[viccuad]

> Do the Matrix clients still phone-home to some centralized server (Vector, I think it's called)

There's no centralized server. There's a server with the majority of users for now (in matrix.org), but the network is decentralized, with many servers. The server implementation run by the majority is called Synapse, but there are others (Dentrite, Conduit, Construct..).

I'm puzzled by this comment. Can you elaborate on what you mean by phoning home?

Are you talking about https://element.io, which points to matrix.org homeserver and signing server, etc?

In that case, well, just use a different server and your own client. Or self-host, and select one of many clients: https://matrix.org/clients/. That's the whole point of federation.

You can even deploy your own web client pointing to whichever server default you want, many people do. E.g: element.debian.social, chat.mozilla.org, etc.

[sneak]

> I'm puzzled by this comment. Can you elaborate on what you mean by phoning home?

On first launch, it connects to multiple centralized servers before you have a chance to select your homeserver.

The issue was with the default client, in the default config.

Not sure if it's still happening, but it was concerning enough that it happened in the first place.

https://github.com/vector-im/element-web/issues/13942

https://github.com/vector-im/element-web/issues/12712

https://github.com/vector-im/element-web/issues/11655

https://github.com/vector-im/element-web/issues/11655#issuec...

It would also appear that it intends to maintain a Solarwinds-style remote code execution vulnerability on the machine on which it is installed:

https://github.com/vector-im/element-web/issues/11655#issuec...

[Arathorn]

As per my comment at https://github.com/vector-im/element-web/issues/11655#issuec..., we'll switch auto-update checks to require user confirmation.

[HotHotLava]

Did you maybe post the wrong link?

The comment you're linking to says that there are no current plans to change the default request to matrix.org from the login page, and that you explicitly plan to keep the current auto-updating behavior.

(also, of course "we will fix that" implies that it is currently still broken, which is what the original commenter was pointing out)

[Arathorn]

The comment i linked is me saying:

> we're going to fix this, and yes, imo, autoupdates need an opt-in.

i'm not sure how clearer i can be.

[HotHotLava]

The comment you linked says:

> As should be pretty clear from #11655 (comment), we're going to fix this, and yes, imo, autoupdates need an opt-in.

The comment #11655 says:

> Auto-updating for default Riot distributions will continue as before to ensure security fixes are delivered quickly

So at this point already it becomes unclear to the reader which of these has precedence.

So, assuming you're asking in good faith, if you wanted to be clearer you should have written something like:

"*Despite* what's written #11655 (comment), I disagree with the product teams assessment and think autoupdates need an opt-in, therefore I will make sure this is implemented."

(not sure if the content is 100% what you wanted to express in the comment, but you get the idea)

[sneak]

When can I install and run a matrix client without it connecting to you? I want to use your software but want to self-host it and not use any services whatsoever from your organization.

[Arathorn]

I suspect they're referring to https://matrix.org/blog/2019/09/27/privacy-improvements-in-s... and https://matrix.org/blog/2019/06/30/tightening-up-privacy-in-...

[ajayyy]

They could be referring to the vector identity server for email/phone number -> matrix matching. I believe this is enabled by default on synapse installations (self-hosted ones too), but the URL can be changed in the config.

https://matrix.org/legal/identity-server-privacy-notice-1

[medstrom]

The relevant thing is whether the client enables it by default. From my experience, Element iOS doesn't.