Matrix merch is some of the most sought-after apparel and adhesive labeling available in the world today. We supply discerning customers with t-shirts, hoodies and stickers which remind them which decentralised, federated, end-to-end encrypted communications protocol is the best choice.
This is all very well, but we wondered whether it would be possible to have a warm, hooded garment which promotes the wearers preference of chat system, and also has a zip on the front.
Today, we’re proud to announce a breakthrough in this area: Matrix Zipped Hoodies are available now from shop.matrix.org!
Grab yours now from shop.matrix.org!
anoa announced:
Here's what happened in spec land this week:
Merged MSCs:
- MSC 1756: cross-signing devices using a master identity key
- MSC 2313: Moderation policies as rooms (ban lists)
Final Comment Period:
- MSC 2324: Facilitating early releases of software dependent on spec
- MSC 2367: Add reason field to all membership events
New MSCs:
The Spec Core Team have chosen the following three MSCs to focus on for next week: MSC 1270 (URL resolver in media), MSC 2366 (accept in verification), and MSC 1849 (aggregations/edits)
Neil offered:
This week we put out Synapse 1.6.0, and 1.6.1 checkout all the juicy details in the blog post. Aside from that message retention and ephemeral message support continues and we expect the latter to merge early next week.
The next big thing we’ll be looking at is sharding out the Synapse master process so that instances running in worker mode can make full use of the CPU power available. This will make a big difference to matrix.org.
Several packaging projects have been updated to deploy the new version
Additionally, from JCG:
Synapse 1.6.1 has been packaged for VoidLinux, FreeBSD and Alpine Linux, with NixOS waiting to have the PR updating it to 1.6.1 merged. Synapse 1.6.0 has been packaged for Debian Unstable and Ubuntu 20.04.
JCG announced:
The container image with the updated LDAP auth provider over at https://gitlab.com/famedly/container/synapse-ldap/container_registry has been updated to 1.6.0 too.
Timothée has been working on a university project to integrate the Yggdrasil library into the CoAP proxy, which allows Matrix homeservers to federate over a pure Yggdrasil connection instead of using IP. The Yggdrasil portion gives full reachability and traffic forwarding between nodes in the mesh even in complicated topologies, and end-to-end encryption as an additional benefit
As a reminder,
Yggdrasil is a proof-of-concept mesh network that is designed to avoid the scaling issues that we've seen in the past with existing mesh systems. It uses a spanning tree-based topology and aims to make all nodes in the mesh fully routable, even at massive scale
If you'd like to know more, come chat to the folk in #yggdrasil:matrix.org, and read https://yggdrasil-network.github.io
New Vector (the startup which the original Matrix team founded in order to hire folks to work on Matrix as their day job) are currently hiring people so if you ever wanted to work on Matrix full time get in touch.
Neil says:
You can read all about it here but we are particularly keen to speak to people who want to hack on Synapse or work in Operations.
We are remote friendly though find it easier to hire people in some territories than others, so if you have any questions just ask.
You can apply via the site, or alternatively reach out to @neilj:matrix.org (engineering) or @nadonomy:matrix.org (design).
On top of this, Neil Alexander, creator of Seaglass and maintainer of Yggdrasil, will be joining New Vector. He said:
I shall most likely be working with the backend team on Synapse/Dendrite and I think there's a couple of other things like the coap-proxy too
Tulir said:
I made two pull requests to Sorunome's mx-puppet-bridge projects:
- A relaybot mode in mx-puppet-bridge. Basically means any mx-puppet-bridge can be used as a relaybot bridge.
- OAuth login flow for mx-puppet-slack. Should be useful for those in slack workspaces that disallow legacy tokens.
Half-Shot offered:
My fellow comrades, today we have released 0.14.0-rc1 of the IRC bridge. The changes are massive and vast, and frankly it probably could have been done in 2 or 3 releases. At any rate, this release contains support for PostgreSQL Datastores and Sentry monitoring, amongst other small quality of life changes. The bridge has also had a total refactor using Typescript, and it's a little bit nicer to look at now.
Annie told us:
- Ditto is now redesigned with a fresh new look!
