Hey all,

Matrix 1.7 has just been released! The last spec release was about 3 months ago, keeping us on track for regular quarterly releases. Unlike Matrix 1.6 though, today’s release is packed with plenty of features, some of which we’d like to call out here. Not all implementations will have support for these features yet though, and that’s okay (expected, even).

Adding support for a spec release can be a significant body of work. Instead of implementations having everything ready for spec release day, the idea is that they gain support over the next few months. If you’re able, please help those projects get v1.7’s features.

Today, we see 15 MSCs achieve their formally adopted status. All of them bring forward some much-needed features to Matrix, and a few highlights are below. Read on to the full changelog for a complete overview, and for a sneak peak at what the Spec Core Team (SCT) is planning to look at for v1.8 👀

🖼️ Finally, improvements to media in Matrix

The media repo has been largely unchanged since it was first released in 2015 as r0.0.0 - the only change being the addition of URL previews in r0.3.0 (released in 2017). Thankfully, the folks over at Beeper have been busy changing this situation!

MSC3860 and MSC2246 are both available as of today in the spec, improving how much bandwidth media repos need to offer and fixing a long-standing issue where uploading large files can be a challenge. MSC3860, specified here as allow_redirect, allows clients to opt-in to HTTP redirects on downloads, avoiding slowdowns from the server having to proxy and move the media twice. It’s particularly useful if your server uses a CDN like S3 to host media - just tell clients to go grab media directly from S3 instead.

Meanwhile, MSC2246 (largely specified here) gives clients an ability to upload their media after sending the associated event. The MSC was originally designed with bridges in mind, where message order and delays are very perceivable problems for users, however clients like Element X are thinking about using the feature to improve local echo on uploads as well. We’re excited to see uploads finally be reliable, and non-blocking for the conversation flow!

History would indicate that we’ve got several years to go before the next major improvement to media, but we’re looking to change that: MSC3916: Authentication for media, MSC4016: Streaming E2EE file transfers, and MSC3870: Upload direct to URL are all fairly promising MSCs we’re planning to take a look at in the next year or so.

💖 Reactions are here

Reactions have actually been in use for quite some time already, but the MSC struggled to make it into the spec formally. With Matrix 1.7 though, MSC2677 is merged.

MSC2677 was the last part of the MSC1849 saga, with MSC2674 (relationships) and MSC2675 (server-side aggregation) landing in Matrix 1.3, and MSC2676 (edits) landing in Matrix 1.4 back in September 2022. There’s still some work to be done in this area though, and certainly some quality of life improvements asking to be written up as MSCs - watch this space for progress on those fronts.

🎉 Achievement: First MSC merged

One of the best parts about writing an MSC is eventually seeing it released in the spec, and these folks saw their MSCs reach this milestone for the first time. Congratulations everyone, and please keep them coming!

In no particular order:

• benkuly with MSC3925 (their first ever MSC!).
• Fizzadar with MSC3758 and MSC3860.
• hughns with MSC3970 and MSC3882.
• Johennes with MSC3873.

Anyone can contribute MSCs, improving the whole of Matrix for everyone. If you have an idea (or bugfix), check out the guidelines and let us know if you run into any questions in #matrix-spec:matrix.org on Matrix - we’re always happy to help.

🔜 Early considerations for Matrix 1.8

The SCT aims to cut a release in the middle of each calendar quarter, largely to avoid most conflicts with regional holidays, and since Matrix 1.1 the releases have been getting less and less organic. Instead of looking at MSCs whenever they’re raised, the SCT has been aiming to hear about which MSCs will need looking at. This is a very subtle difference, but one that dramatically changes how the quarterly releases are structured.

With each spec release, the SCT has slowly been working towards a place where the majority of MSC work is thought about in advance, and Matrix 1.8 is another milestone along this journey. Over the next couple weeks we’ll be working on a roadmap based on the MSCs that are raised to us in the SCT Office room on Matrix, starting with the ideas we raised ourselves earlier in the year.

As of writing, our current plan for Matrix 1.8 includes:

• Further work on adopting OIDC (namely progress on MSC3824, MSC2965, and other similar proposals).
• Pushing the MSC3995 suite of MSCs towards acceptance/merge status.
• Continuing the improvements of VoIP (MatrixRTC) as we work towards Matrix 2.0.
• Various improvements to event relationships, such as MSC3981, and push in general, such as MSC3958 and MSC3391.

