Replying to @YuvrajS9886
Yikes, this looks good. How long did it take you to build a framework around ML checkpoints, and was there inspiration for using BitTorrent? Like, you could have streamed changes to other servers using consensus, I believe, simply with HTTP/2 ... would love to hear your thoughts.
The documentation is subtly out of date, so lots of small things need fixing, nginx http2 and the like. Whether SELinux permission settings are needed is also unclear. Since it's Silverblue, root ends up at /usr/share and so on. Where and how it's getting stuck is a mess.
Jun 13
There's a new exploit you need to know about if you manage servers: the HTTP/2 Bomb. The gist: one ordinary client (a home computer on 100 Mbps) can take your server down in a matter of seconds. How? By abusing a standard HTTP/2 feature, HPACK header compression. 1 byte on the wire becomes 1 full header allocation on the server. Thousands of times per request. Then the connection is held open, so the memory is never freed. Result: 32 GB of memory exhausted in 20 seconds. From a single connection. Affected: NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora. Basically every major web server. The scary part: the exploit was found by OpenAI Codex, not a human, by chaining two old techniques (HPACK bomb, Slowloris). AI found a vuln that humans missed.

Patch status:
- NGINX → upgrade to 1.29.8 (adds a max_headers directive, default 1000). If you can't upgrade yet, `http2 off;`
- Apache HTTPD → mod_http2 v2.0.41. If not yet, `Protocols http/1.1`
- IIS, Envoy, Cloudflare Pingora → NO PATCH YET.

If you run NGINX or Apache, patch now. If you run IIS/Envoy/Pingora, good luck; for now, turn off HTTP/2 if you can. Source: thehackernews.com/2026/06/ne…
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4.
Replying to @404m_com @zero_B_S
I suspect this http2 bomb has been out in the wild for a while; I observed this behaviour on a proxy sometime around 11/2025 on Apache. Nothing suspicious in the logs that would point to a classic DDoS, but the held-open connections were visible via mod_status.
i debugged sandbox command latency and reliability at high rollout concurrency and found the perf issues were attributable to the python client, not the underlying sandbox infra. the default client implementation in the agent framework used one origin per sandbox with a default low keepalive connection limit (far fewer than max connections). httpcore eagerly reaped connections before reuse to respect keepalive, so in-flight requests failed with spurious disconnects. an upstream fix migrated the client to using a single origin instead of per sandbox origins. this solves the reaping problem since there are far fewer connections, but introduces queuing. on http2 every request multiplexes over the same connection, so once concurrent requests exceed max_concurrent_streams, they queue. this manifests as tail sandbox tti/command latency. switching to http1 addresses queuing related tail latency since each request gets its own connection, but the client doesn’t expose a configurable transport, so we have no choice but to monkeypatch. also, the agent framework integration didn’t correctly subscribe to exit code events and instead only checked for command completion on receiving stdout or a fixed 10 second yield timeout. since the exit code usually lands a few ms after the final stdout write, the exit code check races and loses, and fast commands that should exit in less than a second appear to take 10 seconds. this can add minutes to long multi-step rollouts that round trip to the sandbox for each env interaction. this debugging session was a nice reminder that a lot of rl infra is boring old fashioned software engineering.
Jun 11
moqt and http2 alike: no matter how many bugs I squash, more keep turning up ... Nothing for it but to keep grinding.
I was told "the http2 connection is failing", so an engineer and someone from infra each investigated separately using codex, and it was interesting how the depth of the investigation differed depending on who was using it. I didn't read the server code, but I isolated the cause and even produced a sample fix, then wrapped up with "the rest is up to you…".
🚨 HIGH SEVERITY: CVE-2026-10725 (CVSS 7.5) Protocol::HTTP2 for Perl <1.13 vulnerable to HTTP/2 Bomb attacks. Small requests can expand into massive memory consumption causing DoS. ✅ Update to v1.13 immediately #CVE #Vulnerability #PatchNow
secret http2bomb patch: disable http2 | already implemented by @brenden_stahle
Replying to @chacon
Same disease here, different target. I'm building toward zk/E2EE Git, so the primitives come first and they need to stay flexible on IDs and hash algorithms. Most of the validation was command-by-command against stock Git, with integration and e2e tests, not just nice-looking unit coverage. Current state: 100% on the command baseline I'm targeting, 1,520 tests in the active core/CLI slice. Improving memory and performance; some operations are still slow, 20-100%. But most, like commit, status, diff, push, are 20-50% faster. Also added an http client to support http2/3. No Windows proof yet 🥲
some aspects have been an improvement tho. the p2p layer, the consensus mechanism (even when they were pow), the functionality (evm vs Script). it's like going from http1.1 to http2 - at least when viewed from afar. ethereum devs did benefit from bitcoin's lessons, but they built ethereum from the ground up. other than basic crypto primitives, they share no code.
Jun 10
Looks like I can finally do the official release of http2-rs soon. It was incredibly hard ... nghttp2 helped enormously (e2e tests).
🪟 MaxHeadersCount for HTTP/2 and HTTP/3 in HTTP.sys = Microsoft finally admits “one weird header” can be an attack surface. Great—now admins can choke abusive requests before IIS even sweats. #Windows #Microsoft #IIS #HTTP2 #HTTP3 #Security windowsforum.com/threads/max… #WindowsServer
Replying to @Tawakkalah13_10
Yep, latency is request to response time while throughput is how much data you can move. You can lower latency without raising throughput by cutting round trips, shrinking payloads, caching, and reusing connections. HTTP2 and CDNs help some paths, not the speed of light.
I had an AI explain the http2/BOMB attack everyone is talking about right now and it was super clear ✨ Basically, you send tiny pieces of data split into lots of small chunks to eat up the memory, and at the same time you say the client's data-processing capacity is full so the server can't free the memory either. So clear…
Jun 8
Oh, time to preorder! I opened Yodobashi (yodobashi.com) and it was down with something like an HTTP2 error. Is it related to that "HTTP/2 Bomb" thing, or just a rush of preorders for something? Was there a way to force an HTTP/1.1 connection…? (Writing this down so I don't forget to preorder later.)

My book 『検索システム』 (Search Systems) is now open for preorder 🎉 From inverted indexes all the way to LLMs, it covers everything about search systems! It is useful for a wide range of readers, from those who want to understand how search works to those who want to improve the accuracy of their RAG and LLM apps! Please pick up a copy! Amazon: amazon.co.jp/dp/4065429714/
Replying to @Aaronontheweb
With http2, do you just use the transport as effectively a tcp stream, or retain req/resp semantics? In that case, isn't the delta / status update overhead kinda annoying? If the former, why not a naked tcp stream or messages over wss; why http as transport?
Perl CPAN CVE-2026-10725: Protocol::HTTP2 through 1.12 is vulnerable to a HTTP/2 Bomb openwall.com/lists/oss-secur…

HTTP/2 Bomb affects nginx, Apache httpd, Envoy, Cloudflare Pingora openwall.com/lists/oss-secur… Fixed in nginx 1.29.8, mod_http2 2.0.41 "when five independent implementations all read that section and still ship the same class of bug, the defect is in the spec"
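The HPACK expansion that the HTTP/2 Bomb posts above describe (one byte on the wire turning into a full header allocation on the server, with the fixes being a cap on header count in nginx and mod_http2) can be modelled in a few lines. The following is an added example, not code from any of the posts or from the affected servers: the static-table subset is a constructed excerpt of RFC 7541 Appendix A, the sample header block is constructed, and the `max_headers` / `max_header_list_size` parameter names are assumptions chosen to mirror the nginx directive mentioned above and the HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE setting, not any server's real API. It shows the amplification ratio of an all-indexed header block and why the cap must be enforced before the field is materialised.

```python
"""Toy model of HPACK indexed-field expansion and the caps that bound it.

Added example, not code from any post above.  Constructed subset of the
RFC 7541 static table; the cap parameter names are assumptions.
"""

# Constructed excerpt of the RFC 7541 Appendix A static table: index -> (name, value).
STATIC_TABLE = {
    1: (":authority", ""),
    2: (":method", "GET"),
    3: (":method", "POST"),
    4: (":path", "/"),
    5: (":path", "/index.html"),
    6: (":scheme", "http"),
    7: (":scheme", "https"),
    8: (":status", "200"),
}

# RFC 7541 section 4.1: a field is charged name length + value length + 32 octets.
ENTRY_OVERHEAD = 32


class HeaderListTooLarge(Exception):
    """Raised when a decoded header list would exceed a configured cap."""


def field_size(name: str, value: str) -> int:
    """Uncompressed octets a decoder is charged for one header field."""
    return len(name) + len(value) + ENTRY_OVERHEAD


def decode_indexed_fields(block: bytes, max_headers=None, max_header_list_size=None):
    """Decode a header block made only of indexed representations (1xxxxxxx).

    Each one-byte index is replaced by the full (name, value) pair from the
    table, which is where the amplification comes from.  Both caps are checked
    before the field is appended, so an oversized block is rejected with
    bounded memory rather than after everything has been allocated.
    Returns (fields, uncompressed_size_in_octets).
    """
    fields = []
    total = 0
    for byte in block:
        if not byte & 0x80:
            raise ValueError("toy decoder only handles indexed representations")
        index = byte & 0x7F
        if index not in STATIC_TABLE:
            raise ValueError(f"index {index} not in the toy static table")
        name, value = STATIC_TABLE[index]
        size = field_size(name, value)
        if max_headers is not None and len(fields) >= max_headers:
            raise HeaderListTooLarge(f"more than {max_headers} header fields")
        if max_header_list_size is not None and total + size > max_header_list_size:
            raise HeaderListTooLarge(f"header list would exceed {max_header_list_size} octets")
        fields.append((name, value))
        total += size
    return fields, total


def amplification_ratio(block: bytes) -> float:
    """Uncompressed octets the decoder must hold per octet received."""
    _, total = decode_indexed_fields(block)
    return total / len(block)


def is_rejected(block: bytes, **caps) -> bool:
    """True if decoding with the given caps trips one of them."""
    try:
        decode_indexed_fields(block, **caps)
    except HeaderListTooLarge:
        return True
    return False


# Constructed sample: 1000 copies of 0x85, i.e. index 5 = (":path", "/index.html").
SAMPLE_BLOCK = bytes([0x85]) * 1000


if __name__ == "__main__":
    fields, octets = decode_indexed_fields(SAMPLE_BLOCK)
    print(f"{len(SAMPLE_BLOCK)} wire bytes -> {len(fields)} fields, {octets} octets "
          f"({amplification_ratio(SAMPLE_BLOCK):.0f}x)")
    print("rejected with max_headers=100:", is_rejected(SAMPLE_BLOCK, max_headers=100))
    print("rejected with max_header_list_size=8192:",
          is_rejected(SAMPLE_BLOCK, max_header_list_size=8192))
```

Each 0x85 byte costs the decoder 5 + 11 + 32 = 48 octets, so the 1000-byte block expands 48x; a header-count cap or a header-list-size cap stops the loop long before the block is fully materialised, which is the property the nginx and mod_http2 fixes quoted above rely on. A real decoder also has to handle literal fields and the dynamic table, which this toy omits.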