• v0.4.5 c29197b3f4

    v0.4.5 Stable

    girlbossceo released this 2024-07-16 04:44:47 +00:00 | 1798 commits to main since this release

    Release 0.4.5

    Hi everyone! conduwuit 0.4.5 has been released. This is primarily a bug fix release with some misc improvements.

    • Some edge-case federation issues were found only with servers that use SRV records for delegation; this regression has been fixed and it's recommended to update to 0.4.5.
    • A potential race condition on membership updates (e.g. joins, leaves, invites, etc) was fixed
    • Potential unclean shutdown issues that took the form of panics during high-load activity were fixed
    • When using outgoing presence, empty presence EDUs were found to be erroneously sent to other servers. This release fixes this, and has been found to improve the performance of outgoing presence overall.
    • For the console feature, a command tab completion feature was implemented
    • If conduwuit encounters a runtime panic, it can now fully catch and recover the panic, improving the reliability of conduwuit
    • Access control checks were added for room directory publishing
    • Static binaries and OCI images are now built with --all-features, which notably includes the console feature for everyone to use without building conduwuit
    • Static binaries and OCI images are also now built with CPU optimisations, which will help improve performance overall. aarch64 binaries are optimised for ARM cortex-a55 (minimum requires ARMv8.2-a). x86_64 binaries are built for x86-64-v2 (minimum requires SSE 4.2).
    • RocksDB was updated to v9.4.0
    • For NixOS users, the empty version string regressed in v0.4.4 and was fixed
    • Misc logging improvements
    • Various code cleanup, refactors, improvements, etc which may result in improved performance
    • A force join room admin command was added
    • A make server admin command was added to make the specified local user an admin of your server

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.4.4...v0.4.5

    GitHub Releases | Docker Hub | NixOS

    Liberapay | GitHub Sponsors | Ko-fi

    Chat with us in #conduwuit:puppygock.gay

  • v0.4.4 17a3ed4c56

    v0.4.4 Stable

    girlbossceo released this 2024-07-04 22:15:54 +00:00 | 1941 commits to main since this release

    Release 0.4.4

    Hi everyone! conduwuit 0.4.4 has been released. This release introduces significant code cleanups, misc bug fixes, major performance optimisations tailored to database functions, the deletion of the SQLite backend, Room Summary API support (MSC3266), OpenID routes to make the Element Integration Manager work, and the SHA256 media feature integrated in a forwards-compatible way.


    A breaking change that shouldn't affect anyone is that SQLite support was fully removed from conduwuit. This was done because SQLite was being used incorrectly as an extremely inefficient and slow key-value store with no proper schema, SQLite in general is not very suitable for a Matrix homeserver, the rusqlite library was holding back some necessary future database refactoring and improvements, and it was a burden to maintain for something that almost no one uses. Because SQLite usage was little to none, no automatic migration path was provided, but conduit_toolbox provides a SQLite -> RocksDB migration tool if you are impacted. RocksDB is the only supported database backend for conduwuit, and as always we intend on closing, as much as possible, any feature gap that SQLite may have provided over RocksDB.

    Removal of SQLite along with some feature refactoring now makes the --all-features Rust build flag work for conduwuit.

    A long-standing edge-case database bug was fixed that had the small possibility of causing mild jank upon room joins for the specific room being joined. The chances of this happening were low, but it was more likely on high-load servers and/or very fast servers. It's recommended to update to v0.4.4 to prevent the possibility of this issue happening.

    More significant code cleanups, simplifications/minifications, refactoring, etc were done that also significantly improved database performance and performance on some hot code paths. Ping times have been found to be even better than before. Memory usage may also be improved from this.

    MSC3266 support, aka the "Room Summary API", was added; it lacks the federation bits at the moment but is functional for most uses. The OpenID routes were also added, which are primarily used to make Element's "Integration Manager" functional.

    The long-time optional sha256_media conduwuit feature has been fully integrated into conduwuit in a Conduit database forwards-compatible way, through filesystem symlinks and startup media scans/checks. This prevents the upstream media bug on filesystems that don't allow long file names ("File name too long (os error)"), caused by upstream using base64 for file names, while still retaining upstream database compatibility. Users who used this optional feature are transparently migrated to the same database version as everyone else.

    If you do not ever intend on moving back to Conduit, you can disable the two config options that retain database compatibility to speed up startup times and reduce media directory clutter: media_compat_file_link and media_startup_check in the example config.

    Miscellaneous bugs were fixed related to spaces/hierarchy, redactions, restricted room joins, preventing infinite well-known caching, etc. And the usual dependencies were updated, including RocksDB to v9.3.1 from v9.2.1.

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.4.3...v0.4.4

  • v0.4.3 d875e0c1c0

    v0.4.3 Stable

    girlbossceo released this 2024-06-23 13:52:16 +00:00 | 2066 commits to main since this release

    Release 0.4.3

    Hi everyone! conduwuit 0.4.3 has been released. This release features admin room infrastructure improvements, some new admin commands, general maintenance, small logging cleanup, a brand new console interface, and the ability to run admin commands in any room.

    This server-side CLI console feature can be activated by building conduwuit with the console feature and sending CTRL+C. This is subject to change and may be included as a default feature soon, or console builds may be offered. In this console interface (prefixed with uwu> ), you can run standard admin commands and receive coloured output. To exit, send CTRL+D. To shut down your server after exiting the console, send CTRL+\ (SIGQUIT). The server will continue functioning as normal with the console open.

    Screenshot of a coloured terminal interface where I ran the echo and ping admin debug commands from the console feature. (Yes, this is the Minecraft monospace font called Monocraft, and yes, I use it.)

    To run admin commands and receive their outputs in the same room and as yourself ("public admin escaped commands"), you must be an admin on your server, and enter any admin command as you usually would with the backslash prefix. Either \!admin or \\!admin followed by your command. This feature can be disabled if desired in your config via admin_escape_commands = false.

    This feature also does not work in encrypted rooms. In theory though, you might be able to send an unencrypted message in an encrypted room to run these commands.

    Screenshot of SchildiChat (Element) where I run the echo command with the input 'hiiiiii' and I ping the server puppygock.gay

    Admin commands to check your uptime, shutdown your server, restart your server (works with systemd!), echo a message/input, and send a message to the admin room were added in !admin server and !admin debug.

    Screenshot of SchildiChat (Element) where I get my server uptime of 30 seconds, run the server restart command, and check my uptime again which reads 11 seconds

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.4.2...v0.4.3

  • v0.4.2 d0069cc100

    v0.4.2 Stable

    girlbossceo released this 2024-06-12 18:04:47 +00:00 | 2144 commits to main since this release

    Release 0.4.2

    Hi everyone! conduwuit 0.4.2 has been released. This is a relatively huge update, including a fix for an upstream security vulnerability that may allow local privilege escalation and primarily impacts public homeservers, along with various new features, performance optimisations, and bug fixes. It is very important to update to the latest version as soon as possible if you are hosting a public homeserver, or generally have untrusted users on your server. A few database bugs were also fixed that may clear up various jank.

    If you are unable to upgrade your server immediately, a mitigation for the vulnerability is provided below: register a fake/shim appservice (!admin appservices register) with the following contents:

    id: temp-mitigation
    as_token: <CHANGEME>
    hs_token: <CHANGEME>
    namespaces:
      users:
        - exclusive: true
          regex: "@.*"
      aliases:
        - exclusive: true
          regex: "#.*"
      rooms: []
    rate_limited: false
    sender_localpart: <CHANGEME>
    

    This fake appservice can be deleted after upgrading to 0.4.2. Change the values to something random.

    Notable changes include:

    • The "See history" button in Element on state events' "view source" to see their history now works
    • Fixed 3 long-standing database bugs that resulted in various jank, including room join issues, federated invites not working fully, member counts being out of sync, some push notification issues, and likely some client room name calculation not working
    • Admin commands for viewing some room info such as joined members in a room and seeing the room topic were added
    • An experimental implementation of Dendrite's AdminDownloadState (/admin/downloadState/{serverName}/{roomID}) admin API endpoint was added as a debug command to download and use a room's state from a remote server in the room
    • UNIX socket support has been fixed and is fully functional now
    • conduwuit now logs the client IP on some requests (will be extended more in the future)
    • Deactivations now leave all rooms by default (including admin room deactivation), along with removing your display name and profile picture like Synapse
    • Fix various federation endpoints not being allowed for world readable rooms
    • Add guest/unauthenticated user support for TURN (turn_allow_guests) like Synapse
    • Add a --force argument for deleting past remote media admin command to skip errors, and fixed a logic bug with it
    • Fix emergency password not working
    • Log out all sessions of the server service account when emergency password is unset
    • Add some additional room alias checks and allow creators to delete their own created room aliases like Synapse
    • Add Element spec-compliance client hack for password changes and deactivations not working on legacy Element iOS and Android
    • Use a stricter and more secure CSP as part of a recent Matrix spec proposal
    • conduwuit spec compliance with media on Content-Disposition and Content-Type handling is now corrected
    • Remove unnecessary PDU exists check on receiving read receipts, slightly speeding up transaction handling for read receipts
    • Fix some edge-case client search bugs
    • Disable URL previews by default in new admin room creations
    • Add support for listening on multiple addresses similar to listening on multiple ports
    • Default to listening on both IPv4 localhost (127.0.0.1) and IPv6 localhost (::1)
    • Allow "world readable" read receipt EDUs again
    • Fix some potential shutdown hanging issues
    • General dependency updates/bumps
    • Lots and lots of code cleanups, dedupes, optimisations, refactors, and such

    A conduwuit community code of conduct was also added that tailors to at least our Matrix community: https://conduwuit.puppyirl.gay/conduwuit_coc.html

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.4.1...v0.4.2

  • v0.4.1 b8b93a2e86

    v0.4.1 Stable

    girlbossceo released this 2024-05-27 22:16:23 +00:00 | 2320 commits to main since this release

    Release 0.4.1

    Hi everyone! conduwuit 0.4.1 (and 0.4.0) has been released. The most important changes were the various medium and high severity federation security fixes for inherited upstream code. It's strongly recommended that users update to 0.4.1 as soon as possible.

    These fixes affect the federation endpoints /send_join, /make_join, /send, /send_leave, /make_leave, and /invite; they fix an indirect bypass of room ACLs and the acceptance of impersonated inbound EDUs such as read receipts, typing indicators, device messages, etc (except the e2ee master key). Some Complement tests that were loosely security related were also fixed as part of this.

    Due to the volume of fixes, the details and specific changes can be found here: https://github.com/girlbossceo/conduwuit/pull/406

    Other changes in this release include improved CI/testing and Nix infrastructure, io_uring and jemalloc enabled by default and in static binaries, Complement in CI now being enforced, some misc logging improvements, and various code simplifications, improvements, removals, etc.

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.3.4...v0.4.1

  • v0.3.4 6ef4781050

    v0.3.4 Stable

    girlbossceo released this 2024-05-17 07:42:25 +00:00 | 2432 commits to main since this release

    Release 0.3.4

    Hi everyone! conduwuit 0.3.4 has been released. This is a small maintenance release in preparation for the upcoming v0.4.0 release later this week. No new features were added.

    conduwuit was officially added to Complement, and support for running the Content-Disposition safety tests was added there too. (https://github.com/matrix-org/complement/pull/723)

    Through those Complement tests, we found one more edge-case Content-Type being allowed as inline (image/svg+xml), and after fixing that we now pass all 3 Content-Disposition Complement tests.

    In addition, we now fully distrust the client or remote server's Content-Type for all media (uploads, thumbnails, and downloads) and return what we detected the file is (with a valid fallback to application/octet-stream).

    Both of these further improve client security by making sure we detect what the file truly is and tell web browsers the correct behaviour.

    The Debian packaging, which had been broken for a while (partially in upstream too), has been fixed; some CI improvements were made; and some documentation and example configs in our repo were cleaned up.

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.3.3...v0.3.4

  • v0.3.3 fe637f481d

    v0.3.3 Stable

    girlbossceo released this 2024-05-11 18:29:00 +00:00 | 2468 commits to main since this release

    Release 0.3.3

    Hi everyone! conduwuit 0.3.3 has been released. This is a security-enhancement focused release along with lots of bug fixes and a new moderation feature.

    Changes include:

    • Send a strong[1] Content-Security-Policy HTTP header on all conduwuit responses if one is not already present
    • Send various other security-related HTTP headers such as X-Content-Type-Options: nosniff, X-XSS-Protection: 0[2], X-Frame-Options: DENY, Origin-Agent-Cluster: ?1[3], and Permissions-Policy: interest-cohort=(),browsing-topics=()
    • Perform additional sanitisation on the filename for the Content-Disposition (this was already being URL-safe encoded, but we perform our own ad-hoc sanitisation for improved security)
    • Return an inline Content-Disposition based on our own detection of the file type: only return inline for user multi-media MIME types, and do not trust the Content-Type header. Always fall back to attachment
    • Fix user /report incorrectly saying you are not in the room
    • Fix non-functional unbans due to broken upstream code
    • Moderation feature to automatically deactivate the accounts of any users who attempt to join any malicious room based on your global ACLs, banned rooms, etc
    • Don't send the avatar_url or user display name on ban events as they may be potentially offensive
    • Forget all the rooms when leaving all rooms for a user upon account deactivation
    • Resolve various arithmetic and type casting correctness issues
    • Fix user presence statuses showing up as empty strings (noticeable in at least FluffyChat as empty white pills on users)
    • Fix incorrect appservice namespace alias check
    • Lots and lots of documentation revamps and improvements, also link to transfem.dev's rules document, and add a contributing guide
    • Fix using conduwuit on NixOS without flakes
    • Enable io_uring/liburing as a default feature for performance improvements
    • Bump all the dependencies, and bump the MSRV to 1.77.0

    [1]: sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; frame-ancestors 'none'; (Note this only affects the content being loaded, not what's loading the content. Images should not have permission to execute JavaScript or access same-origin content to attempt XSS)
    [2]: Vulnerabilities caused by XSS filtering
    [3]: This is a browser sandbox security feature that requests your browser render the content in its own dedicated isolated process, as part of improved origin isolation

    The addition of these security headers such as the CSP is not only recommended by the Matrix spec; as a general recommendation (e.g. XMPP's XEP-0363), untrusted user-uploaded content should be heavily isolated and sandboxed and not allowed any permissions. This follows up on the previous high severity security release: not only do we retain the filename as part of the Content-Disposition header for browsers, we can still provide the improved UX of an inline Content-Disposition for user multi-media (images, videos, audio, etc) while making sure the user is as secure as possible from any XSS concerns or exploits via the various HTTP security headers.
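As an added example (not conduwuit's own code), here is the media-response policy the 0.3.3 and 0.3.4 notes describe, written in Rust: the MIME type is sniffed from the bytes rather than taken from the client's or remote server's Content-Type, only user multi-media is served inline, the filename is sanitised, and the listed security headers are attached. The magic-byte table, the inline allow-list and the helper names are my assumptions.

```rust
// Added example, not conduwuit's own code: the media-response policy from the 0.3.3
// and 0.3.4 notes, with the signature table and helper names being my assumptions.

/// Sniff a MIME type from magic bytes; unknown content is application/octet-stream.
fn sniff_mime(bytes: &[u8]) -> &'static str {
    const MAGIC: &[(&[u8], &str)] = &[
        (b"\x89PNG\r\n\x1a\n", "image/png"),
        (b"\xFF\xD8\xFF", "image/jpeg"),
        (b"GIF8", "image/gif"),
        (b"OggS", "audio/ogg"),
        (b"%PDF", "application/pdf"),
    ];
    if let Some((_, mime)) = MAGIC.iter().find(|(sig, _)| bytes.starts_with(sig)) {
        return *mime;
    }
    // The image/svg+xml edge case from 0.3.4: detected so it is never served inline.
    if bytes.windows(4).take(256).any(|w| w == b"<svg") {
        return "image/svg+xml";
    }
    "application/octet-stream"
}

/// Only user multi-media types may render inline; everything else is an attachment.
fn allow_inline(mime: &str) -> bool {
    matches!(mime, "image/png" | "image/jpeg" | "image/gif" | "image/webp"
        | "video/mp4" | "video/webm" | "audio/ogg" | "audio/mpeg" | "audio/flac")
}

/// Ad-hoc filename sanitisation: conservative charset, bounded length, no edge dots, never empty.
fn sanitise_filename(name: &str) -> String {
    let kept: String = name.chars()
        .filter(|&c| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_' | ' '))
        .take(200).collect();
    let trimmed = kept.trim_matches(|c: char| c == '.' || c == ' ');
    if trimmed.is_empty() { "download".to_string() } else { trimmed.to_string() }
}

/// Response headers for a media download; `_claimed` (the uploader's Content-Type) is ignored.
fn media_headers(bytes: &[u8], _claimed: &str, filename: &str) -> Vec<(&'static str, String)> {
    let mime = sniff_mime(bytes);
    let disposition = if allow_inline(mime) { "inline" } else { "attachment" };
    vec![
        ("Content-Type", mime.to_string()),
        ("Content-Disposition", format!("{disposition}; filename=\"{}\"", sanitise_filename(filename))),
        ("Content-Security-Policy", "sandbox; default-src 'none'; font-src 'none'; script-src 'none'; \
            plugin-types application/pdf; style-src 'unsafe-inline'; object-src 'self'; \
            frame-ancestors 'none';".to_string()),
        ("X-Content-Type-Options", "nosniff".to_string()),
        ("X-XSS-Protection", "0".to_string()),
        ("X-Frame-Options", "DENY".to_string()),
        ("Origin-Agent-Cluster", "?1".to_string()),
        ("Permissions-Policy", "interest-cohort=(),browsing-topics=()".to_string()),
    ]
}

fn header<'a>(headers: &'a [(&'static str, String)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(n, _)| *n == name).map(|(_, v)| v.as_str())
}

fn main() {
    // Constructed sample: HTML uploaded with a misleading image Content-Type.
    let h = media_headers(b"<html><body>hi</body></html>", "image/png", "../cat.png");
    println!("{:?}", header(&h, "Content-Disposition"));
}
```

Even with an asserted image Content-Type, the HTML sample is served as application/octet-stream with an attachment disposition, so a browser never renders it.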

    Commit history: https://github.com/girlbossceo/conduwuit/compare/v0.3.2...v0.3.3

  • v0.3.2 cb70d51e2b

    v0.3.2 Stable

    girlbossceo released this 2024-05-05 20:52:51 +00:00 | 2527 commits to main since this release

    This is a security release.

    The Content-Disposition HTTP header has always been set to inline which causes untrusted content opened in browsers to be rendered, including HTML files, instead of downloading. This release forces them to all be attachment. This has no impact on Matrix clients.

    Users who use a restrictive Content-Security-Policy are not affected by any XSS concerns here.

  • v0.3.1 42e3567153

    v0.3.1 Stable

    girlbossceo released this 2024-05-03 06:18:24 +00:00 | 2531 commits to main since this release

    Release 0.3.1

    Hi everyone! conduwuit 0.3.1 has been released. This is a minor maintenance follow-up to last week's release which was very well received by many new users. This week was mostly cleanup, improvements, and some bug fixes. Some of the changes include:

    • Add Complement testing support to CI.
    • Optimize RocksDB compaction to further reduce database file count.
    • Improve concurrency on single-core systems.
    • Fix presence status results from /presence/{userId}/status. (/sync results unaffected).
    • Nix flake fixes and improvements; cache dependencies in binary cache and improve build performance.
    • Work around room creation requests with non-spec-compliant initial_state bodies (source was an appservice).
    • Start uploading container images to GitLab Container Registry.
    • Bump all the dependencies everywhere (maintenance).
    • General code cleanups, minor optimisations, and maintenance refactors before we transition out of feature-freeze and prepare for the next major release.

  • v0.3.0 341bafb91e

    v0.3.0 Stable

    girlbossceo released this 2024-04-26 06:03:40 +00:00 | 2624 commits to main since this release

    The "first" official stable tagged release of conduwuit!

    what is conduwuit?

    conduwuit is a well-maintained, featureful hard fork of Conduit with tons of new features, many bug fixes, huge performance improvements, quality of life enhancements, moderation tools, and much more. It's fully database compatible with upstream; no migration path is necessary, and you can switch between the two with no issues. Check out the full list of differences and features here! https://conduwuit.puppyirl.gay/differences.html

    First ever TWIM post: https://matrix.org/blog/2024/04/26/this-week-in-matrix-2024-04-26/#conduwuit-website
