The Matrix.org homeserver suffered from an outage on Monday 22 April, between 08:00 UTC and 10:00 UTC, followed by slowness for the next 2 hours.
The outage occurred during scheduled maintenance with no expected downtime. It included upgrading the base OS of the machines running Matrix.org’s deployment.
Update: the terms of the board have been updated with the follow changes:
Welcome to the first ever Governing Board election season for the Matrix.org Foundation! We start with a one week nomination period that opens on Saturday, April 20th and closes on Friday, April 26th AOE time.
We’ll be doing our best to reach out to every constituent group to let them know they are eligible to nominate candidates for the election. That said, this is our first election and we don’t yet have contact information for everybody who is eligible, so we want your help getting the word out.
If you are interested in nominating someone – or yourself – to be a candidate in this election, read this post in its entirety.
To learn about what the Governing Board is, what it does, and the context it operates in, read this blog post from last December. You are also welcome to read the Governing Board’s current bylaws.
Hi folks,
The events of the last week have been utterly terrifying as we’ve seen a highly sophisticated targeted attack on open source infrastructure play out in public, in the form of the liblzma backdoor. Matrix is not impacted by the attack (none of our code or infrastructure is using liblzma or xz 5.6), but it has been a massive wakeup call in terms of understanding the risks posed by overstretched open source maintainership.
Matrix self-defines as the go-to protocol for "open, secure, decentralised communications". The Matrix.org Foundation defines "maximising […] the number of online servers in the open federation" as a key objective in its mission. So why is the Matrix.org homeserver, probably the largest homeserver in the whole federation, still in open registration mode?
Let's dive into the technical, and user experience choices behind it.
Since the Foundation got itself a Managing Director at the end of last summer, it has been working on its independence. With lines more clearly defined between its major supporter Element and itself, the Foundation has been able to clarify its role. The Foundation's major goal, alongside stewarding the specification, is to fill in the gaps where there is no direct organisational interest, to make the Matrix ecosystem grow.
There are two levels where the Foundation can have an impact: at the governance level, in the form of the Governing Board; and at the hands-on level, with working groups and projects.
See below what the coming year holds for us.
The Matrix.org website is the public face of the Foundation, and the first thing you stumble upon when looking up “matrix chat” on a search engine. It’s a very important step in people’s Matrix journey.
A lot of thought has been put into making a website that talks to the various audiences visiting it, but we still have a lot of room for improvement!
The website is only maintained by community member MTRNord in a volunteer way, and part-time by me, Thib. We could use an extra pair of hands or two, but to make the most of people’s desire to help we need to let them know where they can have the most impact depending on their skill set, and how we can accept their help!
Today we launch a new fundraising drive, talk about the scope of the Foundation's work, and begin to unpack our emerging roadmap for the future. There is a lot going on and we need your help to keep it going!
At the end of 2022 Matthew and Amandine sounded the alarm: the Foundation needed more support. To deliver that, they launched the Foundation's membership program. They also introduced open governance, and committed to hiring a Managing Director to act as a robust, neutral steward.
You can help: If you are already sold on Matrix, become a member today. To find out how the last year has gone, and how your support helps us to serve the Matrix ecosystem, read on.
Over the last year, there are lots of positive, healthy signs for Matrix. New members like Beeper and gematik — and hundreds of individuals — boosted our annual revenues from £82K to £364K. The open network has grown from 80.3M to 115M addressable users. We've invested in long-term interoperability efforts at the IETF. And we've shifted focus from experiments to polish, usability, and advocacy.
We've supported development of core libraries, and subsidize hosting for FOSS communities like GNOME and KDE. The Foundation runs the Matrix.org homeserver, with over 250K daily active users, and operates several public bots and bridges. And indeed, the Foundation hired a Managing Director 👋.
You'll find a full accounting of our 2023 activity and finances in our first Annual Report, slated to come out around April 2024.
We join our voices to technology companies, trade associations and other supporters in asking EU member states to align the Council's position on the CSA Regulation to the position agreed by the Parliament.
Safeguarding encryption should be a priority in negotiations, ensuring the protection of rights and freedoms around privacy and security of communications.
A copy of the open letter sent to ministers can be read below.
Dear Ministers of the Interior, Justice, and Economy of EU Member States,
We write to you as small and medium-sized companies and organizations from Europe, concerned about the proposal for a Regulation on Child Sexual Abuse (CSA). Collectively, we call on you to ensure that your country’s position on this file is brought as close as possible to the European Parliament’s (EP) one. We all agree that ensuring children are safe online is one of the most important duties of tech companies and for this reason, we find the European Commission’s proposed Regulation extremely worrying. If it were implemented as proposed, it would negatively impact children’s privacy and security online, while also having dramatic unforeseen consequences on the EU cybersecurity landscape, on top of creating an ineffective administrative burden1. The European Parliament recently adopted its position on the file, acknowledging that scanning technologies are not compatible with the aim of having confidential and secure communications. The crucial changes it therefore puts forward for the proposal reflect the opinions of the European Data Protection Supervisor (EDPS), the Council legal services as well as countless experts in cryptography and cybersecurity2. It also reflects the opinion of between 63% and 69% of the companies, public authorities, NGOs and citizens consulted by the European Commission in its Impact Assessment3. As small and medium-sized tech companies and organizations, we share their concerns as we know that looking for specific content – such as text, photos and videos – in an end-to-end encrypted communication would require the implementation of a backdoor, or of a similar technology called “client-side scanning”. Even if this mechanism is created with the purpose of fighting crime online, it would also quickly be used by criminals themselves, putting citizens and businesses more at risk online by creating vulnerabilities for all users alike.