- Functionality:
- Login, send / receive messages, logout
- On Deck:
- Notifications, writing a new message (in that order)
Come chat about UX and things you'd like to see in Ditto!
Matrix room: #ditto:elequin.ioiOS: https://testflight.apple.com/join/9M0ERlKd
Website: https://dittochat.org
Feedback: https://plan.dittochat.org
swedneck asked if being purple in colour, the project used libpurple? The answer is no, it uses React Native, and he was widely rebuked for doing so.
kilian offered:
I spent the last few days building my Matrix client Nio 😄 Apple just approved a very early first alpha for TestFlight distribution. It really doesn't do a lot aside from account authentication and displaying recent chats and messages. It is able to handle e2e encryption, but unfortunately doesn't persist the encryption keys right now (meaning it loses them and re-requests them from other clients on being restarted). It's built on SwiftUI and runs on iOS (iPhone and iPad). The app will likely not run as-is on macOS in the future, but I'd love to also build a separate version of Nio for macOS once the iOS app is functional.
Website: https://nio.chat Repo: https://github.com/kiliankoe/nio TestFlight: https://testflight.apple.com/join/KlXr3kKz
Note that this is not connected to the existing Matrix project, matrix-nio.
yuforia reported:
koma, Kotlin library:
- Start replacing Retrofit with Ktor, which is JetBrain's HTTP library for building projects that can be compiled to Native, JVM, and JavaScript. Currently, coexistence of both libraries causes the package size of applications based on Koma to increase to some extent, this will no longer be the case after the transition is complete.
Continuum, desktop client based on koma, version 0.9.31:
- Implement minimal XML parsing without adding additional dependencies to extract user ID and name from
formatted_body
used by Riot- Display mentioned users with highlight and avatar.
Ryan reported:
- Continued work on setting up cross-signing and secret storage keys in labs
- Device verification is moving to the user info panel and happening via DMs also in labs
- Fixes for system theme and read receipts
- Improved signing for Windows builds
- Converting tests towards native promises
From Manu:
We have a new bottom sheet that we are going to use a lot in the coming designs. We used it in the widget permission screen. Meanwhile we are working on user verification by DM
From Manu:
We made a release this week with all the work around privacy for the use of an Integration Manager and widgets.
From Manu:
All flows for registration and login are now supported. Please test them on your specific homeserver configuration in case we miss something. We are also working on user verification by DM.
Mathijs reported:
mvgorcum/docker-matrix:v1.6.1 is now on docker-hub
Slavi announced:
matrix-docker-ansible-deploy has switched from the bubuntux/riot-web Docker image to the official vectorim/riot-web image. There should be no visible changes for users. We're just hoping for faster releases by keeping closer to upstream.
Rank | Hostname | Median MS |
---|---|---|
1 | room409.xyz | 477.5 |
2 | aime.lesmatric.es | 483 |
3 | hackerspaces.be | 642 |
4 | maunium.net | 662 |
5 | matrix.vgorcum.com | 676 |
6 | finallycoffee.eu | 704 |
7 | uraziel.de | 710 |
8 | thomcat.rocks | 829 |
9 | dodsorf.as | 911 |
10 | datenverein.de | 1002 |
See you next week, and be sure to stop by #twim:matrix.org with your updates!
Synapse 1.6.0 has landed and is here to brighten your day!
1.6.0's most notable feature is that of label based filtering. It allows for messages to be tagged with a given label so that clients can filter on the label, this means that clients can subscribe to specific topics in a room, such as #lunch.
Completely separately, from here on in new rooms will be version 5 by default, all this means in practice is that servers will respect server signing key validity periods. This won't make a lot of difference in day to day operation, but it is an important security consideration and we now have sufficient penetration across the federation to make version 5 the default.
Aside from that there are a bunch of bug fixes and improvements, including fixing a bug that in some cases prevented messages being decrypted shortly after a restart (#6363) and generally improving the room upgrade experience (#6232, #6235).
