+++
date = "2024-05-17T19:00:00Z"
title = "This Week in Matrix 2024-05-17"
path = "/blog/2024/05/17/this-week-in-matrix-2024-05-17"
[taxonomies]
author = ["MTRNord"]
category = ["This Week in Matrix"]
+++
Matrix Live
{{youtube_player(video_id="E-sbHy9iA7k")}}
Dept of elections 🗳️
Josh Simmons (away, back May 9th) announces
Voting has started for the Governing Board elections and runs till May 31 – but don't delay, vote today! 🗳 Huge thanks to all of the nominees who have thrown their hat in the ring.
All eligible voters should have received an email from the election system. All of the results will be published on the blog on June 3. Read our announcement post or visit our election center for more info.
Dept of Spec 📜
Andrew Morgan (anoa) says
Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at https://spec.matrix.org/proposals.
MSC Status
New MSCs:
MSCs in Final Comment Period:
Accepted MSCs:
Closed MSCs:
- MSC1951: Custom sticker packs and emoji (mk II)
  - Superseded by MSC2545
- MSC2461: Proposal for Authenticated Content Repository API
  - Superseded by MSC3916
Spec Updates
As an early heads up, Trust & Safety at the Foundation is working on an important update to Matrix, MSC3916 - Authenticated Media. This change will mean that all clients (and servers) will need to present a valid access token in their Authentication header to access media - which is critical to ensure that URLs are only visible to the correct users, and prevents abuse of Matrix for hosting binaries. More details will be published as we work to get everything released - we wanted to get the information out there as early as possible in the meantime. Let us know if you have any questions.
Matrix.org plans to freeze unauthenticated media endpoints within a couple of months after the spec release, which is expected in the next few weeks. "Freezing" means that media uploaded or cached before the freeze will remain accessible via unauthenticated endpoints indefinitely, but any media cached or uploaded after the freeze will require authentication. The unauthenticated endpoints will be deprecated but will still serve old media on matrix.org.
To ensure a smooth transition, we encourage you to start testing against the unstable endpoints and unreleased server builds. The changes for Synapse are being developed here, and for MMR here. Both are expected to release their changes soon. Once MSC3916 passes FCP, stable endpoints will become available. While releasing unstable support to users isn't required, having patches ready will help speed up the rollout.
We know this is a quicker rollout than usual, but with your help, we can improve user safety and security across the ecosystem. Most clients should find this update straightforward, but if issues are encountered, please reach out in #matrix-client-developers:matrix.org or on the MSC discussion. The team is monitoring the room to help clients adopt the change.
Web browser clients might face the most challenges, given the need to specify an Authentication HTTP header on media requests, so reviewing this pull request and its dependencies could provide useful implementation insights.
Thank you for your support. If you have any questions, let us know. We look forward to a smooth transition with minimal user-visible impact 🙂
Dept of Servers 🏢
conduwuit (website)
strawberry🍓 (it/pup/she/they) 🏳️⚧️ 🦴💜🩷 reports
Release 0.3.4 and Release 0.3.3
Hi everyone! conduwuit 0.3.4 has just been released, and 0.3.3 was released last week. Both releases have been focused on security and some small maintenance things, vastly improved documentation on maintenance, moderation, usability, and admin commands, and a new moderation feature for proactively deactivating bad users on your homeserver.
conduwuit was officially added to Complement, and support for conduwuit running the `Content-Disposition` safety tests was added there too: https://github.com/matrix-org/complement/pull/723
Some of the new changes include:
- Send various security-related HTTP headers for all conduwuit responses by default, most importantly a strong `Content-Security-Policy`
- Perform additional sanitisation on the uploaded attachment file name for the browser `Content-Disposition` header
- Return `inline` browser Content-Disposition based on our own detection of the file, only return `inline` on safe multi-media files, and fully distrust the `Content-Type` header with safe and secure fallbacks
- Fix non-functional user event homeserver reports
- Fix non-functional unbans due to incorrect upstream code
- New moderation config option to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
- Fix Debian packaging
- Don't send the target user's avatar_url or display name on ban events
- Forget all the rooms when leaving all rooms for a user upon account deactivation
- Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
- Fix incorrect appservice namespace alias check
- Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
- Fix using conduwuit on NixOS without flakes
- Resolve various arithmetic and type casting correctness
- And bump all the dependencies
GitHub Releases | Docker Hub | NixOS
Liberapay | GitHub Sponsors | Ko-fi
Chat with us in #conduwuit:puppygock.gay
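The `Content-Disposition` handling listed in the changelog above (detect the file from its bytes, ignore the uploader's `Content-Type`, return `inline` only for allowlisted media, sanitise the file name), sketched as an added example. This is not conduwuit's code: the function names, the four-format allowlist and the 128-character limit are assumptions made for illustration.

```rust
// Added example, not conduwuit's implementation. Allowlist and limits are assumptions.

/// Detect a small allowlist of media formats from magic bytes.
/// SVG and HTML are absent on purpose: both can carry script.
fn sniff(body: &[u8]) -> Option<&'static str> {
    if body.starts_with(b"\x89PNG\r\n\x1a\n") {
        Some("image/png")
    } else if body.starts_with(b"\xff\xd8\xff") {
        Some("image/jpeg")
    } else if body.starts_with(b"GIF87a") || body.starts_with(b"GIF89a") {
        Some("image/gif")
    } else if body.len() >= 12 && body.starts_with(b"RIFF") && body[8..].starts_with(b"WEBP") {
        Some("image/webp")
    } else {
        None
    }
}

/// Reduce an uploaded name to a base name made of harmless characters, so it
/// cannot break out of the quoted header parameter or smuggle CR/LF.
fn sanitise_filename(name: &str) -> String {
    let base = name.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or("");
    let kept: String = base
        .chars()
        .filter(|c| c.is_ascii_alphanumeric() || matches!(*c, '.' | '-' | '_' | ' '))
        .take(128)
        .collect();
    let trimmed = kept.trim_matches(|c: char| c == '.' || c == ' ');
    if trimmed.is_empty() { "file".to_string() } else { trimmed.to_string() }
}

/// Returns (Content-Type to serve, Content-Disposition value).
/// The uploader's claimed Content-Type is accepted but never consulted.
fn media_headers(body: &[u8], _claimed_type: &str, filename: &str) -> (&'static str, String) {
    let name = sanitise_filename(filename);
    match sniff(body) {
        Some(kind) => (kind, format!("inline; filename=\"{}\"", name)),
        None => ("application/octet-stream", format!("attachment; filename=\"{}\"", name)),
    }
}

fn main() {
    // Constructed samples: a real PNG signature, and HTML uploaded as "image/png".
    let png = b"\x89PNG\r\n\x1a\n\0\0\0\rIHDR";
    let html = b"<!doctype html><script>/* constructed */</script>";
    println!("{:?}", media_headers(png, "text/html", "cat.png"));
    println!("{:?}", media_headers(html, "image/png", "../../a\"b\r\n.html"));
}
```

Anything the sniffer does not recognise falls back to `attachment` with `application/octet-stream`, so a mislabelled HTML upload is downloaded rather than rendered in the homeserver's origin.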
Synapse (website)
Synapse is a Matrix homeserver implementation developed by the Element
Andrew Morgan (anoa) says
This week Synapse v1.107.0 was released.
Top of the list of features is declaring support for Matrix v1.10, adding support for both MSC3823: Account Suspension and MSC4115: membership metadata on events. This is alongside the usual host of bugfixes, doc updates and dependency bumps.
Dept of Clients 📱
Commet (website)
airyz announces
Hello all, today we released a minor update: v0.2.1! This update is fixing some minor bugs found with last week's release, as well as adding a few smaller feature requests:
- Added saving of images/videos from messages
- Added an option to follow the system theme
- Formatting of timestamps now follows system format
- Added support for UI scale on mobile
Thanks to everyone who stopped by with feedback and support of last week's release!
kazv (website)
nannanko says
kazv 0.2.0 has been released.
Added
- Implement removing local echo. https://lily-is.land/kazv/kazv/-/merge_requests/70
- Support sending stickers. https://lily-is.land/kazv/kazv/-/merge_requests/71
- Support dragging files into send message box to upload them. https://lily-is.land/kazv/kazv/-/merge_requests/72
- Implement rich text formatting. https://lily-is.land/kazv/kazv/-/merge_requests/74
- Support mentioning user. https://lily-is.land/kazv/kazv/-/merge_requests/78
- Support filtering by room name and id. https://iron.lily-is.land/D10
- Get rid of spin-wait Promises. https://iron.lily-is.land/D12
- Support filtering unnamed rooms by heroes. https://iron.lily-is.land/D11
Fixed
- Fix image overflow in event view. https://lily-is.land/kazv/kazv/-/merge_requests/73
- Fix creates wrong subdirectory when set cache directory. https://lily-is.land/kazv/kazv/-/merge_requests/75
- Use constant time cursors for MatrixRoomTimeline. https://lily-is.land/kazv/kazv/-/merge_requests/76
- Fix room name overflow in room list. https://lily-is.land/kazv/kazv/-/merge_requests/77
- Fix join room page. https://lily-is.land/kazv/kazv/-/merge_requests/79
- Fix translations display on Windows. https://lily-is.land/kazv/kazv/-/merge_requests/80
- Fix download result bar display on upload file event. https://lily-is.land/kazv/kazv/-/merge_requests/81
Internal changes
- Rework on code review process. https://lily-is.land/kazv/kazv/-/merge_requests/84
Nheko (website)
Desktop client for Matrix using Qt and C++17.
Nico announces
Heya, short update from the Nheko side.
checkraisefold has been pretty busy getting video calls to work on Windows. Now you probably won't be able to get to use them in the near future because we haven't solved the packaging problem. But if you build Nheko yourself and spend a bit of extra effort, you can get it to work. (Linux calls of course still work as before and macOS hasn't been touched yet.)
q234rtc is also busy pointing out all my faults in the activation token logic and it should now work much better with the latest sway changes.
Bulby has fixed some emoji confusion, where some emojis had their description swapped, which while funny, isn't really that useful. They also cleaned up the code around the emoji completer code generation a lot, which is great!
A few people also pointed out that our flatpak nightly repo was broken for the last few weeks, but luckily that was easily resolved by updating a few packages. So if you are a nightly user (the unstable builds, not because you sleep during the day), you should be able to get automatic updates again for the flatpak packages!
We also put quite some work into fixing up rough corners in our explicit mentions support. Not only did we disable the normal mentions rules even on servers that don't support the new ones, we also had our logic the wrong way around... Replies also now include an explicit mention, however it isn't recursive. See MSC4142 for details!
Nep fixed the image copying on Windows. Nheko has a copy button for copying the currently opened image to your clipboard. On Windows that didn't work, because Windows has stricter requirements about which thread is allowed to access the clipboard.
We also had a computer guy clean up our flatpak builds. Over time our app metadata files have acquired quite some cruft and various tooling started to complain. In most cases even rightfully so!
And lastly, if a message contains a spoiler, you won't get spoiled anymore by having to read the message with the spoiler revealed in the sidebar or notifications! Instead the whole message will just say it contains spoilers and you need to open the room and manually reveal the spoilers. The specification actually suggests a different behaviour where you link to a text file in the media repo, however we couldn't find a way to make that work in encrypted rooms, so we just decided to implement the other side of the stick and hide spoiler messages where possible in the client. Probably we should bring that up as a specification issue at some point.
For now though, that is all I have. Various board meetings and elections have been quite exciting the last few weeks and I hope I have something cool to share with you soon about that (not about the Matrix Foundation board before you go and speculate)! And it has been a pleasure seeing so many contributions all the time, thanks a lot to everyone involved! But until then, see ya later!
Element X iOS (website)
A total rewrite of Element-iOS using the Matrix Rust SDK underneath and targeting devices running iOS 16+.
Mauro Romito reports
- version 1.6.7 is out (but soon a new version 1.6.8 with a quick hotfix for voice message recording will be out)
- Permalink support is completed and available!
- mentioning now works when the rich text editor is disabled
- the UI for room dm and members details has been completely revamped, to provide a better user experience
- QR Code Login has made great progress and is working great, and will probably be ready for the next month!
Dept of SDKs and Frameworks 🧰
libkazv
nannanko reports
libkazv 0.4.0 has been released.
Security
- Do not calculate transaction id from event content. https://iron.lily-is.land/D28
Added
- Implement removing local echo. https://lily-is.land/kazv/libkazv/-/merge_requests/70
- Add constant-time cursors for room timeline. https://lily-is.land/kazv/libkazv/-/merge_requests/72
- Support getting read receipts. https://lily-is.land/kazv/libkazv/-/merge_requests/73
- Add reader for related events in Room. https://lily-is.land/kazv/libkazv/-/merge_requests/74
- Add heroMemberEvents function to RoomModel. https://iron.lily-is.land/D9
- Support posting read receipts. https://iron.lily-is.land/D15
Fixed
- Fix an event shown not decrypted when it is being sent. https://lily-is.land/kazv/libkazv/-/merge_requests/71
- Fix PostReceiptAction sending out a null json body. https://iron.lily-is.land/D16
Removed
- Remove unused util.hpp. https://iron.lily-is.land/D8
Internal changes
- Rework on code review process. https://lily-is.land/kazv/libkazv/-/merge_requests/75
matrix-rust-sdk (website)
Next-gen crypto-included SDK for developing Clients, Bots and Appservices; written in Rust with bindings for Node, Swift and WASM
dkasak says
Security release: We've released matrix-sdk-crypto 0.7.1 (the crypto crate which is part of the Matrix Rust SDK project; Github tag, crates.io release), which is a security release fixing a Moderate severity issue (CVE-2024-34353/GHSA-9ggc-845v-gcgv). See the linked advisory for details.
Dept of Interesting Projects 🛰️
Homeserver-Spec-Versions Dashboard
clokep announces
I made a dashboard to track the support for Matrix spec versions across homeserver implementations. It includes charts for how long it took homeserver implementations to support a new version after it was published, as well as historically when each version was supported.
It works by fetching the repository of each homeserver and crawling changes to particular files and checking the supported versions at each change. It notes whenever the supported versions changes and then visualizes the data.
If you see an issue or have a suggestion, please open an issue on the repo.
Matrix Federation Stats
Aine announces
collected by MatrixRooms.info - an MRS instance by etke.cc
As of today, `9459` Matrix federateable servers have been discovered by matrixrooms.info, `2841` (`30.0%`) of them are publishing their rooms directory over federation. The published directories contain `159566` rooms.
Stats timeline is available on MatrixRooms.info/stats
Final Thoughts 💭
Writing a good "This Week in Matrix" entry
MTRNord announces
Hello fellow TWIM posters and yet to become TWIM posters.
There is now a guide available for rules and suggestions around writing your next TWIM entry. You can find this guide at https://matrix.org/twim-guide/
Going forward we expect people to follow the rules stated in this and hope that people also apply the mentioned recommendations on the formatting.
If you have any questions, please reach out over in the TWIM Room
Dept of Ping 🏓
Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by pingbot, a maubot that you can host on your own server.
#ping:maunium.net
Join #ping:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.
Rank | Hostname | Median MS |
---|---|---|
1 | doctoruwu.uk | 218.5 |
2 | girlboss.ceo | 220.5 |
3 | nerdhouse.io | 263.5 |
4 | daedric.net | 278 |
5 | synapse.rntpts.de | 283.5 |
6 | boehm.sh | 366 |
7 | craftingcomrades.net | 379 |
8 | bunkerbu.de | 398 |
9 | lewd.social | 407 |
10 | sulian.eu | 457 |
#ping-no-synapse:maunium.net
Join #ping-no-synapse:maunium.net to experience the fun live, and to find out how to add YOUR server to the game.
Rank | Hostname | Median MS |
---|---|---|
1 | spritsail.io | 68 |
2 | doctoruwu.uk | 83.5 |
3 | girlboss.ceo | 122 |
4 | synapse.rntpts.de | 152 |
5 | aguiarvieira.pt | 178 |
6 | transfem.dev | 192 |
7 | sulian.eu | 201.5 |
8 | shiftsystems.net | 208 |
9 | matrix.its-tps.fr | 234.5 |
10 | uwu.sulian.eu | 259 |
That's all I know
See you next week, and be sure to stop by #twim:matrix.org with your updates!
To learn more about how to prepare an entry for TWIM check out the TWIM guide.