As tech companies operating within the European Union, we have built products and services in line with the strong data protection framework of the EU which still serves as an example and inspiration across the world.
The GDPR allowed for the creation of ethical, privacy-first tech companies in Europe, that would otherwise never have been able to compete against Big Tech. It gave European companies a strong competitive advantage in that field internationally and allowed consumers to finally be able to find alternatives to American and Chinese services. Our users, both within the EU and beyond, have come to trust our commitment to safeguarding their data and this trust is a key driver of our competitiveness. The learning curve for adapting to the necessary administrative burden brought about by the GDPR was high but was worth it. However, the CSA Regulation could threaten this unique selling point of European IT companies and would also add a new administrative burden which we fear could overwhelm both our companies and law enforcement bodies. Considering the volume of communications and content transiting through our services, even an insignificant error rate of the technologies applied to scan for abusive material would result in millions of false positives to be manually reviewed every day.
In a world where data breaches and privacy scandals are increasingly common, the EU's reputation for stringent data protection is a unique selling point for businesses operating within its borders. It provides us with a competitive edge, assuring our customers that their information is handled with the utmost care and integrity. This trust, once eroded, is challenging to rebuild, and any measures that compromise it such as mandatory scanning, or mandatory age verification have the potential to harm businesses both large and small. Furthermore, the EU has recently adopted Regulation 2023/2841, which mandates that EU Institutions and bodies to consider the use of end-to-end encryption among their cybersecurity risk-management measures. There are also multiple ‘cyber’ EU proposals currently on the table, such as the Cyber Resilience Act and the Cybersecurity Act. Supporting an opposite approach for the CSA Regulation would only undermine the EU cybersecurity framework creating a contradictory, incoherent and inefficient new set of measures that companies would not be able to enforce without putting citizens and businesses at risk.
Therefore, we applaud the European Parliament for its resolute stance in defending the European citizens' right to privacy and secure communication. The European Parliament’s commitment to these principles is not only a testament to its dedication to human rights, but also a beacon of hope for businesses like ours that prioritize data protection and security. The position of the Parliament includes alternatives to scanning which have a minimal impact on cybersecurity and data protection, and which experts believe would be both more effective and more efficient than mandatory scanning. Such changes of paradigm would mean going beyond the false dichotomy between privacy and security, while also making the proposal respect the proportionality principle, as requested by the Regulatory Scrutiny Board. Even if not perfect in our eyes, the changes the European Parliament made in its position are a good compromise to maintain digital security and confidentiality and to better protect children online. We believe that these changes strike the right balance between child protection and safeguarding privacy and cybersecurity.
As representatives of the vibrant European small businesses community, we encourage EU Member States to continue championing the values of privacy, cybersecurity and data protection. These principles not only align with the EU's commitment to human rights, but also serve as a foundation for a thriving and competitive business environment. Let us defend and strengthen these principles, ensuring that the EU remains an advocate of privacy in the global marketplace.
For these reasons we call on you to:
Signed,
Trade associations and supporters:
A detailed summary of the proposal, drafted by the NGO EDRi, is available here: https://edri.org/our-work/private-and-secure-communications-put-at-risk-by-european-commissions-latest-proposal/
For more information, you can read their statement from July 2023: https://edri.org/wp-content/uploads/2023/07/Open-Letter-CSA-Scientific-community.pdf
See in particular page 134 of the impact assessment: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022SC0209
As 2023 winds down and I find myself in the thick of planning for 2024, I’d like to start preparing all of us in the Matrix ecosystem for what is to come.
Next year will mark a number of important milestones in the history and evolution of Matrix: the protocol will mark its 10th birthday, we’ll see key initiatives in the spec cross the finish line, and we’ll seat the first ever community-elected Governing Board.
The election of our first Governing Board is what I’d like to focus on today, because it is a huge milestone on the path to an independent, self-sustaining, and self-governing ecosystem. When we celebrate Matrix’s 20th birthday, we’ll look back and our history will be divided much the same way it is in other ecosystems: before and after incorporating a foundation, and before and after introducing community governance.
Let’s talk about what the Governing Board is, why it matters, and how to get involved!
Hello, world! My name is Josh Simmons and it is a joy and a privilege to introduce myself as the first Managing Director of The Matrix.org Foundation. While I’m no stranger to open source and I have been a Matrix user for several years, I am new to the Matrix community and so I’d like to share a little about myself and the work we have ahead of us.