While this doesn’t represent a commitment to have these MSCs merged, these are the areas that the SCT is likely to be thinking about for the next 3ish months. If you have MSCs that might be possible to merge before roughly August, let us know in the SCT Office room (even if those MSCs aren’t on-theme with the above - we still want to hear about them!).

Critically, our release planning does not just include MSCs that are on track for being merged. We are also aiming to track that a given MSC needs technical review (for example), or that it might be receiving attention external to the SCT (such as implementation). We’d love to hear what you’re working on so we can start bringing those MSCs to the top of the list - let us know in the SCT Office room.

As is the theme for this section, if you have any questions about what the release process looks like (or where a given MSC currently sits in the roadmap), let us know in the SCT Office room.

The full changelog

There’s so many more things than what we covered in this blog post - flip through the changelog below for a full idea of what’s landed. Special thanks to MichaelKohler, zecakeh, and Cadair for contributing clarification & bug fix PRs in this release - we greatly appreciate it!

Client-Server API

• POST /_matrix/media/v1/create (#1499)
• PUT /_matrix/media/v3/upload/{serverName}/{mediaId} (#1499)
• POST /_matrix/client/v1/login/get_token (#1530)

• Changes to the server-side aggregation of m.replace (edit) events, as per MSC3925. (#1440, #1525)
• Add new push rule conditions event_property_is and event_property_contains, as per MSC3758 and MSC3966. (#1464)
• Add m.annotation relations (reactions), as per MSC2677. (#1475, #1531)
• Support asynchronous media uploads, as per MSC2246. (#1499, #1510)
• Document the m.mentions property; the .m.rule.is_user_mention and .m.rule.is_room_mention push rules; and other notification behaviour, as per MSC3952. (#1508)
• Improve VoIP signaling, as per MSC2746. (#1511, #1540)
• Update the scope of transaction IDs, as per MSC3970. (#1526)
• Add an ability to redirect media downloads, as per MSC3860. (#1529)
• Add an ability to use an existing session to log in another, as per MSC3882. (#1530)

• Clarify the sections of the specification concerning aggregation of child events. (#1424)
• Fix various typos throughout the specification. (#1432, #1442, #1447, #1455, #1465, #1500, #1509)
• Clarify that reply chain fallback for threads might not be present. (#1439)
• Clarify what event property the content-specific push rules match against. (#1441)
• Clarify the semantics that make requests idempotent. (#1449)
• Improve documentation of how clients use push rules. (#1461)
• Clarify that servers should enforce a default limit on a filter if one is not specified. (#1463)
• Disambiguate using property names with dots in them during push rule processing, as per MSC3873 and MSC3980. (#1464)
• Fix phrasing & typography in the registration endpoint description. Contributed by @HarHarLinks. (#1474)
• Remove outdated text saying that state_default is 0 if there is no m.room.power_levels event in a room. (#1479)
• Remove fictitious token parameter on /keys/query endpoint. (#1485)
• Fix rendering of properties with a list of types. (#1487)
• Clarify parts of the cross-signing signature upload request. (#1495)
• Remove the dont_notify and coalesce push rule actions, as per MSC3987. (#1501)
• Clarify m.location scheme by partially reverting f1f32d3. Contributed by @HarHarLinks. (#1507)
• Add missing knock_restricted join rule to the m.room.join_rules schema. (#1535)

Server-Server API

• Fix various typos throughout the specification. (#1431, #1447, #1466, #1518)
• Fix PDU examples by removing invalid OpenAPI reference to examples/minimal_pdu.json. (#1454)
• Remove leftover {key_id} from /_matrix/key/v2/server/. (#1473)
• Remove extraneous age_ts field from the reference hash calculation section. (#1536)

Application Service API

• POST /_matrix/app/v1/ping (#1516)
• POST /_matrix/client/v1/appservice/{appserviceId}/ping (#1516)

• Add homeserver->appservice ping mechanism, as per MSC2659. Contributed by @tulir at @beeper. (#1516, #1541)

• Fix various typos throughout the specification. (#1447)

Identity Service API

• Corrections to the response format of /_matrix/identity/v2/store-invite. (#1486)

Push Gateway API

No significant changes.

