| ▲ | dkyc 2 hours ago |
| One thing to keep in mind when judging what's 'appropriate' is that Cloudflare was effectively responding to an ongoing security incident outside of their control (the React Server RCE vulnerability). Part of Cloudlfare's value proposition is being quick to react to such threats. That changes the equation a bit: any hour you wait longer to deploy, your customers are actively getting hacked through a known high-severity vulnerability. In this case it's not just a matter of 'hold back for another day to make sure it's done right', like when adding a new feature to a normal SaaS application. In Cloudflare's case moving slower also comes with a real cost. That isn't to say it didn't work out badly this time, just that the calculation is a bit different. |
|
| ▲ | flaminHotSpeedo 2 hours ago | parent | next [-] |
| To clarify, I'm not trying to imply that I definitely wouldn't have made the same decision, or that cowboy decisions aren't ever the right call. However, this preliminary report doesn't really justify the decision to use the same deployment system responsible for the 11/18 outage. Deployment safety should have been the focus of this report, not the technical details. My question that I want answered isn't "are there bugs in Cloudflare's systems" it's "has Cloudflare learned from it's recent mistakes to respond appropriately to events" |
| |
| ▲ | vlovich123 an hour ago | parent [-] | | > doesn't really justify the decision to use the same deployment system responsible for the 11/18 outage There’s no other deployment system available. There’s a single system for config deployment and it’s all that was available as they haven’t yet done the progressive roll out implementation yet. | | |
| ▲ | edoceo 24 minutes ago | parent [-] | | Ok. Sure But shouldn't they have some beta/staging/test area they could deploy to, run tests for an hour then do the global blast? |
|
|
|
| ▲ | Already__Taken 2 hours ago | parent | prev | next [-] |
| the cve isn't a zero day though how come cloudflare werent at the table for early disclosure? |
| |
| ▲ | flaminHotSpeedo 2 hours ago | parent [-] | | Do you have a public source about an embargo period for this one? I wasn't able to find one | | |
| ▲ | charcircuit an hour ago | parent | next [-] | | Considering there were patched libraries at the time of disclosure, those libraries' authors must have been informed ahead of time. | |
| ▲ | Pharaoh2 an hour ago | parent | prev [-] | | https://react.dev/blog/2025/12/03/critical-security-vulnerab... Privately Disclosed: Nov 29
Fix pushed: Dec 1
Publicly disclosed: Dec 3 | | |
| ▲ | drysart an hour ago | parent [-] | | Then even in the worst case scenario, they were addressing this issue two days after it was publicly disclosed. So this wasn't a "rush to fix the zero day ASAP" scenario, which makes it harder to justify ignoring errors that started occuring in a small scale rollout. |
|
|
|
|
| ▲ | udev4096 2 hours ago | parent | prev [-] |
| Clownflare did what it does best, mess up and break everything. It will keep happening again and again |
| |
| ▲ | toomuchtodo 2 hours ago | parent [-] | | Indeed, but it is what it is. Cloudflare comes out of my budget, and even with downtime, its better than not paying them. Do I want to deal with what Cloudflare offers? I do not, I have higher value work to focus on. I want to pay someone else to deal with this, and just like when cloud providers are down, it'll be back up eventually. Grab a coffee or beer and hang; we aren't savings lives, we're just building websites. This is not laziness or nihilism, but simply being rational and pragmatic. |
|
