1. 41

The last paragraph is great :)

  1.  

  2. 34

    It’s a hipster-free

    This may just be the most hipster thing I’ve seen since COBOL on Cogs

    1. 6

      COBOL on Wheelchair also exists.

      1. 5

        do not forget bash on balls: https://github.com/jneen/balls

      2. 22

        just hope you don’t have to do any string manipulation :)

        1. 13

          This. I have a good amount of experience writing C code and maintaining larger C applications, and C can be a real pain to deal with. Not to mention that it exposes a whole host of nasty security vulnerabilities. Finally, it seems a bit too low-level for these kinds of applications. I’m very confused by the choice of C here.

          1. 3

            I’m guessing it’s because C is the main API for SQLite? I do agree that C is an interesting choice here, maybe something more like Lua?

          2. 4

            I agree. Writing secure C is hard. Sure, you can pledge your way out of it, but that doesn’t help if sensitive data is stolen. But what would be a reasonable alternative? Rust is probably too complex a language for the taste of OpenBSDers. Go?

            1. 2

              > you can pledge your way out of it,

              You can’t. Their kernel and firmware still process network-facing data. It might still do damage. How much is an unknown until the setup gets the kind of rigorous pentesting we see on Windows, Chrome, the SFI schemes, and recently x86 CPUs. It does have a nice security by obscurity benefit on top of methods that provably increase work for attackers.

            2. 1

              There’s no string manipulation in HTTP servers, right?

              Right?

            3. 6

              This is your code. Read it: it’s exactly what’s going to happen. No mysticism.

              if (-1 == pledge("stdio", NULL))

              1. 4

                It bears noting that the OpenBSD project’s man page viewer is actually a CGI program written in C.

                1. 4

                  It’s fast, too. I wonder if it would be faster if they did something really hardcore like write it in a language that’s less tame. Like this.

                2. 4

                  This isn’t even a funny joke.

                  1. 1

                    Are there any benchmarks for this?

                    1. 2

                      Only thing I see is the performance graph on the author’s page here: https://kristaps.bsd.lv/kcgi/

                      1. 1

                        I’ve long wanted to update these with some good measurements against, say, PHP. (And on OpenBSD, too.) It’s important to have a solid measure of the performance trade-off between CGI with a compiled binary and the FastCGI clones (Python’s, PHP’s, etc.) alongside the security benefits of ephemeral processes.

                        1. 1

                          Wow. Thanks for that.

                          15msec response sounds like an eternity. My server responds in micros over loopback, so what’s going on?

                          Is there an easy way to test this?