Technical blogs from infrastructure companies used to serve two purposes: demonstrate expertise and build trust. When the posts start overpromising, you lose both.
I don't know enough about this specific implementation to say whether "implemented Matrix" is accurate or marketing stretch. But the pattern of "we did X" blog posts that turn out to be "we did a demo of part of X" is getting tiresome across the industry.
The fix is boring: just be precise about what you built. "We prototyped a Matrix homeserver on Workers with these limitations" is less exciting but doesn't erode trust.
They can't do that though. If they did, it would make the shareholders and CEOs mad because it would demonstrate that LLMs cannot (yet) deliver on all the promises these CEOs have been claiming for this entire time.
My charitable read on this is that an individual vibe-coded both the post and repository and was able to publish to the Cloudflare blog without it actually being reviewed or vetted. They also are not an engineer and when the agent hallucinated “I have built and tested this and it is production grade,” they took it at face value.
You can tell since the code is in a public repository and not Cloudflare’s, which IMO is the big giveaway that this is a lesson for Cloudflare in having appropriate review processes for public comms and for the individual to avoid making claims they cannot substantiate or verify independently.
This person works for Cloudflare. What else are they "vibe coding?" How long until Cloudflare shuts off half the internet due to a "mistake" again? How much longer are we going to accept that these are mistakes?
I don't know why it being potentially vibe coded or vibe written exonerates the author. "Your job is to deliver code you have proven to work [1]." It is your duty to ensure your work works, no matter what tools you used. You don't get to pass the blame on an AI agent any more than you get to blame intellij autocomplete for your buggy code.
Furthermore, I don't see why we are extending the principle of charity to cloudflare, a billion dollar enterprise controlling a significant part of internet traffic self identifying as a "utility." If cloudflare deserves more of something from us, it is scrutiny and accountability, not charity and deference.
I agree, but it's probably not just about being "able to" do it, but about what the incentives and pressures are in that organization.
Cloudflare apparently considers blog posts to be a key deliverable for many roles. Not just marketing or devrel but engineering too. That sets up a lot of incentives for slop. And then all you need for a disaster is a high trust environment with insufficient controls, which they probably have since the process had worked for a decade without an insufficiently reviewed article blowing up in their face.
Going forward there will be just a little bit less trust, more controls, and more friction that will make it harder to get a post out in a timely manner. It's just the way all organizations evolve. You can see from the scar tissue where problems existed in the past.
What I can't believe is that they haven't retracted the whole post by now, but are allowing the author to make an even bigger mess trying to fix the initial problems.
I'd love to see a root cause analysis post by Cloudflare for this one. The ones they do after outages are always interesting to read.
How did this make it into the blog? What is the review process for these posts and what failed this time? What measures will be taken to restore Cloudflare blog's reputation?
Days after the fake story about Cursor building a web browser from scratch with GPT-5.2 was debunked. Disbelief should be the default reaction to stories like this.
Btw, after I wrote that initial article ("Cursor's latest "browser experiment" implied success without evidence"), I gave it my own try to write a browser from scratch with just one agent, using no 3rd party crates, only commonly available system libraries, and just made a Show HN about it: https://news.ycombinator.com/item?id=46779522
The end result: Me and one agent (codex) managed to build something more or less the same as Cursor's "hundreds of agents" running for weeks and producing millions of lines of code, in just 20K LOC (this includes X11, macOS and Windows support). Has --headless, --screenshot, handles scaling, link clicking and scrolling, and can render basic websites mostly fine (like HN) and most others not so fine. Also included CI builds and automatic releases because why not.
The outrageous part of this is nowhere in the blog post or the repository indicates it's vibe coded garbage (hopefully I didn't miss it?). You expect some level of bullshit in AI company's latest AI vibe coding announcements. This can be mistaken for a classical blog post.
I get vibe coding a feature or news story or whatnot but how do you go about not even checking if the thing actually works, or fact checking the blog post?
It's clear that on Hacker News many people have made absurdly deep investments into this "technology." There's going to be a long period of pearl clutching we have to dig out of until we get back to the standard hacker ethic of not believing anything published by corporations.
it seems as if literally everyone associated with "AI" is a grifter, shill (sorry, "Independent Researcher"), temporarily embarrassed billionaire, or just a flat out scammer
> This post was updated at 11:15 a.m. Pacific time to clarify that the use case described here is a proof of concept. Some sections have been updated for clarity.
But then the bottom still says:
> Our team is using Matrix on Workers, handling real encrypted communications. It is fast, it is cheap, and it is arguably one of the most secure ways to deploy a homeserver today.
