
Heads up to all users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see riot.im/reinstall

To avoid maintenance overhead, however, it's likely that F-Droid users will also have to change the app in the near future. Still, there's no need to act now.

@fdroidorg @matrix Who's behind Matrix? How does it compare to Mastodon? Is it safe?

@pj @fdroidorg @matrix Behind Matrix: a company called New Vector Ltd, now also selling enterprise services. Compared to Mastodon: Synapse is quite resource-intensive when you join large rooms, but it works. Client-side there is a lot of choice, but the only "good" choice is the Riot.im Electron client. Safe: E2E is not the default, but it can be enabled; if I'm up to date, though, no client besides Riot can do it. Still, I'm a fan.

@pj @matrix @fdroidorg

Matrix is more real-time / group chat oriented, whereas Mastodon is more for micro-blogging. For now the two don't federate with each other.

It has a robust spec, featuring optional end-to-end encryption which, IMHO, is very secure, despite the recent attacks, which only impacted the "official" implementation and not the core itself (and they showed good response).

Behind Matrix is Matrix.org, a non-profit organization that runs the spec; there are also some for-profit organizations that make the implementations, and other collaborators, since it's Free Software (disclaimer: I'm not very sure of that last bit).

@GeoffreyFrogeye
It's secure enough from the client to server standpoint, but there are lots of trivial and obvious, unfixed exploits that just about anyone should pick up on in short order, so "robust spec" is something of an overstatement. The encryption is good enough, except that one has to verify all devices in e2ee rooms, or blindly trust everyone there (and no encryption of attachments)
@matrix @fdroidorg @pj

@GeoffreyFrogeye
As far as the last part, the community actually fractured a while back over (apparently) fundamental disagreement about how development priorities should be set, and potential mismanagement of funds by NV (or some such thing). The fork (The Grid) still aims to retain some compatibility afaik, but who's a "collaborator" and who's a "competitor" got a lot more muddied.
@matrix @fdroidorg @pj

@pj @matrix @fdroidorg They can't really be compared since Mastodon focuses on micro-blogging while Matrix is for secure chatting, but as of right now, the protocol is fine enough but quite inefficient, and there's a severe lack of clients for it that aren't feature complete or just dropped development altogether. As for safety, that depends on your host as always, matrix.org was hacked but all other instances were unaffected.

@pj @fdroidorg @matrix
Matrix serves another purpose compared to Mastodon. While Mastodon is a sort of Twitter replacement, but cool, Matrix is a sort of WhatsApp and Slack, but federated and decentralized (except for the identity servers). Also, there are bridges to a lot of other walled gardens.

@pj @fdroidorg @matrix
Who is behind it? Well, there are a lot of companies using it and investing in it, and also the French government. Then there is a foundation, and there are the developers, who had problems administrating their dev setup.

@pj @fdroidorg @matrix

Is it safe? You probably mean secure. Apart from the recent problems with the dev setup, as always, it depends on your threat model.
Nothing is 100% secure. It has its pros and its cons, and if you want to know whether it is better for you personally than other solutions, you will have to compare them in detail.

@pj
Matrix' biggest feature is its bridging to Telegram, Discord, several IRC networks, Slack, and possibly others (nice for using Freenode over Tor, in particular). It's sort of analogous to irccloud-like bouncing services, except more generalized. It's essentially just http and json, so it's useful for blogging, image and file galleries, pastebins, and a lot of other things just waiting to be thought of.
@fdroidorg @matrix

@pj
As far as being "safe", then yes, if you avoid the Electron app (or at least firejail it; Electron has a horrible security record). Most of the difficulty happens at the homeservers, and seems to be mostly the result of naive and insecure federation code. One gotcha to note is that while messages can be encrypted, attachments NEVER are, and worse, they're world-accessible (a "feature" for some uses, though).
@fdroidorg @matrix

@fdroidorg @matrix
Small update: according to the Matrix folks, attachments ARE encrypted these days, and cues in Riot's interface would appear to support that statement, but I haven't had a chance to look under the hood and verify personally (so ymmv)

@fdroidorg How do you decide what to sign? Do you manually vet all APKs you sign? If not, wouldn't your offline signature just act as transport security for your store - but be rather useless in preventing a malicious APK being supplied with correct credentials?

@robin @fdroidorg only signs what it has built itself from the source code. And yes, signing is a manual step here. But that doesn't prevent you from going to fishysite.com and loading some malicious APK of some (other) app, no 😉

@IzzyOnDroid @fdroidorg ah, i didn't know fdroid builds the packages themself - that's good to know

@robin that's one of the core features! We only allow apps that are fully open source (i.e. no proprietary components), so we can build them from the source and you (the users) know "what's inside". This also means everyone can review the code and deduce from it what is in the APK. And a potential security audit would also tell how secure the app you install is. No trackers in the code = no trackers in the app, and so on.

@fdroidorg
I'm confused. If it didn't affect the F-Droid version, then why did the signing key change?
@matrix

Mastodon for Tech Folks
