matrix.org/content/blog/2024/05/2024-05-17-twim.md

+++
date = "2024-05-17T19:00:00Z"
title = "This Week in Matrix 2024-05-17"
path = "/blog/2024/05/17/this-week-in-matrix-2024-05-17"

[taxonomies]
author = ["MTRNord"]
category = ["This Week in Matrix"]
+++


## Matrix Live

{{youtube_player(video_id="E-sbHy9iA7k")}}

## Dept of elections 🗳️

[Josh Simmons (away, back May 9th)](https://matrix.to/#/@josh:josh.tel) announces

> Voting has started for the Governing Board elections and runs till May 31 – but don't delay, vote today! 🗳 Huge thanks to [all of the nominees](https://matrix.org/governing-board/elections/2024/#nominees) who have thrown their hat in the ring.
>
> All eligible voters should have received an email from the election system. All of the results will be published on the blog on June 3. Read our [announcement post](https://matrix.org/blog/2024/05/voting-begins/) or visit our [election center](https://matrix.org/governing-board/elections/2024/) for more info.

## Dept of Spec 📜

[Andrew Morgan (anoa)](https://matrix.to/#/@andrewm:element.io) says

> Here's your weekly spec update! The heart of Matrix is the specification - and this is modified by Matrix Spec Change (MSC) proposals. Learn more about how the process works at <https://spec.matrix.org/proposals>.
>
>
> ### MSC Status
>
> **New MSCs:**
>
> * [MSC4145: Simple verified accounts](https://github.com/matrix-org/matrix-spec-proposals/pull/4145)
>
> **MSCs in Final Comment Period:**
>
> * [MSC3967: Do not require UIA when first uploading cross signing keys](https://github.com/matrix-org/matrix-spec-proposals/pull/3967) (merge)
>
> **Accepted MSCs:**
>
> * [MSC4132: Deprecate Linking to an Event Against a Room Alias](https://github.com/matrix-org/matrix-spec-proposals/pull/4132)
> * [MSC3939: Account locking](https://github.com/matrix-org/matrix-spec-proposals/pull/3939)
>
> **Closed MSCs:**
>
> * [MSC1951: Custom sticker packs and emoji (mk II)](https://github.com/matrix-org/matrix-spec-proposals/pull/1951)
>   * Superseded by [MSC2545](https://github.com/matrix-org/matrix-doc/pull/2545)
> * [MSC2461: Proposal for Authenticated Content Repository API](https://github.com/matrix-org/matrix-spec-proposals/pull/2461)
>   * Superseded by [MSC3916](https://github.com/matrix-org/matrix-doc/pull/3916)
>
> ### Spec Updates
>
> As an early heads up, Trust & Safety at the Foundation is working on an important update to Matrix, [MSC3916 - Authenticated Media](https://github.com/matrix-org/matrix-spec-proposals/pull/3916). **This change will mean that all clients (and servers) will need to present a valid access token in their Authentication header to access media** - which is critical to ensure that URLs are only visible to the correct users, and prevents abuse of Matrix for hosting binaries.  More details will be published as we work to get everything released - we wanted to get the information out there as early as possible in the meantime. Let us know if you have any questions.
>
> Matrix.org plans to freeze unauthenticated media endpoints within a couple of months after the spec release, which is expected in the next few weeks. "Freezing" means that media uploaded or cached before the freeze will remain accessible via unauthenticated endpoints indefinitely, but any media cached or uploaded after the freeze will require authentication. The unauthenticated endpoints will be deprecated but will still serve old media on matrix.org.
>
> To ensure a smooth transition, we encourage you to start testing against the unstable endpoints and unreleased server builds. The changes for Synapse are being developed [here](https://github.com/element-hq/synapse/pull/17172), and for MMR [here](https://github.com/t2bot/matrix-media-repo/pull/509). Both are expected to release their changes soon. Once MSC3916 passes FCP, stable endpoints will become available. While releasing unstable support to users isn't required, having patches ready will help speed up the rollout.
>
> We know this is a quicker rollout than usual, but with your help, we can improve user safety and security across the ecosystem. Most clients should find this update straightforward, but if issues are encountered, please reach out in [#matrix-client-developers:matrix.org](https://matrix.to/#/#matrix-client-developers:matrix.org) or on the MSC discussion. The team is monitoring the room to help clients adopt the change.
>
> Web browser clients might face the most challenges, given the need to specify an Authentication HTTP header on media requests, so reviewing [this pull request](https://github.com/element-hq/element-web/pull/27326) and its dependencies could provide useful implementation insights.
>
> Thank you for your support. If you have any questions, let us know. We look forward to a smooth transition with minimal user-visible impact 🙂

