
Cloudflare just published a vibe coded blog post claiming they implemented Matrix on Cloudflare Workers. They didn't, their post and README are AI generated and the code doesn't do any of the core parts of Matrix that make it secure and interoperable. Instead it's littered with 'TODO: Check authorisation' and similar

https://blog.cloudflare.com/serverless-matrix-homeserver-workers/

Let me just pick a few examples from the code, because this is so bad

This is a core part of the protocol, that's not exactly simple (https://spec.matrix.org/v1.17/server-server-api/#authorization-rules)

They just have TODO comments, and happily accept anything, even if it's blatantly forged

Rather than implementing the critical state resolution algorithm that's the core of Matrix, they just directly insert the latest state into the database. That'll instantly lead to diverging views of the room and incompatibility with every other implementation - and it's also a massive security hole.
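
The divergence described above, as an added example that is not part of the original post and not code from either project: two servers receive the same pair of conflicting state events in opposite order. The event shape, the `senderPower` field and the `prefer` rule are assumptions made for this sketch; Matrix's real state resolution algorithm is considerably more involved (auth chains and authorization checks are omitted here).

```typescript
// Constructed, simplified state events (not real Matrix PDUs; no signatures or auth chains).
interface StateEvent {
  eventId: string; type: string; stateKey: string; content: string;
  senderPower: number; // assumed: the sender's power level, already known
  originServerTs: number;
}
type RoomState = Record<string, StateEvent>;
type Resolver = (arrivals: StateEvent[]) => RoomState;
const slot = (e: StateEvent): string => e.type + "|" + e.stateKey;

// The behaviour the post describes: whatever arrives last overwrites the slot.
const lastWriteWins: Resolver = (arrivals) => {
  const state: RoomState = {};
  for (const e of arrivals) state[slot(e)] = e;
  return state;
};

// Fixed rule chosen for this example: higher sender power wins, then the
// earlier timestamp, then the smaller event ID. Negative means a beats b.
function prefer(a: StateEvent, b: StateEvent): number {
  if (a.senderPower !== b.senderPower) return b.senderPower - a.senderPower;
  if (a.originServerTs !== b.originServerTs) return a.originServerTs - b.originServerTs;
  return a.eventId < b.eventId ? -1 : a.eventId > b.eventId ? 1 : 0;
}

// Arrival-order-independent stand-in: every server picks the same winner.
const resolveDeterministic: Resolver = (arrivals) => {
  const state: RoomState = {};
  for (const e of arrivals) {
    const cur: StateEvent | undefined = state[slot(e)];
    if (cur === undefined || prefer(e, cur) < 0) state[slot(e)] = e;
  }
  return state;
};

const render = (s: RoomState): string =>
  Object.keys(s).sort().map((k) => k + "=" + (s[k] as StateEvent).content).join(";");

// Two conflicting m.room.name events, delivered to two servers in opposite order.
const e1: StateEvent = { eventId: "$a", type: "m.room.name", stateKey: "", content: "ops", senderPower: 100, originServerTs: 1000 };
const e2: StateEvent = { eventId: "$b", type: "m.room.name", stateKey: "", content: "renamed", senderPower: 0, originServerTs: 1001 };

function views(resolve: Resolver): [string, string] {
  return [render(resolve([e1, e2])), render(resolve([e2, e1]))];
}

console.log("last-write-wins:", views(lastWriteWins));
console.log("deterministic:  ", views(resolveDeterministic));
```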

Oh and to top things off, they make trivially false claims in their post. Tuwunel and its predecessors do not and have never used Postgres or Redis.

Honestly this is almost insulting to me, as someone who has spent a nontrivial amount of effort developing a Matrix homeserver, with how low effort it is. And what’s the point? Marketing? I’m not gonna be trusting anything Cloudflare after this.

The pricing comparisons are stupid, by the way, too - a bunch of us in the matrix chatrooms got out how many HTTP requests per day we were serving and the per-request cost of Workers would be more expensive than dedicated VPSs - not even counting CPU time or storage costs!

@JadedBlueEyes

I might just be missing it, but since they made a point about how it's post-quantum: where's the megolm implementation?

For those of you that don't know, I develop https://continuwuity.org - a Rust based Matrix homeserver that actually works, and that you can run on a Raspberry Pi, rather than someone else's centralized cloud infrastructure

I'm also giving a talk about some of the actual work that goes into building this software in a few days at FOSDEM, if you want to learn more:

https://tech.lgbt/@JadedBlueEyes/115956965835059690

@JadedBlueEyes

> I’m not gonna be trusting anything Cloudflare after this.

as if you should’ve been doing this in the first place

@JadedBlueEyes I recently learned that GitHub allows one to view the activity on a repo, and you can limit it to show force pushes only, which in turn allows you to view the diff between the two states too, even if they span multiple commits.

It's fun to see what kind of things some companies try to hide. (edit: like the original history, which has some fun commits in there!)

@JadedBlueEyes more cover up - now making changes removing the claims of "Production Ready" and adding "It is meant to serve as an example prototype and not endorsed as ready for production at this point."

@JadedBlueEyes The comments under this commit make it at least a bit funnier

@wyldtom @JadedBlueEyes for me the funniest part is

> a serverless architecture where operations disappear, costs scale to zero when idle, and every connection is protected by post-quantum cryptography by default.

I don't know about the post-quantum cryptography, but I'll grant them that their homeserver is serverless and costs scale to zero (on account of it not existing)

@elilla @wyldtom @JadedBlueEyes Not even a quantum computer can get your data from the system without authorisation.

@flesh @wyldtom @JadedBlueEyes Cloudflare truly has mastered the definite Matrix security approach (not sending messages at all)

@JadedBlueEyes

"build a serverless home server" is the most fucking brainrot, dipshit, nonsense thing ive read in a while

@JadedBlueEyes lol, "unknown error" should imply the existence of a known error

@JadedBlueEyes This takes it from "lazy and disappointing" to "actively malicious". One quick apology blogpost would fix this, but they're doubling down, aren't they?

@herzog first rule of corporate comms: never, ever apologise.

@JadedBlueEyes worst game of spot the difference i have ever played

@petunia @JadedBlueEyes so like, on an emotional level I understand why people hate ORMs, but on a "people are very bad at databases" level ..................

@bitofabother in fairness, people are also very bad at ORMs...

@algernon @JadedBlueEyes "Remove PII" is always a banger of a commit to have public. 👌 😂

@JadedBlueEyes

Thank you for bringing your attention to this matter.

This

@JadedBlueEyes does it scale? does it have the ability to delete CSAM when stupid edgelords decide to upload it to your homeserver and then get you swatted?

as always I want to believe there is a usable matrix homeserver... but it seems there is always a catch.

@JadedBlueEyes Granted I don't know shit about serverless or quantum blablabla but that blog read like lorem ipsum text??? I guess if the project is underspecified and sufficiently novel Opus will just shit the bed. I think I want to write a bunch of .md files less than I want to write code which is already very little...

Sven Slootweg, low-spoons mode ("still kinky and horny anyway")

@JadedBlueEyes This is almost a minor criticism in comparison to all the other crap, but I am so sick of companies calling things 'serverless' when what they really mean is "servers, but only ours and they're really opaquely billed and impossible to replace with someone else's servers so you're stuck with us, and also they're managed in a totally custom way so none of your normal sysadmin skills are portable to it but you still have to learn how to manage it"

@JadedBlueEyes not to pile on matrix, but "Matrix is the gold standard for decentralized, end-to-end encrypted communication" also seems bold. I have never had a good experience using matrix, nor heard anyone describing one 😅

@danvolchek @JadedBlueEyes

True (it's also my experience) but it’s still a huge deal that the German and French militaries are actually putting their weight behind Matrix...

@JadedBlueEyes to be very fair, I tried it a few times and do not interact with people who use it, so my sample size and experience is low. I would love if it overcame usability issues and replaced discord!!!

@JadedBlueEyes why am I not surprised that the biggest () does such shite?

@tauon @JadedBlueEyes true but this is the giant rock excavator hitting a whole new substrate of rock bottom

@JadedBlueEyes

What in absolute fuck is a serverless server

@ariadne @JadedBlueEyes IMO it scales well, i have about 250 users and it's really quick and uses only ~1.3 gb of ram

@ariadne @JadedBlueEyes and yes you can delete local media by a certain user or clear remote media etc

@JadedBlueEyes

Holy crap. I would not expect this from an industry giant (Though I guess I should.)

That certainly shatters my trust in cloudflare a bit.

@silo_bear @JadedBlueEyes

Seeing two basically back-to-back Cloudflare outages in a span of a month last year, both of which had really good technical blog posts - that boiled down to being a minor programmer error, got me suspicious that LLMs are involved.

I mean, I remember like 1 other CF outage before that, and two major outages in a month?

This kind of explains it. It's what happens when you turn to LLMs for your development (see i.e recent Windows bugs).

Tech will suck so much now :(

@JadedBlueEyes

Leaving aside dives into the technical:
How does serverless homeserver?
If homeserver not serverless. And vice versa.

Also there is no serverless, just other people's servers.

@JadedBlueEyes Two paragraphs into the blog post and I'd normally be clicking away to...anything else on the internet.
Note the groups of three: "widget Z does THING, THING and THING." Plus the construction, "For the PERSON/GROUP, blah blah blah..."
AI crap announcing AI crap.
