Package: wnpp
Severity: wishlist
Owner: Kai Hendry

* Package name : nostromo
Version : 1.8.6
Upstream Author : Marcus Glocker
* URL : http://www.nazgul.ch/dev.html
* License : MIT
Programming Lang: C
Description : small, simple, fast and secure httpd

Runs as a single process, handling connections with select. For CGIs
and directory listing it forks. Supports HTTP/1.1, CGI/1.1, chroot,
setuid, basic authentication, SSL, IPv6, custom repsonses, aliases, and
virtual hosts.


A prerelease test version of the package resides on:
http://hendry.iki.fi/debian/unstable

Seems smaller than lighttpd and looks on first impressions more secure
than thttpd. At least nicer looking code. I have in mind embedding
nhttpd on small low powered devices.

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Sun, 2008-08-03 at 21:09 +0100, Kai Hendry wrote:
> Package: wnpp
> Severity: wishlist
> Owner: Kai Hendry
>
> * Package name : nostromo
> Version : 1.8.6
> Upstream Author : Marcus Glocker
> * URL : http://www.nazgul.ch/dev.html
> * License : MIT
> Programming Lang: C
> Description : small, simple, fast and secure httpd

"Secure"? Even though it allows parent directory traversal? As has
been said time and time again, Debian doesn't need yet another tiny
httpd that inevitably turns out to have such flaws.

It doesn't get URI decoding right either.

Ben.

--
Ben Hutchings
Nothing is ever a complete failure; it can always serve as a bad example.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQBIl4RN79ZNCRIGYgcRAiJZAJ4k0j3GEXjPbx/r4uNu3dTIOJysdgCfZcFt
pPnrvGcFTbpv9RXKVBuXpdQ=
=DjGk
-----END PGP SIGNATURE-----

> On Sun, 2008-08-03 at 21:09 +0100, Kai Hendry wrote:
> > Package: wnpp
> > Severity: wishlist
> >
> > * Package name : nostromo
> > * URL : http://www.nazgul.ch/dev.html
> > Programming Lang: C
> > Description : small, simple, fast and secure httpd
>
[..]
> As has been said time and time again, Debian doesn't need yet another
> tiny httpd that inevitably turns out to have such flaws.

For those who needs to choose a (light) webserver, this page is meant to
gather pros and cons of each one :
http://wiki.debian.org/WebServers

(Contributions are welcome.)

Franklin


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Mon, Aug 25, 2008 at 08:43:16AM +0200, Franklin PIAT wrote:

> For those who needs to choose a (light) webserver, this page is meant to
> gather pros and cons of each one :
> http://wiki.debian.org/WebServers
>
> (Contributions are welcome.)

Both boa and lighttpd require much more installed size than apache2?
Interesting.

--
Tzafrir Cohen | tzafrir@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tzafrir@cohens.org.il | | best
ICQ# 16849754 | | friend


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

> On Mon, Aug 25, 2008 at 08:43:16AM +0200, Franklin PIAT wrote:
>
> > For those who needs to choose a (light) webserver, this page is meant to
> > gather pros and cons of each one :
> > http://wiki.debian.org/WebServers
> >
> > (Contributions are welcome.)
>
> Both boa and lighttpd require much more installed size than apache2?
> Interesting.

Funny... Unfortunately Lenny's apache2.2-common now depends on perl so
it's wrong ;-(

Franklin


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 27-Aug-08, 16:06 (CDT), Franklin PIAT wrote:
> > On Mon, Aug 25, 2008 at 08:43:16AM +0200, Franklin PIAT wrote:
> >
> > > For those who needs to choose a (light) webserver, this page is meant to
> > > gather pros and cons of each one :
> > > http://wiki.debian.org/WebServers
> > >
> > > (Contributions are welcome.)
> >
> > Both boa and lighttpd require much more installed size than apache2?
> > Interesting.
>
> Funny... Unfortunately Lenny's apache2.2-common now depends on perl so
> it's wrong ;-(

Yeah, but perl is pretty much required on Debian anyway, so shouldn't
count against it.

OTOH, the lighttpd includes all its modules, and might have more
functionality than Apache2 without any of its optional modules. Or not;
I've not done a detailed look.

Anyway, I'm not sure "package install size" is all that interesting a
comparison number; the main reason for looking at variant webservers is,
I'd guess, memory usage. Of course, that's a pain to quantify.

Steve


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Steve Greenland wrote:
> On 27-Aug-08, 16:06 (CDT), Franklin PIAT wrote:
>> > On Mon, Aug 25, 2008 at 08:43:16AM +0200, Franklin PIAT wrote:
>> >
>> > > For those who needs to choose a (light) webserver, this page is
>> meant to
>> > > gather pros and cons of each one :
>> > > http://wiki.debian.org/WebServers
>> > >
>> > > (Contributions are welcome.)
>> >
>> > Both boa and lighttpd require much more installed size than apache2?
>> > Interesting.
>>
>> Funny... Unfortunately Lenny's apache2.2-common now depends on perl so
>> it's wrong ;-(
>
> Yeah, but perl is pretty much required on Debian anyway, so shouldn't
> count against it.

> Anyway, I'm not sure "package install size" is all that interesting a
> comparison number;

Yes... Unless you want to build a tiny (debian-live) system (about 35Mb)
for netbooting.

Franklin



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org