
Matrix 1.0 and the Matrix.org Foundation - Arathorn
https://matrix.org/blog/2019/06/11/introducing-matrix-1-0-and-the-matrix-org-foundation
======
mikenew
The not-so-talked-about but killer feature of Matrix is that you can bridge
other services into it. I'm currently able to send and receive messages from
Hangouts, iMessage, SMS, and Slack all from within Matrix. If I'm working on
my laptop I can put my phone in my bag and not even touch it for 8 hours,
because there's no need. I have Riot running on my laptop with a full keyboard
and access to all my communication platforms.

It's not exactly easy to do (iMessage requires a dedicated Mac, for example),
but it's possible. And it works pretty well. Pulling out my phone to tap out
an SMS when I have a full keyboard in front of me seems silly at this point.
Hopefully the bridging will continue to evolve and become more accessible to
the average user, because it's amazing.

~~~
wishinghand
> iMessage requires a dedicated Mac, for example

You had me really excited until this part. I'm moving away from a Macbook soon
and my most missed feature will be desktop texting.

~~~
mikenew
Yeah sorry :/ There isn't an iMessage API to talk to, so the only way that
anyone has found to bridge with iMessage is to have an instance of macOS
running, logged in as you, and to send messages through the iMessage app via
AppleScripts and to watch the filesystem for incoming messages. It would be
great if there were some API you could use to send messages through, but Apple
has worked hard to keep iMessage locked down to Apple devices.

Having said that, I bought an old Mac Mini off of ebay for about $100, and
it's been working pretty well for the past year or so. It's not an easy
solution, but as far as I know it's the only solution for using iMessage on an
Android or non-macOS desktop.

~~~
tbrock
I’ve been wanting to do this since I run a Linux desktop and laptop.

What software did you use to make it work?

~~~
Arathorn
[https://github.com/matrix-hacks/matrix-puppet-
imessage](https://github.com/matrix-hacks/matrix-puppet-imessage) is the main
one; i've used it at points and it worked pretty well :)

------
rschulman
I am thrilled to be one of the newly announced Guardians of the non-profit
foundation. I'm happy to answer any questions people may have, though bearing
in mind that I'm going to be a little distracted for the next while until my
son goes to bed.

~~~
ngcc_hk
Finally read through the faq. It is a bit 1990s.

In those days we worry about how to talk with each other. Share info. In fact
find friends. Or server.

Whilst the the technology moves on you have E2E in beta and bridge to join
other communication technology but is this addressing the more fundamental
question of today’s real internet.

<driver of my worry you can skip>

The internet now is fragmented by either firm (Facebook) or country bloc (Eu
data and copyright law; china e-wall).

The internet is great to share but also a great way to isolate and record and
arrest people. China is a good example of what is great and nasty of this IP
protocol in the real world. Social credit system where you are not allowed to
sit in train (or lately bus) and suppressing of freedom of speech is hard in
the real world but with internet it is so much easier.

A global communication media without firm and country is what we dream of. Yes
there would be troll. But we can find ways to anti-spam, may be using lisp
like Paul has done. But we can dream to hack our way back to the original free
internet.

I use this to measure everything. Can it help us or empower us to program, to
hack, to share and just to chat freely

<end of driver>

Can you work in today world?

Have you listened to the call for national internet by supreme leader of china
or the cut off of internet link by Russia. Can you work in Eu data privacy and
copyright law?

Can you empower individual... is there essentially a tor mode there?

Or even better can client talk to client direct without server so no one can
have a record of what any guy (or girl as trinity would have said) said so to
arrest him (or her).

Can we interop freely is my real question?

~~~
Iv
First, for the record, I find it unfair to compare EU copyright laws to China
e-wall. China blocks connections. People who block connections because of GPRD
are people who oppose it, without good reasons IMO. To be in compliance, don't
invade people privacy. That's it. Things only get complicated if you do.

"Or even better can client talk to client direct without server so no one can
have a record of what any guy (or girl as trinity would have said) said so to
arrest him (or her)."

On Internet as we know it, even P2P does not implement that. Any router you
bounce on can be an eavesdropping server. Actually we now know that some of
them are, thanks to wikileaks and Snowden.

Server-less is just a guarantee against a narrow range of blocking techniques.
To prevent eavesdropping by governments, you need end-to-end encryption. If
you have a good encryption technique, using gmail is not a problem.

