Dye

@YuriRDev BRB, shutting the company down, turns out we were just an overly engineered if-statement all along

"bypasses Cloudflare natively". The bypass:

@nickfloats Why does every AI "artist" also happen to have a complete lack of taste?

1) what

Buy the company too, please 😍

@JoltPicks @vxunderground So your reading comprehension is poor. Maybe that's why you couldn't stop your job from getting sent overseas.

@dye_dev @vxunderground “Slave wages” “opportunity they have to better their lives” Asides from not understanding economic arbitrage, you just contradicted yourself. You have this weird idea they dont pose the same risk to their own local companies. Guess what, it’s a third world shithole.

I have a bunch of people from India being mean to me because I wrote the Insider Threats that hurt some companies were worked off-shored to India What do you want me to do? Lie? It's objectively true. I'm sorry large companies exploit your country, dawg

@vxunderground These replies are crazy. Why are they not mad at the companies using foreign labour and paying slave wages, rather than the workers in these poor countries taking any opportunity they have to better their lives.

But no seriously, it's despicable how much large companies exploit workers in different countries. When someone is paid as low as $2.50/hr, how do you think they feel when offered $10,000?

@vmfunc most reasonable people would say providing exact line numbers to the issues you're mentioning is more than fair. won't sway the brainrotten though :(

@dye_dev he's once again going to claim that i'm making this review not in good faith but to attack him or something idk man

tetsuo still has me blocked and his team says that kind of bs.. alright then, i just looked at the repo that he published, and took the time to review the code again: found 12+ critical security vulnerabilities. executable stack enabled via setjmp/longjmp with comments claiming "modern kernels enforce nx regardless". that's completely false. cmakelists.txt line 15-19 literally enables code injection vulnerabilities while telling users it's "safe" arena allocator has textbook toctou race conditions (arena.c:117-134), integer overflows in allocation checks (156-166), missing bounds validation in aligned allocs (283-300). memory is never freed back to os in most paths, just accumulates until oom. "arena-based memory management" is broken claims "complete dns resolver with dnssec".. grep -r "DNSSEC" returns nothing. no dnssec validation exists. dns has no source port randomization, vulnerable to cache poisoning. no rebinding protection, no rate limiting compiler flags are INSANE: -wno-return-type, -wno-error=return-type, -fno-strict-aliasing, -wno-implicit-int. literally suppressing critical warnings to hide undefined behavior. no stack protector, no fortify source, no relro, no pie. basically zero security hardening websocket mask keys use weak prng (socketws-frame.c:38), violates rfc 6455. http/2 has no hpack bomb protection, unbounded header decompression is classic dos. no stream id exhaustion handling, no flow control validation, priority tree manipulation unchecked tls implementation skips ocsp stapling verification, missing hostname verification in multiple paths, no downgrade protection. ssl_secure_clear_buf gets optimized away by compiler. thread-local exception stack has zero synchronization, thats literal undefined behavior in c11 io_uring uses sqpoll without capability checks (socketpoll_uring.c:149), buffer registration has no bounds checking, submission queue overflow unhandled, multishot poll races everywhere claims "zero dependencies except openssl" but requires liburing, zlib, brotli, pthread. claims "all custom. no libcurl. no libuv" while using multiple external libs readme says "http/3 + quic (in progress)".. it's just string constants, no implementation. "simple api layer" mentioned but doesn't exist. "fuzz harnesses" claimed - zero fuzz files in repo. "examples folder (30+ demo programs)" but no examples directory exists. "unit/integration test suite" but no tests found lack of input validation: no url validation, header injection vulns, integer overflows in size calcs, no bounds checking on user inputs. curl_main.c:249-260 header validation incomplete this isn't "hand-rolled from scratch", it's false advertising. executable stack alone makes it unsuitable for any use. 8 critical vulns, 4 high severity, multiple memory corruption bugs, broken protocol implementations, and straight up lies about features the readme claims "the code shown is battle-tested" while having zero tests. "passes full test suite" that doesn't exist. "fuzzed (not full coverage)" with no fuzz harnesses i would also like to add that @tetsuoai and @dreamworks2050 claim that me and laurie were acting in bad faith with "unreleased code": the code was public when both of us posted the tweet. shortly after the gist got deleted along all the other tweets he posted arguing with us about this. don't twist the situation. before you tell me to just submit issues and PRs instead of posting this: i took the time to make this review because i am sincerely upset and do not accept getting slandered like this for just criticizing false claims. i will not spend more time fixing a vibe-coded codebase that is falsely advertised. i don't care/mind that this is vibecoded, my problem is that this is falsely advertised to a following base of over 200k people who will not take their time to do their due dilligence like i did. i do not feel okay with you and your team claiming that i posted that code review "for engagement" thank you, if you truly care about making this good then look at the issues i mentioned and fix them, if you're just doing this for engagement then so be it finally, before you claim that you don't have me blocked, you keep blocking me and unblocking me, conveniently you blocked me again right after you released that repo, i wonder why

@vmfunc Oh, also not sending URLs in the correct format.