Room Versions

• Clarifications of event ID formats in early room versions (#1484)

Appendices

• Clarify that the term "Canonical JSON" is a specific thing within the Matrix specification. (#1468)
• Remove references to groups. (#1483)
• Clarifications of event ID formats in early room versions. (#1484)

Internal Changes/Tooling

• Update references to Inter font. (#1444)
• Endpoint disclosures now hide everything but the URL. (#1446)
• Wrap $ref in allOf where other attributes are present, to improve OpenAPI compliance. (#1457)
• Minor cleanups to the GitHub Actions workflows (#1476)
• Fix generation of anchors for additional properties. (#1488)
• Fix various typos throughout the specification. (#1534)
• Document more of the spec release timeline/process. (#1538)

Today we are issuing security releases of matrix-js-sdk and matrix-react-sdk to patch a pair of High severity vulnerabilities (CVE-2023-28427 / GHSA-mwq8-fjpf-c2gr for matrix-js-sdk and CVE-2023-28103 / GHSA-6g43-88cp-w5gv for matrix-react-sdk).

Affected clients include those which depend on the affected libraries, such as Element Web/Desktop and Cinny. Releases of the affected clients should follow shortly. We advise users of those clients to upgrade at their earliest convenience.

The issues involve prototype pollution via events containing special strings in key locations, which can temporarily disrupt normal functioning of matrix-js-sdk and matrix-react-sdk, potentially impacting the consumer's ability to process data safely.

Although we have only demonstrated a denial-of-service-style impact, we cannot completely rule out the possibility of a more severe impact due to the relatively extensive attack surface. We have therefore classified this as High severity and strongly recommend upgrading as a precautionary measure.

We found these issues during a codebase audit that we had previously announced in an earlier security release of matrix-js-sdk and matrix-react-sdk. The earlier release had already addressed a set of similar vulnerabilities that were assigned CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 and CVE-2022-36060 / GHSA-2x9c-qwgf-94xr, which we had initially decided not to disclose until the completion of the audit. Now that the audit is finished, we are disclosing those previous advisories as well.

Greetings Matrix fans! We've published Synapse version 1.78 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience. Please take a look at the upgrade notes for any important information about upgrading.

Announcements

Please note that Synapse 1.78.0 replaces the /_synapse/admin/v1/media/<server_name>/delete admin API with an identical endpoint at /_synapse/admin/v1/media/delete. Please update your tooling to use the new endpoint. The deprecated version will be removed in a future release.

The new stuff

In case you were unaware, Synapse has a command line export data command which allows administrators to export data for a specific user (you can read more about this command here). Synapse 1.78.0 updates this command adding account data to the user information that is returned by the export data command.

This version of Synapse also features a few changes to push rules, with implementations for MSC3758: Add event_property_is push rule condition kind, MSC3966: event_property_contains push rule condition, and the removal of the spurious dont_notify action from the defaults for the .m.rule.reaction pushrule. These changes empower end users to more fully customise their notification rules - MSC3758 allows users to ask to be notified when a field in an event contains any type of value, rather than only matching on strings, and MSC3966 provides crucial scaffolding for MSC3952: Intentional Mentions, which aims to eliminate unintentional mentions and improve the experience of mentions in general.

Synapse v1.78.0 includes some fixes for faster-joins related bugs as we work out the kinks. Some of these include a fix for a bug introduced in Synapse 1.76.0 where partially-joined rooms could not be deleted using the purge room API, and a fix for a bug introduced in Synapse 1.75 where the portdb script would fail to run after a room had been faster-joined. We continue to work to polish faster joins, and thank everyone who filed an issue.

Finally, for those deployments using workers, v1.78.0 fixed a bug introduced in Synapse 1.76 where 5s delays would occasionally occur.

Everything else

See the full changelog for a complete list of changes in the release. Also please have a look at the upgrade notes.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to this release, including (in no particular order): jahway603, williamkray, 999lakhisidhu, hari01584, saddfox, dklimpel, realtyem V02460, and thezaidbintariq.

We are also grateful to anyone helping us make Synapse better by sharing their feedback and reporting issues, or helping with community support questions.

Greetings Matrix fans! We've published Synapse version 1.77 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience.

The new stuff

Experimental support for intentional mentions (MSC3952)

Mentioning other users on Matrix is difficult: it is not possible to know if mentioning a user by display name or Matrix ID will count as a mention, but is also too easy to mistakenly mention a user.