"Can we interop freely is my real question?"

It took me a while to realize that no technical hackery will ever guarantee
that. This is not a technical problem. The incredible power of asymmetric
cryptography gave us the dream that we could evade any kind of surveillance,
but in the end, a government can always outlaw crypto and arrest people who
use it. There is no technical way around it. Using Tor in China may protect
your data but will put you on a suspect list.

A government may install spyware on every communication device that are sold
nationally (as Syria did on smartphones) and record screenshots or cleartext
messages as they are typed.

You can't solve this problem without doing some politics. Crypto needs to stay
legal, governments need to refrain from installing spyware and privacy
violations need to be seriously prosecuted.

We have the tools to get around surveillance in a state that guarantees some
kind of freedoms, or that is clumsy in its implementation of surveillance
techniques, but the gap between hackers and authorities have closed in many
dictatorships and is very small in democracies as well.

If the problems you mention are of real concern to you, get involved in
politics, donate to EFF and FSF.

------
elagost
This is exciting. Glad to know they're focusing on making a stable, secure
protocol, and that development is going strong. Great job and keep up the
great work!

~~~
xj9
there are some big security and performance holes in the DAG resolution
algorithm, but hopefully more funding will give them the resources to revisit
some of their dangerous assumptions.

~~~
Arathorn
If you are aware of security holes in the DAG resolution algorithm please let
us know asap at security@matrix.org as per [https://matrix.org/security-
disclosure-policy/](https://matrix.org/security-disclosure-policy/).

As far as we know, we have addressed all known issues in the original
algorithm - which is why we have declared ourselves out of beta. Matrix 1.0
has an entirely new state resolution alg, as well as many other security
fixes.

Performancewise there are still issues, but we know what needs to be done to
fix them, and this will be landing shortly now 1.0 is out.

------
c487bd62
Honest question. What's stopping Matrix from being adopted by, say, Google or
Facebook, and then pulling a XMPPEEE? Imagine Matrix gets really popular, more
even than Discord. So they offer their own "version" but add features like
free 250GB on Google Drive or things like that. After they get everybody on
board they do what they do best and cease control of it.

~~~
upofadown
XMPP was not really extended by Google in any way that mattered. Their
federation hardly even worked even in the beginning.

XMPP has hardly been extinguished. There are something like 8 server
implementations and zillions of client implementations. With OMEMO and Let's
Encrypt it has has actually undergone a sort of resurgence lately. There are
100+ public XMPP servers out there. Matrix could only hope to be so
extinguished...

So I am not really sure how you could EEE Matrix even if you wanted to do so
for some reason. Something like this is hard to extinguish. If the network of
servers was functional before it would still be functional after some entity
pulled their server. Decentralization is sort of the point here.

~~~
phicoh
My experience with Matrix compared to XMPP, is that Matrix is way ahead in
usabiliy. I wanted to get people to use XMPP for years, but I always found too
much lacking.

Matrix is not there yet, cross device signing has to land. But the way it is
moving is way more promising than XMPP.

(I also remember that federating with Google was always painful)

------
est31
Looking forward to seeing performant server implementations. Especially
looking forward to ruma maturation:
[https://github.com/ruma/ruma](https://github.com/ruma/ruma)

~~~
cyphar
Or even dendrite. The Ruma author said on Reddit that they are waiting for
async/await to stabilise in Rust before they continue working on Ruma because
they'd likely need to rewrite it later if it was written without async from
the start.

~~~
est31
async/await is right around the corner. Meaning few months give or take until
it's on stable. The 1.37 goal [1] will most likely be missed though.

[1]: [https://boats.gitlab.io/blog/post/await-decision-
ii/](https://boats.gitlab.io/blog/post/await-decision-ii/)

~~~
cyphar
Yup, I've been following the Rust discussion too. I am quite excited to see
this happen -- as someone who tried to wrap their head around tokio two years
ago I'm glad something more akin to other languages is around the corner.

------
avinium
Matrix has been on my to-do list for some time - I'm interested in exploring
it as a replacement for team Slack.

As a side-note, I think the copy on the Matrix website could use some love -
it's a little wordy and not immediately clear what Matrix is, and why/how you
would use it. I've read a few other commenters make the same point.

Are you open to some suggested wording? If so, how would you prefer to receive
it?

~~~
Arathorn
So we just reworded some of the site, but agreed it needs more love. We're
(hopefully) much better at writing communication protocols than describing
them to a broad audience.

