Releases

Synapse 1.32.2 is out! Synapse now requires Python 3.6 (or later) and we've made a few small changes which you should be aware of before upgrading. These are documented in the upgrade notes.

Note: We scrubbed the releases of Synapse 1.32.0 and 1.32.1 as we discovered a pair of regressions including a bug with Prometheus metrics after tagging the release. These have been resolved.

On Monday, humankind flew a helicopter on Mars. And while our pursuit of Space(s) is considerably more modest, it is nevertheless progressing apace: Synapse 1.32 includes an experimental implementation of MSC3083.

This release also includes a new Synapse module for routing of presence updates, which can allow devices to share presence information without requiring that they also share a room. Please note there are some nuances to worker configuration when using this module which we hope to iron out in a future release.

The Admin API is newly able to manage rate limits, and the user listing endpoint can finally sort its results by a variety of criteria.

Otherwise, this is again a very internals-focused release: many additional type hints, improvements to structured logging, and small cleanups, especially those possible now that we've left Python 3.5 behind. We've made changes to how we check whether accounts are exempt from rate limits to avoid cases where we mistakenly applied limits to Application Services which should have been exempt, and we've fixed a bug with sharded federation senders which could occasionally pin the CPU.

See the Upgrading Instructions and Release Notes for further information.

Thank You

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including dklimpel, languitar, ShadowJonathan, and xmunoz.

We've released Synapse 1.31.0!

Mainly internal changes this time (type hints, code lints, etc.) but we've also landed some initial work on MSC2946: Spaces Summary. And speaking of MSCs, Synapse 1.31 has an experimental flag which can enable support for the draft MSC3026: "busy" presence state.

Synapse 1.31 can now restrict OpenID Connect logins based on userinfo attributes (Thanks, HubbeKing!).

This release fixes a rare infinite loop when fetching cross-signing keys or handling device list updates, and further improves the speed of federation catchup. It also makes Admin APIs around user reactivation behave correctly when account passwords are disabled.

See the Release Notes for further information.

The Final Python 3.5 Release

This is the last release of Synapse to support Python 3.5 or PostgreSQL 9.5, and the last release of official packages for Debian 9 (Stretch) and Ubuntu 16.04 LTS (Xenial).

Future releases of Synapse will follow upstream end-of-life dates for Python and Postgres.

Accordingly, we anticipate ending support for Python 3.6 and PostgreSQL 9.6 in December of this year. We will also cease producing packages for Ubuntu 18.04 LTS (Bionic) at that time.

Thank You

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including ankitdobhal, blakehawkins, dklimpel, fuzzmz, HubbeKing, languitar, sandhose, and ShadowJonathan.

Synapse 1.30.1 is now available. This release is identical to Synapse 1.30.0, with the exception of explicitly setting a minimum version of the Python Cryptography library to ensure that users of Synapse are protected from yesterday's OpenSSL security advisories, especially CVE-2021-3449.

Note that Cryptography defaults to bundling its own statically linked copy of OpenSSL, which means that you may not be protected by your operating system's security updates.

It's also worth noting that Cryptography no longer supports Python 3.5, so admins deploying to older environments like Debian 9 (Stretch) or Ubuntu 16.04 (Xenial) may not be protected against this or future vulnerabilities.

The next release of Synapse will be the last to support Python 3.5.

We've released Synapse 1.30.0!

A key theme of this release was stability and resilience around federation. We've landed changes to be less eager about entering catch up mode and to retry on HTTP 500 errors, while also rejecting transactions which arrive before we've completed processing earlier transactions from that same server. We've significantly optimized how we handle missing events when receiving incoming federation traffic, and we've found a way to re-use the chain cover index (from Synapse 1.26) when responding to the state_ids endpoint.

That last one turns out to be a pretty big deal: we've seen an order of magnitude improvement in both the CPU and DB cost of the state_ids endpoint. For example, the average CPU usage by that endpoint on matrix.org dropped from few seconds to well under 100ms:

Enjoy. 🙂

This release also includes further improves to our SSO support, including allowing spam checkers to distinguish between new registrations and first-time SSO users and fixing account reactivation when local passwords are disabled. Now that MSC2858: Multiple SSO Identity Providers has passed its Final Comment Period, we've also updated Synapse to respond to the stable versions of endpoints introduced by that MSC.

