Releases

Hey all,

We’ve just pushed out Matrix 1.9! Our last release was Matrix 1.8 and brought us a whole new room version. Matrix 1.9 continues a theme of an annual maintenance release, bringing with it mostly clarifications and bug fixes.

Today’s release sees just 1 MSC formally merged to the specification, though this is expected for a maintenance release. For the last 2 months (and beyond), we have largely been focused on changes which haven’t settled enough to be MSCs yet, such as interactions with the More Instant Messaging Interoperability (MIMI) working group at the IETF.

This post covers a lot of what we’ve been up to for the last few months, and what we expect to get done for the Matrix 1.10 release cycle. As always, the full changelog for Matrix 1.9 is at the bottom of the post :)

Messaging interoperability

One of the major features of Matrix is its ability to connect multitudes of messaging providers with a common communications fabric - a feature that is extremely useful in light of the EU’s Digital Markets Act (DMA) which requires gatekeepers to interoperate with other messaging providers.

We’ve been working with the MIMI working group at the IETF to establish a federation protocol for DMA-style messaging alongside our own experiments like MSC3995: Linearized Matrix. The proposed protocol for MIMI is based upon the Linearized Matrix work, but is primarily designed for an MLS-centric environment.

Discussions and experiments will continue over the next several months, and you can read all about our progress so far in TWIM 2023-11-10.

Custom emoji/stickers

We mentioned in Matrix 1.8’s release that we’d be taking a look at MSC2545, MSC1951, MSC4027, and MSC3892 - a family of MSCs collectively called “custom emoji/stickers”. Our review started relatively late in the Matrix 1.9 release cycle (sorry), and we started thinking about interactions with MSC3916/MSC3911 where media is linked to a specific event.

We haven’t had a chance to really dig into the specific possible concerns on these two features overlapping, but do welcome feedback and suggestions for what might impact custom emoji/stickers over on our dedicated tracking issue. We’ll continue working through the problem space in the Matrix 1.10 release cycle, and hope to get both linked media and custom emoji/stickers up for FCP.

Upcoming in Matrix 1.10

With each release we aim to have a plan for what the next release will look like, giving us a direction or theme to follow. Noting that the next release cycle has a lot of holidays (and FOSDEM) in it, we’ve got an initial list of things to look at, grouped by theme:

• Authenticated media
  • MSC3916 - Authentication for media
  • MSC3911 - Linking media to events
• Custom emoji/stickers
  • MSC2545 - Image packs
  • MSC1951 - Different style of image packs
  • MSC4027 - Images in reactions
  • MSC3892 - Encrypted emotes
• MSC4074 - Server-side annotation aggregation
• MSC4048 - Authenticated key backup
• Extensible Events
  • MSC3954 - Text emotes
  • MSC3955 - Replacement for notice messages
  • MSC3551 - Files
  • MSC3552 - Images and Stickers
  • MSC3553 - Videos
  • MSC3927 - Audio
• Encrypted Appservices
  • MSC2409 - Sending EDUs to appservices
  • MSC3202 - Encrypted appservices
• MSC2702 - Content-Disposition semantics for media
• MSC3939 - Account locking

This list is not final and will be iterated upon over the next couple of weeks. If you’ve got an MSC to add or remove, let us know in the SCT Office on Matrix. For all of the MSCs above, we aim to get them to a FCP-accepted state at a minimum, and merged to the spec if time permits (and makes sense - looking at you, Extensible Events).

The full changelog

Matrix 1.9 is a relatively light maintenance release, but it still has a changelog! Read on for full details.