As ever, you can get the new update here or any of the sources mentioned at https://github.com/matrix-org/synapse. Also, check out our Synapse installation guide page
The changelog since 1.5.1 follows:
/sync
and /messages
(MSC2326). (#6301, #6310, #6340)git
is not installed. (#6284)/purge_room
admin API. (#6307)hidden
field in the devices
table for SQLite versions prior to 3.23.0. (#6313)rc_login
ratelimiting would prematurely kick in. (#6335)to_device
stream ID getting reset every time Synapse restarts, which had the potential to cause unable to decrypt errors. (#6363)private key
and public key
to secret key
and site key
respectively. Contributed by Yash Jipkate. (#6257)INSTALL.md
Email section to talk about account_threepid_delegates
. (#6272)account_threepid_delegates
configuration option. (#6273)synapse_port_db
script. (#6140, #6276)persist_events
out from main data store. (#6240, #6300)if
statement. (#6269)isort
over the scripts
and scripts-dev
directories. (#6270)logger.warn
method with logger.warning
as the former is deprecated. (#6271, #6314)flake8
step. (#6277)federation_server.py
to async/await. (#6279)lint.sh
for code style enforcement & extend it to run on specified paths only. (#6312)resource
module. (#6318, #6336)OpenPush is Marcus' project to remove the need for Google to be involved with push notifications on Android. We chat in some detail here about his work, the Prototype Fund, and other great topics.
Neil reported:
Those following closely will know that the matrix.org home server has been having some problems with our hosting provider. This really came down to I/O provision and stability therein. It turns out that running a homeserver is harder when it can’t talk to the db.
We have now fully migrated to our new provider (with improved hardware specs) and you should notice everything feeling much much snappier.
https://twitter.com/matrixdotorg/status/1197828358664589312?s=20
https://twitter.com/matrixdotorg/status/1197576886278393856?s=20
Neil reported:
We have also taking the time to upgrade all of our community rooms to modern room versions. This should mean an end to state resets and other unintuitive behaviour associated with large public rooms.
kitsune offered:
I have been dismantling my habitat in Japan and will spend a couple of weeks in Moscow, Russia before moving further west to the Netherlands. Due to this, expect very low activity on Quotient front in December; but I still intend to release the first beta of libQuotient 0.6 in the remaining week, breaking the half-year span without releases.
Good luck!
anoa told us:
Here's your weekly spec update on what happened last week in spec land.
New MSCs:
Entered Final Comment Period:
- MSC 1756: cross-signing devices using a master identity key
- MSC 2313: Moderation policies as rooms (ban lists)
Merged:
This week, the Spec Core Team is focusing on the following 3 MSCs: 2241 (DM key verification), 2324 (new spec process), and 2326 (label-based filtering).
Neil told us:
This week released Synapse v1.6.0rc1 and will release the real deal next week. 1.6.0 contains a lot of ground work for e2ee cross signing, supporting multiple databases (to aid db sharing) as well as a bunch of bug fixes and perf improvements.
Aside from that we’ve been working on room retention support and ephemeral messages which should be ready to merge rsn.
Finally we’ve been working on improving config granularity for caching, such that individual caches can be configured via homeserver.yaml. Experimenting with this approach to caching has proved to be very powerful in tuning performance, expect to see it on mainline shortly. Further down the line we'd like to make it more dynamic so that manual tuning is unnecessary.
This is also now available from Mathijs' docker hub repo.
Tulir reported:
Facebook decided to break everything and switch from long polling to MQTT over websockets, but mautrix-facebook has already been updated with initial support for the new protocol. It's still a bit buggy though, e.g. reconnecting after a disconnection doesn't seem to work properly
Bruno offered:
I have started deploying Brawl, you can try it at https://bwindels.github.io/brawl/
Also few small new features and fixes since the last TWIM mention a while back:
- make initial sync faster: it uses the lazy load members feature to not load a lot of room state on initial sync as that isn't used yet anyways.
- more useful room list: room aliases and are now recognized for the room name, and DMs are named after the user id.
- some smaller bugs fixed
yuforia announced:
koma, Kotlin library:
- Update Kotlin to latest release 1.3.60
- Start making use of kotlinx.serialization, making the first step toward multi-platform support (which enables a Kotlin project to be compiled to native, JavaScript, or JVM)
Continuum, desktop client based on koma:
- Implement pop-up and sound, which will be used to show notifications
https://matrix.org/_matrix/media/r0/download/matrix.org/TJlhyKntaXngkHJvdgPIhOsK
Manu announced:
We are almost done in our privacy work around integrations and integrations manager. While we were working on widgets, we made some improvements on them. They now have a menu with some actions (refresh, open in Browser, remove). The jitsi widget now displays the room name, user avatar and name.
