evil-olive, 7 hours ago:

RustFS is the poster child in my mind for the worst kind of vibe-coded slop. it might be "simple" but it's not something I would ever trust with persistent data. last year they had a security vulnerability where they allowed a hardcoded "rustfs rpc" token to bypass all authentication [0] and even worse, if you read the resulting reddit thread [1] someone tracked down the culprit commits - it was introduced in July [2] and not even reviewed by another human before being merged. then the fix 6 months later [3] mentions fixing a different security vulnerability, and seemingly only fixed the hardcoded token vulnerability by accident. that PR was also only reviewed by an LLM, not a human.

0: https://github.com/rustfs/rustfs/security/advisories/GHSA-h9...
1: https://www.reddit.com/r/selfhosted/comments/1q432iz/update_...
nikeee, 7 hours ago:

I am building an S3 client [1] where I have a test matrix that tests against common S3 implementations, including RustFS. That test matrix uncovered that post policies were only checked for existence and a valid signature, not if the request actually conforms to the signed policy. That was an arbitrary object write resulting in CVE-2026-27607 [2]. In the very first issue for this bug [3], it seemed that the authors of the S3 implementation didn't know the difference between the content-length of GetObject and content-length-range of a PostObject. That was kind of a bummer and leads me to advise all my friends not to use rustfs, though I like what they are doing in principle (building a Minio alternative).

[1]: https://github.com/nikeee/lean-s3
[2]: https://github.com/rustfs/rustfs/security/advisories/GHSA-w5...
[3]: https://github.com/rustfs/rustfs/issues/984
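As an added illustration of the bug class nikeee describes (this is example code written for this thread, not code from RustFS, lean-s3 or any commenter), the block below shows what a server must do with a presigned POST beyond checking the policy's signature: it decodes the signed policy, rejects an expired one, evaluates every condition (exact match, `starts-with`, `content-length-range`) against the submitted form fields and the actual body size, and refuses form fields that no condition covers. The credentials, bucket, keys and dates are constructed values.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed credentials and region; not real keys and not taken from any project.
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
ACCESS_KEY = "AKIAEXAMPLE"
REGION, SERVICE = "us-east-1", "s3"
# Form fields that may appear without a matching policy condition.
UNCONDITIONED_FIELDS = {"file", "policy", "x-amz-signature"}


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    k = ("AWS4" + secret).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def sign_policy(policy_b64: str, secret: str, date_stamp: str) -> str:
    """POST policy signature: hex HMAC-SHA256 of the base64 policy string."""
    key = signing_key(secret, date_stamp, REGION, SERVICE)
    return hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()


def condition_holds(cond, fields: dict, body_len: int) -> bool:
    """Evaluate one policy condition against the submitted form and body size."""
    if isinstance(cond, dict):                        # {"bucket": "demo"}: exact match
        (name, expected), = cond.items()
        return fields.get(name) == expected
    op, *args = cond
    if op == "content-length-range":                  # applies to the uploaded body
        lo, hi = int(args[0]), int(args[1])
        return lo <= body_len <= hi
    field, expected = args[0].lstrip("$"), args[1]
    actual = fields.get(field)
    if actual is None:
        return False
    if op == "eq":
        return actual == expected
    if op == "starts-with":
        return actual.startswith(expected)
    return False                                      # unknown operator: fail closed


def conditioned_fields(conditions) -> set:
    """Names of form fields that at least one condition constrains."""
    names = set()
    for cond in conditions:
        if isinstance(cond, dict):
            names.update(cond.keys())
        elif cond[0] in ("eq", "starts-with"):
            names.add(cond[1].lstrip("$"))
    return names


def verify_post(fields: dict, body: bytes, secret: str, now: datetime):
    """Server-side acceptance check: signature, expiry, conditions, uncovered fields."""
    policy_b64 = fields.get("policy", "")
    date_stamp = fields.get("x-amz-date", "")[:8]
    expected_sig = sign_policy(policy_b64, secret, date_stamp)
    if not hmac.compare_digest(expected_sig, fields.get("x-amz-signature", "")):
        return False, "bad signature"
    policy = json.loads(base64.b64decode(policy_b64))
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if now >= expires.replace(tzinfo=timezone.utc):
        return False, "policy expired"
    for cond in policy["conditions"]:                 # the step a signature-only check skips
        if not condition_holds(cond, fields, len(body)):
            return False, f"condition failed: {cond}"
    covered = conditioned_fields(policy["conditions"])
    for name in fields:
        if name not in UNCONDITIONED_FIELDS and not name.startswith("x-ignore-") and name not in covered:
            return False, f"uncovered field: {name}"
    return True, "ok"


def make_request(key: str, body: bytes, secret: str = SECRET_KEY):
    """Constructed client side: a policy limited to uploads/* under 1 KiB, signed once."""
    date_stamp = "20260101"
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    policy = {
        "expiration": "2026-01-02T00:00:00Z",
        "conditions": [
            {"bucket": "demo"},
            ["starts-with", "$key", "uploads/"],
            ["content-length-range", 0, 1024],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": date_stamp + "T000000Z"},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    fields = {
        "bucket": "demo", "key": key,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": date_stamp + "T000000Z",
        "policy": policy_b64,
        "x-amz-signature": sign_policy(policy_b64, secret, date_stamp),
    }
    return fields, body
```

The two requests worth comparing are `make_request("uploads/a.txt", b"hello")` and `make_request("other/a.txt", b"hello")`: both carry a valid signature, so a server that stops after the signature check accepts both, while `verify_post` accepts only the first. The same holds for a body larger than the `content-length-range` upper bound, which is the distinction between a response's content-length and a policy's content-length-range that the comment refers to.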
PunchyHamster, 7 hours ago:

I recently submitted a bug about how their own docs tell you to:
* create a rustfs user
* run rustfs from root via systemd, but with a bunch of privileges removed
* write logs into /var/logs/ instead of /var/log
Looks like someone told some LLM to make docs about running it as a service and never looked at the output.
rezonant, 7 hours ago:

Ah, progress!