Determine how long the ability to re-enable unauthenticated media (i.e. enable_authenticated_media: False) will be supported

[reivilibre]

In the future we will drop the enable_authenticated_media option, making all media access need authentication in the future.

But which version of Synapse should do this?

cc @element-hq/trust-safety @element-hq/synapse-core

[turt2live]

I suggest arbitrarily waiting 2 months at minimum, making this an early 2025 thing to happen.

[clokep]

This means dropping old spec versions, correct?

[turt2live]

No, it means the config flag disappears. The freeze would be enabled by default, and cannot be turned off.

[wrjlewis]

Thanks - in which case we'd like to propose end of Feb to remove this.

[turt2live]

Sounds great! I don't expect anything to come up which delays it, but will raise loudly if that changes.

[RUzOfuz5m]

I understand I might be unique but unauthenticated access to files is one of the features that I use a lot. I allow large files on my selfhosted server and send these links to other people all the time. On top of that, my experience with trying to bridge these (large) files to other tools/services I often find I hit their limits and they wont send. In this case I'll send a link instead of the file so the people on the other end still get it.

I agree that by default unauthenticated access to files is a bad thing and it shouldn't be enabled by default but to remove this all together is a bad idea.

[ShadowRZ]

@RUzOfuz5m It's at all possible to use a small proxy server to serve medias at your homeserver unauthenticated, I found no reason why unauth media support must belongs in Synapse