Buried in this nicely-detailed RCA is a pretty damning fact:

Cloudflare left .unwrap() in mission-critical Rust code.

For non-Rustaceans, .unwrap() handles a type called Result that can either be Ok with a value, or an Err with an Error. The whole point is to gracefully handle errors and not let panics make it to production code. But unwrap() assumes there's a value to extract without safeguards.

I use .unwrap() sometimes! Usually when there's a logical guarantee that the result can never be an error. But I make sure to purge it from critical processes for exactly this reason.

https://blog.cloudflare.com/18-november-2025-outage/

@mttaggart
Isn't crashing the right choice when your rules enforcement engine can't fit all the rules into memory?

@EndlessMason @mttaggart or you could... treat it as an error instead of just crashing out?

@yaleman @mttaggart
How do you mean?

@EndlessMason @mttaggart

It had an error option in the result code, they could have just had a nice polite error instead of shitting the bed and dying?

@yaleman
Even if it politely logs "[error] isabot cant load the rules to decide if things are a bot or nah" (and it did that in the article) the next thing the service has to do is serve requests, which it cannot do without the table...

It can either serve 500s until the table reloads in the background or actually be down until it restarts and loads the table successfully (CrashLoop-style).

Both play nice with health checks.

Both are still an outage.
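
The two behaviours contrasted in this thread, as an added Rust example that is not part of any post and is not Cloudflare's code: `load_features` returns a `Result`, and the caller matches on the `Err` arm and serves 500s until a later reload succeeds, where `.unwrap()` on the same value would panic. The names `load_features`, `Service`, `LoadError` and the `MAX_FEATURES` limit are hypothetical, and the input files are constructed.

```rust
// Added illustration; all names and the limit are hypothetical.
const MAX_FEATURES: usize = 4; // assumed fixed capacity of the rules table

#[derive(Debug, PartialEq)]
enum LoadError {
    TooManyFeatures { got: usize, max: usize },
}

// Parse a feature file (one feature name per line) into a bounded table.
fn load_features(file: &str) -> Result<Vec<String>, LoadError> {
    let features: Vec<String> = file.lines().map(str::to_owned).collect();
    if features.len() > MAX_FEATURES {
        return Err(LoadError::TooManyFeatures { got: features.len(), max: MAX_FEATURES });
    }
    Ok(features)
}

struct Service {
    table: Option<Vec<String>>, // None until a load has succeeded
}

impl Service {
    // Handle the Err arm instead of calling .unwrap(): log and stay up, degraded.
    fn reload(&mut self, file: &str) {
        match load_features(file) {
            Ok(t) => self.table = Some(t),
            Err(LoadError::TooManyFeatures { got, max }) => {
                eprintln!("[error] cannot load rules: {got} features, limit {max}");
                self.table = None;
            }
        }
    }

    // Without a table the service cannot score requests, so it answers 500.
    fn handle_request(&self) -> u16 {
        match &self.table {
            Some(_) => 200,
            None => 500,
        }
    }
}

fn main() {
    let mut svc = Service { table: None };
    svc.reload("a\nb\nc\nd\ne"); // constructed oversized file: 5 features
    println!("status with oversized file: {}", svc.handle_request());
    svc.reload("a\nb"); // constructed file within the limit
    println!("status after good reload: {}", svc.handle_request());
}
```

Replacing the `match` in `reload` with `load_features(file).unwrap()` turns the oversized file into a process panic rather than a 500 response.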