Client-Server API

Backwards Compatible Changes

• Add the m.rule.suppress_edits default push rule, as per MSC3958. (#1617)

Spec Clarifications

• Fix m.call.negotiate schema and example. (#1546)
• Clarify that the via property is required for m.space.parent and m.space.child as per MSC1772. Contributed by @PaarthShah. (#1618)
• Add a note to the /publicRooms API that the server name is case sensitive. (#1638)
• Clarify that an m.room.name event with an absent name field is not expected behavior. (#1639)
• Fix schemas used for account data and presence events in GET /initialSync. (#1647)
• Fix various typos throughout the specification. (#1658, #1661, #1665)
• Fix .m.rule.suppress_notices push rule not being valid JSON. (#1671)
• Add missing properties for event_property_is and event_property_contains push conditions to PushConditions object. (#1673)
• Indicate that fallback keys should have a fallback property set to true. (#1676)
• Clarify that thread roots are not considered within the thread. (#1677)

Server-Server API

Spec Clarifications

• Fix schema of m.receipt EDU. (#1636)
• Fix various typos throughout the specification. (#1661)
• Clarify that federation requests for non-local users are invalid. (#1672)

Application Service API

No significant changes.

Identity Service API

No significant changes.

Push Gateway API

No significant changes.

Room Versions

No significant changes.

Appendices

Spec Clarifications

• Clarify timestamp specification with respect to leap seconds. (#1627)
• Fix various typos throughout the specification. (#1652)

Internal Changes/Tooling

Backwards Compatible Changes

• Add more CI checks for OpenAPI definitions and JSON Schemas. (#1656)
• Generate server-server OpenAPI definition. (#1657)

Spec Clarifications

• Replace all mentions of Swagger by OpenAPI. (#1633)
• Fix enum types in JSON schemas. (#1634)
• Fix schema of m.mentions object. (#1635)
• Fix rendering of m.receipt event in Client-Server API. (#1637)
• Remove required fieldname in appservice Protocol definition. (#1646)
• Fix github action workflow responsible for releasing of @matrix-org/spec package. (#1648)
• Upgrade GitHub actions. (#1660)

Hey all,

Matrix 1.8 is out now! The last release, Matrix 1.7, was full of features and laid out a plan for what Matrix 1.8 was expected to become. We spent most of our time focusing on the MSC3995-related MSCs from that original plan, but made an effort to get the other stuff looked at as well.

With this release we see a total of 9 MSCs achieve their formally adopted status. The full changelog at the bottom has all the details, but please read on for what’s new in room version 11, and Matrix 1.9’s roadmap :)

Room version 11

Matrix 1.8 features a new room version! Normally a room version wouldn’t have a particular theme, but for v11 we aimed to clean up the different algorithms and event format details. After 10 prior room versions there were some artifacts of the past sticking around (but not causing problems necessarily) - many of them are cleaned up here.

Specified originally as MSC3820, v11 introduces the following changes:

• MSC2174 - Move redacts to the content of m.room.redaction events.
• MSC2175 - Remove creator from m.room.create events (use sender instead).
• MSC3989 - Remove origin from events.
• MSC2176, MSC3821 - General updates to redaction algorithm.

Alongside being a cleanup room version, v11 is the initial base we used for our efforts in the IETF world. It provides an easier starting point for new server implementations, particularly when paired with Linearized Matrix (described as both an IETF Internet-Draft and MSC3995).

In future room versions the cleanup effort will continue, alongside additional features for supporting the IETF use cases. Watch this space for updates.

Upcoming in Matrix 1.9

We’re continuing the trend of planning ahead and have the following themes planned for work in Matrix 1.9:

• Anything required by the MIMI/IETF efforts we’re undertaking. This currently includes:
  • Extensible Events
  • Role-Based Access Control (RBAC; new MSC expected)
  • Next generation of Linearized Matrix (already)
  • MSC4044 and MSC4045
  • Binary-encoded events (maybe, but probable)
  • Canonical DMs (maybe)
  • Sending events as rooms/servers instead of just users (maybe)
  • Further room version cleanup as needed
• Merging MSC3939.
• Accepting a combination of MSC2545, MSC1951, MSC3892, and MSC4027. This may involve creating a new MSC to cover the functionality of each, plus the needful for IETF and Extensible Events efforts.
• Merging MSC3391 (time permitting).

A lot of this stuff might take the shape of opening MSCs or thinking about the problems, but we’re also very optimistic about getting them through FCP before November 2023. Watch this space for updates :)

The full changelog

There’s so many more things than what we covered in this blog post - flip through the changelog below for a full idea of what’s landed.

