Cloudflare just published a vibe coded blog post claiming they implemented Matrix on Cloudflare Workers. They didn't: their post and README are AI generated and the code doesn't do any of the core parts of Matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar

https://blog.cloudflare.com/serverless-matrix-homeserver-workers/

Building a serverless, post-quantum Matrix homeserver

As a proof of concept, we built a Matrix homeserver to Cloudflare Workers — delivering encrypted messaging at the edge with automatic post-quantum cryptography.

The Cloudflare Blog
Let me just pick a few examples from the code, because this is so bad

This is a core part of the protocol that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)

They just have TODO comments, and happily accept anything, even if it's blatantly forged

Rather than implementing the critical state resolution algorithm that's the core of Matrix, they just directly insert the latest state into the database. That'll instantly lead to diverging views of the room and incompatibility with every other implementation - and it's also a massive security hole.
Oh and to top things off, they make trivially false claims in their post. Tuwunel and its predecessors do not and have never used Postgres or Redis.
Honestly this is almost insulting to me, as someone who has spent a nontrivial amount of effort developing a Matrix homeserver, with how low effort it is. And what’s the point? Marketing? I’m not gonna be trusting anything Cloudflare after this.
The pricing comparisons are stupid, by the way, too - a bunch of us in the matrix chatrooms got out how many HTTP requests per day we were serving and the per-request cost of Workers would be more expensive than dedicated VPSs - not even counting CPU time or storage costs!
For those of you that don't know, I develop https://continuwuity.org - a Rust-based Matrix homeserver that actually works, and that you can run on a Raspberry Pi, rather than someone else's centralized cloud infrastructure
Continuwuity

A community-driven Matrix homeserver

I'm also giving a talk about some of the actual work that goes into building this software in a few days at FOSDEM, if you want to learn more:

https://tech.lgbt/@JadedBlueEyes/115956965835059690
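One of the checks the thread says was removed, content-hash validation of an incoming federation PDU, as an added Python example that is not code from the blog post or from matrix-workers: an origin server attaches the hash, a receiving server recomputes it and refuses a copy altered in transit. The event, room and user identifiers are constructed; the rule itself (strip `unsigned`, `signatures` and `hashes`, canonical JSON, SHA-256, unpadded base64) follows the Matrix server-server spec.

```python
import base64
import copy
import hashlib
import json

# Matrix content-hash check, following the server-server spec section
# "Calculating the content hash for an event". Added example, not code from
# the blog post or the matrix-workers repository; the PDU below is constructed.

def canonical_json(obj) -> bytes:
    """Matrix canonical JSON: sorted keys, no whitespace, raw UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def compute_content_hash(event: dict) -> str:
    """SHA-256 over the event minus unsigned/signatures/hashes, unpadded base64."""
    stripped = {k: v for k, v in event.items()
                if k not in ("unsigned", "signatures", "hashes")}
    digest = hashlib.sha256(canonical_json(stripped)).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")

def attach_content_hash(event: dict) -> dict:
    """What the origin server does before signing and sending the PDU."""
    out = copy.deepcopy(event)
    out["hashes"] = {"sha256": compute_content_hash(out)}
    return out

def verify_content_hash(event: dict) -> bool:
    """What a receiving homeserver must do: a mismatch means the event was
    changed after the origin hashed it, so it must not be stored as-is."""
    claimed = event.get("hashes", {}).get("sha256")
    return isinstance(claimed, str) and claimed == compute_content_hash(event)

# Constructed sample PDU (hypothetical room, users and content).
SAMPLE_EVENT = attach_content_hash({
    "type": "m.room.message",
    "room_id": "!example:origin.example",
    "sender": "@alice:origin.example",
    "origin_server_ts": 1700000000000,
    "content": {"msgtype": "m.text", "body": "hello"},
    "prev_events": ["$prev_event_id"],
    "auth_events": ["$create_event_id", "$alice_join_event_id"],
    "depth": 12,
})

def tampered_copy(event: dict) -> dict:
    """Simulate a relay rewriting the body while keeping the original hash."""
    forged = copy.deepcopy(event)
    forged["content"]["body"] = "text swapped in transit"
    return forged
```

A real receiver also has to verify the origin's ed25519 signature over the redacted event and run the authorization rules against `auth_events`; the hash check alone only proves the event was not altered after the origin produced it.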

For those coming in now, they updated the blog post to include a disclaimer. Original post:
https://archive.is/AbxU5
[U-turn in the readme, too](https://github.com/nkuntz1934/matrix-workers/commit/fd412f41f98c0f3f360f5c4034443ef80680de49), and an employee trying to do damage control on lobsters too
Revise README for clarity on project status and purpose · nkuntz1934/matrix-workers@fd412f4

Updated README to clarify the status and purpose of the Matrix homeserver implementation. Added information about assistance received and encouraged community contributions.

GitHub

https://lobste.rs/s/csxfc6/cloudflare_claimed_they_implemented#c_gychiy

Quoting from one of my chat rooms:

> Distributed protocols get extra complex once cryptography and security get in the mix and without a domain expert

authentication isn't "extra complex", you literally removed signature checking. and hashes. And fucking authentication.

> ensure this handles the myriad of edge cases that regularly plague Matrix implementations

YOU REMOVED. AUTHENTICATION. THIS ISN'T SOME WEIRD EDGE CASE WITH STATE RESETS. YOU REMOVED AUTHENTICATION AND VALIDATION.

Cloudflare claimed they implemented Matrix on Cloudflare workers. They didn't

Lobsters
I swear every iteration of the blogpost is somehow worse. No, your starting point wasn’t Synapse either. Your starting point was the claude opus chatbox

@JadedBlueEyes a bit later in the posts it's still

> The key insight from porting Tuwunel

instead of Synapse 

@JadedBlueEyes
They probably asked claude or chatgpt or whatever the name of the latest slop machine that's just gpt with a different initial prompt is to fix the blogpost, too.
@JadedBlueEyes it's just a proof of concept, get off your high horse🙃

@JadedBlueEyes

Did they upload the code to a public repo AS IS?

If so, we are in deep shit.
If not, maybe they published the open-source boilerplate while the auth was proprietary.

@JadedBlueEyes The comments under this commit make it at least a bit funnier
@JadedBlueEyes Oh yes, great fix. I also always resolve TODO comments by just deleting them. It'll be fine.
@outsidecontext Same. It’s the fastest way to resolve it, and that means it’s the best, right?
@JadedBlueEyes @outsidecontext I mean, if it breaks, we can always fill out a Jira ticket, then close the ticket in a year.
@JadedBlueEyes This takes it from "lazy and disappointing" to "actively malicious". One quick apology blogpost would fix this, but they're doubling down, aren't they?
@herzog first rule of corporate comms: never, ever apologise.
@womble Cloudflare's blog has been, to date, the gold standard for technical deep-dives and postmortems. This is a rare miss.

@herzog @womble Unfortunately a bit of a perception bias going on there. They pulled the exact same thing 2-3 years ago with Wildebeest, and never actually apologized for that either, nor for the many other missteps they've made over the years, and there were many.

You'll only ever see the postmortems for the things they're comfortable admitting, and that's usually the technical errors, but never anything that could call into question their ethics or the sociopolitical implications of what they do. It's been like that since at least 2013.

Cloudflare has never been an honest or ethical company, they just carefully shaped the appearance of one. It's marketing.

@joepie91 @herzog @womble it’s easy math: if (time-to-fix)<(time-to-author-postmortem) then publish() else Todo.delete(hush)

@JadedBlueEyes I recently learned that GitHub allows one to view the activity on a repo, and you can limit it to show force pushes only, which in turn allows you to view the diff between the two states too, even if they span multiple commits.

It's fun to see what kind of things some companies try to hide. (edit: like the original history, which has some fun commits in there!)

Activity · nkuntz1934/matrix-workers

GitHub
@algernon @JadedBlueEyes "Remove PII" is always a banger of a commit to have public. 👌 😂
@JadedBlueEyes The comments on this commits are absolutely hilarious. Well deserved 😄

@JadedBlueEyes more cover up - now making changes removing the claims of "Production Ready" and adding "It is meant to serve as an example prototype and not endorsed as ready for production at this point."

https://github.com/nkuntz1934/matrix-workers/commit/fd412f41f98c0f3f360f5c4034443ef80680de49

I was assisted by Claude Code Opus 4.5 for this implementation 🤮

@alex @JadedBlueEyes That has to be one of the funniest commits I've ever seen.
@JadedBlueEyes did anyone fork their repo?
@JadedBlueEyes redrawn by me, font by @mei
@elly @JadedBlueEyes @mei Here’s your Matrix unwrapped

@JadedBlueEyes does it scale? does it have the ability to delete CSAM when stupid edgelords decide to upload it to your homeserver and then get you swatted?

as always I want to believe there is a usable matrix homeserver... but it seems there is always a catch.

@ariadne @JadedBlueEyes IMO it scales well, I have about 250 users and it's really quick and uses only ~1.3 GB of RAM
@ariadne @JadedBlueEyes and yes you can delete local media by a certain user or clear remote media etc

@JadedBlueEyes

> I'm not gonna be trusting anything Cloudflare after this.

as if you should've been doing this in the first place

@tauon @JadedBlueEyes true but this is the giant rock excavator hitting a whole new substrate of rock bottom
@JadedBlueEyes
I don't think anyone should've ever trusted cloudflare before 
@JadedBlueEyes Oh yeah. Wait what the fuck. Even i know this and I've never touched the codebase. It's rocksdb and there was at one point SQLite, right?
@JadedBlueEyes
It has always been RocksDB, right?
Oh, Conduit also supports SQLite iirc
@darkcat09 Conduit started with Sled, and then moved to a KV abstraction that let them add RocksDB and SQLite support. Conduwuit then removed everything but RocksDB, which is what Tuwunel and Conduwuit are forked from
@JadedBlueEyes They updated their post, it now says Synapse instead of Tuwunel.
@JadedBlueEyes oh sorry I missed that!
@JadedBlueEyes ah we posted around the same time. I did check 😅