Heads up to all #Riot users: with the recent attack on @matrix' infrastructure, it's possible that Riot's Google Play version got compromised. This doesn't affect Riot's F-Droid version. Just as Riot started to do now, F-Droid has always signed all its apps on an inaccessible, offline machine. For more information, see https://riot.im/reinstall
To avoid maintenance overhead, however, it's likely to happen that F-Droid users must also change the app in near future. Still, there's no need to act now.
To make "change the app" more clear: Riot had to change its package name in order to be able to sign the app with a new certificate. This results in a new app entry in Google Play.
@fdroidorg could theoretically keep the original package name with upcoming versions, but this would introduce a maintenance overhead on the already overloaded F-Droid maintainers. Therefore, F-Droid aims to be as close to upstream as possible which means in this case switching to the new package name, too.
@pj @fdroidorg @matrix Behind matrix: a company called New Vector Ltd, now also selling enterprise services. Compared to mastodon: Synapse is quite resource-intensive when you join large rooms, but it works. Client-side there is a lot of choice, but the only "good" choice is the Riot.im electron client. Safe: E2E is not the default, but it can be enabled; though if I'm up to date, no client besides Riot can do it. Still, I'm a fan.
Matrix is more real-time / group chat oriented where Mastodon is more for micro-blogging. For now the two don’t federate between them.
It has a robust spec, featuring optional end-to-end encryption which (IMHO) is very secure, despite the recent attacks that only impacted the "official" implementation but not the core itself (and they showed good response).
Behind Matrix is Matrix.org, which is a non-profit organization that runs the spec, and there are some for-profit organizations too that make the implementations, and other collaborators since it's Free Software (disclaimer: I'm not very sure of that last bit).
It's secure enough from the client to server standpoint, but there are lots of trivial and obvious, unfixed exploits that just about anyone should pick up on in short order, so "robust spec" is something of an overstatement. The encryption is good enough, except that one has to verify all devices in e2ee rooms, or blindly trust everyone there (and no encryption of attachments).
@matrix @fdroidorg @pj
As far as the last part, the community actually fractured a while back over (apparently) fundamental disagreement about how development priorities should be set, and potential mismanagement of funds by NV (or some such thing). The fork (The Grid) still aims to retain some compatibility afaik, but who's a "collaborator" and who's a "competitor" got a lot more muddied.
@matrix @fdroidorg @pj
Is it safe? You probably mean secure. Apart from the recent problems with the dev setup, as always, it depends on your threat model.
Nothing is 100% secure. It has its pros and its cons, and if you wanna know if it is better for you personally than other solutions, you will have to compare them in detail.
Matrix' biggest feature is its bridging to Telegram, Discord, several IRC networks, Slack, and possibly others (nice for using Freenode over Tor, in particular). It's sort of analogous to irccloud-like bouncing services, except more generalized. It's essentially just http and json, so it's useful for blogging, image and file galleries, pastebins, and a lot of other things just waiting to be thought of.
As far as being "safe", then yes, if you avoid the electron app (or at least firejail it; electron has a horrible security record). Most of the difficulty happens at the homeservers, and seems to be mostly the result of naive and insecure federation code. One gotcha to note is that while messages can be encrypted, attachments NEVER are, and worse, they're world-accessible (a "feature" for some uses though).
@robin that's one of the core features! We only allow apps that are fully open source (i.e. no proprietary components), so we can build them from the source and you (the users) know "what's inside". This also means everyone can review the code and deduce from that what is in the APK. And a potential security audit would also tell how secure the app you install is. No trackers in the code = no trackers in the app, etc.