I guess they're dogfooding something that's wildly insecure and incomplete internally. Kind of surprising that's allowed on CloudFlare's internal network if true, but I guess shadow-IT is everywhere.
It is worrying to see a major vendor release code that does not actually work just to sell a new product. When companies pretend that complex engineering is easy it makes it very hard for the rest of us to explain why building safe software takes time. This kind of behavior erodes the trust that we place in their platform.
The real concern is that we've been doing this race to the bottom for so long that it's becoming almost trivial to explain why they are wrong. This over simplification has existed before AI coding and it's the dream AI coding took advantage of. But this market of lemons got too greedy
Since cloudflare are busy editing this blog post to say something completely different from what it originally said, I feel that this archive link is relevant
Hah. The coward even deleted the telltale "not just X; Y" LLM dead-giveaway line from the blog, after someone vomit emoji quoted it in the mastodon thread.
“This architecture shifts the paradigm for self-hosting. It turns "running a server" from a chore into a utility. You get the sovereignty of owning your data without the burden of owning the infrastructure”
Yeah, this is just shameful. Obviously written by an LLM with zero oversight. If this engineer doesn't get fired I'll lose all trust in Cloudflare.
He shouldn't get fired. For all we know he might actually be a decent employee who had a, ekhm, temporary lapse of reason. He didn't destroy anything (except damaging CF brand).
The best CF can do is to post a post-mortem and improve procedures so that can't happen anymore.
That the original post to HN linked in the blog was done on a throwaway kind of implies a level of awareness (on the part of the dev) that the code/claims were rubbish :)
This appears to be the author's first blog post for Cloudflare, Cloudflare being the author's first post-military employer. For his sake and Cloudflare's, this deserves an AAR that I hope becomes a teachable moment for both.
> Traditionally, operating a Matrix homeserver has meant accepting a heavy operational burden. You aren't just installing software; you are becoming a system administrator. You have to provision virtual private servers (VPS), tune PostgreSQL for heavy write loads, manage Redis for caching, configure reverse proxies, and handle rotation for TLS certificates. It’s a stateful, heavy beast that demands to be fed time and money, whether you are sending one message a day or one million.
I have limited experience with Matrix, but you don't actually need Synapse (reference homeserver) which is quite a resource hog and not even remotely easy to setup/administer.
You can just use the lightweight Continuwuity homeserver for the Matrix part, and Caddy for the reverse proxy/TLS/ACME part, installed on a VPS. Both require minimal configuration, and provide packages for many Linux distributions, as well as Docker images.
(Continuwuity is a fork of conduwuit which was a fork of Conduit. Conduit was abandoned, but is now active again, and there are also other active forks as well. However, it seems to me that Continuwuity is currently the most active fork.)
Honestly I like Cloudflare's CDN and DNS but beyond that I don't really trust much else from them. In the past though their blog has been one of the best in the space and the information has been pretty useful, almost being a gold standard for postmortems, but this seems especially bad. Definitely out of line compared to the rest of their posts. And with the recent Cursor debacle this doesn't help. I also don't really get their current obsession with porting every piece of software on Earth to Workers recently...
>I also don't really get their current obsession with porting every piece of software on Earth to Workers recently...
Because their CDN/DNS is excellent software but it's not massive moat. Workers on other hand is.
It's like difference between running something on Kubernetes vs Lambdas. One you can somewhat pivot with between vendors vs other one requires massive rewrites to software that means most executives won't transition away from it due to high potential for failure.
Yeah, I like that I can just upload a static html and host it there for free, but anything more I dunno. Its all about vendor lock-in with their products.
Wildebeest ceased maintenance one month after the article's publication, adding a similar comment several months later[1]:
> :warning: This project has been archived and is no longer actively maintained or supported. Feel free to for this repository, explore the codebase, and adapt it to your needs. Wildebeest was an opportunity to showcase our technology stack's power and versatility and prove how anyone can use Cloudflare to build larger applications that involve multiple systems and complex requirements.
I don't know why cloudflare jumps on any bandwagon with a cloudflare workers version rather then implementing the "classics", like a blog or a forum that you can host with cloudflare workers.
Um what's up with companies trying to recreate really big projects using vibe coding.
Like okay, I am an indie-dev if I create a vibe coded project, I create it for fun (I burn VC money of other people doing so tho but I would consider it actually positive)
But what's up with large companies who can actually freaking sponsor a human to do work make use of AI agents vibe code.
