| 9 Sep 2024 |
|  Crepe joined the room. | 19:52:18 |
| Crepe left the room. | 19:52:32 |
| 14 Sep 2024 |
|  bolnav joined the room. | 19:09:45 |
| bolnav | Matrix now requires authentication to view Matrix-sent images and media. Details on the changes at the blog for a summary + MSC3911 for the new upload API + MSC3916 for the new download API.
The IRC/XMPP bridges sections of MSC3911 and MSC3916 say that bridges will need to be updated, because today IRC / XMPP users cannot receive images (they receive the now-broken https download URL) and very long text messages (to workaround the IRC limit, which is server-dependent, but usually around 512 bytes, the server converts to image and sends the https URL).
All this applies to newly uploaded media. The old uploaded media is still available unauthenticated via the previous, deprecated API. | 19:13:11 |
| bolnav | * IRC / XMPP issues with viewing Matrix-sent images
Until now, Matrix's API endpoints for viewing images and media were unauthenticated and accessible via an HTTPS URL. Whoever had the URL could see the picture.
IRC / XMPP bridges, as I read in MSC3911 and MSC3916, relayed the image's URL which points to the Matrix HS. Users downloaded the image directly from the Matrix HS. The bridges also auto-generated images in place of long text messages, to workaround the IRC limit (which is server-dependent, but usually around 512 bytes).
Now, authentication is mandatory on all endpoints to view images and media. This breaks the above uses, as noted in the `IRC/XMPP bridges` sections of MSC3911 and MSC3916.
All this applies to newly uploaded media. The old uploaded media is still available via the previous, unauthenticated, deprecated API.
Details on the changes are at [the blog](https://matrix.org/docs/spec-guides/authed-media-servers/) for a summary + [MSC3911](https://github.com/matrix-org/matrix-spec-proposals/pull/3911) for the new upload API + [MSC3916](https://github.com/matrix-org/matrix-spec-proposals/pull/3916) for the new download API.
(edited for clarity) | 21:08:21 |
| 15 Sep 2024 |
 linsui | 🤦 | 05:04:46 |
| linsui | So this feature doesn't only break old client but also bridge? | 05:05:08 |
 Eatham | In reply to @rdfg77:kde.org
So this feature doesn't only break old client but also bridge? Unauthenticated media was being abused by pedos to use morg for storage, it needed to be fixed | 05:14:08 |
| Eatham | But yeah, they could have waited for not support before enforcing it | 05:14:41 |
| Eatham | * But yeah, they could have waited for bot support before enforcing it | 05:14:54 |
| 16 Sep 2024 |
 enigma9o7 | So now pedos have to create a matrix account to access that storage? Great plan. | 00:20:22 |
| linsui | 🤣 | 05:42:43 |
| bolnav | It's a long-awaited requirement for proper server-side purging of orphan media and for GDPR compliance of universities and national bodies who self-host or have a contract with EMS. Yes the timing is a bit tight, maybe something happened that needed a quick reaction. | 06:47:55 |
| bolnav | * A breaking change was expected sooner or later, it's a requirement for *proper* server-side purging of orphan media and for GDPR compliance of universities and national bodies [who](https://en.m.wikipedia.org/wiki/Matrix_(protocol)#Adoption) self-host or have a contract with EMS. Yes the timing is a bit tight, maybe something happened that needed a quick reaction. | 06:52:14 |
| Eatham | In reply to @enigma9o7:envs.net
So now pedos have to create a matrix account to access that storage? Great plan. They still needed an account before, they were posting to matrix and using the link to spam somewhere else. (I forgot what platform, maybe discord?) | 12:22:50 |
| Eatham | Discord also did a similar thing but in a uniquely scuffed way a while back | 12:24:07 |
| Eatham | No clue why discord and matrix allowed linking it in the first place | 12:24:49 |
| Eatham | * No clue why discord and matrix allowed linking it in the first place, and both messed by fixing it | 12:25:20 |
| Eatham | * No clue why discord and matrix allowed linking it in the first place, and both messed up while fixing it | 12:25:32 |
| enigma9o7 | Right, but now the discord people won't be able to see it, they'll have to register for Matrix. | 15:19:01 |
| enigma9o7 | So we should be expecting an influx of pedos I imagine. | 15:19:30 |
| enigma9o7 | * Right, but now the discord people won't be able to see the stuff posted on matrix anymore, they'll have to register for Matrix. | 15:19:58 |
| bolnav | In reply to @eatham:waffle.tech
No clue why discord and matrix allowed linking it in the first place, and both messed up while fixing it Matrix was smaller at the time and it was known that "the URL is the password" was not going to scale. It has taken years of discussion before this proposal (linking images to events). | 18:12:44 |
| bolnav | If anyone is interested in the past attempts, check here. | 18:32:01 |
| Eatham | In reply to @enigma9o7:envs.net
So we should be expecting an influx of pedos I imagine. They were spamming in random discord servers to annoy people iirc. Unlikely the people who got annoyed are gonna join matrix. | 20:45:11 |
| enigma9o7 | Ah, well that's different. I thought they were sharing images, and used matrix servers as a filehost. | 22:31:57 |
|  lucas! ∞ changed their display name from lucasmz ∞ to im bitter (you wonder why). | 22:46:28 |
| lucas! ∞ changed their profile picture. | 22:53:54 |
| 17 Sep 2024 |
| lucas! ∞ changed their display name from im bitter (you wonder why) to bitter (you wonder why). | 10:00:08 |
| 18 Sep 2024 |
| lucas! ∞ changed their display name from bitter (you wonder why) to lucasmz. | 03:33:28 |