@vmfunc Some additional issues are a completely broken SOCKS 5 implementation, not following HTTP/1.1 proxying conventions and occasionally just not parsing bodies. My only OSS PRs have been to improve proxying in big libraries but he's a ragebaiting scammer not worthy of the time.

@mebeim @alexgrenier I already see issues with his proxying. Doubt he tested it at all.

@alexgrenier @dye_dev That shit has been AI generated as well LMFAO. "Still under development" and "battle-tested" in the same sentence 😭

Amazing slop man! Can't even properly perform an empty POST request. It does a GET instead and somehow fails to read the response.

@alexgrenier @mebeim If they weren't functional, I didn't brag to the world about them replacing real software that actually works.

@dye_dev @mebeim You're actually retarded, I'm sure none of your code bases were anything close to functional on first commit.

@alexgrenier @mebeim This isn't an engineering issue. He fell at the first hurdle, he didnt even need some of HTTP/1s edge cases to trip him up.

@mebeim Yeah I'm sure if we go to your own repos and look at your first commits they're all engineering perfect 😂

@vmfunc Anyone whos ever implemented http/1.1 would know you can't do that in 470 lines. Let alone h2 and tls. Crazy so many people fell for this.

the grok curl drama is funny but everyone's focused on the wrong thing yes the cli flags are lies. but look at the library api signatures: http_post(url, content_type, data, len, resp) http_delete(url, resp) there's no headers parameter. ur "200k line socket library" literally cannot pass custom headers on POST/PUT/DELETE. this isn't fixable without rewriting the library api also -I does a full GET and drops the body instead of actual HEAD. binary output gets corrupted with appended newlines. response "headers" are reconstructed fakes that hardcode HTTP/1.1 those 470 lines are bad but they're a symptom because your "crazy ai generated low level lib" is architecturally broken

Had our intern build this when we needed a comprehensive list but couldn't find one. He's done a pretty good job imo.

@LukasHozda Same with python. Had a python service taking ~1.5 seconds to process 50k logs. Used py03 to do the processing in Rust. Processing took <0.1 seconds but transferring logs between rust and python took 9 seconds.

Most important: > On the technical side, the communication layer between Rust and the JavaScript runtime is much slower than doing things in plain JavaScript, plus it creates additional dependencies on the runtime Same reason why people avoid FFI in Go, it adds insane overhead

Not quite sure I belong given that the other guests are the creators of cURL, Tokio and Hyper but I'm happy to have been featured on the Netstack podcast. The final 20 minutes about TCP/IP fingerprinting are particularly interesting, IMO.

@_filtra Really good episode, much prefer the podcast format.

Parallel is the company you end up with when a bunch of former SpaceX Engineers turn their attention to railroading. We talked to their Director of Engineering all about it on the last episode of our podcast. Just one spoiler though… They love the Rust language! Link below 👇

@justalexoki Think its working lads

this is genuinely the worst advice i have ever read in my entire life. this guy is 100% a virgin

Golang HTTP/2 is fucking dreadful. Running into issues at 6k requests per second, even with 40 threads only @ 50%. Meanwhile, on the same server, at the same time, doing the same load, Rust's Hyper is chilling. Staying late in the office to help fix Go code is not it.

@stikves @charliermarsh The developers of those projects evaluated costs and benefits and decided Rust would benefit them. If users are unhappy, they should either become contributors to have a say in those discussions or use something else. But there's no agenda and its dumb as fuck to say there is.

@dye_dev @charliermarsh Git? Ubuntu? recently Debian APK? And the attitude is roughly: "If you cannot somehow have a working Rust ecosystem -- in other words port LLVM -- to your architecture, we will delete your code soon"

There are plenty of valid things to critique about Rust but the anti-Rust takes I see on this site are so weird and lowbrow. Totally detached from what it's actually like to write Rust day-in day-out (and why it's been so successful).

@stikves @charliermarsh Where is it forced upon anybody? Maybe people got a little over eager with saying RIIR, but nobody got forced to do anything.

To be fair most criticism is not technical, but a valid backlash of how Rust is forced upon existing established projects in other languages. Rust by itself is a nice language. The syntax might be debatable, but has some good ideas. Nevertheless, most people do not want to be subject to another language while working on their existing projects (or worse lose access to it)