This Week in Matrix 2022-10-21

21.10.2022 19:33 — This Week in Matrix Thib
Last update: 21.10.2022 19:20

Matrix Live

This week

Dept of Status of Matrix 🌡️

Gwmngilfen reports

AnsibleFest 2022 happened this week, and the work the community has been doing with Matrix got quite some attention! We got a mention during the Day 1 Keynote (YouTube) and again during an interview with theCUBE.net. Both are worth watching 🙂

Thanks to the shoutout from Adam in the Keynote, we've had 40 new people join the #social:ansible.com room 🚀 and lots of interest in Matrix at the Fest Community Booth. Huge thanks to @maxamillion:one.ems.host and @cybette:ansible.im for their time! ❤️

Dept of Spec 📜

Andrew Morgan (anoa) says

Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://matrix.org/docs/spec/proposals.

MSC Status

New MSCs:

MSCs in Final Comment Period:

Closed MSCs:

Accepted MSCs:

  • No MSCs were accepted this week.

Spec Updates

The Spec Core Team are continuing to work on spec maintenance in the run up to Matrix v1.5 (due next month!). Again, if you'd like to help out with small fixes and corrections to the spec, feel free to take a look at the list of open spec clarification issues. Thank you!

Random MSC of the Week

The random MSC of the week is... MSC2700: Thumbnail requirements for the media repo!

This MSC has the goal of clarifying the mimetypes of media that a homeserver both MUST and SHOULD support thumbnailing for. The intention is to give clients a clearer picture of what file formats will receive a proper thumbnail before they are uploaded to the homeserver.

Comments on the MSC seem to suggest that the MSC as it stands does not completely solve the problem: while it does give clients an explicit list of supported mimetypes, the list is quite short. And the list of SHOULD mimetypes cannot be relied on.

The MSC also clarifies that encrypted media should always be uploaded with a mimetype of application/octet-stream, instead of the original media's mimetype, which seems like a welcome and uncontentious point. And finally, it defines 501 M_UNSUPPORTED to be returned instead of an internal server error on thumbnailing failure.

I believe the next step for this MSC is for the current threads to be incorporated into the text; so don't miss the threads when reading it!

Dept of Servers 🏢

Synapse (website)

Synapse is a Matrix homeserver implementation developed by the matrix.org core team

Brendan Abolivier announces

This week we've released Synapse 1.69! It comes with improved caching tools for third-party modules, and support for a bunch of experimental features, such as thread-aware read receipts (MSC3771) and an approval flow for new registrations (MSC3866). As part of this release, we've also laid out the removal schedule for the long-deprecated legacy Prometheus metric names, and the generate_short_term_login_token module API method. Read all about it on the matrix.org blog: https://matrix.org/blog/2022/10/17/synapse-1-69-released

Another big thing in Synapse 1.69 is experimental support for faster remote room joins! You can read more about it on the blog: https://matrix.org/blog/2022/10/18/testing-faster-remote-room-joins but briefly, we are ready for server admins to begin testing, with some caveats. If you've read the post and feel confident, turn it on, give it a spin and let us know how it goes!

Alongside 1.69, we're also disclosing a moderate severity vulnerability that we fixed back in Synapse 1.62. If your deployment runs a Synapse version older than 1.62, and is openly federating, please update to a more recent version of Synapse at your earliest convenience. More info on this in advisory GHSA-jhjh-776m-4765 and CVE-2022-31152.

This week we've also released the first release candidate for Synapse 1.70 (1.70.0rc1). This release will include experimental support for thread-aware notifications (MSC3773) and filtering (MSC3874), improved validation, advertising support for Matrix 1.3 and 1.4, and the usual load of bugfixes and internal improvements. We're very grateful to anyone helping us make Synapse more stable by testing and running release candidates, and reporting bugs to the issue tracker and general feedback to #synapse:matrix.org 🙂

Dendrite (website)

Second generation Matrix homeserver

neilalexander announces

This week we released Dendrite 0.10.4 which contains the following features and fixes:

  • Various tables belonging to the user API will be renamed so that they are namespaced with the userapi_ prefix
    • Note that, after upgrading to this version, you should not revert to an older version of Dendrite as the database changes will not be reverted automatically
  • The backoff and retry behaviour in the federation API has been refactored and improved
  • Private read receipt support is now advertised in the client /versions endpoint
  • Private read receipts will now clear notification counts properly
  • A bug where a false leave membership transition was inserted into the timeline after accepting an invite has been fixed
  • Some panics caused by concurrent map writes in the key server have been fixed
  • The sync API now calculates membership transitions from state deltas more accurately
  • Transaction IDs are now scoped to endpoints, which should fix some bugs where transaction ID reuse could cause nonsensical cached responses from some endpoints
  • The length of the type, sender, state_key and room_id fields in events are now verified by number of bytes rather than codepoints after a spec clarification, reverting a change made in Dendrite 0.9.6

As always, please feel free to join us in #dendrite:matrix.org for more related discussion.
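The byte-versus-codepoint length check from the last item in the list above, as an added example (not Dendrite's own code). It shows the same event passing a codepoint count and failing a byte count, which is how two servers can disagree on whether an event is valid. The 255 limit is taken from the Matrix spec's event size limits and is an assumption here, as are the `Event` type, the function names and the constructed sample event.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxFieldLen is the limit from the Matrix spec's event size limits
// (assumption: the release note itself does not state the number).
const maxFieldLen = 255

// Event holds only the four fields the release note names (hypothetical type).
type Event struct{ Type, Sender, StateKey, RoomID string }

// overlong returns the names of fields whose measured length exceeds the limit.
func overlong(e Event, measure func(string) int) []string {
	fields := [][2]string{{"type", e.Type}, {"sender", e.Sender},
		{"state_key", e.StateKey}, {"room_id", e.RoomID}}
	var bad []string
	for _, f := range fields {
		if measure(f[1]) > maxFieldLen {
			bad = append(bad, f[0])
		}
	}
	return bad
}

// OverlongByBytes measures the UTF-8 encoding; len() on a Go string counts bytes.
func OverlongByBytes(e Event) []string {
	return overlong(e, func(s string) int { return len(s) })
}

// OverlongByCodepoints is the looser check that counts runes instead.
func OverlongByCodepoints(e Event) []string {
	return overlong(e, utf8.RuneCountInString)
}

// SampleEvent is constructed: its state_key is 200 codepoints but 400 bytes.
func SampleEvent() Event {
	return Event{
		Type:     "org.example.label",
		Sender:   "@alice:example.org",
		StateKey: strings.Repeat("\u00e9", 200),
		RoomID:   "!room:example.org",
	}
}

func main() {
	e := SampleEvent()
	fmt.Println("over limit by bytes:     ", OverlongByBytes(e))
	fmt.Println("over limit by codepoints:", OverlongByCodepoints(e))
}
```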

Dept of Bridges 🌉

matrix-hookshot (website)

A multi purpose multi platform bridge, formerly known as matrix-github

Andrew F reports

matrix-hookshot 2.4.0 is here with yet more features!

Good news everyone. This release adds improved JIRA & GitHub event support. Here are some highlights:

  • Multiple JIRA connections may now be added to a single room (as well as across multiple rooms).
  • JIRA widgets now properly support adding listeners for issue creation -- a small bug prevented it from working last release.
  • JIRA widgets now support adding listeners for issue updates. This was technically already supported, but it wasn't shown in the widget -- now it's there for the world to see.
  • JIRA connections now support version events. So far, this includes version creation, updates, and releases.
  • GitHub connections now support workflow completion events.
  • The stability of GitHub login sessions has been improved overall.

As usual, feel free to join #hookshot:half-shot.uk for setup advice & feedback.

Dept of Clients 📱

Nheko (website)

Desktop client for Matrix using Qt and C++17.

red_sky (nheko.im) says

Nheko now has native builds for Apple silicon macs! No need for Rosetta! If you have an Apple silicon device, please check out the latest nheko nightlies so we can get feedback on how it’s working!

Element Web/Desktop (website)

Secure and independent communication, connected via Matrix. Come talk with us in #element-web:matrix.org!

Danielle reports

  • The new release candidate is available in staging ahead of the release early next week. Try it out!
    • The new WYSIWYG (What You See Is What You Get) composer is available in Labs soon; It’s in active development and we’ll be adding more functionality soon.
  • Notifications research is near conclusion; We trawled hundreds of GitHub issues, discussions, looked at competitors and interviewed some users. We’re really excited to bring improvements to your experience.
  • We’re beginning work on integrating the Rust matrix_sdk_crypto into Element Web (to replace the existing libolm-based implementation of encryption)

In labs (you can enable labs features in settings on develop.element.io or on Nightly):

  • Threads is making great progress and we’re hoping you’ll start seeing these improvements in the next few weeks! Keep your eyes open for updates.

Element iOS (website)

Secure and independent communication for iOS, connected via Matrix. Come talk with us in #element-ios:matrix.org!

Manu announces

  • Element-iOS RC 1.9.9 is available on the public TestFlight with, under labs settings:
    • New device manager
    • WYSIWYG editor
  • Voice Broadcast is on heavy development. We have recording and playback working.
  • ElementX work is resumed with full support of iOS16 and XCode14

Element Android (website)

Secure and independent communication for Android, connected via Matrix. Come talk with us in #element-android:matrix.org!

benoit announces

  • Release candidate 1.5.4 is available for the tester on the PlayStore. It includes a lot of new features, most of them behind lab flags: new device management, new WYSIWYG editor, Voice broadcast, etc. Also the application is now targeting Android 13 devices. Please refer to the full changelog for more details.
  • We are working to migrate from the Realm Java SDK to the Realm Kotlin SDK. This is a big change, which should simplify developers' lives, but also reduce the number of crashes related to Realm.

Element (website)

Everything related to Element but not strictly bound to a client

Danielle reports

Community testing

  • Help us test the WYSIWYG editor and other new features at 4pm on Wednesday 26th Oct
  • For more info on our next testing sessions (sync or async), you can join us at #element-community-testing:matrix.org!

Dept of Non Chat Clients 🎛️

Populus Viewer (website)

A Social Annotation Tool Powered by Matrix

gleachkr says

It's been a little while since our last update, but Populus development continues! In addition to the usual bugfixes, we've made a number of ergonomics improvements suggested by the experiences of other users at my university. These include:

  1. Buttons for message actions (react, redact, reply, and so on) are now displayed in a way that doesn't overlap with sender names

  2. Avatar images for discussions can now be uploaded simultaneously with discussion creation.

  3. Older collections of discussions can be "archived" using m.lowpriority

  4. Moar tooltips!

We've also made some minor graphical improvements: loading messages are now indicated with a nice low-contrast SVG hint, rather than the literal-minded "loading message" message. Some icons have been improved, and the bartab (lines in the margins) display logic has been improved. And, we're now on the latest JS-SDK version.

Dept of VoIP 🤙

Element Call (website)

Native Decentralised End-to-end Encrypted Group Calls in Matrix, as a standalone web app

Florian Heese says

👋 Hello from the VoIP team. This week we have a bunch of news. 1) We released Element Call version 0.3 with a lot of UX polishing including i18n (thx to the great community) and paving the way for a proper 2) integration into Element Web and Desktop. If you want to give it a try:

  • Use https://develop.element.io or Element Desktop Nightly
  • Enable in Settings -> Labs -> Calls
    • Element Call Videorooms
    • New group call experience
  • Now you can create
    • A new video room backed by Element Call or
    • Enable Calls in the Rooms settings of a room and just press the regular call button
  1. And by the way we also added screen-sharing with Element Desktop Nightly using the embedded Element Call.

Dept of SDKs and Frameworks 🧰

matrix-rust-sdk (website)

Next-gen crypto-included SDK for developing Clients, Bots and Appservices; written in Rust with bindings for Node, Swift and WASM

ben announces

While the sliding sync extensions are being tested and bugs found during the tests reported and fixed, the FFI for the new timeline API has been approved and merged this week. The third big chunk that was merged this week was a refactoring to Replace QR with SAS verification and the yet to be merged signaling for SAS verification.

While forcing the (not clearly spec'ed) sending of authentication tokens for get_profile and get_display_name, we've also noticed a bug where we sometimes unintentionally include the access_token in debug output - and fixed that. We will be providing a patch release and RustSec about this soon.

Other than that, this week has seen many smaller fixes, like making the store-setters on client-builder actually adhere to the builder pattern or removing string from storerrors, and improvements like the API to set local trust or setting workspace wide dependencies for uniffi and others.

👉 Wanna hack on matrix rust? Go check out our help wanted tagged issues and join our matrix channel at Matrix Rust SDK.

Dept of Events and Talks 🗣️

cos announces

Zoo 2022, a Commodore 64 Demoparty has decided to bridge its various chat channels via Matrix. You can join via Matrix, Discord, IRC or Telegram and participate in the party programme. The actual party will be held 28.-30.10 in Orivesi, Finland. https://2022.zooparty.org/

Matrix in the News 📰

Matthew says

our friends at Bluesky announced their application protocol for building decentralised social media called AT. While not based on Matrix, there are some parallels, and some stuff we may be able to steal get inspiration from around portable identity :) https://blueskyweb.xyz/blog/10-18-2022-the-at-protocol

Dept of Ping

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.

#ping:maunium.net

Join #ping:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.

Rank  Hostname            Median MS
1     nognu.de            351
2     maescool.be         453
3     mindlesstux.com     939
4     kittenface.studio   1079
5     alemann.dev         1251
6     zemos.net           1399
7     rom4nik.pl          1581
8     kit.edu             2082
9     projectsegfau.lt    2292
10    valha.la            2639

#ping-no-synapse:maunium.net

Join #ping-no-synapse:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.

Rank  Hostname                    Median MS
1     dendrite.neilalexander.dev  196
2     dendrite.matrix.org         223.5
3     kumma.juttu.asia            273.5
4     rustybever.be               496.5
5     dendrite.s3cr3t.me          655.5
6     forlorn.day                 1297
7     frai.se                     9140
8     zemos.net                   15335

That's all I know

See you next week, and be sure to stop by #twim:matrix.org with your updates!

Testing faster remote room joins

18.10.2022 13:35 — General Richard van der Hoff

As of Synapse 1.69, we consider "faster remote room joins" to be ready for testing by server admins.

There are a number of caveats, which I'll come to, but first: this is an important step in a project which we've been working on for 9 months. Most people who use Matrix will be familiar with the pain of joining a large room over federation: typically you are just faced with a spinner, which is eventually replaced by a cryptic error. If you're lucky, the room eventually pops up in your room list of its own accord. The whole experience is one of the longest-standing open issues in Synapse.


Synapse 1.69 released

17.10.2022 18:52 — Releases Brendan Abolivier
Last update: 17.10.2022 18:07

Hey everyone, it's time for a new Synapse release! Synapse 1.69 is out, fresh out of the oven. But before we take a look at it, here's a quick announcement:

We have recently disclosed a moderate severity security vulnerability, which was fixed in Synapse 1.62 (released on July 5th 2022). This issue affects all homeservers running a version of Synapse older than 1.62 with open federation. If this is the case for your deployment, please update to a more recent version of Synapse at your earliest convenience.

See advisory GHSA-jhjh-776m-4765 and CVE-2022-31152 for more information.

Now let's see what's new in Synapse 1.69!


Upgrade now to address E2EE vulnerabilities in matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2

28.09.2022 17:41 — Security Matthew Hodgson, Denis Kasak, Matrix Cryptography Team, Matrix Security Team

TL;DR:

  • Two critical severity vulnerabilities in end-to-end encryption were found in the SDKs which power Element, Beeper, Cinny, SchildiChat, Circuli, Synod.im and any other clients based on matrix-js-sdk, matrix-ios-sdk or matrix-android-sdk2.
  • These have now been fixed, and we have not seen evidence of them being exploited in the wild. All of the critical vulnerabilities require cooperation from a malicious homeserver to be exploited.
  • Please upgrade immediately in order to be protected against these vulnerabilities.
  • Clients with other encryption implementations (including Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks and Pantalaimon) are not affected; this is not a protocol bug.
  • We take the security of our end-to-end encryption extremely seriously, and we have an ongoing series of public independent audits booked to help guard against future vulnerabilities. We will also be making some protocol changes in the future to provide additional layers of protection.
  • This resolves the pre-disclosure issued on September 23rd.