First it was cursor who spent almost 3-5 million$ (Just came here after watching a good yt video about it) and now Cloudflare.
Like, large corpos, if you are so much interested in burning money, atleast burn it on something new (perhaps its a good critique of the browser thing by Cursor but yeah)
I am recently in touch with a person from UK (who sadly got disabled due to an accident when he was young) guy who is a VPS provider who got really impacted by WHMCS increase in bill and He migrated to 1200 euros hostbill. Show him some HN love (https://xhosts.uk/)
I had vibe coded a golang alternative. Currently running it in background to create it better for his use cases and probably gonna open source it.
The thing with WHMCS alternatives are is that I made one using gvisor+tmate but most should/have to build on top of KVM/QEMU directly. I do feel that WHMCS is definitely one of the most rent seeking project and actually writing a golang alternative of it feels sense (atleast to me)
Can there not be an AI agent which can freaking detect what people are being charged for (unfairly) online & these large companies who want to build things can create open source alternatives of it.
I mean I am not saying that it stops being slop but it just feels a good way of making use of this tech aside from creating complete spaggeti slop nobody wants, I mean maybe it was an experiment but now it got failed (Cursor and this)
A bit ironic because I contacted the xhosts.uk provider because I wanted to create a cloudflare tunnels alternative after seeing 12% of internet casually going through cf & I saw myself being very heavily reliant on it for my projects & I wasn't really happy about my reliance on cf tunnels ig
LLMs made them twice as efficient: with just one release, they're burning tokens and their reputation.
It's kinda mindblowing. What even is the purpose of this? It's not like this is some post on the vibecoding subreddit, this is fricken Cloudflare. Like... What the hell is going on in there?
Well that is an interesting idea and proof of concept. I agree that the post is not the best I have seen from Cloudflare, and it shouldn't suggest that the code is production ready, but it is an interesting use-case.
what? that's like saying "you should implement TLS instead of HTTP"!
They do entirely different things: MLS is a key agreement protocol, equivalent to the Double Ratchet that Matrix uses for E2EE today. Matrix can use both.
Blog post now says: "* This post was updated at 11:15 a.m. Pacific time to clarify that the use case described here is a proof of concept. Some sections have been updated for clarity." But parts of it are still misleading.
I hope this isn't in bad taste, but I applied for the editor-in-chief position at Cloudflare back in August when they had it open. I'm still very interested in the role. If anyone at cf is reading this, my email is bro @ website in bio.
I think it's a pretty big deal for a major company to put out a blog post about something that is "production grade" and pushing customers to use it without actually making it production grade.
augusteo|1 month ago
I don't know enough about this specific implementation to say whether "implemented Matrix" is accurate or marketing stretch. But the pattern of "we did X" blog posts that turn out to be "we did a demo of part of X" is getting tiresome across the industry.
The fix is boring: just be precise about what you built. "We prototyped a Matrix homeserver on Workers with these limitations" is less exciting but doesn't erode trust.
palata|1 month ago
ethin|1 month ago
wlonkly|1 month ago
ampersandy|1 month ago
You can tell since the code is in a public repository and not Cloudflare’s, which IMO is the big giveaway that this is a lesson for Cloudflare in having appropriate review processes for public comms and for the individual to avoid making claims they cannot substantiate or verify independently.
themafia|1 month ago
pibaker|1 month ago
Furthermore, I don't see why we are extending the principle of charity to cloudflare, a billion dollar enterprise controlling a significant part of internet traffic self identifying as a "utility." If cloudflare deserves more of something from us, it is scrutiny and accountability, not charity and deference.
[1] https://simonwillison.net/2025/Dec/18/code-proven-to-work/
babelfish|1 month ago
jsnell|1 month ago
Cloudflare apparently considers blog posts to be a key deliverable for many roles. Not just marketing or devrel but engineering too. That sets up a lot of incentives for slop. And then all you need for a disaster is a high trust environment with insufficient controls, which they probably have since the process had worked for a decade without an insufficiently reviewed article blowing up in their face.
Going forward there will be just a little bit less trust, more controls, and more friction that will make it harder to get a post out in a timely manner. It's just the way all organizations evolve. You can see from the scar tissue where problems existed in the past.
