Merge branch 'matrix-org:main' into main

.github/_typos.toml

@@ -8,3 +8,4 @@ OTKs = "OTKs"
 [default.extend-words]
 OTK = "OTK"
 OTKs = "OTKs"
+Iy = "Iy"

.github/workflows/spell-check.yaml

@@ -14,6 +14,6 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Check spelling of proposals
-      uses: crate-ci/typos@9be36f97fdbe645ee9a12449fb13aca856c2516a
+      uses: crate-ci/typos@f2c1f08a7b3c1b96050cb786baaa2a94797bdb7d # v1.20.10
       with:
         config: ${{github.workspace}}/.github/_typos.toml

CONTRIBUTING.md

@@ -69,19 +69,8 @@ include the line in your commit or pull request comment:
 
     Signed-off-by: Your Name <your@email.example.org>
 
-...using your real name; unfortunately pseudonyms and anonymous contributions
-can't be accepted. Git makes this trivial - just use the -s flag when you do
-``git commit``, having first set ``user.name`` and ``user.email`` git configs
-(which you should have done anyway :)
-
-### Private sign off
-
-If you would like to provide your legal name privately to the Matrix.org
-Foundation (instead of in a public commit or comment), you can do so by emailing
-your legal name and a link to the pull request to dco@matrix.org. It helps to
-include "sign off" or similar in the subject line. You will then be instructed
-further.
-
-Once private sign off is complete, doing so for future contributions will not be required.
+Git allows you to add this signoff automatically when using the `-s`
+flag to `git commit`, which uses the name and email set in your
+`user.name` and `user.email` git configs.
 
 [1]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request

MSC_CHECKLIST.md

@@ -11,40 +11,42 @@ MSC authors, feel free to ask in a thread on your PR or in the
 [#matrix-spec:matrix.org](https://matrix.to/#/#matrix-spec:matrix.org) room for
 clarification of any of these points.
 