@poljar:matrix.org told us:
The PR for matrix-react-sdk has finally landed, the PR for riot-web needed some documentation and is waiting for final review. Work on the UI for our indexer inside of riot has started and some more functionality to load events that are files has been added inside of Seshat as well.
@valere35:matrix.org reported:
Privacy work related to Integration Manager about to be released (SDK + App). Also a couple of bug fixed (including the infinite app restart after SSO token expiration)
Bruno reported:
riot web just gained in-app notifications for verification requests on /develop. See PR at https://github.com/matrix-org/matrix-react-sdk/pull/3661 . All of this is behind the verification over DM labs flag!
Check out these docs, very nice!
@kb1rd:kb1rd.net said:
matrix-notepad It's been a slow two weeks for matrix-notepad since I've been a bit busy.
- The core "Logootish" algorithm was documented
- "Logootish" was separated out into its own repo (
logootish-js
) and converted to TypeScript.- TypeDoc was used to document the
logootish-js
algorithm- Fixed some wonderful spelling errors in the algorithm code
- Nothing has changed for the main Matrix Notepad repo, so there's no user difference. It just makes the core algorithm a bit easier to read.
My plan in the future is basically to work out rich text and JSON object collaboration (clearly, this is far away!) and create some kind of "universal client" that can load up web apps to use the algorithm in a single Matrix room. The result would be that it's much easier to create collaboration apps.
Obviously, that's a far-off goal, but my point in documenting the algo is to get ahead of the game a bit
TravisR announced:
v0.4.0 has been released of the matrix-bot-sdk. Last week was beta 15, and now it's out for real. There's quite a few changes from v0.3.9, but here's an overview:
Support for encryption through Pantalaimon
Support for metrics
Finished support for appservices
Better support for bridges (storage, mappings, and utility functions)
Classes for events and other structures in Matrix
Utility classes for permalinks, profile caching, Synapse admin APIs, and server ACLs (globs)
Improved logging support
Various bug fixes and improvements
Give it a test, and report any issues in #matrix-bot-sdk:t2bot.io ! The full diff is available here: https://github.com/turt2live/matrix-js-bot-sdk/compare/v0.3.9...v0.4.0
@swedneck:permaweb.io said:
I made a really simple matrix library for python, and a couple of utility scripts that make use of it! https://gitlab.com/Swedneck/simplematrixlib, https://gitlab.com/Swedneck/py-matrix-utils
Tulir announced:
Maubot will now automatically follow room upgrades. In addition to that, plugins storing room IDs in the database have been updated to automatically update the database when the room is upgraded.
In other maubot news, the PR by lorico to rewrite my old GitLab bot as maubot plugin was finally merged.
Rank | Hostname | Median MS |
---|---|---|
1 | aime.lesmatric.es | 453 |
2 | room409.xyz | 477.5 |
3 | tedomum.net | 516 |
4 | dmnd.sh | 597 |
5 | maunium.net | 597 |
6 | matrix.vgorcum.com | 723.5 |
7 | kolosowscy.pl | 766 |
8 | datenverein.de | 780 |
9 | cadair.com | 819 |
10 | dodsorf.as | 892 |
Impressive progress on the PinePhone, Martijn Braam has been showing off various apps running, particularly interesting is that they are showing Quaternion.
See you next week, and be sure to stop by #twim:matrix.org with your updates!
This week I spoke to Annie from the Ditto project.
Find out more:
#ditto:elequin.io
Testflight: https://testflight.apple.com/join/9M0ERlKd
Feedback: https://ditto.upvoty.com
Mathijs offered:
I opened my first MSC, to use webrtc for streaming file transfers from device to device (rather than account to account)
anoa said:
New MSCs
In Final Comment Period
Merged MSCs
The Spec Core Team's focused MSC's continue to be MSC1756 (cross-signing), MSC2324 (new spec process), and MSC2313 (ban lists).
anoa said:
This week saw work on implementing message retention policies, the continuation of migrating matrix.org to new hardware and some other little fixes.
