RE: https://furry.engineer/@soatok/116088639302283341
I’m not qualified to comment on the alleged security vulnerability in #Matrix, but 'the entire Matrix community sucks because one user once disagreed with me on the Internet' is such a wild take.
@daniel I haven’t seen any comments about the Matrix community, only about the project’s vulnerability response. Even if it’s one user, it’s the user handling security reports. If they reject legitimate vulnerabilities as “not relevant in practice” – that is very concerning. If Matrix is supposed to be considered secure, they need working processes for handling vulnerability reports. If on the other hand they have a hobbyist approach to security then their product cannot be considered secure.
Note: It may in fact be “not relevant in practice” yet. Still, an important building block of the protocol is compromised. It needs to be fixed, preferably before somebody figures out how to make this issue relevant in practice. Because somebody inevitably will.
@WPalant @daniel but they did not reject it, even if there's no vuln they accepted that it would be good in terms of defense in depth.
https://matrix.org/blog/2026/02/analysis-of-reported-issues-in-vodozemac/
@soatok @WPalant @daniel i don't see how your addendum adds anything, if a group participant is malicious, they already are getting the keys and can decrypt everything.
They said they'd add the check but clearly there's no pressure to do it in any kind of urgency as there's no vuln. There's no need to start an inflammatory post based on this either.
I mean even Signal added the check only last week (do you have something to do with it? 😝)
@daniel ...one? lol, lmao