Proposals for changes are very welcome (although we can't guarantee we'll
accept them verbatim); the new site lives at [https://github.com/matrix-
org/matrix.org](https://github.com/matrix-org/matrix.org). PRs welcome.

~~~
avinium
Great. If I have any suggestions once I've actually had a chance to take it
for a spin, I'll make sure to submit it for consideration via Github.

------
sandGorgon
Congratulations for the release.

We were seriously evaluating Matrix as a replacement for Hipchat (about a few
months back) through their hosted service modular.im . We didn't end up going
for it because it didn't have privacy controls (there's no concept of an org
like Slack) and integration with Auth mechanisms like SAML/Google,etc.

I'm glad that matrix.org is now a very different organisation than New Vector.
Hopefully it should allow you to focus on polishing the user facing _product_
, Riot.im

I have already used the re-designed Riot - it's nice from a UI perspective,
but there's a lot of enterprise use cases that are missing.

------
driminicus
Congratulations on this huge milestone!

~~~
Arathorn
thanks :D we are applying beer and shipping cookies

~~~
cvwright
Congrats Matthew and your team!

------
Iv
Is there a docker image of synapse (Matrix's reference server implementation)
that is updated with 1.0 version?

I found this [https://github.com/matrix-
org/synapse/tree/master/docker](https://github.com/matrix-
org/synapse/tree/master/docker)

but the last update is 21 days ago.

I guess for now, installing from source is the only option to get 1.0?

~~~
bn8t
The docker image got updated to 1.0 yesterday. See:
[https://hub.docker.com/r/matrixdotorg/synapse/tags](https://hub.docker.com/r/matrixdotorg/synapse/tags)

~~~
Iv
Thanks!

------
dwb
Congratulations, it's very heartening to see a new open application-layer
protocol get to a stable v1.0 :)

------
zaarn
Did 1.0 fix the crippling resource consumption of their "reference
implementation" or are they still tinkering on something half done?

Did they fix the barely working and maintained bridge ecosystem (ie,
everything other than IRC)?

I'm someone who ran a Matrix server in the past and got burned by it, the
announcement doesn't seem to address any of the issues I encountered running
my server or make the UI any more discoverable for non-technical users
compared to alternatives like Discord.

It feels more like this 1.0 announcement was done so they could have 1.0 and
declare to have done it, without actually fixing the glaring issues in the
Matrix ecosystem. At this point, the ActivityPub Ecosystem (Pleroma, Misskey,
Mastodon) offers more versatile and user friendly experiences. I hope someone
builds a chat server on top of AP.

~~~
larkeith
> Did 1.0 fix the crippling resource consumption of their "reference
> implementation" or are they still tinkering on something half done?

From the fourth paragraph: "...we have deliberately not focused on performance
or features in the 1.0 release - so I’m afraid that synapse’s RAM footprint
will not have got significantly better..."

"Crippling resource consumption" is an interesting viewpoint, however - I'm
federating to the four largest rooms currently available and using <.75g RAM,
so unless you consider every modern browser "crippling"...

~~~
zaarn
I did run a Matrix server for a while. It continously consumed between 4 and 6
Gigabytes of RAM with about 5-10 users active at all times. Joining on of the
larger rooms took 3 days, 2 days unil I didn't just receive plain errors and
then another day until it would let me open the room without timeouting. While
joining large room sit consumed almost all available CPU and several database
connections for IO.

This was less than 3 months ago on a fresh install based on Docker with no
modifications to the code other than instructed in the installation guide.

~~~
Arathorn
Well, sounds like you hit a bug. my personal server sits at 600MB RSZ,
including lots of large room. Were you using sqlite or postgres?

~~~
zaarn
I was using Postgres.

------
nullwasamistake
Matrix works great once setup but they really need to work on install process.
All the "easy ways" are unofficial. Some of the clients, like Riot, appear to
be really well written, but the server itself gives me pause. Just from
looking at the configuration, the codebase appears to be a mess.

They also built the thing without specifying a protocol which was the original
goal. I once attempted to implement a matrix client and the majority of doc
pages on the protocol are "TDB" or "look at server source"

~~~
Arathorn
the client-server API has been stable and fully docced since early 2016, which
explains why there are so many matrix clients out there. you must have been
attempting a long time ago...

