Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers.
-
[U-turn in the readme, too](https://github.com/nkuntz1934/matrix-workers/commit/fd412f41f98c0f3f360f5c4034443ef80680de49), and an employee trying to do damage control on lobsters too
https://lobste.rs/s/csxfc6/cloudflare_claimed_they_implemented#c_gychiy
Quoting from one of my chat rooms:
> Distributed protocols get extra complex once cryptography and security get in the mix and without a domain expert
authentication isn't "extra complex", you literally removed signature checking. and hashes. And fucking authentication.
> ensure this handles the myriad of edge cases that regularly plague Matrix implementations
YOU REMOVED. AUTHENTICATION. THIS ISN'T SOME WEIRD EDGE CASE WITH STATE RESETS. YOU REMOVED AUTHENTICATION AND VALIDATION.
-
This is a core part of the protocol, that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)
They just have TODO comments, and happily accept anything, even if it's blatantly forged
@JadedBlueEyes Eeek. That
||instead of??is just painful to see. Repeatedly.At my previous company we had one of our mid-level devs fall into this trap last year. Ended up failing in production in almost exactly this type of scenario, where the dev expected an array or undefined, but got
true.I have to wonder if this is an artifact of the initial training for these systems being on Python, which doesn't have a strong equivalent for
??. And, you know, the fact that these things don't actually understand the code they generate, as much as anyone may claim otherwise. -
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes don't worry
"* This post was updated at 11:45 a.m. Pacific time to clarify that the use case described here is a proof of concept and a personal project. Some sections have been updated for clarity."
-
Oh and to top things off, they make trivially false claims in their post. Tuwunel and its predecessors do not and have never used Postgres or Redis.
@JadedBlueEyes They updated their post, it now says Synapse instead of Tuwunel.
-
https://lobste.rs/s/csxfc6/cloudflare_claimed_they_implemented#c_gychiy
Quoting from one of my chat rooms:
> Distributed protocols get extra complex once cryptography and security get in the mix and without a domain expert
authentication isn't "extra complex", you literally removed signature checking. and hashes. And fucking authentication.
> ensure this handles the myriad of edge cases that regularly plague Matrix implementations
YOU REMOVED. AUTHENTICATION. THIS ISN'T SOME WEIRD EDGE CASE WITH STATE RESETS. YOU REMOVED AUTHENTICATION AND VALIDATION.
I swear every iteration of the blogpost is somehow worse. No, your starting point wasn’t Synapse either. Your starting point was the claude opus chatbox
-
@JadedBlueEyes They updated their post, it now says Synapse instead of Tuwunel.
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes thank you for your work on continuwuity. An actually good matrix implementation.
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes lol
-
@JadedBlueEyes oh sorry I missed that!
-
@JadedBlueEyes oh sorry I missed that!
@JadedBlueEyes ah we posted around the same time. I did check
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes I am so glad we are well invested, giving all of the moneys to Cloudflare.
-
This is a core part of the protocol, that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)
They just have TODO comments, and happily accept anything, even if it's blatantly forged
@JadedBlueEyes it’s post-quantum security: if you observe it it’s not there
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes Is this "blue screen of death" cloudflare?
-
@JadedBlueEyes From "vibe coding" to "vibe security".
@DDRitter@neopaquita.es @JadedBlueEyes@tech.lgbt puts a paper plate on top of your server
Yeah that feels secure enough -
@petunia @JadedBlueEyes so like, on an emotional level I understand why people hate ORMs, but on a "people are very bad at databases" level ..................
@bitofabother in fairness, people are also very bad at ORMs...
-
I’m not gonna be trusting anything Cloudflare after this.
as if you should've been doing this in the first place@tauon @JadedBlueEyes true but this is the giant rock excavator hitting a whole new substrate of rock bottom -
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
-
Oh look, they’re trying to cover up what they did too
https://github.com/nkuntz1934/matrix-workers/commit/2d3969dd5e795caa3641d0e237e2b52ca0502463
Archive link for posterity:
@JadedBlueEyes did anyone fork thier repo?
-
For those of you that don't know, I develop https://continuwuity.org - a Rust based Matrix homeserver that actually works, and that you can run on a Raspberry Pi, rather than someone else's centralized cloud infrastructure
@JadedBlueEyes does it scale? does it have the ability to delete CSAM when stupid edgelords device to upload it to your homeserver and then get you swatted?
as always I want to believe there is a usable matrix homeserver... but it seems there is always a catch.
-
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on cloudflare workers. They didn't, their post and README is AI generated and the code doesn't do any of the core parts of matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar
https://blog.cloudflare.com/serverless-matrix-homeserver-workers/
@JadedBlueEyes I stopped reading after:
"But there is a "tax" to running it. Traditionally, operating a Matrix homeserver has meant accepting a heavy operational burden. You have to provision virtual private servers (VPS), tune PostgreSQL for heavy write loads, manage Redis for caching, configure reverse proxies, and handle rotation for TLS certificates. It’s a stateful, heavy beast that demands to be fed time and money, whether you’re using it a lot or a little."Mine runs on a small NAS
️