See the Release Notes for further information.

Python / Platform Deprecations

As a reminder, the next release of Synapse (1.31, scheduled for April 5th) will be the last to support Python 3.5 or PostgreSQL 9.5, both of which have reached their upstream end of life.

We will also cease building packages for Ubuntu 16.04 (Xenial) and Debian 9 (Stretch) at the same time.

Application Service Registration Changes

Note that Application Services must provide a type parameter with the value "m.login.application_service" when calling POST /_matrix/client/r0/register. Synapse currently allows registration without an explicit type, but this divergence from the spec will be resolved in a future release.

Thanks

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including dklimpel, ShadowJonathan, and tlvb.

Synapse 1.29.0 is now available!

This release includes several useful new configuration options for administrators of federated home servers. In all cases, the defaults match Synapse's prior behavior.

• AndrewFerr implemented include_profile_data_on_invite and allow_profile_lookup_over_federation which can limit disclosure of your users' profile information. These both default to True.
• We've also implemented user_directory.prefer_local_users which weights users on the same homeserver higher in directory searches. This defaults to False.

Synapse is now easier to run in proxied environments, with tzyl implementing support for the NO_PROXY environment variable, as well as recognizing lowercase variants of that and related proxy variables.

Under the hood, we've been steadily improving our type hints, especially in light of the recent release of Twisted 21.2.0 which includes its own type annotations. We've also landed some improvements which reduce the amount of work Synapse does when presence is enabled and you join a room for the first time. Oh, and the media repository now regenerates missing thumbnails on demand.

Lastly, if you deploy Synapse behind a reverse proxy, Synapse now expects to receive an X-Forwarded-Proto header on incoming requests and will log a warning if it is missing. See the upgrade notes for more information. The full changelog has more information on what's in this release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including aaronraimist, AndrewFerr, dklimpel, ShadowJonathan, and tzyl.

Synapse 1.28.0 is now available!

This release comes with several further improvements to the user experience of single sign-on and numerous bugfixes and stability improvements.

For admins, Synapse 1.28 adds a new Admin API for retrieving event context and implements new spam checker hooks which enable checking file uploads and remote downloads. We've also improved memory usage of media repository workers.

Lastly, we have marked an undocumented Admin API for deprecation. If any of your tools use /_synapse/admin/v1/users/<user_id> to get account information, please replace that with the V2 List Accounts API, which has been available since Synapse 1.7.0.

There are no special upgrade instructions for 1.28.0. See the full changelog for more details on what's in this release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including arya2331, auscompgeek, bubu, compu42, dklimpel, dykstranet, and shadowjonathan.

We'd also like to thank yoric for thoroughly reviewing and re-organizing the Synapse CONTRIBUTING.md file.

Synapse 1.27.0 is now available!

We're especially proud of this release, as this is the version of Synapse that powered FOSDEM 2021 on Matrix. As such, our main focus was on stability, performance, and long-awaited support for social login.

What's New

To our surprise, nearly half of all people who created accounts on the FOSDEM homeserver did so via a social login method. Full support for those methods is included in Synapse 1.27.0, and already available for all users on the matrix.org homeserver.

We've also changed how we use Redis in larger deployments, making Synapse more resilient to lost connections and eliminating delays when restarting with multiple federation senders.

Our Server Admin APIs saw a few tweaks, including new APIs to query and delete forward extremities or list the current state of a room.

See the full changelog for more.

Breaking Changes for SSO

If you use Single Sign-On (SSO) via SAML, OAuth2, or OpenID Connect you must adjust your provider's configuration before upgrading to Synapse 1.27.0, as some endpoint URLs have changed. See the upgrading notes for more information.

Dropping ARMv7 Docker Images

We were unable to produce ARM-based Docker images for this release due to problems with cross-compilation. As a result, we have made the difficult decision to cease building 32-bit ARMv7 Docker images as part of our release process. We will resume publishing ARM64 images with the next Synapse release.

Users on ARMv7 platforms (most notably Raspberry Pis) should consider building images locally using Synapse's Dockerfile or switching to installing Synapse directly as a Python module. Users with Raspberry Pi 3's or newer also have the option of installing a 64-bit Linux distribution and using an ARM64 Docker image.

