I'm reposting the article with the developing discussions around it as it probably deserves more reach. Devs are 50% "it's impossible to do anyways, sensationalism it's FUD", the other 50% is in disarray and being wtf. I'm not a cryptographer though

More discussion here, where Nheko devs refuse to update to Vodozemac: https://github.com/Nheko-Reborn/nheko/issues/1786

Others discussions: https://github.com/quotient-im/libQuotient/issues/780

https://github.com/mautrix/go/issues/262

https://github.com/NixOS/nixpkgs/pull/334638

https://github.com/krille-chan/fluffychat/issues/1258

https://github.com/NixOS/nixpkgs/pull/334638/commits/e4767b4727589567da29a90a71947c2bdbe43988

OP's old gist about Matrix: https://web.archive.org/web/20240606031827/https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b

Matrix developer reply: https://news.ycombinator.com/item?id=41249371

From what I understand, for now, Vodozemac, the new Rust implementation, is unusable in other languages than Rust because its bindings are broken. FluffyChat developers seem to be working on fixing them, though.

I think what's more worrying than the exploits is the attitude of the client developers, and the Matrix developer that replied.

  • farting_weedman [none/use name]
    ·
    3 months ago

    Many years ago, security meant association with groups powerful enough to ensure it.

    As the simple field sabotage methods applied to open source projects reach their culmination, consider ensuring that any security you rely on is backed up by that old concept.