<!-- more -->

## Dept of Servers 🏢

### conduwuit ([website](https://github.com/girlbossceo/conduwuit))

[strawberry🍓 (it/pup/she/they) 🏳️‍⚧️ 🦴💜🩷](https://matrix.to/#/@strawberry:puppygock.gay) reports

> #### _[Release 0.3.4](https://github.com/girlbossceo/conduwuit/releases/tag/v0.3.4)_ and _[Release 0.3.3](https://github.com/girlbossceo/conduwuit/releases/tag/v0.3.3)_
>
> Hi everyone! conduwuit 0.3.4 has just been released, and 0.3.3 was released last week. Both releases have been focused on security and some small maintenance things, vastly improved documentation on maintenance, moderation, usability, and admin commands, and a new moderation feature for proactively deactivating bad users on your homeserver.
>
> conduwuit was officially added to [Complement](https://github.com/matrix-org/complement/), and support for conduwuit running the `Content-Disposition` safety tests was added there too: <https://github.com/matrix-org/complement/pull/723>
>
> Some of the new changes include:
>
> * Send various security-related HTTP headers for all conduwuit responses by default, most importantly a strong `Content-Security-Policy`
> * Perform additional sanitisation on the uploaded attachment file name for the browser `Content-Disposition` header
> * Return `inline` browser Content-Disposition based on our own detection of the file, only return `inline` on safe multi-media files, and fully distrust the `Content-Type` header with safe and secure fallbacks
> * Fix non-functional user event homeserver reports
> * Fix non-functional unbans due to incorrect upstream code
> * New moderation config option to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
> * Fix Debian packaging
> * Don't send the target user's avatar_url or display name on ban events
> * Forget all the rooms when leaving all rooms for a user upon account deactivation
> * Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
> * Fix incorrect appservice namespace alias check
> * Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
> * Fix using conduwuit on NixOS without flakes
> * Resolve various arithmetic and type casting correctness
> * And bump all the dependencies
>
> **[GitHub Releases](https://github.com/girlbossceo/conduwuit/releases) | [Docker Hub](https://hub.docker.com/repository/docker/girlbossceo/conduwuit/general) | [NixOS](https://conduwuit.puppyirl.gay/deploying/nixos.html)**
>
> [Liberapay](https://liberapay.com/girlbossceo/) | [GitHub Sponsors](https://github.com/sponsors/girlbossceo) | [Ko-fi](https://ko-fi.com/puppygock)
>
> Chat with us in [#conduwuit:puppygock.gay](https://matrix.to/#/#conduwuit:puppygock.gay)

### Synapse ([website](https://github.com/element-hq/synapse/))

Synapse is a Matrix homeserver implementation developed by the Element

[Andrew Morgan (anoa)](https://matrix.to/#/@andrewm:element.io) says

> This week [Synapse v1.107.0](https://github.com/element-hq/synapse/releases/tag/v1.107.0) was released.
>
> Top of the list of features is declaring support for [Matrix v1.10](https://matrix.org/blog/2024/03/22/matrix-v1.10-release/), adding support for both [MSC3823: Account Suspension](https://github.com/matrix-org/matrix-spec-proposals/pull/3823) and [MSC4115: membership metadata on events](https://github.com/matrix-org/matrix-spec-proposals/pull/4115). This is alongside the usual host of bugfixes, doc updates and dependency bumps.