The public rooms directory is also set to private by default now. Please read the accompanying blog post for the reasoning behind it.
We missed it at the time, but the Ruma project has some updates to share, focused on the ruma-events projects.
https://www.ruma.io/news/new-releases-2019-11-05/
Over in #matrixservers:raim.ist, grin provided this list-of-lists of Matrix public home servers:
Tulir reported:
mautrix-whatsapp now has basic relaybot support. Since WhatsApp doesn't have usable bots, relaybot in this case means using a normal account as a relay. To enable the relaybot in your bridge instance, copy this config block into your config, update is as needed, and simply log in normally in the configured relaybot management room.
Half-Shot announced:
Hey all, matrix-appservice-slack 1.0.2 has been released. This contains a small number of bug fixes and doc changes.
Wilko announced:
A new version has been made available and should soon be on Google Play!
Note that this version will not be on TestFlight (yet) because notifications are currently only implemented on Android (using Firebase, so same goes for F-Droid for the time being).
Changes
- Show notifications when receiving a new message!
- Username is not checked whether it's available anymore
This was done for a future feature (registration), however, a different approach will probably be taken.
Get Pattle
Issues or suggestions
If you stumble upon any issues or would like to suggest features, please do so here! You can login via GitHub and Gitlab.com!
Follow development
Follow development in #app:pattle.im!
yuforia told us:
koma, Kotlin library:
- Implement timeout in coroutines instead of waiting for timeout errors from HTTP library, which makes it easier to change the timeout on demand and may improve performance to some degree
- Make use of experimental feature
contracts
in Kotlin 1.3 to avoid cast errors when inline class is used in non-local returns- Add API for getting thumbnails
Continuum, desktop client based on koma, version 0.9.28:
- Use thumbnails of images and avatars to reduce data usage
https://matrix.org/_matrix/media/r0/download/matrix.org/GMyoaOATXbdcgKnGXCgpDnEA
Bruno said:
Riot web should gain a new design for the member panel, with a UX more suited for a world where cross-signing is a thing. Will land today or early next week behind a feature flag on /develop.
There are some screenshots on the PR: https://github.com/matrix-org/matrix-react-sdk/pull/3620
benoit offered:
Riot-Android: we are working on widget permission: new widget permission UX and use integration manager defined on the homeserver by default.
Manu offered:
Riot iOS: We have fixed the display of terms for integrations. Riot iOS 0.10.2 is on his way to the App Store
benoit offered:
RiotX: We are working on registration and login flow. Also spoiler are rendered and can even be sent using /spoiler command. It's also possible to block (ignore) and unblock users. Performance have been improved, and we are now using the new FragmentFactory. We are working on room detail screen, sticker rendering, and lots of other fun features. We schedule a release at the beginning of next week.
TravisR reported:
v0.4.0-beta.15 of the matrix-bot-sdk has been released. v0.4.0 final is a themed release for lightweight bridges, and so far much of the common functionality is there. Some of the more niche and large features have yet to land, but the final release is still on the horizon (see what's left here). Please give it a test (
npm install [email protected]
) and report any issues to #matrix-bot-sdk:t2bot.io.
BETA FIFTEEN
@poljar:matrix.org offered:
Seshat got a new release 🎉. Seshat now supports transparent index encryption. The PRs for Riot-desktop have been updated and encryption has been enabled for the index. The PRs are currently awaiting review, encrypted search will come to a place near you really soon™.
@ptman:feneas.org offered:
I (and hopefully others) feel that matrix needs more home servers. That's why I wrote a guide for setting one up using free resources and @benpa was kind enough to include it on matrix.org: https://matrix.org/docs/guides/free-small-matrix-server/
Regarding the recent discussions about room security, Slavi has been thinking about default settings for his ansible playbooks:
I wasn't entirely convinced what we should do about it. For my own personal (family & friends) homeserver, I have a few rooms published (this room being one of them), which are all public and OK to be published publicly. I was okay with the old defaults. Still, I can see how people may expect stricter defaults though. I've leaned on following this advice and making it not publish by default. I've made that change here.
