Heads up to all #Riot users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see riot.im/reinstall

To avoid maintenance overhead, however, it's likely that F-Droid users must also change the app in the near future. Still, there's no need to act now.


@fdroidorg @matrix Who's behind Matrix? How does it compare to Mastodon? Is it safe?

@pj @fdroidorg @matrix Behind matrix: a company called New Vector Ltd, now also selling enterprise services. Compares to mastodon: Synapse is quite resource-intensive when you join large rooms, but it works. Client-side there is a lot of choice, but the only "good" choice is the Riot.im electron client. Safe: E2E is not the default, but it can be enabled, but if I'm up to date, no client beside Riot can do it. Still, I'm a fan.

@pj @matrix @fdroidorg

Matrix is more real-time / group chat oriented where Mastodon is more for micro-blogging. For now the two don’t federate between them.

It has a robust spec, featuring optional end-to-end encryption which −IMHO− is very secure, despite the recent attacks that only impacted the “official” implementation but not the core itself (and they showed good response).

Behind Matrix is Matrix.org which is a non-profit organization that runs the spec, and there are some for-profit organizations too that make the implementations, and other collaborators since it’s Free Software (disclaimer: I’m not very sure of that last bit).

@GeoffreyFrogeye
It's secure enough from the client to server standpoint, but there are lots of trivial and obvious, unfixed exploits that just about anyone should pick up on in short order, so "robust spec" is something of an overstatement. The encryption is good enough, except that one has to verify all devices in e2ee rooms, or blindly trust everyone there (and no encryption of attachments)
@matrix @fdroidorg @pj

@darkmeson @pj Oh, I did not know that. I guess « spec that has the best potential » would be more appropriate.
Yeah, E2E still has a way to go, but it is still better than services with no encryption at all or with encryption completely hidden.

@GeoffreyFrogeye
I don't know if I'd say "better than" since it's historically amounted to about the same thing in my case. Riot naively keys itself based on system information which, for hopefully obvious reasons, effectively makes it think it's on a completely different system each time (and there's no batch delete, so my device list is HUGE...one of those potential exploits since there doesn't appear to be a list length limit, LRU eviction, etc)
@pj

@darkmeson @pj Yeah, it is for me too. Hopefully this is just a fix on the client side (Riot Android, nheko and Quaternion don't have this issue at least for me).

@GeoffreyFrogeye
I've been meaning to check the Tensor build that I'd discovered was in the F-Droid repos a few days ago, but I have to unbork Package Installer first (expandable storage issues strike again)
@pj

@darkmeson @pj Honestly, don't bother. It's a 3-year-old build, I couldn't make it work, and it doesn't even have a field for personal homeservers.

@GeoffreyFrogeye
That's unfortunate, but not surprising. The Matrix clients seemingly suffer from a lot of the same problems as I2P developments, which is to say that people are keen to start developing, but never quite seem to stick with it long enough to make anything generally usable. That being said, we could run Quaternion and others via X Server and an Ubuntu/Debian/Fedora/etc chroot, I guess (or Weechat with the Matrix script via Termux)
@pj

@GeoffreyFrogeye
As far as the last part, the community actually fractured a while back over (apparently) fundamental disagreement about how development priorities should be set, and potential mismanagement of funds by NV (or some such thing). The fork (The Grid) still aims to retain some compatibility afaik, but who's a "collaborator" and who's a "competitor" got a lot more muddied.
@matrix @fdroidorg @pj

@darkmeson @pj Did not know that about The Grid. I just had a look at their overview, explaining the differences with Matrix. It's interesting. I now look forward to this project (too).

@GeoffreyFrogeye
One small update: they claim attachments are actually encrypted now, and it looks like they might be, but I haven't had a chance to peek under the hood and verify yet (so ymmv)
@pj

@pj @matrix @fdroidorg They can't really be compared since Mastodon focuses on micro-blogging while Matrix is for secure chatting, but as of right now, the protocol is fine enough but quite inefficient, and there's a severe lack of clients for it that aren't feature complete or just dropped development altogether. As for safety, that depends on your host as always, matrix.org was hacked but all other instances were unaffected.

@pj @fdroidorg @matrix
Matrix serves another purpose compared to mastodon. While mastodon is a sort of Twitter replacement in cool, matrix is a sort of WhatsApp and slack but federated and decentralized (except for the identity servers). Also there are bridges to a lot of other walled gardens.

@pj @fdroidorg @matrix
Who is behind it? Well there are a lot of companies using it and investing in it and also the French government. Then there is a foundation and there are the developers who had problems administrating their dev setup.

@pj @fdroidorg @matrix

Is it safe? You probably mean secure. Apart from the recent problems with the dev setup, as always, it depends on your threat.
Nothing is 100% secure. It has its pros and its cons and if you wanna know if it is better for you personally than other solutions, you will have to compare them in detail.

@pj
Matrix' biggest feature is its bridging to Telegram, Discord, several IRC networks, Slack, and possibly others (nice for using Freenode over Tor, in particular). It's sort of analogous to irccloud-like bouncing services, except more generalized. It's essentially just http and json, so it's useful for blogging, image and file galleries, pastebins, and a lot of other things just waiting to be thought of.
@fdroidorg @matrix

@pj
As far as being "safe", then yes, if you avoid the electron app (or at least firejail it; electron has a horrible security record). Most of the difficulty happens at the homeservers, and seems to be mostly the result of naive and insecure federation code. One gotcha to note is that while messages can be encrypted, attachments NEVER are, and worse, they're world-accessible (a "feature" for some uses though)
@fdroidorg @matrix
