From c4e81097e31a3426787296a93beddb1be2c9be50 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 26 Nov 2024 17:02:02 +0200
Subject: [PATCH] Upgrade Synapse (v1.119.0 -> v1.120.0) and enable authenticated media by default

---
 CHANGELOG.md | 19 +++++++++++++++++++
 roles/custom/matrix-synapse/defaults/main.yml | 8 ++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cb71f39de..eb1140930 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
+# 2024-11-26
+
+## (Backward Compatibility Break) Synapse now defaults to enabling authenticated media
+
+**TLDR**: with this update, your Synapse homeserver will start requiring authentication for newly-uploaded media files. While the majority of the ecosystem (clients, bots, etc.) should support this, certain software may lack support for it (and you may wish to turn it off, if it's causing issues).
+
+The default configuration for the Synapse homeserver now [enforces Authenticated media by default](https://element-hq.github.io/synapse/v1.120/upgrade.html#authenticated-media-is-now-enforced-by-default).
+
+Servers like `matrix.org` have already [sunset unauthenticated media](https://matrix.org/blog/2024/06/26/sunsetting-unauthenticated-media/) months ago.
+
+Now that **various clients, bots, bridges and extra services have caught up with authenticated media support**, Synapse developers seem confident that it's time to enable authenticated media by default.
+
+We're changing the playbook configuration for authenticated media to keep up with upstream defaults changing.
+
+Old and unmaintained bridges (like all mx-puppet bridges, etc.) do not support authenticated media. Other software may be similarly affected. If you experience issues with some Matrix-related software, you may wish to disable authenticated media and contact the software maintainers to let them know.
+
+You can disable authenticated media at any time by setting `matrix_synapse_enable_authenticated_media: false` in your `vars.yml` configuration file and re-running the playbook.
+
+
 # 2024-11-23
 
 ## (Backward Compatibility Break) The playbook now defaults to Valkey, instead of KeyDB
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index e8c0441e7..8435ff8c0 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.119.0
+matrix_synapse_version: v1.120.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1010,10 +1010,10 @@ matrix_synapse_workers_media_repository_workers_container_arguments: []
 # Adjusting this value manually is generally not necessary.
 matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}"
 
-# matrix_synapse_enable_authenticated_media controls if authenticated media is enabled. If enabled all "old" media remains accessible over the legacy endpoints but new media is blocked.
+# matrix_synapse_enable_authenticated_media controls if authenticated media is enabled.
+# If enabled all "old" media remains accessible over the legacy endpoints but new media is blocked.
 # while this option is enabled all media access and downloads have to be done via authenticated endpoints.
-# FIX_ME_WHEN_DEFAULT_TRUE: This option is going to become set to default true in Synapse at a later date.
-matrix_synapse_enable_authenticated_media: false
+matrix_synapse_enable_authenticated_media: true
 
 # matrix_synapse_media_instance_running_background_jobs populates the `media_instance_running_background_jobs` Synapse configuration used when Synapse workers are in use (`matrix_synapse_workers_enabled`).
 # `media_instance_running_background_jobs` is meant to point to a single media-repository worker, which is dedicated to running background tasks that maintain the media repository.
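Review bot: In the `@@ -1010,10 +1010,10 @@` hunk, the comment above `matrix_synapse_enable_authenticated_media` contradicts itself now that the default is `true`: its second line says "old" media stays accessible over the legacy endpoints, while the third line says all media access has to go through authenticated endpoints. Operators will read this block to judge whether existing uploads are protected, so the third line should be scoped to new media, for example `# While this option is enabled, newly uploaded media can only be accessed and downloaded via authenticated endpoints.` I would also add one line stating that media uploaded before the option was enabled stays retrievable without authentication, so the new default does not retroactively restrict it.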