> It's similar to saying that Linux could not have become a serious project because of the way Linus communicated in his emails.
Linus being rude was actually contributing for Linux becoming a serious project. Because that changed the quality of the code and the seriousness of the contributions. If you were sloppy or did not do good job, Linus became rude. So there is a correlation, and this is an excellent demonstration how it goes to opposite direction. Whether it was professional or not, it correlated for the quality of the project. For that reason, it is not ad hominem.
> This is false, it was done many months before (Nov 20 2025). There is some irony in your comment being in reply to a thread about verifying claims before posting them...
There is no evidence for this. It is integration PR to support fuzzing with one tool. The public repository does not have CI pipeline for it. Fuzzing is done privately somewhere, and the first linked issues are around April.
I agree that ""an outright fabrication" is a bit too much.
But also the claims about the fuzzing in the original blog post are kinda too misleading. Fuzzing harness is basically just coverage-guided random bytes towards Bun's JS APIs and it will not really catch anything in depth from the code. Just the most obvious from the surface. And 24/7 fuzzing is introduced likely around the same time when Rust rewrite seemed to be main focus, as then the first issues were created. Current fuzzing does not give much trust about the code stability, but indeed the fuzzing has been started and likely improves in the future if someone puts some work for the harness.
> Countering the accusation of "an outright fabrication" on the other hand is worthwhile because it's a claim that can be countered.
Hmm, fuzzing integration was merged 8 months ago. First found bug mentioned 3 months ago. Bun is 4 years old. I think both arguments can be true at the same time based on this evidence. It is entirely possible that for more than 3 years team has said that no fuzzing was done, and the first fuzzing was done just 3 months ago, and this information did not travel.
> Type checking and lifetime ownership eliminate some, but not all of them.
They actually remove certain classes completely. E.g. lifetime ownership in Rust removes all bugs related to the reason why it is in the code syntax (a.k.a. lifetime markers remove use-after-free completely in Rust.)
Can you criticize a project which is mainly contributed and managed by one person without criticizing the same person who does the decisions that cause criticisms?
> Most extensive test suites are exactly production scars: every time you have a bug or a regression, you write a test that confirms correct behaviour.
If you can be 100% guaranteed that there indeed is a test for every occurred bug. Sometimes maintainers are not so strict about it.
And some programmers are so good that some issues are self-explanatory and they write good code to note a thing but don't write a test, because implementing the test is more expensive.
> - No LTS support for the Zig version regarding CVEs etc.
Every release would have tons of CVEs and would take so much effort. E.g. the example from blog with memory issues. Better just think that Zig version was not there what comes to security. Use at your own risk.
> Jarred basically keeps operating as if he was a lone hacker working on his personal project.
They have right to do it, however. It is expected, especially if company owns it.
> The second is the Apple style on-device CSAM scanner?
This is exactly what has been proposed. E.g. WhatsApp has a piece of code that scans images and texts before sending. After that, they are "encrypted".
Rolling auth by yourself is very messy. Storing tokens correctly, rotating and using correct tokens, with correct parameters and so on. Endless footguns.
> A lot of these US vendors have data centers in the EU operating under EU law via legal entities in the EU.
Didn’t even Microsoft say that they can’t guarantee that they can follow these laws? Because the US laws take over. So, legal entities are just some smoke screen. They don’t help if the US government wants access to something.
Based on what has been already going on there, not even surprised anymore.