Client-Server API

Backwards Compatible Changes

• Require callers to be joined to the room to report its events, as per MSC2249. (#1517)

Spec Clarifications

• Fix missing type property in the JSON schema definition of the m.reaction event. Contributed by @chebureki. (#1552)
• Make sure examples types match schema in definitions. (#1563)
• Allow null in room_types in POST /publicRooms endpoints schemas. (#1564)
• Fix broken header formatting. Contributed by @midnightveil. (#1578)
• Render binary request and response bodies. (#1579)
• Fix description of MAC calculation in SAS verification. (#1590)
• Update link to SAS emoji definition data. (#1593)
• Fix various typos throughout the specification. (#1597)

Server-Server API

Deprecations

• Deprecate matrix SRV lookup steps during server discovery, as per MSC4040. (#1624)

Backwards Compatible Changes

• Add matrix-fed SRV lookup steps to server discovery, as per MSC4040. (#1624)

Spec Clarifications

• Document why /state_ids can respond with a 404. (#1521)
• Fix response definition for POST /_matrix/federation/v1/user/keys/claim. (#1559)
• Fix examples in server keys definition. (#1560)
• Make sure examples types match schema in definitions. (#1563)
• Allow null in room_types in POST /publicRooms endpoints schemas. (#1564)
• Fix broken header formatting. Contributed by @midnightveil. (#1578)
• Remove spurious mention of a "default port" with respect to SRV record lookup. (#1615)
• Switch to ordered list for server name resolution steps. (#1623)

Application Service API

Spec Clarifications

• Fix type of custom fields in thirdparty lookup queries. (#1584)

Identity Service API

Spec Clarifications

• Make sure examples types match schema in definitions. (#1563)

Push Gateway API

No significant changes.

Room Versions

Backwards Compatible Changes

• Add room version 11 as per MSC3820. (#1604)
• Move redacts from top level to content on m.room.redaction events in room version 11, as per MSC2174. (#1604)
• Remove creator from m.room.creator events in room version 11, as per MSC2175. (#1604)
• Remove remaining usage of origin from events in room version 11, as per MSC3989. (#1604)
• Update the redaction rules in room version 11, as per MSC2176 and MSC3821. (#1604)

Appendices

Backwards Compatible Changes

• Allow + in Matrix IDs, as per MSC4009. (#1583)

Spec Clarifications

• Clarify spec re canonical JSON to handle negative-zero; also, give an example of negative-zero and a large power of ten. (#1573)

Internal Changes/Tooling

Backwards Compatible Changes

• Upgrade Swagger data to OpenAPI 3.1. (#1310)
• Create @matrix-org/spec npm package to ship the SAS Emoji data definitions & translations. (#1620)

Spec Clarifications

• Update the CI to validate the file extension of changelog entries. (#1542)
• Disclosure sections now only display their title when collapsed. (#1549)
• Fix the sidebar in recent versions of Hugo. (#1551)
• Bump jsonschema to validate JSON Schemas against Draft 2020-12. (#1556)
• Use Redocly CLI to validate OpenAPI definitions. (#1558)
• Use tag name as the OpenAPI definition version. (#1561)
• Make sure version in x-changedInMatrixVersion is a string. (#1562)
• Clarify usage of ABNF for grammar in the documentation style guide. (#1582)
• Remove unnecessary oneOfs in JSON schemas. (#1585)
• Update the version of Hugo used to render the spec to v0.113.0. (#1591)
• Fix rendered changelog with new version of towncrier. (#1598)
• Improve the layout of tables on desktop displays. Contributed by Martin Fischer. (#1601)

Hey all,

Matrix 1.7 has just been released! The last spec release was about 3 months ago, keeping us on track for regular quarterly releases. Unlike Matrix 1.6 though, today’s release is packed with plenty of features, some of which we’d like to call out here. Not all implementations will have support for these features yet though, and that’s okay (expected, even).

