Just pushed the newest #flatpak version of #Riot to you 🙂
Expect the delivery within the next 24 hours. 📦
Wow…
So Electron improved their security features with the recent version 5, but by doing this broke tons of applications because they either need User Namespaces or an SUID executable (to launch properly isolated subprocesses).
#Signal Desktop noticed this problem as well and "fixed" it in the worst way possible:
https://github.com/signalapp/Signal-Desktop/commit/1ca0d821078286d5953cf0d598e6b97710f816ef
On the other hand #Riot Desktop did a proper fix, which enables an SUID bit on this binary: https://github.com/vector-im/riot-web/commit/56674ea70849b3a793fa7b862945163aa10b36b8
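The two prerequisites named in the post above (user namespaces or a SUID sandbox helper) can be audited from a shell. This is an added example, not part of the original post or of either project's code; the helper file name `chrome-sandbox`, the expected mode 4755 with root ownership, the `/proc` paths and the `PROC_ROOT` override are assumptions that the post does not state.

```shell
#!/bin/sh
# Added example: check whether an Electron (>= 5) install can start its sandbox.
# PROC_ROOT is a hypothetical override so the check can be pointed at a
# constructed directory tree; it defaults to the live /proc.

# Prints one of: ok | missing | wrong-mode | not-root-owned
sandbox_helper_status() {
    helper=$1
    [ -f "$helper" ] || { echo missing; return; }
    mode=$(stat -c '%a' "$helper")    # octal mode, e.g. 4755 (GNU stat)
    owner=$(stat -c '%u' "$helper")   # numeric uid of the owner
    # Assumption: the helper must be exactly 4755 (setuid, not group/world writable).
    [ "$mode" = 4755 ] || { echo wrong-mode; return; }
    # A setuid bit only grants root privileges when root owns the file.
    [ "$owner" = 0 ] || { echo not-root-owned; return; }
    echo ok
}

# Prints: yes | no  (are unprivileged user namespaces available?)
userns_status() {
    proc=${PROC_ROOT:-/proc}
    # Assumption: kernel exposes this limit (Linux 4.9+); a missing file counts as 0.
    max=$(cat "$proc/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    # Debian/Ubuntu kernels add this extra switch; where absent, treat it as enabled.
    clone=$(cat "$proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    if [ "$max" -gt 0 ] && [ "$clone" = 1 ]; then echo yes; else echo no; fi
}

# Overall verdict for the directory that holds the application's chrome-sandbox.
electron_sandbox_report() {
    dir=$1
    helper_state=$(sandbox_helper_status "$dir/chrome-sandbox")
    userns_state=$(userns_status)
    if [ "$helper_state" = ok ] || [ "$userns_state" = yes ]; then
        echo "sandbox-usable helper=$helper_state userns=$userns_state"
    else
        echo "sandbox-unusable helper=$helper_state userns=$userns_state"
    fi
}
```

Call `electron_sandbox_report` with the application's install directory; a `sandbox-unusable` result means neither prerequisite is met on that machine.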
By the way, there was an update for Riot yesterday.
When you use Gnome Software and have automatic updates for flatpaks activated, it's very likely you have it already installed.
Otherwise, go for it :)
For CLI users: `flatpak update` will do the job.
Riot v1.1.1 is on its way to your desktop 🎉
The Flatpak was updated. Just waiting for the build to finish and publishing to flathub.
When Gnome Software is configured properly on your system, you'll just get a notification that Riot was updated in the background as soon as it made it to your system 🚀
For everyone else: Run `flatpak update` tomorrow and it should wait for you to install 🙂
By the way, the Riot 1.1.0 flatpak is on its way 🎉
Just wait for the repository metadata to be updated and things will arrive on your workstation :)
If you are using #riot-android you should update to version 0.8.28a as this is a critical security update.
If you are a user of the matrix.org homeserver and have received an alert message stating that you should update to a version 0.8.99 from Google Play, you can safely ignore that. This message was only targeted at Google Play users but accidentally sent to some #F-Droid users as well.
Heads up to all #Riot users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see https://riot.im/reinstall
To avoid maintenance overhead, however, it's likely that F-Droid users must also change the app in the near future. Still, there's no need to act now.
There are new keys for the official matrix repositories with the key ids:
CF45A512DE2DA058 (synapse)
D7B0B66941D01538 (riot)
Those come along with new packages that are built on fresh infrastructure. No details if they now sign packages offline, yet.
https://twitter.com/matrixdotorg/status/1118039725233909765
Updated my OpenPGP-signed Riot verification keys, now that I run my own homeserver.
https://shivering-isles.com/riot-signed.txt.asc
Just if you want to verify me without me being around :)
Since Matrix reset all logins recently, you may have lost some of your E2EE keys. Those were erased when being forcefully logged out.
Those who used the Key Backup mechanism by Matrix.org can recover quite easily, those who didn't bother to set them up, might have a problem.
In #e2e:matrix.org we discussed that today and someone provided a detailed guide on how to recover using BTRFS:
After Matrix has restored its major services, they noticed that the GPG keys used for signing packages were compromised.
The key IDs are:
AD0592FE47F0DF61 (synapse)
E019645248E8F4A1 (Riot/Web)
Please make sure to no longer use those keys.
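A keyring can be checked for the compromised key IDs listed in the post above and for the replacement key IDs announced in the earlier post on the new repository keys. This is an added example, not part of the original posts; it assumes GnuPG's `--with-colons` listing format (key ID in field 5), and the sample listing is constructed for illustration.

```shell
#!/bin/sh
# Added example. Key IDs are copied from the posts on this page.
COMPROMISED_KEYS="AD0592FE47F0DF61 E019645248E8F4A1"
REPLACEMENT_KEYS="CF45A512DE2DA058 D7B0B66941D01538"

# Reads `gpg --with-colons --list-keys` output on stdin and prints one line
# per primary key or subkey: "<status> <keyid>".
# Live use, assuming an apt keyring at this path:
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --with-colons --list-keys | classify_keys
classify_keys() {
    awk -F: -v bad="$COMPROMISED_KEYS" -v good="$REPLACEMENT_KEYS" '
        BEGIN {
            n = split(bad, b, " ");  for (i = 1; i <= n; i++) is_bad[b[i]] = 1
            n = split(good, g, " "); for (i = 1; i <= n; i++) is_good[g[i]] = 1
        }
        $1 == "pub" || $1 == "sub" {
            id = toupper($5)               # field 5 holds the 64-bit key ID
            if (id in is_bad)       print "COMPROMISED " id
            else if (id in is_good) print "replacement " id
            else                    print "other " id
        }'
}

# Exit status 0 when the listing on stdin contains a compromised key.
has_compromised_key() {
    classify_keys | grep -q '^COMPROMISED '
}

# Constructed sample listing (not real keyring output).
sample_listing() {
cat <<'EOF'
pub:-:4096:1:AD0592FE47F0DF61:1500000000:::-:::scESC:
uid:-::::1500000000::::Constructed Sample One <one@example.invalid>:
pub:-:4096:1:CF45A512DE2DA058:1555000000:::-:::scESC:
uid:-::::1555000000::::Constructed Sample Two <two@example.invalid>:
pub:-:4096:1:0123456789ABCDEF:1400000000:::-:::scESC:
EOF
}
```

The posts give 64-bit key IDs only, so a `COMPROMISED` line is a prompt to inspect and remove that key by its full fingerprint.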
Matrix.org just announced they are back once more:
https://twitter.com/matrixdotorg/status/1116616382584475648
Let's hope things stay up as they are. There are definitely some new challenges to tackle, which came up in their issue tracker:
https://github.com/matrix-org/matrix.org/issues
Let's see if they got really rid of the attacker 🤞
Too early to be happy, seems like the attacker found their way in and is still around on Matrix's infrastructure.
The attacker has proven themselves to have shell access on their synapse instance, which is definitely bad. It means that all user accounts are compromised and have to be reset.
https://twitter.com/matrixdotorg/status/1116593380102852608
A lot of effort will go into figuring out the details and fixing the vulnerability.
Meanwhile, send some love to the people behind matrix!
The homeservers are back up 🎉
It seems like they are missing some pictures right now, I guess those will come back later.
Make sure you change your password (and NickServ passwords) and happy chatting!
See you around 👋
Matrix is coming back up! One of the first things happening was writing a new blog post about the incident which you can find here:
https://matrix.org/blog/2019/04/11/security-incident/
TL;DR: Some outdated software was discovered and cracked by an attacker who then had access to various data points.
Important: Change your password ASAP (including NickServ when you used the IRC bridges)
Hint: The homeserver is not back up yet.
Seems like Matrix.org is getting ready to come back!
If you wonder where the CodiMD community channel went, here is a short text explaining it:
https://community.codimd.org/t/community-chat-down/26
TL;DR: Matrix.org is rebuilding their infrastructure from scratch after a security incident.
social.giorgiocomai.eu is a social network, courtesy of Giorgio Comai. It runs on GNU social, version 1.2.0-beta4, available under the GNU Affero General Public License.
All social.giorgiocomai.eu content and data are available under the Creative Commons Attribution 3.0 license.