-- [ ] Are [appropriate
-      implementation(s)](https://spec.matrix.org/proposals/#implementing-a-proposal)
-      specified in the MSC’s PR description?
+- [ ] Are [appropriate implementation(s)](https://spec.matrix.org/proposals/#implementing-a-proposal)
+  specified in the MSC’s PR description?
 - [ ] Are all MSCs that this MSC depends on already accepted?
 - [ ] For each new endpoint that is introduced:
-    - [ ] Have authentication requirements been specified?
-    - [ ] Have rate-limiting requirements been specified?
-    - [ ] Have guest access requirements been specified?
-    - [ ] Are error responses specified?
-        - [ ] Does each error case have a specified `errcode` (e.g. `M_FORBIDDEN`) and HTTP status code?
-            - [ ] If a new `errcode` is introduced, is it clear that it is new?
+  - [ ] Have authentication requirements been specified?
+  - [ ] Have rate-limiting requirements been specified?
+  - [ ] Have guest access requirements been specified?
+  - [ ] Are error responses specified?
+    - [ ] Does each error case have a specified `errcode` (e.g. `M_FORBIDDEN`) and HTTP status code?
+      - [ ] If a new `errcode` is introduced, is it clear that it is new?
 - [ ] Will the MSC require a new room version, and if so, has that been made clear?
-    - [ ] Is the reason for a new room version clearly stated? For example,
+  - [ ] Is the reason for a new room version clearly stated? For example,
           modifying the set of redacted fields changes how event IDs are calculated,
           thus requiring a new room version.
 - [ ] Are backwards-compatibility concerns appropriately addressed?
 - [ ] Are the [endpoint conventions](https://spec.matrix.org/latest/appendices/#conventions-for-matrix-apis) honoured?
-    - [ ] Do HTTP endpoints `use_underscores_like_this`?
-    - [ ] Will the endpoint return unbounded data? If so, has pagination been considered?
-    - [ ] If the endpoint utilises pagination, is it consistent with [the
-          appendices](https://spec.matrix.org/v1.8/appendices/#pagination)?
+  - [ ] Do HTTP endpoints `use_underscores_like_this`?
+  - [ ] Will the endpoint return unbounded data? If so, has pagination been considered?
+  - [ ] If the endpoint utilises pagination, is it consistent with
+    [the appendices](https://spec.matrix.org/v1.8/appendices/#pagination)?
 - [ ] An introduction exists and clearly outlines the problem being solved.
-      Ideally, the first paragraph should be understandable by a non-technical
-      audience
+      Ideally, the first paragraph should be understandable by a non-technical audience.
 - [ ] All outstanding threads are resolved
-    - [ ] All feedback is incorporated into the proposal text itself, either as a fix or noted as an alternative
-- [ ] While the exact sections do not need to be present, the details implied by the proposal template are covered. Namely:
-    - [ ] Introduction
-    - [ ] Proposal text
-    - [ ] Potential issues
-    - [ ] Alternatives
-    - [ ] Security considerations
-    - [ ] Dependencies
+  - [ ] All feedback is incorporated into the proposal text itself, either as a fix or noted as an alternative
+- [ ] While the exact sections do not need to be present,
+  the details implied by the proposal template are covered. Namely:
+  - [ ] Introduction
+  - [ ] Proposal text
+  - [ ] Potential issues
+  - [ ] Alternatives
+  - [ ] Dependencies
 - [ ] Stable identifiers are used throughout the proposal, except for the unstable prefix section
-    - [ ] Unstable prefixes [consider](README.md#unstable-prefixes) the awkward accepted-but-not-merged state
-    - [ ] Chosen unstable prefixes do not pollute any global namespace (use “org.matrix.mscXXXX”, not “org.matrix”).
+  - [ ] Unstable prefixes [consider](README.md#unstable-prefixes) the awkward accepted-but-not-merged state
+  - [ ] Chosen unstable prefixes do not pollute any global namespace (use “org.matrix.mscXXXX”, not “org.matrix”).
 - [ ] Changes have applicable [Sign Off](CONTRIBUTING.md#sign-off) from all authors/editors/contributors
+- [ ] There is a dedicated "Security Considerations" section which detail
+  any possible attacks/vulnerabilities this proposal may introduce, even if this is "None.".
+  See [RFC3552](https://datatracker.ietf.org/doc/html/rfc3552) for things to think about,
+  but in particular pay attention to the [OWASP Top Ten](https://owasp.org/www-project-top-ten/).

proposals/0000-proposal-template.md

@@ -85,14 +85,21 @@ idea.
 
 ## Security considerations
 
+**All proposals must now have this section, even if it is to say there are no security issues.**
+
+*Think about how to attack your proposal, using lists from sources like
+[OWASP Top Ten](https://owasp.org/www-project-top-ten/) for inspiration.*
+
 *Some proposals may have some security aspect to them that was addressed in the proposed solution. This
 section is a great place to outline some of the security-sensitive components of your proposal, such as
 why a particular approach was (or wasn't) taken. The example here is a bit of a stretch and unlikely to
 actually be worthwhile of including in a proposal, but it is generally a good idea to list these kinds
 of concerns where possible.*
 
-By having a template available, people would know what the desired detail for a proposal is. This is not
-considered a risk because it is important that people understand the proposal process from start to end.
+MSCs can drastically affect the protocol. The authors of MSCs may not have a security background. If they
+do not consider vulnerabilities with their design, we rely on reviewers to consider vulnerabilities. This
+is easy to forget, so having a mandatory 'Security Considerations' section serves to nudge reviewers
+into thinking like an attacker.
 
 ## Unstable prefix
 

proposals/1711-x509-for-federation.md

@@ -174,7 +174,7 @@ certificates comes with a number of downsides.
 
 Configuring a working, federating homeserver is a process fraught with
 pitfalls. This proposal adds the requirement to obtain a signed certificate to
-that process. Even with modern intiatives such as Let's Encrypt, this is
+that process. Even with modern initiatives such as Let's Encrypt, this is
 another procedure requiring manual intervention across several moving parts.
 