## Dept of Clients 📱

### Commet ([website](https://github.com/commetchat/commet))

[airyz](https://matrix.to/#/@airyz:matrix.org) announces

> Hello all, today we released a minor update: v0.2.1! This update is fixing some minor bugs found with last weeks release, as well as adding a few smaller feature requests:
>
> * Added saving of images/videos from messages
> * Added an option to follow the system theme
> * Formatting of timestamps now follows system format
> * Added support for UI scale on mobile
>
> Thanks to everyone who stopped by with feedback and support of last weeks release!
>
> [Join Our Room](https://matrix.to/#/#commet:matrix.org) · [GitHub](https://github.com/commetchat/commet)

### kazv ([website](https://lily-is.land/kazv/kazv))

[nannanko](https://matrix.to/#/@nannanko:tusooa.xyz) says

> kazv 0.2.0 has been released.
>
> #### Added
>
> * Implement removing local echo. <https://lily-is.land/kazv/kazv/-/merge_requests/70>
> * Support sending stickers. <https://lily-is.land/kazv/kazv/-/merge_requests/71>
> * Support dragging files into send message box to upload them. <https://lily-is.land/kazv/kazv/-/merge_requests/72>
> * Implement rich text formatting. <https://lily-is.land/kazv/kazv/-/merge_requests/74>
> * Support mentioning user. <https://lily-is.land/kazv/kazv/-/merge_requests/78>
> * Support filtering by room name and id. <https://iron.lily-is.land/D10>
> * Get rid of spin-wait Promises. <https://iron.lily-is.land/D12>
> * Support filtering unnamed rooms by heroes. <https://iron.lily-is.land/D11>
>
> #### Fixed
>
> * Fix image overflow in event view. <https://lily-is.land/kazv/kazv/-/merge_requests/73>
> * Fix creates wrong subdirectory when set cache directory. <https://lily-is.land/kazv/kazv/-/merge_requests/75>
> * Use constant time cursors for MatrixRoomTimeline. <https://lily-is.land/kazv/kazv/-/merge_requests/76>
> * Fix room name overflow in room list. <https://lily-is.land/kazv/kazv/-/merge_requests/77>
> * Fix join room page. <https://lily-is.land/kazv/kazv/-/merge_requests/79>
> * Fix translations display on Windows. <https://lily-is.land/kazv/kazv/-/merge_requests/80>
> * Fix download result bar display on upload file event. <https://lily-is.land/kazv/kazv/-/merge_requests/81>
>
> #### Internal changes
>
> * Rework on code review process. <https://lily-is.land/kazv/kazv/-/merge_requests/84>

### Nheko ([website](https://nheko-reborn.github.io))

Desktop client for Matrix using Qt and C++17.

[Nico](https://matrix.to/#/@deepbluev7:neko.dev) announces

> Heya, short update from the Nheko side.
>
> checkraisefold has been pretty busy getting video calls to work on Windows. Now you probably won't be able to get to use them in the near future because we haven't solved the packaging problem. But if you build Nheko yourself and spend a bit of extra effort, you can get it to work. (Linux calls of course still work as before and macOS hasn't been touched yet.)
>
> q234rtc is also busy pointing all my faults in the activation token logic and it should now work much better with the latest sway changes.
>
> Bulby has fixed some emoji confusion, where some emojis had their description swapped, which while funny, isn't really that useful. They also cleaned up the code around the emoji completer code generation a lot, which is great!
>
> A few people also pointed out that our flatpak nightly repo was broken for the last few weeks, but luckily that was easily resolved by updating a few packages. So if you are a nightly user (the unstable builds, not because you sleep during the day), you should be able to get automatic updates again for the flatpak packages!
>
> We also put quite some work into fixing up rough corners in our explicit mentions support. Not only did we disable the normal mentions rules even on servers that don't support the new ones, we also had our logic the wrong way around... Replies also now include an explicit mention, however it isn't recursive. See [MSC4142](https://github.com/matrix-org/matrix-spec-proposals/pull/4142) for details!
>
> Nep fixed the image copying on Windows. Nheko has a copy button for copying the currently opened image to your clipboard. On Windows that didn't work, because Windows has stricter requirements which thread is allowed to access the clipboard.
>
> We also had a computer guy cleanup our flatpak builds. Over the time our app metadata files have acquired quite some cruft and various tooling started to complain. In most cases even rightfully so!
>
> And lastly, if a message contains a spoiler, you won't get spoiled anymore by having to read the message with the spoiler revealed in the sidebar or notifications! Instead the whole message will just say it contains spoilers and you need to open the room and manually reveal the spoilers. The specification actually suggests a different behaviour where you link to a text file in the media repo, however we couldn't find a way to make that work in encrypted rooms, so we just decided to implement the other side of the stick and hide spoiler messages where possible in the client. Probably we should bring that up as a specification issue at some point.
>
> For now though, that is all I have. Various board meetings and elections have been quite exciting the last few weeks and I hope I have something cool to share with you soon about that (not about the Matrix Foundation board before you go and speculate)! And it has been a pleasure seeing so many contributions all the time, thanks a lot to everyone involved! But until then, see ya later!

