On Wed, Apr 6, 2022 at 2:15 PM Niall Douglas via Boost
On 06/04/2022 12:42, Dominique Devienne wrote:
I'd quickly mention [Fossil-SCM-based forum]
I don't want lots of stuff in one overarching solution. I want one thing solved well, and I want it to plug nicely into the most popular tooling. Which is git for SCM and github for issue tracking.
Well, when that overarching solution weighs less than most Boost libraries :) Some people are using Fossil solely for the forum. Ignore the rest. Heck, you could even subset the code needed, if you wanted. The ML is not integrated with Git or GitHub, yet works fine. Think of it that way.
So that's a big turnoff for me at least, it reminds me of that all-in-one integrated thingy which Boost had yonks ago and we were never able to get off some very ancient version of it full of known security holes. I **really** don't want to go back to that.
It's actually because Mr Hipp cares a lot about security that he controls the whole stack... I can guarantee you, from having witnessed it, that he's very reactive to any report about issues. And if you actually look into the sources of althttpd, you'd see clearly stated the code is kept simple on purpose, to make it auditable from A to Z in a single sitting of a couple hours. All requests are handled in a forked child on purpose (works best/fastest on Linux for that reason), with the whole thing running in a chroot jail by default. I.e. the attack surface is kept small on purpose. I'm sure it could further be secured in a container or nanovm or whatever the Cloud'y people will invent next. Again, I doubt Fossil will gain traction here. And I'm just a (happy) user of it, I have no skin in this game. But please don't go about writing about security holes or abandonware or bloat for things Dr Hipp does...