Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers.
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes
They seem to do there Global deployment this way... -
@wyldtom @JadedBlueEyes for me the funniest part is
> a serverless architecture where operations disappear, costs scale to zero when idle, and every connection is protected by post-quantum cryptography by default.
I don't know about the post-quantum cryptography, but I'll grant them that their homeserver is serveless and costs scale to zero (on account of it not existing)
@elilla@transmom.love @wyldtom@chaos.social @JadedBlueEyes@tech.lgbt Not even a quantum computer can get your data from the system without authorisation.
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes aewwwww2 crap
-
@elilla@transmom.love @wyldtom@chaos.social @JadedBlueEyes@tech.lgbt Not even a quantum computer can get your data from the system without authorisation.
@flesh @wyldtom @JadedBlueEyes Cloudflare truly has mastered the definite Matrix security approach (not sending messages at all)
-
@JadedBlueEyes I recently learned that GitHub allows one to view the activity on a repo, and you can limit it to show force pushes only, which in turn allows you to view the diff between the two states too, even if they span multiple commits.
It's fun to see what kind of things some companies try to hide. (edit: like the original history, which has some fun commits in there!)
@algernon @JadedBlueEyes "Remove PII" is always a banger of a commit to have public.
-
@JadedBlueEyes This is almost a minor criticism in comparison to all the other crap, but I am so sick of companies calling things 'serverless' when what they really mean is "servers, but only ours and they're really opaquely billed and impossible to replace with someone else's servers so you're stuck with us, and also they're managed in a totally custom way so none of your normal sysadmin skills are portable to it but you still have to learn how to manage it"
@joepie91@fedi.slightly.tech @JadedBlueEyes@tech.lgbt It seems minor in comparison, because we're so far down along the tracks, but it's still a line we never should have allowed to be crossed.
-
@JadedBlueEyes that'll fix it!
@kieran @JadedBlueEyes addressed todos, ready to ship!
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes It started off okay, mostly because they said it was a proof of concept and an experiment, but then I saw that "it is arguably one of the most secure ways to deploy a homeserver today" and just
lmfao -
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
"build a serverless home server" is the most fucking brainrot, dipshit, nonsense thing ive read in a while
-
@JadedBlueEyes It started off okay, mostly because they said it was a proof of concept and an experiment, but then I saw that "it is arguably one of the most secure ways to deploy a homeserver today" and just
lmfao@MarkAssPandi They updated the text
-
Oh look, they’re trying to cover up what they did too
https://github.com/nkuntz1934/matrix-workers/commit/2d3969dd5e795caa3641d0e237e2b52ca0502463
Archive link for posterity:
For those coming in now, they updated the blog post to include a disclaimer. Original post:
https://archive.is/AbxU5 -
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes Serverless is exactly how matrix shouldve been built anyway. Cuz I dont wanna use this crap anymore.
-
This is a core part of the protocol, that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)
They just have TODO comments, and happily accept anything, even if it's blatantly forged
@JadedBlueEyes lol, "unknown error" should imply the existence of a known error
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes I know someone Tibet works there that has openly admitted to changing their workflow to `while (testsFailing()) doLlmSlop()` and it really shows.
-
For those coming in now, they updated the blog post to include a disclaimer. Original post:
https://archive.is/AbxU5[U-turn in the readme, too](https://github.com/nkuntz1934/matrix-workers/commit/fd412f41f98c0f3f360f5c4034443ef80680de49), and an employee trying to do damage control on lobsters too
-
[U-turn in the readme, too](https://github.com/nkuntz1934/matrix-workers/commit/fd412f41f98c0f3f360f5c4034443ef80680de49), and an employee trying to do damage control on lobsters too
https://lobste.rs/s/csxfc6/cloudflare_claimed_they_implemented#c_gychiy
Quoting from one of my chat rooms:
> Distributed protocols get extra complex once cryptography and security get in the mix and without a domain expert
authentication isn't "extra complex", you literally removed signature checking. and hashes. And fucking authentication.
> ensure this handles the myriad of edge cases that regularly plague Matrix implementations
YOU REMOVED. AUTHENTICATION. THIS ISN'T SOME WEIRD EDGE CASE WITH STATE RESETS. YOU REMOVED AUTHENTICATION AND VALIDATION.
-
This is a core part of the protocol, that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)
They just have TODO comments, and happily accept anything, even if it's blatantly forged
@JadedBlueEyes Eeek. That
||instead of??is just painful to see. Repeatedly.At my previous company we had one of our mid-level devs fall into this trap last year. Ended up failing in production in almost exactly this type of scenario, where the dev expected an array or undefined, but got
true.I have to wonder if this is an artifact of the initial training for these systems being on Python, which doesn't have a strong equivalent for
??. And, you know, the fact that these things don't actually understand the code they generate, as much as anyone may claim otherwise. -
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes don't worry
"* This post was updated at 11:45 a.m. Pacific time to clarify that the use case described here is a proof of concept and a personal project. Some sections have been updated for clarity."
-
Oh and to top things off, they make trivially false claims in their post. Tuwunel and its predecessors do not and have never used Postgres or Redis.
@JadedBlueEyes They updated their post, it now says Synapse instead of Tuwunel.
-
https://lobste.rs/s/csxfc6/cloudflare_claimed_they_implemented#c_gychiy
Quoting from one of my chat rooms:
> Distributed protocols get extra complex once cryptography and security get in the mix and without a domain expert
authentication isn't "extra complex", you literally removed signature checking. and hashes. And fucking authentication.
> ensure this handles the myriad of edge cases that regularly plague Matrix implementations
YOU REMOVED. AUTHENTICATION. THIS ISN'T SOME WEIRD EDGE CASE WITH STATE RESETS. YOU REMOVED AUTHENTICATION AND VALIDATION.
I swear every iteration of the blogpost is somehow worse. No, your starting point wasn’t Synapse either. Your starting point was the claude opus chatbox