### Element X iOS ([website](https://github.com/vector-im/element-x-ios))

A total rewrite of Element-iOS using the Matrix Rust SDK underneath and targeting devices running iOS 16+.

[Mauro Romito](https://matrix.to/#/@mauro.romito:element.io) reports

> * version 1.6.7 is out (but soon a new version 1.6.8 with a quick hotfix for voice message recording will be out)
> * Permalink support is completed and available!
> * mentioning now works when the rich text editor is disabled
> * the UI for  room dm and members details has been completely revamped, to provide a better user experience
> * QR Code Login has made great progress and is working great, and will probably be ready for the next month!

## Dept of SDKs and Frameworks 🧰

### libkazv

[nannanko](https://matrix.to/#/@nannanko:tusooa.xyz) reports

> libkazv 0.4.0 has been released.
>
> #### Security
>
> * Do not calculate transaction id from event content. <https://iron.lily-is.land/D28>
>
> #### Added
>
> * Implement removing local echo. <https://lily-is.land/kazv/libkazv/-/merge_requests/70>
> * Add constant-time cursors for room timeline. <https://lily-is.land/kazv/libkazv/-/merge_requests/72>
> * Support getting read receipts. <https://lily-is.land/kazv/libkazv/-/merge_requests/73>
> * Add reader for related events in Room. <https://lily-is.land/kazv/libkazv/-/merge_requests/74>
> * Add heroMemberEvents function to RoomModel. <https://iron.lily-is.land/D9>
> * Support posting read receipts. <https://iron.lily-is.land/D15>
>
> #### Fixed
>
> * Fix an event event shown not decrypted when it is being sent. <https://lily-is.land/kazv/libkazv/-/merge_requests/71>
> * Fix PostReceiptAction sending out a null json body. <https://iron.lily-is.land/D16>
>
> #### Removed
>
> * Remove unused util.hpp. <https://iron.lily-is.land/D8>
>
> #### Internal changes
>
> * Rework on code review process. <https://lily-is.land/kazv/libkazv/-/merge_requests/75>

### matrix-rust-sdk ([website](https://github.com/matrix-org/matrix-rust-sdk))

Next-gen crypto-included SDK for developing Clients, Bots and Appservices; written in Rust with bindings for Node, Swift and WASM

[dkasak](https://matrix.to/#/@dkasak:termina.org.uk) says

> **Security release:** We've released matrix-sdk-crypto 0.7.1 (the crypto crate which is part of the Matrix Rust SDK project; [Github tag](https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-crypto-0.7.1), [crates.io release](https://crates.io/crates/matrix-sdk-crypto/0.7.1)), which is a security release fixing a Moderate severity issue (CVE-2024-34353/[GHSA-9ggc-845v-gcgv](https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-9ggc-845v-gcgv)). See the linked advisory for details.