MSC3952 proposes a solution. Its idea is to make the mentioning explicit in the protocol using a dedicated event property, instead of relying on searching the body of the message as before.

Synapse now implements this as an experimental feature.

Experimental support to suppress notifications from message edits (MSC3958)

Have you ever been annoyed by a noisy notification that keep coming back, but you can't pinpoint where it's coming from? This is usually because edits to a message where you are mentioned (or that mention @room) will retrigger a noisy notification. That can be pretty annoying when the message is edited 10 times!

MSC3958 is here to solve that, and Synapse now implements it as an experimental feature.

The quest for speed continues!

Some iterative optimizations have been implemented that should make joining or leaving large rooms even faster, and should also improve sending message.

Everything else

See the full changelog, for a complete list of changes in the release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to these releases, including (in no particular order) icp1994, dklimpel, Fizzadar and realtyem.

We are also grateful to anyone helping us make Synapse better by sharing their feedback and reporting issues, or helping with community support questions.

Hey all,

Matrix 1.6 is out there! Like Matrix 1.5 back in November, this release is largely a maintenance update. Matrix 1.1 through 1.4 have been relatively major upgrades, so a little time between features doesn’t feel like a bad idea :)

As with all spec releases, we encourage implementations to gradually update over the next few months rather than have support for everything on release day - please be kind to the projects you use, and help them gain support if able.

Matrix 1.6 sees just 7 MSCs get merged, though this is to be expected from a maintenance release. Check out Matthew’s Matrix 2.0 talk at FOSDEM for an idea of what’s expected over the next few releases.

We’ve covered a couple of the MSCs below, but read on to the full changelog for the full picture.

MSC3030: Jump to date API

It’s here! The time machine we’ve been waiting for!

Primarily part of the Gitter feature parity project (congratulations to the team going all-in on Matrix, by the way) to drive the Matrix Public Archive, the new API gives clients the ability to jump back in time to a nearby event. Being able to find something that was posted on a given day/week, but not being sure of which keywords to look for is a major usability improvement - many thanks to the Gitter team for making Matrix better!

MSC3706: Faster joins (part 1)

Matrix is going voom

Synapse 1.76 enabled faster joins by default, and while there’s a lot of Python going into making joins as fast as possible, the specification side is a relatively small change at the moment: just don’t send as many events during joins (omit_members).

There’s potentially more work on the horizon for making faster joins even faster and more robust, and some of that might involve spec work: keep an eye on Synapse releases and TWIM for updates as we make our way to faster joins in Matrix 2.0 :)

The full changelog

MSCs are how the spec changes in the way it does - adding, fixing, and maintaining features for the whole ecosystem to use. Check out the full changelog below, and the Spec Change Proposals page for more information on how these MSCs got merged (hint: they submitted a proposal, which anyone can do - take a look at the Matrix Live episode where Matthew covers the proposal process).

Client-Server API

• Add information on standard error responses for unknown endpoints/methods, as per MSC3743. (#1347)
• Add /rooms/<roomID>/timestamp_to_event endpoint, as per MSC3030. (#1366)
• Define hkdf-hmac-sha256.v2 MAC method for SAS verification, as per MSC3783. (#1412)

• Clarify the power levels integer range. (#1169, #1355)
• Clarify that /context always returns event even if limit is zero. Contributed by @sumnerevans at @beeper. (#1239)
• Clarify what fields are required when deleting a pusher (#1321)
• Improve the presentation of push rule kinds and actions. (#1348)
• Add missing description to m.call.answer schema. (#1353)
• Fix various typos throughout the specification. (#1363)
• Clarify parts of the end-to-end encryption sections. (#1381)
• Move login API definitions to the right heading. Contributed by @HarHarLinks. (#1382)
• Clarify which events will be included in Stripped State. Contributed by @andybalaam. (#1409)
• Add links to the spec for the definition of 3PID medium. (#1417)
• Correct the order of the default override pushrules in the spec. (#1421)
• Improve distinction between tags and their attributes in the rich text section. Contributed by Nico. (#1433)

Server-Server API

• Remove keyId from the server /keys endpoints, as per MSC3938. (#1350)

