You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've noticed a surge in people self hosting Element web, which is a good thing, but I also noticed that there's no recommended way to keep element up to date, I've been recommended downloading the tarball, extracting it, and changing the /version endpoint output and switching it up a version, which will trigger the cachebusting code to clear the cache and notify the user there's an update.
This is a super nice feature and seems to lend itself to exactly this kind of scenario, however after looking through the code and docs, and speaking to Matthew, what self hosted element users don't currently have is a way to ensure their element is always up to date with the GitHub releases. This is important for security reasons.
My proposal would be something like a bash script, to perform these steps automatically, combined with documentation for best practices on keeping the server up to date which would involve adding a cron job or similar with this bash script, the bash script would also check if the release is signed, etc.
This of course would be optional but recommended for most users.
Currently I'm under the impression (after speaking to several self-hosted element users) that these users believe this functionality already exists, and element-web once set up will keep itself up to date, which does not appear to be the case. This would allow admins to "set and forget" the service (as many do currently) without leaving their users at risk due to security issues in the code that may be patched out routinely, reported or similar.
Obviously this wouldn't be used by people who make large changes to Element as in the case of some matrix.org customers, but for general users and synapse admins who want to set up their own self hosted version of element (possibly to improve privacy, as is the case of privacytools changing the integration services to their own, etc.) this would improve security greatly.
Sorry in advance for any confusing sentences, writing this on my phone!
The text was updated successfully, but these errors were encountered:
My proposal would be something like a bash script, to perform these steps automatically, combined with documentation for best practices on keeping the server up to date which would involve adding a cron job or similar with this bash script, the bash script would also check if the release is signed, etc.
I've noticed a surge in people self hosting Element web, which is a good thing, but I also noticed that there's no recommended way to keep element up to date, I've been recommended downloading the tarball, extracting it, and changing the /version endpoint output and switching it up a version, which will trigger the cachebusting code to clear the cache and notify the user there's an update.
This is a super nice feature and seems to lend itself to exactly this kind of scenario, however after looking through the code and docs, and speaking to Matthew, what self hosted element users don't currently have is a way to ensure their element is always up to date with the GitHub releases. This is important for security reasons.
My proposal would be something like a bash script, to perform these steps automatically, combined with documentation for best practices on keeping the server up to date which would involve adding a cron job or similar with this bash script, the bash script would also check if the release is signed, etc.
This of course would be optional but recommended for most users.
Currently I'm under the impression (after speaking to several self-hosted element users) that these users believe this functionality already exists, and element-web once set up will keep itself up to date, which does not appear to be the case. This would allow admins to "set and forget" the service (as many do currently) without leaving their users at risk due to security issues in the code that may be patched out routinely, reported or similar.
Obviously this wouldn't be used by people who make large changes to Element as in the case of some matrix.org customers, but for general users and synapse admins who want to set up their own self hosted version of element (possibly to improve privacy, as is the case of privacytools changing the integration services to their own, etc.) this would improve security greatly.
Sorry in advance for any confusing sentences, writing this on my phone!
The text was updated successfully, but these errors were encountered: