originally targeted at People do still use it though to configure self-hosted platforms with their very own Element, Synapse, bridges, and bots.

While I still probably won't have much time personally to maintain it, PRs are certainly accepted. Dimension is a bit complex to work within and test, but people in should be able to help out.

Synapse 1.42.0

callahad told us:

Synapse 1.42.0 is out now! This release includes support for Room Version 9, which fixes an issue with Version 8's support for restricted rooms. We also implement a bunch of new MSCs (including MSC3231: Token authenticated registration by Callum Brown as part of his Google Summer of Code project), improve efficiency, and sidestep a longstanding issue with users getting stuck in unsupported room versions. Read the announcement for details!


This week saw the release of Sydent 2.4 which finally implements MSC2265: mandating case folding when processing e-mail address local parts. After upgrading, Sydent administrators must manually run a script to retroactively case-fold existing email addresses in the Sydent database.

This Sydent release also includes support for Jinja2 templating, a complete overhaul of our CI/CD pipeline, and a comprehensive update to the codebase to follow modern Python practices including the addition of mypy type hints throughout.

Lastly, we'd like to welcome Shay to the Backend Team at Element. Her work as an Outreachy intern paved the way for the recent improvements to Sygnal and Sydent. Thanks, Shay, and welcome aboard!

Homeserver Deployment 📥️


Ananace offered:

And another week, another Kubernetes Helm Chart update, this time seeing matrix-synapse updated to 1.42.0 - as well as a whole lot of fixes to support the new ingress object version introduced in Kubernetes 1.19

Dept of Bridges 🌉

matrix-appservice-bridge reaches 3.0.0!

Half-Shot told us:

Hi folks, we're massively pleased to announce the third major release of the TS/JS bridging library matrix-appservice-bridge. This release contains several large breaking changes to the previous way of life, most notably we have stopped using the matrix-js-sdk for most of our code, instead using the matrix-bot-sdk (Hi TravisR , we see you up there!).

There are several reasons why we went this way:

  • Notably, this library focuses work on simply implementing APIs and bridge/bot logic. There is no additional cruft to support client use-cases or browsers.

  • It's historically had a brilliant coverage of the CS and AS APIs, and has been extremely flexible to add new stable and unstable APIs to it.

  • At the start of this project, it was the only library with a complete Typescript coverage. Typescript types continue to be extremely useful to us.

  • We're hoping to make use of the upcoming encrypted appservices support, to replace the slightly janky pantalaimon support the bridge library currently uses.

Thanks to Travis and the bridge team for working through these changes!

There are a bunch of common sense improvements that break API compatibility in this release also, so please be sure to check them out and update. We don't anticipate supporting 2.X except for extreme circumstances.

Finally, we'll be updating the matrix-org suite of bridges over the coming weeks so please watch for bugs and let us know how we're doing!

Dept of Clients 📱

SchildiChat for Android

SpiritCroc announced:

SchildiChat is a fork of Element that focuses on UI changes such as message bubbles and a unified chat list for both direct messages and groups, which is a more familiar approach to users of other popular instant messengers.

After a couple of weeks/months of internal testing and public beta testing, the latest stable version (1.2.0.sc42) now supports UnifiedPush!

This means that you can now choose your own push provider, if you do not want to use Google's FCM push notifications. Huge thanks to for working on this!


Nheko is a desktop client using Qt and C++17. It supports E2EE and intends to be full featured and nice to look at

Nico ( said:

You might remember my short story from last TWIM about the race between different translators? Seems like that one was good enough to motivate a few people to contribute translations. While those don't seem to be 100% complete yet, we saw a significant jump in translation percentages (especially Portuguese), so thank you to everyone who contributed to that!

Thulinma also made the whole userprofile scrollable, which improves the experience on small screens a lot. He also implemented message deduplication by event id, which is required by the spec to be done on the client side. This fixes a lot of duplicates when using conduit and your join event appearing 2~3 times on synapse.

We also fixed an issue with how different homeservers update one time key counts and added some additional code to remove old one time keys, if we ever uploaded to many (which might have happened in the past in a few edge cases). We also now escape img tags in usernames correctly in more places, redundant date separators when paginating back in a room should not appear anymore and tastytea decreased the margins on blockquotes, so that they look less jarring and take up less space.