------
ntw1103
This is exciting. Great job! I've been using matrix for over a year now, and
I've been extremely happy with it, as have the users of my homeserver.

------
davefp
Fantastic! I know what I'll be doing this evening :D

------
sansnomme
What's the best option available for chat embedding right now? E.g. if I want
to build Facebook's chat feature or Fiverr's Inbox feature and have it
integrated into my main web app.

~~~
Arathorn
We haven't published an official embedded chat SDK for Matrix yet, but there
are a bunch of options from the community.
[https://gitlab.com/sanlox/tangent](https://gitlab.com/sanlox/tangent) is one,
which is very new and immature but looks to be headed in the right direction.

Alternatively, you could take a scalpel to matrix-react-sdk and strip it down
to do what's needed.

Maintaining UI SDKs like this is very time consuming, and we're currently
putting our time into ensuring matrix-react-sdk (and thus Riot) pull their
weight against Slack & Discord etc.

~~~
sansnomme
The biggest issue I have found is Auth, specifically session sharing. Any
advice for that?

------
slyrus
It's unfortunate that "Matrix" has nothing to do with actual matrices and that
"Synapse" has nothing to do with neuroscience or even neural networks. Makes
me want to name my next matrix (actual rows and columns of numbers) library
something like "advanced telephony and messaging" but a stupid name for a
stupid name makes the whole world utterly ungoogleable so I'll refrain.

~~~
mlevental
matrix

/ˈmeɪtrɪks/

noun

noun: matrix; plural noun: matrices; plural noun: matrixes

5.

an organizational structure in which two or more lines of command,
responsibility, or communication may run through the same individual.

"matrix structures are said to foster greater flexibility"

------
__david__
I note the announcement says this about things coming soon:

> \- Editable messages! (These are in Synapse 1.0 and Riot already, but still
> stabilising so not enabled by default)

Is there some way to enable editing on a locally hosted server to play with?
(In my case I don't care if federated servers don't handle it). I've poked
around the code a bit and I don't see anything obvious documented…

~~~
Arathorn
On Riot/Web, you’ll need to enable it in labs settings (in config.json) -
riot.im/develop already has it turned on. On synapse there is a config flag
called experimental_aggregation_support or something, but it’s optional (it
makes reactions/edits more efficient).

~~~
__david__
Thanks! In case anyone else is wondering, I added:

    
    
        "features": {
            "feature_message_editing": "labs"
        }
    

to my Riot's config.json and

    
    
        experimental_msc1849_support_enabled: true
    

to Matrix's homeserver.yaml.

~~~
Arathorn
that's the one :) Editing unsent/sending messages should land tomorrow, and
then the feature is pretty much done. Sorry for not having the right config
details when answering on my phone yesterday!

------
nerd7473
Matrix really is an awesome clinet/service. Really glad this Matrix exists and
allows for security and privacy.

------
intea
Are there decent Admin tools for hosting your own homeserver now? Last time I
checked it out I could neither disable file uploads completely nor remove
users from the server short of editing the database.

~~~
Arathorn
you can disable fileuploads completely from the config (set a max filetransfer
size of 0). however, we still need to build a proper admin web interface for
it. the admin API is improving however, but it's a matter of hitting the API
with curl currently (for removing users etc).

~~~
intea
Setting the max filetransfer size to 0 still showed the button and allowed
uploading of 0 byte files. Probably just a UX oversight but annoying
nonetheless. Not having a simple to use admin or even moderator interface
makes Matrix unusable for my purposes for the time being.

~~~
Arathorn
right, understood. this is why the original post explicitly says:

> so I’m afraid that synapse’s RAM footprint will not have got significantly
> better, and your favourite long-awaited features (automatically
> defragmenting rooms with lots of forward extremities, configurable message
> retention, admin management web-interface etc) have not yet landed

We know that admin management interfaces are critical, and we'll be adding
them now 1.0 is out asap.

Meanwhile, I filed [https://github.com/vector-im/riot-
web/issues/10025](https://github.com/vector-im/riot-web/issues/10025) for
"hide the upload button" feature req.

~~~
intea
Thanks!

------
megous
So where's the spec 1.0? All I see is old <1.0 versions.