@jaywink:federator.dev reported:
Matrix-Alertmanager, a bot that relays Prometheus Alertmanager alerts to Matrix rooms, gets a new release v0.1.0. Thanks to "daniego" the messages are now HTML formatted. Also dependencies have been bumped, Matrix JS SDK by "Lyr" and all the other deps by me. For more info: https://git.feneas.org/jaywink/matrix-alertmanager
aa13q offered:
I've made a presentation about Matrix at the local 2600 meetup at Saint Petersburg, Russia recently. And now translated the text retelling into English too. It's an introduction presentation in general but (thanks to kitsune! :) it also contains good comments about the parts I've missed :) Would be happy to get feedback about the typos/etc. I hope it could be helpful to somebody who is willing to tell about Matrix in other local places :) https://aa13q.ru/#!posts/2019-11-01-matrix-2600/meta.md
@jaywink:federator.dev reported:
Not a part of the organizers, but syncing here for wider reach. There is a "FediConf 2020" conference being planned to happen in Barcelona sometime between May and September next year. It will be a conference for a wide audience of federated folk, so Matrix people might be interested in joining up. There is a poll for dates, a forum and also a Matrix room: #fediconf:matrix.libertalia.world
kitsune said:
in a complete coincidence with aa13q, I also talked about Matrix at Tokyo LUG. Plenty of good discussion. TLUG folks are extremely interested in decentralised identities and data retention as next most important frontiers in Matrix evolution.
Rank | Hostname | Median MS |
---|---|---|
1 | dodsorf.as | 457 |
2 | neko.dev | 507 |
3 | tedomum.net | 545.5 |
4 | aime.lesmatric.es | 572.5 |
5 | maunium.net | 579 |
6 | dmnd.sh | 630 |
7 | freitrix.de | 641 |
8 | matrix.vgorcum.com | 647.5 |
9 | kolosowscy.pl | 780 |
10 | grin.hu | 822 |
See you next week, and be sure to stop by #twim:matrix.org with your updates!
Hi all,
Over the course of today we've been made aware of folks port-scanning the general internet to discover private Matrix servers, looking for publicly visible room directories, and then trying to join rooms listed in them.
If you are running a Matrix server that is intended to be private, you must correctly configure your server to not expose its public room list to the general public - and also ensure that any sensitive rooms are invite-only (especially if the server is federated with the public Matrix network).
In Synapse, this means ensuring that the following options are set correctly in
your homeserver.yaml
:
# If set to 'false', requires authentication to access the server's public rooms
# directory through the client API. Defaults to 'true'.
#
#allow_public_rooms_without_auth: false
# If set to 'false', forbids any other homeserver to fetch the server's public
# rooms directory via federation. Defaults to 'true'.
#
#allow_public_rooms_over_federation: false
For private servers, you will almost certainly want to explicitly set these to
false
, meaning that the server's "public" room directory is hidden from the
general internet and wider Matrix network.
You can test whether your room directory is visible to arbitrary Matrix clients on the general internet by viewing a URL like https://sandbox.modular.im/_matrix/client/r0/publicRooms (but for your server). If it gives a "Missing access token" error, you are okay.
You can test whether your room directory is visible to arbitrary Matrix servers on the general internet by loading Riot (or similar) on another server, and entering the target server's domain name into the room directory's server selection box. If you can't see any rooms, then are okay.
Relatedly, please ensure that any sensitive rooms are set to be "invite only" and room history is not world visible - particularly if your server is federated, or if it has public registration enabled. This stops random members of the public peeking into them (let alone joining them).
Relying on security-by-obscurity is a very bad idea: all it takes is for someone to scan the whole internet for Matrix servers, and then trying to join (say) #finance on each discovered domain (either by signing up on that server or by trying to join over federation) to cause problems.
Finally, if you don't want the general public reading your room directory, please also remember to turn off public registration on your homeserver. Otherwise even with the changes above, if randoms can sign up on your server to view & join rooms then all bets are off.
We'll be rethinking the security model of room directories in future (e.g. whether to default them to being only visible to registered users on the local server, or whether to replace per-server directories with per-community directories with finer grained access control, etc) - but until this is sorted, please heed this advice.
If you have concerns about randoms having managed to discover or join rooms which should have been private, please contact [email protected]