• Add information on standard error responses for unknown endpoints/methods, as per MSC3743. (#1347)
• Add /timestamp_to_event/<roomID> endpoint, as per MSC3030. (#1366)
• Extend /_matrix/federation/v2/send_join to allow omitting membership events, per MSC3706. (#1393, #1398)
• Note that /_matrix/federation/v2/send_join should include heroes for nameless rooms, even when allowed to omit membership events, per MSC3943. (#1425)

• Include examples inline instead of using a reference for invite endpoint definitions. (#1349)
• Fix POST _matrix/federation/v1/user/keys/claim response schema. (#1351)
• Correct the default invite level definition in the "Checks performed on receipt of a PDU" section. (#1371)
• Clarify that CNAMEs are permissible for server names. (#1376)
• Fix edu_type in EDU examples. (#1383)

Application Service API

• Add information on standard error responses for unknown endpoints/methods, as per MSC3743. (#1347)

Identity Service API

• Add information on standard error responses for unknown endpoints/methods, as per MSC3743. (#1347)

Push Gateway API

• Add information on standard error responses for unknown endpoints/methods, as per MSC3743. (#1347)

Room Versions

• Update the default room version to 10, as per MSC3904. (#1397)

• Clarify the grammar for room versions. (#1422)
• Fix various typos throughout the specification. (#1423)

Appendices

No significant changes.

Internal Changes/Tooling

• Add link to the unstable spec to the README. (#1357)
• Improve safety of the proposals retrieval script in the event of failure. (#1368)
• Rename <content> to content in the OpenAPI files for content uploads. (#1370)
• Stop autogenerating examples where we already have an example. (#1384)
• Improve formatting of definitions in the Push Notifications section. (#1415)

Greetings Matrix fans! We've published Synapse version 1.76 as the new stable release this week. Synapse admins are encouraged to upgrade to it at their convenience. Please take a look at the upgrade notes for any important information about upgrading.

Announcements

The big news is that faster joins for all has arrived! When joining a room for the first time, Synapse 1.76.0 will request a partial join from the other server by default. Previously, server admins had to opt-in to this using an experimental config flag.

Server admins can opt out of this feature for the time being by setting

experimental:
    faster_joins: false

in their server config.

For everyone else, after a faster join Synapse considers that room "partially joined". In this state, you should be able to

• read incoming messages (on clients which support lazy-loaded members in /sync);
• see incoming state changes, e.g. room topic changes; and
• send messages, if the room is unencrypted.

Synapse has to spend more effort to complete the join in the background. Once this finishes, you will be able to

• send messages, if the room is encrypted;
• retrieve room history from before your join, if permitted by the room settings; and
• access the full list of room members.

Practically, this means that the experience of joining a large room over federation should be greatly improved. In past versions of Synapse, joining a large room such as Matrix HQ over federation could take up to 30 mins. This time has been cut to ~20-30 seconds to partially join in the new release. Those of you who have been watching this know this has been a huge undertaking, big shout out to the team for getting it over the line! We're excited the community to try it, as always if you encounter any problems you are encouraged to file an issue.

Changes to the account data replication streams

Please note that Synapse has changed the format of the account data and devices replication streams (between workers). This is a forwards- and backwards-incompatible change: v1.75 workers cannot process account data replicated by v1.76 workers, and vice versa.

Once all workers are upgraded to v1.76 (or downgraded to v1.75), account data and device replication will resume as normal.

The new stuff

The default room version has now been updated to v10

Room version 10 is now the default room version in Synapse 1.76.0. This room version builds on v9 to introduce a new knock_restricted join rule, allowing prospective members to more easily join such a room. The knock_restricted join rule allows for prospective members of a room to join either through knocking or through join_restrictions, which allows prospective members to join a restricted room based on whether they are a joined member of another room. You can read more about restricted rooms here.

Synapse now implements experimental support for MSC3930 Push rules for Polls

Synapse has added some new, default push rules for MSC3881-esque event types.

This allows for notifications from polls, ie when a poll starts or ends.

Everything else

See the full changelog, for a complete list of changes in the release.

Synapse is a Free and Open Source Software project, and we'd like to extend our thanks to everyone who contributed to these releases, including: katlol, thezaidbintariq, dklimpel, FSG-Cat, tjay27, emgrav, villepeh.

We are also grateful to anyone helping us make Synapse better by sharing their feedback and reporting issues, or helping with community support questions.