## Dept of Interesting Projects 🛰️

### Homeserver-Spec-Versions Dashboard

[clokep](https://matrix.to/#/@clokep:matrix.org) announces

> I made [a dashboard](http://patrick.cloke.us/homeserver-spec-versions/) to track the support for Matrix spec versions across homeserver implementations. It includes charts for how long it took homeserver implementations to support a new version after it was published, as well as historically when each version was supported.
>
> It works by fetching the repository of each homeserver and crawling changes to particular files and checking the supported versions at each change. It notes whenever the supported versions changes and then visualizes the data.
>
> If you see an issue or have a suggestion, please [open an issue on the repo](https://github.com/clokep/homeserver-spec-versions).

## Matrix Federation Stats

[Aine](https://matrix.to/#/@aine:etke.cc) announces

> collected by [MatrixRooms.info](https://matrixrooms.info/?utm_source=twim&utm_medium=matrix&utm_campaign=federation-stats) - an [MRS](https://gitlab.com/etke.cc/mrs/api) instance by [etke.cc](https://etke.cc?utm_source=twim&utm_medium=matrix&utm_campaign=federation-stats)
>
> As of today, `9459` Matrix federateable servers have been discovered by matrixrooms.info, `2841` (`30.0%`) of them are publishing their rooms directory over federation.
> The published directories contain `159566` rooms.
>
> Stats timeline is available on [MatrixRooms.info/stats](https://matrixrooms.info/stats/?utm_source=twim&utm_medium=matrix&utm_campaign=federation-stats)
>
> [How to add your server](https://matrixrooms.info/indexing/?utm_source=twim&utm_medium=matrix&utm_campaign=federation-stats) | [How to remove your server](https://matrixrooms.info/deindexing/?utm_source=twim&utm_medium=matrix&utm_campaign=federation-stats)

## Final Thoughts 💭

### Writing a good "This Week in Matrix" entry

[MTRNord](https://matrix.to/#/@mtrnord:midnightthoughts.space) announces

> Hello fellow TWIM posters and yet to become TWIM posters.
>
> There is now a guide available for rules and suggestions around writing your next TWIM entry.
> You can find this guide at <https://matrix.org/twim-guide/>
>
> Going forward we expect people to follow the rules stated in this and hope that people also apply the mentioned recommendations on the formatting.
>
> If you have any questions, please reach out over in the [TWIM Room](https://matrix.to/#/#thisweekinmatrix:matrix.org)

## Dept of Ping 🏓

Here we reveal, rank, and applaud the homeservers with the lowest ping, as measured by [pingbot](https://github.com/maubot/echo), a [maubot](https://github.com/maubot/maubot) that you can host on your own server.

### [#ping:maunium.net](https://matrix.to/#/#ping:maunium.net)

Join [#ping:maunium.net](https://matrix.to/#/#ping:maunium.net) to experience the fun live, and to find out how to add YOUR server to the game.

|Rank|Hostname|Median MS|
|:---:|:---:|:---:|
|1|doctoruwu.uk|218.5|
|2|girlboss.ceo|220.5|
|3|nerdhouse.io|263.5|
|4|daedric.net|278|
|5|synapse.rntpts.de|283.5|
|6|boehm.sh|366|
|7|craftingcomrades.net|379|
|8|bunkerbu.de|398|
|9|lewd.social|407|
|10|sulian.eu|457|

### [#ping-no-synapse:maunium.net](https://matrix.to/#/#ping-no-synapse:maunium.net)

Join [#ping-no-synapse:maunium.net](https://matrix.to/#/#ping-no-synapse:maunium.net) to experience the fun live, and to find out how to add YOUR server to the game.

|Rank|Hostname|Median MS|
|:---:|:---:|:---:|
|1|spritsail.io|68|
|2|doctoruwu.uk|83.5|
|3|girlboss.ceo|122|
|4|synapse.rntpts.de|152|
|5|aguiarvieira.pt|178|
|6|transfem.dev|192|
|7|sulian.eu|201.5|
|8|shiftsystems.net|208|
|9|matrix.its-tps.fr|234.5|
|10|uwu.sulian.eu|259|

## That's all I know

See you next week, and be sure to stop by [#twim:matrix.org](https://matrix.to/#/#twim:matrix.org) with your updates!

To learn more about how to prepare an entry for TWIM check out [the TWIM guide](https://matrix.org/twim-guide).