Hiawatha weblog
Hiawatha performance
An independent researcher (SaltwaterC) has done a performance test on several PHP frameworks / CMSes and webservers, including Hiawatha. Although speed was never my highest priority while developing Hiawatha, I always did my best to make Hiawatha fast. And according to the results of this research, Hiawatha is doing quite well in terms of speed and performance.
The results of this research can be found in this document: PHP_web_serving_study.pdf.
Me developing Hiawatha
Ever wondered what it's like to develop a webserver? Just take a look at this picture of me while I'm working on Hiawatha and you'll have an idea. Did you notice the serious look on my face? I'm probably working on something difficult... very difficult.
Hiawatha on Haiku
The second alpha of the Haiku OS has been released. I downloaded a VM image on my MacBook Pro and tried compiling and installing Hiawatha on it. I had to do some little tricks to get it done, but I managed to get Hiawatha up and running on Haiku!
These are the things I did after downloading and unzipping the Hiawatha 7.2 source tarball:
- # cp /boot/common/share/libtool/config/config.* .
- Add '#include <sys/time.h>' to cgi.c.
- Add '#include <arpa/inet.h>' to libip.c.
- # ./configure --disable-ssl --disable-xslt --disable-monitor --prefix=/boot/home/hiawatha
- Edit Makefile and add '-lnetwork' to 'LIBS = ' on line 173.
- # make && make install
- # mkdir -p /boot/home/hiawatha/var/lib
If everything went well, Hiawatha is now installed in /boot/home/hiawatha. I had to disable SSL and XSLT support, because the required OpenSSL and XML/XSLT libraries were not present in the VM image. I have no idea yet if they are available as a package or something. But for an initial test it's not relevant, so I disabled those functionalities.
After starting Hiawatha, I pointed my browser to the IP address of the VM and there I saw Hiawatha's 'Congratulations' web page. I will do some more research in order to make Hiawatha 7.3 compile under Haiku without any tricks or code changing.
Security audit
A Hiawatha user has performed a security audit on the Hiawatha source code. In his opinion, 'Hiawatha seems to be doing a great job as far as secure coding'. So, that's something to be proud of. Nevertheless, there were several findings.
Many of those findings concern the usage of strcpy(). I don't agree with the security auditor that it's better to replace all strcpy()'s with strncpy() or strlcpy(). Those functions need the length of the destination buffer as a parameter. If you already know the length of the destination buffer, you can check if the source string will fit in the destination buffer. If it won't fit, you shouldn't start copying, unless you have a good reason to truncate the source string. In my opinion, the best way to safely copy strings is to make sure there is enough space in the destination buffer. Which is what I do throughout the entire Hiawatha code.
Other findings were two array indexing issues and a few memory leaks. All of them would only occur in exceptional situations, so there's nothing to worry about for the current version of Hiawatha. Nevertheless, even a very small security bug is still a security bug, so they have been fixed. Those fixes will be available in Hiawatha 7.3.
I will contact the security auditor and see what more he's willing to do to further improve Hiawatha's security.
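The check-before-copy approach argued for in the strcpy() paragraph above, next to what strncpy() does with the same oversized input. This is an added example, not code from Hiawatha or from the audit; the helper names `copy_if_fits` and `strncpy_terminates` and the sample strings are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Hiawatha code): copy src into dst only when the
 * whole string, including its terminating NUL, fits in dst_size bytes.
 * Returns 0 on success, -1 when the copy is refused; dst is untouched then. */
int copy_if_fits(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size)        /* no room for len bytes plus the NUL */
        return -1;
    memcpy(dst, src, len + 1);  /* length was verified above */
    return 0;
}

/* What a blind strncpy() replacement does with an oversized source: it fills
 * dst completely and writes no terminator. Returns 1 if dst ended up
 * NUL-terminated within dst_size bytes, 0 if not. */
int strncpy_terminates(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

int main(void)
{
    char buf[8];
    const char *path = "/var/www/index.html"; /* constructed sample input */

    if (copy_if_fits(buf, sizeof(buf), path) == -1)
        printf("refused: %zu bytes do not fit in %zu\n",
               strlen(path) + 1, sizeof(buf));
    if (!strncpy_terminates(buf, sizeof(buf), path))
        printf("strncpy: buffer filled, truncated, no terminator\n");
    if (copy_if_fits(buf, sizeof(buf), "/index") == 0)
        printf("copied: %s\n", buf);
    return 0;
}
```

The refused copy leaves the caller with an explicit error to handle, while the strncpy() call silently produces a truncated, unterminated buffer.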
The future of Hiawatha
Although I'm working on the next release of Hiawatha, I think I ran out of ideas for new features to implement in Hiawatha. I believe Hiawatha has everything a modern webserver needs. The list of features that Apache has is much longer than Hiawatha's feature list, but for many of them, I totally disagree that such a feature should be implemented in a webserver instead of a web application.
Another reason to give Hiawatha less priority in my life is that after many years of trying to make Hiawatha more known, I found out that people simply stick to the webserver they know. No matter if that webserver is the best choice for what they need. I will keep on developing Hiawatha, but I will mainly focus on features that I and some friends of mine want in Hiawatha.
After 7.2 has been released, I will be focusing more on another project of mine: the Banshee PHP framework. I'm working on new features and writing some proper documentation. I'm also thinking about making a dedicated website for Banshee.