 On the other hand: obtaining an SSL certificate should be a familiar process to

proposals/1884-replace-slashes-in-event_ids.md

@@ -88,7 +88,7 @@ right encoding.
    A potential extension would be to change *all* Base64 encodings to be
    URL-safe. This would address the inconsistency. However, it feels like a
    large job which would span the entire matrix ecosystem (far larger than
-   updating clients to URL-encode their URL prarameters), and again the
+   updating clients to URL-encode their URL parameters), and again the
    situation would be confusing while the transition was in progress.
 
 2. Incompleteness. Event IDs are certainly not the only identifier which can

proposals/2140-terms-of-service-2.md

@@ -34,7 +34,7 @@ way that Homeservers do.
 
 ## Proposal
 
-Throuhgout this proposal, $prefix will be used to refer to the prefix of the
+Throughout this proposal, $prefix will be used to refer to the prefix of the
 API in question, ie. `/_matrix/identity/v2` for the IS API and
 `/_matrix/integrations/v1` for the IM API.
 

proposals/2409-appservice-edus.md

@@ -0,0 +1,158 @@
+# MSC2409: Proposal to send typing, presence and receipts to appservices
+
+*Note: This proposal is a continuation of [MSC1888](https://github.com/matrix-org/matrix-doc/pull/1888)
+and deprecates that one.*
+
+The [appservice /transactions API](https://spec.matrix.org/v1.11/application-service-api/#put_matrixappv1transactionstxnid)
+currently supports pushing PDU events (regular message and state events)
+however it doesn't provision for EDU events (typing, presence and receipts). This means that bridges cannot
+react to Matrix users who send any typing or presence information in a room the service is part of.
+
+There is an interest amongst the community to have equal bridging on both sides of a bridge, so that
+read receipts and typing notifications can be seen on the remote side. To that end, this proposal
+specifies how these can be pushed to an appservice.
+
+## Proposal
+
+### Changes to the registration file
+
+In order that appservices don't get flooded with EDUs, appservices have to opt-in to receive them by
+setting `receive_ephemeral` to true. A registration file could look like following:
+
+```yaml
+id: "IRC Bridge"
+url: "http://127.0.0.1:1234"
+as_token: "30c05ae90a248a4188e620216fa72e349803310ec83e2a77b34fe90be6081f46"
+hs_token: "312df522183efd404ec1cd22d2ffa4bbc76a8c1ccf541dd692eef281356bb74e"
+sender_localpart: "_irc_bot"
+# We want to receive EDUs
+receive_ephemeral: true
+namespaces:
+  users:
+    - exclusive: true
+      regex: "@_irc_bridge_.*"
+  aliases:
+    - exclusive: false
+      regex: "#_irc_bridge_.*"
+  rooms: []
+```
+
+For now, receiving EDUs is all-or-nothing. A future MSC may add more granular
+filtering capabilities for appservices.
+
+### Changes to the /transactions/ API
+
+The `PUT /_matrix/app/v1/transactions/{txnId}` API currently supports sending PDUs
+via the `events` array.
+
+```json
+{
+  "events": [
+    {
+      "content": {
+        "membership": "join",
+        "avatar_url": "mxc://domain.com/SEsfnsuifSDFSSEF#auto",
+        "displayname": "Alice Margatroid"
+      },
+      "type": "m.room.member",
+      "event_id": "$143273582443PhrSn:domain.com",
+      "room_id": "!jEsUZKDJdhlrceRyVU:domain.com",
+      "sender": "@example:domain.com",
+      "origin_server_ts": 1432735824653,
+      "unsigned": {
+        "age": 1234
+      },
+      "state_key": "@alice:domain.com"
+    }
+  ]
+}
+```
+
+This proposal would extend the `PUT /_matrix/app/v1/transactions/` endpoint to include a new key
+`ephemeral` to behave similar to the various sections of the CS API `/sync` endpoint. The `ephemeral` key
+MAY be omitted entirely if there are no ephemeral events to send.
+
+```json
+{
+  "ephemeral": [
+    {
+      "type": "m.typing",
+      "room_id": "!jEsUZKDJdhlrceRyVU:domain.com",
+      "content": {
+        "user_ids": [
