by vertex-four 3469 days ago
A reasonable upgrade path is to do "room versioning". Each server would have a maximum supported room version, and publish it to each room they participate in, and every room has a version. When every server in the room agrees on a new version, they can publish a message to update the room version, and start talking over the new protocol. Older servers then can't join the room unless they agree to the room's new protocol.

Clients can then warn when they're in rooms with older versions than the latest supported, and since nobody wants the people they're talking to to receive scary warnings about insecurity, they'll upgrade.

And, of course, we can do similar with client versioning.


This is remarkably contrary to how people actually use software. What people see is "click this button to make annoying red flashing shit stop so I can do what I want to do".

ala http://i.imgur.com/H0uVqFe.jpg

There's a reason web browsers just don't allow users to easily get past the annoying pages when there is a chance they're being attacked. I see no reason that Matrix clients would be required to allow users to break security without having a persistent banner saying "this room is insecure".

Which they will ignore.

Cool. If they ignore the great big banner which says "do not enter any personal info, bank info, etc etc into this window" and they're attacked, obviously they didn't care much. In the meantime, people who actually understand security can make a reasonable decision.

Not cool.

First, that's why people like Signal: it just works (TM) encryption with no user gotchas.

Second, any communication is only as encrypted / safe as the minimum of the people with access to it. So if someone ignores warnings and enters that chatroom, he or she puts everyone at risk. Because sometimes she/he really is being MITM or surveilled by someone/oppressive government du jour.

The point is that you wouldn't be able to enter a chatroom at a higher version than your server+client supports - how would the old code be able to understand it, after all? You'd be in pre-upgrade chatrooms, which would display the banner for everyone until relevant people upgrade/get kicked, and you could possibly start new chats with people, which would display the banner for all participants, but if you were on version 5 and #megolm:matrix.org was on version 6, you just couldn't join it until you upgraded.
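
The room-versioning scheme from the top post, together with the version 5 versus version 6 join refusal from the last comment, as an added Python sketch that is not code from the thread or from Matrix. The `Room` class, the integer versions, the `.example` server names and the rule "upgrade to the highest version every server supports" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LATEST = 6  # constructed: newest room version an up-to-date client knows about


@dataclass
class Room:
    """Toy model of the thread's proposal, not Matrix's real room-version logic."""
    version: int
    servers: dict = field(default_factory=dict)  # server name -> max supported version

    def announce(self, server: str, max_supported: int) -> bool:
        """Join, or republish a new maximum after the server has been upgraded."""
        if max_supported < self.version:
            return False  # old code cannot speak the room's protocol: refuse
        self.servers[server] = max_supported
        return True

    def kick(self, server: str) -> None:
        self.servers.pop(server, None)

    def try_upgrade(self) -> bool:
        """Move to the highest version that every participating server supports."""
        if not self.servers:
            return False
        agreed = min(self.servers.values())
        if agreed <= self.version:
            return False  # at least one participant is holding the room back
        self.version = agreed
        return True

    def shows_banner(self, latest: int = LATEST) -> bool:
        """Clients warn while the room is older than the latest known version."""
        return self.version < latest


def scenario() -> dict:
    room = Room(version=5)
    room.announce("new.example", 6)
    room.announce("old.example", 5)
    blocked = not room.try_upgrade() and room.shows_banner()
    room.announce("old.example", 6)  # the lagging server upgrades
    upgraded = room.try_upgrade() and not room.shows_banner()
    late_join = room.announce("stale.example", 5)  # version 5 vs room at 6
    return {"blocked": blocked, "upgraded": upgraded,
            "late_join": late_join, "version": room.version}
```

In this model the banner is a property of the room rather than of one user's client, so a lagging server keeps it visible to every participant until that server upgrades or is kicked.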