Whatever. I'm responsible for tracking down an annoying bug Antoine Jacoutot had with hiawatha on some machines. Namely, hiawatha was not starting up if you had 1024 file descriptors available, or something really weird like that.
Turns out the culprit was bad coding habits. Some system call was not checked correctly. I sent an email to the Hiawatha author, who mostly dismissed the issue (it's in the config file parser, prior to launching the server proper, and so is definitely not a security hole). I haven't looked at hiawatha code again, but in my mind it casts some doubts over its security. OpenBSD's stance on security is about attention to details and robust coding practices. Unfortunately, we also have to deal with less than perfect external software (and legacy stuff in our tree that we try to improve all the time). At the time I looked at hiawatha, its coding practice was below our current standards. Even in parsing configuration files, dismissing some errors like that is not acceptable. It's not our process for writing secure software (emphatically, writing secure software is NOT writing code any way you can, then fixing bugs and auditing the part that you think needs more attention... if there's anything we've learnt, it's that the most 'innocuous' issues will come back to bite us). I'll let you draw your own conclusion...