Thank you to our contributors

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including dklimpel, intelfx, jcgruenhage, Oliver-Hanikel, rht, and y-pankaj.

Synapse 1.26.0 is now available!

Note: This release includes a new database schema version. If you need to roll back to Synapse 1.25.0, you will also need to follow the associated database downgrade instructions.

In addition to a truckload of refactoring and general improvements, Synapse 1.26.0 includes three major new features:

1. A brand new algorithm for calculating the auth chain difference, which should dramatically improve worst case performance during state resolution (#8622).
2. Initial support for enabling multiple OpenID Connect providers, paving the way for proper multi-provider social login workflows.
3. A significant speed-up to redaction performance in large rooms.

It also brings several improvements to Admin APIs:

• Specific media items can be protected from quarantine.
• The joined_rooms API now works for remote users.
• Deactivating a user can now optionally remove their avatar URL and display name.

We've also made it possible to offload several additional APIs to worker processes, including read receipts and account data persistence, further improving Synapse's scalability.

See the full changelog for more.

Lastly, a reminder: we have deprecated Python 3.5 and PostgreSQL 9.5 and will cease support at the end of March. Due to deprecations in our Python tooling, we were unable to produce a binary package for Ubuntu 16.04 LTS (Xenial) in time for this release. We have resolved this for 1.27.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including 0xflotus, chris-ruecker, dklimpel, emelie-qis, jerinjtitus, and tzyl.

Synapse 1.25.0 is now available! With this release, we are deprecating Python 3.5 and PostgreSQL 9.5 and will cease producing binary packages for Debian 9 (Stretch) and Ubuntu 16.04 (Xenial) after a transition period which lasts through March 2021. See the changelog for further details.

We are also deprecating the Purge Room and Shutdown Room Admin APIs and will remove them in a future release. Please update your code to use the Delete Room Admin API instead.

Synapse 1.25.0 brings over a month's worth of improvements, including:

• The ability for users to pick their own username when using Single Sign-On, right from within Synapse.
• Support for async Python methods in custom spam checker modules.
• New ways to restrict allowed IP address ranges for outgoing requests from Synapse.
• Significantly faster v2 state resolution on rooms with large numbers of power level events, which are common in some types of bridged IRC rooms.

See the full changelog and upgrade notes for more.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including @aaronraimist, @Bubu, @dklimpel, @edwargix, @fossterer, @jdreichmann, @jerinjtitus, and @MadLittleMods.

Synapse 1.24.0 is now available!

This release fixes a denial of service vulnerability (GHSA-hxmp-pqch-c8mm / CVE-2020-26257) in which a malicious homeserver could send malformed events into a room which would then break federation of that room.

This follows the disclosure of a denial of service vulnerability in OpenSSL (CVE-2020-1971). If you have installed Synapse from source, please ensure your host is up to date and then execute pip install 'cryptography>=3.3' inside your Synapse virtualenv.

We've also released Synapse 1.23.1 which includes that security fix and a small patch to maintain Python 3.5 compatibility. It is otherwise identical to 1.23.0. Note that Synapse 1.24.0 includes backwards incompatible changes which may affect a small number of users. See the notes on upgrading for more information.

Synapse 1.24.0 brings a pair of new Admin APIs, including a way to log in as users and to forcibly purge rooms when deleting them. We've also made numerous bug fixes and improvements to SSO support, especially around OpenID Connect and SAML providers.

This release includes an optional change to push notification badges: currently, the number in the badge is based on the count of rooms with unread messages. However, in some specialized cases you may want the badge to show the count of all unread messages, even if there are multiple unread messages in the same room. This behavior can now be toggled with a new configuration setting.

Additionally, for server admins, the deprecated /_matrix/client/*/admin Admin API endpoints have been removed. If you have tools which target these endpoints, please update them to use the /_synapse/admin URL prefix instead.

See the full changelog for more.

Installation instructions are available on GitHub, as is the v1.24.0 release tag.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including @angdraug, @chagai95, @daenney, @dklimpel, @jordanbancino, @localguru, @nchamo, @ShadowJonathan, @TeFiLeDo, @tulir, and @waylon531.