Alexandre Franke announced:

So many merged requests have been merged since our previous update two weeks ago that I can’t even 😲.

The biggest news is that multi-account support landed in fractal-next (don’t be fooled by the title of the MR, it’s more than just a widget!). I feel like this is one of the most requested features across all clients, yet not many have it yet, and I’m extatic that we’re joining them 🎉. This work was done as part of GSoC by Alejandro under the mentorship of Julian 👏.


Kai made it so that rooms are sorted by activity in fractal-next, like they already are in stable ✔️. He also fixed module inception, for better code quality 🐛.

Julian landed a whole bunch of changes ❗️ He added scrolling and a scroll to bottom button, fixed keyboard shortcuts and a wrapping issue with long “words” that caused the timeline to jump to a wider size. But all this pales in comparison to loading previous events 🤯

Element Clients

Updates from the teams.

Delight team

  • Testing and polishing of Spaces.
  • Room version 9 will be marked as the preferred version for MSC3083 restricted rooms on and released in Synapse 1.43.


  • Released Element Web 1.8.3 RC2.
  • Pushing forward with threads, improving on our Labs prototype. We’re exploring what backend and spec changes we will need to support threads robustly.
  • Cross-signing bug fixes.


  • 1.5.3 is available on TestFlight. It will be released on Monday with:
    • Startup optimisation. The duration is divided by 3 or 4
    • Media size selection on sending: the option must be enabled from settings
    • URL preview under a LABS setting
  • We made good progress on SwiftUI screen templates. We will be able to use them soon for real views or screens
  • Better app navigation is still in progress



Dept of SDKs and Frameworks 🧰


TravisR offered:

v0.6.0-beta.2 has been published of matrix-bot-sdk as an early version to support encryption on bots and improvements to appservices. It's a bit self-directed to figure out how it works, but is available to try and help out.

Please give it a go and report bugs. The final v0.6.0 release is expected to contain not only encryption support for bots, but also appservices and real documentation. For now though, it's just the bots.

MRSBFH - Matrix-Rust-SDK-Bot-Framework-Helper

MTRNord announced:

After 6 Months I finally got a use for this again so I finally did update this.

Basically everything as before but now including recent tokio, recent (stable) matrix-rust-sdk and rust edition 2021.

Source as before over at

Dept of Bots 🤖

Mother Miounne v1.0.0 is here

Aine said:

Miounne? What is it?

It's an "automation backend" bot of and has following features:

  • send html forms from your website directly to matrix

  • manage matrix-registration invite tokens in matrix chat

Miounne hits first stable release. I already shared some info about it here some time ago... but now it's stable! Source code has 83+% of unit tests coverage and some bizzare bug have been fixed.

Besides, now you can use pinned version of the bot (docker registry)

PS: we have room to discuss (whine) and post updates about it

Dept of Interesting Projects 🛰️


Ryan announced:

Patience, a full stack integration testing approach for Matrix clients and servers, has added initial support for Hydrogen this week. As it already supported Element Web, we now have a (basic) system for testing multiple clients together which is taking shape! 🥳 From here, we plan to add configuration options to express the permutations of clients you want to test together.

This project is still in its early stages, but we hope to eventually have support for many different clients and then use it to test common flows like user verification, which can differ quite a lot across clients. If you're interested in this topic, feel free to join the new room.


Final Thoughts 💭

Someone has been making Matrix fanfic! I'm not sure how federation ties in, and for some reason they feature rubber duck debugging at one point but otherwise it looks fun :)

Dept of Ping 🏓

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

Join to experience the fun live, and to find out how to add YOUR server to the game.

RankHostnameMedian MS

That's all I know 🏁

See you next week, and be sure to stop by with your updates!

Pre-disclosure: upcoming critical fix for several popular Matrix clients

2021-09-10 — Security — Matrix Security

Hi all,

A critical security vulnerability impacting several popular Matrix clients and libraries was recently discovered. A coordinated security release of the affected components will be happening in the afternoon (from an UTC perspective) of Monday, Sept 13th.

We will be reaching out to downstream packagers to ensure they can prepare patched versions of affected packages at the time of the release. The details of the vulnerability will be disclosed in a blog post on the day of the release. There is so far no evidence of the vulnerability being exploited in the wild.

Please be prepared to upgrade as soon as the patched versions are released.

Thank you for your patience while we work to resolve this issue.

NextPage 2