Here are two messages from Hugo Leisink (Hiawatha developer). You'll note that the first has a newer date than the later one; that's because I deleted it, and I asked Hugo to send it to me again :P
Thought that his words could be useful.

Greetings.

---------- Forwarded message ----------
From: Hugo Leisink <[EMAIL PROTECTED]>
Date: Dec 7, 2007 10:02 AM
Subject: Re: Hiawatha
To: Andris <[EMAIL PROTECTED]>

Andris wrote:
> Could you please send your first e-mail to me again? I forgot to save
> it to forward it later :P
>
> Greetings.
>

Sure, here it is:

Hi Andres,

I saw your post about Hiawatha in OpenBSD. I'd like to respond to the remarks about "Hiawatha's source code is free of security-bugs" on the Hiawatha website.

First of all, you have to take a look at the webserver market. You use Apache, IIS, Lighttpd or you don't use anything at all. If you want people to use your software, you have to 'beat Goliath'. People use Apache, because everybody else does, even when Apache is the worse fit for their purposes. I think Hiawatha has become a really good webserver. It's faster than Apache, is more secure than Apache and definitely easier to configure than Apache. But people don't use it because 'it ain't Apache'. So, to draw people's attention and to make them at least try Hiawatha once, I have to make 'dangerous' statements like 'free of security bugs'.

Second, the responses to your message are typical for the OpenBSD community. It's like they own the word 'security'. Only OpenBSD is secure, the rest is not. But I guess I don't have to remind you about http://pwnie-awards.org/winners.html#lamestvendor

Yes, Hiawatha has had bugs too. And guess what, Hiawatha will have bugs in the future. But none of the found bugs could have been used to take over the webserver or deface websites. And unless someone proves me wrong, my claim that "Hiawatha is the most secure webserver" stands.

greetings,
Hugo

---------- Forwarded message ----------
From: Hugo Leisink <[EMAIL PROTECTED]>
Date: Dec 7, 2007 4:33 AM
Subject: Re: Hiawatha
To: Andris <[EMAIL PROTECTED]>

Hi Andres

> Hi, thanks for the comments. I have two questions for you:
>
> 1. Would you let me forward this to [EMAIL PROTECTED]
>

I have no problems with that, but I think there will be enough OpenBSD people not able to have a fair discussion about it (especially after my second remark).

> 2. Would you relicense Hiawatha?
>

I will never abandon the GPL license. So if it's possible for a piece of software to have two licenses, I'm not negative towards using the BSD license for Hiawatha. But of course, I first have to think about the consequences before actually doing so.

> Even if OpenBSD does not prefer Hiawatha, a project goal still stands:
> "We strive to make our software robust and secure, and encourage
> companies to use whichever pieces they want to."
>
> And, IMHO, it applies to any project which seeks security.
>

I agree. And I think the OpenBSD project has done some really good jobs. But it's the we-are-untouchable attitude of too many OpenBSD people that keeps me away from it. I've had some discussions with OpenBSD people before and too many of them weren't very pleasant. If someone finds a bad thing in Hiawatha or has some good points about how things can be done better, I'm the first one to say he's right. But if someone starts saying that "Hiawatha is insecure and sucks because my coding style doesn't match his" then the discussion is over for me. And let's be honest, criticizing a piece of software by only looking at its project website and not having the guts to even look at the source code, THAT is 'sheer stupidity'.

So, yes, I'm willing to talk again with the OpenBSD community. And if they choose Hiawatha, I will be very proud. And if they don't, I will try to improve Hiawatha until they do like it. BUT.... not if words like 'sucks', 'crap' and 'sheer stupidity' are being used. So, it's up to the OpenBSD community.

greetings,
Hugo