[https://matrix.org/docs/spec/](https://matrix.org/docs/spec/)

~~~
Arathorn
[https://matrix.org/docs/spec/#matrix-
versions](https://matrix.org/docs/spec/#matrix-versions). Matrix 1.0 is the
blanket term for the set of various specific API releases we just cut: CS API
0.5 etc. We could have bumped them all to 1.0 for the sake of it (and perhaps
we should have), but it felt cleaner to let each API version evolve
independently, and instead say “hey, as of this set of versions, we consider
the protocol stable”.

~~~
megous
Thanks for the clarification.

------
mxuribe
Congrats to everyone involved!!!

------
superfist
Good job!

------
bongobongo
This is exciting. A big thank-you to all involved in bringing this sorely
needed standard to life!

------
jbverschoor
I have no idea what matrix is, and it is not explained

~~~
TuringTest
Because it's a blog entry for a project milestone. The definition is at the
homepage and FAQ, one link away.

[https://matrix.org/](https://matrix.org/)
[https://matrix.org/faq/](https://matrix.org/faq/)

~~~
jbverschoor
Checked my history. Before I opened the matrix link in the top left iirc(
mobile) It took me to the try now page. Maybe not, but that’s where I ended up

~~~
jbverschoor
I pressed the hamburger menu on mobile. It took me to try now, which is also
on the top right:

[https://matrix.org/try-now](https://matrix.org/try-now)

------
nurettin
At least I learned a lot from the github issues their hacker opened. Wonder if
there are any surviving archives of those that the repo owners did not delete
in shame.

[https://news.ycombinator.com/item?id=19642554](https://news.ycombinator.com/item?id=19642554)

~~~
Arathorn
I (the repo owner) reposted them via links to archive.org after github deleted
them, actually: [https://github.com/matrix-
org/matrix.org/issues/367#issuecom...](https://github.com/matrix-
org/matrix.org/issues/367#issuecomment-482649539). See
[https://matrix.org/blog/2019/05/08/post-mortem-and-
remediati...](https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-
for-apr-11-security-incident/) for the full details of what happened, fwiw.

~~~
jancsika
Were the GPG signing keys the hacker found for signing official Debian
packages for Matrix-related software?

~~~
cyphar
They were for signing the Debian and Ubuntu packages of the matrix.org Debian
repos. But Debian also has its own packages for matrix-synapse (with the
latest version usually available in experimental) -- so you could just use
those instead.

------
s9w
Matrix is a very generic name.

~~~
k__
At least they didn't call it Tensor, lol

~~~
Arathorn
_cough_ [https://github.com/davidar/tensor](https://github.com/davidar/tensor)

also
[https://matrix.org/docs/projects/client/quaternion](https://matrix.org/docs/projects/client/quaternion)
O:-)

------
reizorc
End-to-end encryption is all well and good but until the app stores provide
verifiable builds I think promoting messaging apps such as Riot as "Secure
decentralised chat/VoIP" is unprovable and therefore somewhat misleading.

~~~
danShumway
Security isn't binary.

That's not to say that we shouldn't have verifiable builds (we totally
should), but if we follow this line of logic we will never be able to call
anything secure. By the time we have verifiable builds we will have identified
other security risks that also need to be addressed.

Apps like Riot are secure compared to the majority of alternatives available
today. Arguably we shouldn't use a binary term to describe that, but I'm
sympathetic to the idea that consumers think in those terms and that it's not
_too_ harmful to use them. Other metrics typically don't see this kind of
feedback (for example, you hardly ever see anyone complaining about someone
marketing their app as 'fast', even though performance is also not binary).

~~~
SI_Rob
Words like security and decentralization are indeed not binary, but referring
to them as being on "a continuum" or something similar is not particularly
helpful either. I wish I saw more application of them as modalities, such that
they refer to not to a perpetual state but a systemic tendency toward an ideal
(if asymptotic) structural equilibrium over time, as in "X tends toward
greater decentralization", "tends towards greater security" over time.

Even better if these claims could be backed, if not by a formal proof, at
least an informal definition of these terms as used in the claim and
reasonable justification as to why the models being promoted would not tend to
collapse into greater centralization, weaker security over time.

~~~
ChainOfFools
It's unfortunate that you posted this comment in a nearly drownvoted thread
under a story submission about a product announcement.

You make a very interesting point about recognizing whether the tendency of a
group coordination model is to drift toward one of the poles of centralization
over time (not sure I follow that same reasoning with regard to security
though).

This comment would have been much more relevant had it been made in the other
story about making efficient decisions in a flat hierarchy.