+          "@alice:example.com"
+        ]
+      }
+    },
+    {
+      "type": "m.receipt",
+      "room_id": "!jEsUZKDJdhlrceRyVU:domain.com",
+      "content": {
+        "$1435641916114394fHBLK:matrix.org": {
+          "m.read": {
+            "@rikj:jki.re": {
+              "ts": 1436451550453
+            }
+          }
+        }
+      }
+    }
+  ],
+  "events": [
+    // ...
+  ]
+}
+```
+
+The reason for a new key rather than bundling the events into `events` is that
+existing appservices may mistake them for PDUs and might behave erratically.
+While `events` may now be a somewhat misleading name, this is an acceptable tradeoff.
+
+The array is effectively a combination of the `presence` and `ephemeral` sections of the
+client-server `/sync` API. User-defined ephemeral events don't exist yet, which means there are
+only three event types that can currently occur:
+[`m.presence`](https://spec.matrix.org/v1.11/client-server-api/#mpresence),
+[`m.typing`](https://spec.matrix.org/v1.11/client-server-api/#mtyping),
+and [`m.receipt`](https://spec.matrix.org/v1.11/client-server-api/#mreceipt).
+
+This proposal does not cover any other types of events which are sent as EDUs in the federation API,
+such as to-device events or other e2ee features. Those are left to a separate MSC.
+
+EDUs are formatted the same way as they are in C-S sync, with the addition of the `room_id` field
+for room-scoped EDUs (`m.typing` and `m.receipt`). `room_id` is not present in the C-S API because
+sync nests EDUs inside a room object, but appservices get a flat list of events in all rooms.
+
+### Expectations of when an EDU should be pushed to an appservice
+
+It is not clear at face value what should be pushed to an appservice. Appservices claim
+namespaces of users which registers "interest" in the rooms where those users reside, as
+well as claiming namespaces of rooms for explicit interest. However, not all EDUs are
+associated with a single room (presence, etc).
+
+If the EDU is capable of being associated to a particular room (i.e. `m.typing` and `m.receipt`),
+it should be sent to the appservice under the same rules as regular events (interest in the room
+means sending it). For EDUs which are not associated with a particular room, the appservice
+receives the EDU if it contextually *would* apply. For example, a presence update for a user an
+appservice shares a room with (or is under the appservice's namespace) would be sent to the
+appservice.
+
+For `m.receipt`, private read receipts (`m.read.private`) should only be sent for users within the
+appservice's namespaces. Normal read receipts and threaded read receipts are always sent.
+
+## Potential issues
+
+Determining which EDUs to transmit to the appservice could lead to quite some overhead on the
+homeserver side. Additionally, more network traffic is produced, potentially straining the local
+network and the appservice more. As such, appservices have to opt-in to receive EDUs.
+
+## Security considerations
+
+The homeserver needs to accurately determine which EDUs to send to the appservice, as to not leak
+any unnecessary metadata about users. Particularly `m.presence` could be tricky, as no `room_id` is present in
+that EDU.
+
+## Unstable prefix
+
+In the transaction body, instead of `ephemeral`, `de.sorunome.msc2409.ephemeral` is used.
+
+In the registration file, instead of `receive_ephemeral`, `de.sorunome.msc2409.push_ephemeral` is used.

proposals/2677-reactions.md

@@ -51,7 +51,7 @@ property should contains a `key` that indicates the annotation being
 applied. For example, when reacting with emojis, the `key` contains the emoji
 being used.
 
-An event annotating another with the thumbs-up emoji would therefore have the following `m.relates_to` propperty:
+An event annotating another with the thumbs-up emoji would therefore have the following `m.relates_to` property:
 
 ```json
 "m.relates_to": {