Adding support for a spec release can be a significant body of work. Instead of implementations having everything ready for spec release day, the idea is that they gain support over the next few months. If you’re able, please help those projects get v1.7’s features.

Today, we see 15 MSCs achieve their formally adopted status. All of them bring forward some much-needed features to Matrix, and a few highlights are below. Read on to the full changelog for a complete overview, and for a sneak peak at what the Spec Core Team (SCT) is planning to look at for v1.8 👀

Continue reading…

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients should follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The issues involve prototype pollution via events containing special strings in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's ability to process data safely.

Although we have only demonstrated a denial-of-service-style impact, we cannot completely rule out the possibility of a more severe impact due to the relatively extensive attack surface. We have therefore classified this as High severity and strongly recommend upgrading as a precautionary measure.

We found these issues during a codebase audit that we had previously announced in an earlier security release of matrix-js-sdk and matrix-react-sdk. The earlier release had already addressed a set of similar vulnerabilities that were assigned CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 and CVE-2022-36060 / GHSA-2x9c-qwgf-94xr, which we had initially decided not to disclose until the completion of the audit. Now that the audit is finished, we are disclosing those previous advisories as well.

Greetings Matrix fans! We've published Synapse version 1.78 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience. Please take a look at the upgrade notes for any important information about upgrading.

Continue reading…

Greetings Matrix fans! We've published Synapse version 1.77 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience.

Continue reading…

Hey all,

Matrix 1.6 is out there! Like Matrix 1.5 back in November, this release is largely a maintenance update. Matrix 1.1 through 1.4 have been relatively major upgrades, so a little time between features doesn’t feel like a bad idea :)

As with all spec releases, we encourage implementations to gradually update over the next few months rather than have support for everything on release day - please be kind to the projects you use, and help them gain support if able.

Matrix 1.6 sees just 7 MSCs get merged, though this is to be expected from a maintenance release. Check out Matthew’s Matrix 2.0 talk at FOSDEM for an idea of what’s expected over the next few releases.

We’ve covered a couple of the MSCs below, but read on to the full changelog for the full picture.

Continue reading…

Greetings Matrix fans! We've published Synapse version 1.76 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience. Please take a look at the upgrade notes for any important information about upgrading.

Continue reading…

We published Synapse version 1.75 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience. It seems like the blog post for version 1.74 was eaten by Santa's reindeer, so this post will also cover changes from it.

Continue reading…

And here is another update to your beloved Matrix homeserver implementation, Synapse 1.73.

Announcements

Legacy Prometheus metric names removed

When releasing Synapse 1.69 a couple of months ago, we also announced the removal of old Prometheus metrics that have been replaced by more aptly named ones. he list of these metrics can be found here.

Synapse 1.73 implements the final phase of this plan and entirely removes support for those metrics. As a result, the enable_legacy_metrics configuration option, which was introduced in Synapse 1.71, has also been removed.

Server administrators who are still relying on these legacy metric names are encouraged to update their dashboards at their earliest convenience. For more information, please refer to the upgrade notes.

The new stuff

Performance

A bunch of performance improvements have been included in this release, specifically around the /messages endpoint.

Improvements to event filtering on the client-server API gave the matrix.org homeserver a first nice bump as visible on this graph:

Various optimizations around fetching bundled aggregations resulted in yet another nice improvement:

Note that the graph from the first image, and the second graph from the second image are apdexes, which is a measure that shows improvement when it goes up (as opposed to e.g. response times, which improve when they go down).

Extensible Events experimental support

Experimental support for Extensible Events has landed in Synapse.

This is exciting since this global rework of events presentation has been in talks for a while, and having an implementation to experiment with greatly helps bringing the feature closer to completion.

Note that this support is still very much experimental as the related MSCs are still under review and could change at any time, and therefore not recommended for use in production.

Everything else

See the full changelog, for a complete list of changes in the release. Also please have a look at the upgrade notes for this version.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including (in no particular order) schmop, Ashish Kumar, realtyem, and Brennan Chapman as well as anyone helping us make Synapse better by sharing their feedback and reporting issues.