What I can't believe is that they haven't retracted the whole post by now, but are allowing the author to make an even bigger mess trying to fix the initial problems.
renyicircle|1 month ago
unknown|1 month ago
[deleted]
TehShrike|1 month ago
renyicircle|1 month ago
Should have just nuked the whole thing to be honest, the blog post and the repo.
rideontime|1 month ago
corvad|1 month ago
rideontime|1 month ago
embedding-shape|1 month ago
The end result: Me and one agent (codex) managed to build something more or less the same as Cursor's "hundreds of agents" running for weeks and producing millions of lines of code, in just 20K LOC (this includes X11, macOS and Windows support). Has --headless, --screenshot, handles scaling, link clicking and scrolling, and can render basic websites mostly fine (like HN) and most others not so fine. Also included CI builds and automatic releases because why not.
The repository itself is here and should run out of the box on most modern OSes, downloads can be found at the Releases page: https://github.com/embedding-shapes/one-agent-one-browser
oefrha|1 month ago
Although the tell is obvious if you spent one second looking at https://github.com/nkuntz1934/matrix-workers. That misaligned ASCII diagram, damn.
Why is Cloudflare paying this guy again, just to vibe a bunch of garbage without even checking above the fold content in the README?
bentcorner|1 month ago
themafia|1 month ago
blibble|1 month ago
I have yet to see a counter-example
ronsor|1 month ago
ncruces|1 month ago
> This post was updated at 11:15 a.m. Pacific time to clarify that the use case described here is a proof of concept. Some sections have been updated for clarity.
But then the bottom still says:
> Our team is using Matrix on Workers, handling real encrypted communications. It is fast, it is cheap, and it is arguably one of the most secure ways to deploy a homeserver today.
Which one is it?
ncruces|1 month ago
> I have been experimenting with the implementation and am excited for any contributions from others interested in this kind of service.
A few of the versions of the blog are available at: https://archive.ph/https://blog.cloudflare.com/serverless-ma...
corvad|1 month ago
philipwhiuk|1 month ago
rsynnott|1 month ago
... Oh, dear.
huckery|1 month ago
So many failures coming out of Cloudflare these days, feels like they peaked a while ago and are slowly declining into incompetence.
blibble|1 month ago
I wonder if there's a particular new fad that could be causing this
dfajgljsldkjag|1 month ago
godelski|1 month ago
tamirzb|1 month ago
https://archive.ph/AbxU5
qqvga|1 month ago
evilc00kie|1 month ago
https://github.com/nkuntz1934/matrix-workers/commit/fd412f41...
soulofmischief|1 month ago
Yeah, this is just shameful. Obviously written by an LLM with zero oversight. If this engineer doesn't get fired I'll lose all trust in Cloudflare.
subscribed|1 month ago
The best CF can do is to post a post-mortem and improve procedures so that can't happen anymore.
tsujamin|1 month ago
https://news.ycombinator.com/item?id=46780837
OsrsNeedsf2P|1 month ago
unknown|1 month ago
[deleted]
Arathorn|1 month ago
etchalon|1 month ago
CharlesW|1 month ago
selfawareMammal|1 month ago
sva_|1 month ago
watermelon0|1 month ago
I have limited experience with Matrix, but you don't actually need Synapse (reference homeserver) which is quite a resource hog and not even remotely easy to setup/administer.
You can just use the lightweight Continuwuity homeserver for the Matrix part, and Caddy for the reverse proxy/TLS/ACME part, installed on a VPS. Both require minimal configuration, and provide packages for many Linux distributions, as well as Docker images.
(Continuwuity is a fork of conduwuit which was a fork of Conduit. Conduit was abandoned, but is now active again, and there are also other active forks as well. However, it seems to me that Continuwuity is currently the most active fork.)
corvad|1 month ago
stackskipton|1 month ago
Because their CDN/DNS is excellent software but it's not massive moat. Workers on other hand is.
It's like difference between running something on Kubernetes vs Lambdas. One you can somewhat pivot with between vendors vs other one requires massive rewrites to software that means most executives won't transition away from it due to high potential for failure.
hoppp|1 month ago
palata|1 month ago
cxplay|1 month ago
Welcome to Wildebeest: the Fediverse on Cloudflare https://blog.cloudflare.com/welcome-to-wildebeest-the-fedive...
Wildebeest ceased maintenance one month after the article's publication, adding a similar comment several months later[1]:
> :warning: This project has been archived and is no longer actively maintained or supported. Feel free to for this repository, explore the codebase, and adapt it to your needs. Wildebeest was an opportunity to showcase our technology stack's power and versatility and prove how anyone can use Cloudflare to build larger applications that involve multiple systems and complex requirements.
[1]: https://github.com/cloudflare/wildebeest/commit/b1be6a5c49be...
arctictony|1 month ago
ares623|1 month ago
nkalupahana|1 month ago
kalleboo|1 month ago
https://xcancel.com/eastdakota/status/2016357035064144309#m
> It’s a proof of concept. Get off your high horse.
amadeuspagel|1 month ago
rootxy|25 days ago
yapperish|1 month ago
Imustaskforhelp|1 month ago
Like okay, I am an indie-dev if I create a vibe coded project, I create it for fun (I burn VC money of other people doing so tho but I would consider it actually positive)
But what's up with large companies who can actually freaking sponsor a human to do work make use of AI agents vibe code.
First it was cursor who spent almost 3-5 million$ (Just came here after watching a good yt video about it) and now Cloudflare.
Like, large corpos, if you are so much interested in burning money, atleast burn it on something new (perhaps its a good critique of the browser thing by Cursor but yeah)
I am recently in touch with a person from UK (who sadly got disabled due to an accident when he was young) guy who is a VPS provider who got really impacted by WHMCS increase in bill and He migrated to 1200 euros hostbill. Show him some HN love (https://xhosts.uk/)
I had vibe coded a golang alternative. Currently running it in background to create it better for his use cases and probably gonna open source it.
The thing with WHMCS alternatives are is that I made one using gvisor+tmate but most should/have to build on top of KVM/QEMU directly. I do feel that WHMCS is definitely one of the most rent seeking project and actually writing a golang alternative of it feels sense (atleast to me)
Can there not be an AI agent which can freaking detect what people are being charged for (unfairly) online & these large companies who want to build things can create open source alternatives of it.
I mean I am not saying that it stops being slop but it just feels a good way of making use of this tech aside from creating complete spaggeti slop nobody wants, I mean maybe it was an experiment but now it got failed (Cursor and this)
A bit ironic because I contacted the xhosts.uk provider because I wanted to create a cloudflare tunnels alternative after seeing 12% of internet casually going through cf & I saw myself being very heavily reliant on it for my projects & I wasn't really happy about my reliance on cf tunnels ig
arthurcolle|1 month ago
That's one way to destroy the CF blog credibility!
biohazard2|1 month ago
Professionalism at its finest!
InsideOutSanta|1 month ago
It's kinda mindblowing. What even is the purpose of this? It's not like this is some post on the vibecoding subreddit, this is fricken Cloudflare. Like... What the hell is going on in there?
bob1029|1 month ago
https://github.com/nkuntz1934/matrix-workers/commits/main/
There exist only two commits. I've never seen a "real" project that looks like this.
oefrha|1 month ago
To the author: see my comment at https://news.ycombinator.com/item?id=46782174, please also clean up that misaligned ASCII diagram at the top of the README, it's a dead tell.
jtbaker|1 month ago
usefulposter|1 month ago
>Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security
>To emphasize, this is not "vibe coded".
>Every line was thoroughly reviewed and cross-referenced with relevant RFCs, by security experts with previous experience with those RFCs.
...Some time later...
https://github.com/advisories/GHSA-4pc9-x2fx-p7vj
godelski|1 month ago
https://www.linkedin.com/posts/nick-kuntz-61551869_building-...
corvad|1 month ago
esnard|1 month ago
guluarte|1 month ago
rideontime|1 month ago
armchairhacker|1 month ago
drrotmos|1 month ago
palata|1 month ago
rsynnott|1 month ago
erichocean|1 month ago
Arathorn|1 month ago
They do entirely different things: MLS is a key agreement protocol, equivalent to the Double Ratchet that Matrix uses for E2EE today. Matrix can use both.
corvad|1 month ago
catskull|1 month ago
Fokamul|1 month ago
Of course, this is done by a manager. Classic corporate mindset, I can do what these smelly nerds do every day, hold my bear.
He doesn't even know how git works, huh?
What a clown.
OsrsNeedsf2P|1 month ago
fleroviumna|1 month ago
[deleted]
palata|1 month ago
[deleted]
computerfriend|1 month ago
> A production-grade Matrix homeserver
this is engineering malpractice. It is also unethical to present the work of an LLM as your own.
wswope|1 month ago
Unequivocally yes.
Fraud is fraud, and if your first instinct is to defend it in this manner, check yourself in the mirror.
cortesoft|1 month ago
OsrsNeedsf2P|1 month ago
That's a generous read. From the actual article:
> We wanted to see if we could eliminate that tax entirely. Spoiler: We could.
rideontime|1 month ago
tjwebbnorfolk|1 month ago
[deleted]
guluarte|1 month ago