Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-27 Thread Kevin Chadwick
> No, don't use a form;- the site can't be static HTML with scripts to
> process the form.

I used PHP and lock it down pretty tight with suhosin. Not sure I would
do it the same way now or not (use a cgi or something) but I am happy
with it and it is another reason why I avoid online CMS systems as they
often require many PHP functions and often think of security as an
afterthought.

-- 

KISSIS - Keep It Simple So It's Securable



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-27 Thread Craig Skinner
Hi David,

On 2016-04-27 Wed 00:54 AM |, David Lou wrote:
> 
> a blog. Honestly, for now I just want a piece of the web that I own,
> where I can just post whatever I want. It could just be that I have
> something I want to share with friends or colleagues, and I can
> direct them to a URL that points to a web server that belongs to
> *me*, where I'm in complete control, instead of Facebook or tumblr.
> 

Use a WYSIWYG HTML editor on your desktop, such as:
LibreOffice, KompoZer or Seamonkey's Composer.

Then simply scp the flat pages to your server.

Done.

If your site gets popular, you can do other stuff later!



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-27 Thread Craig Skinner
Hi David,

On 2016-04-27 Wed 00:54 AM |, David Lou wrote:
> Instead of a comment section, which seems
> like a headache, I'll just replace it with an email address so a
> reader can reach me if he/she really wanted to. Though I'm not sure
> what's the best way to prevent spam (or other ways in which an email
> address can be abused)? The best idea I can come up with would be to
> not publicly show the email address but create a contact form with a
> capcha.
> 

No, don't use a form;- the site can't be static HTML with scripts to
process the form. Much spam comes from abused web mail forms. The VPS
might suspend your account on complaints.

Just use a plain HTML mailto: tag.

Change the address within the tag to something like this if you like:
david [dot] lou (at) outlook [dot] com [dot] nospam

If people can't figure it out from there, you don't need their mail!

Cheers!
-- 
I'm always looking for a new idea that
will be more productive than its cost.
-- David Rockefeller



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-27 Thread Mihai Popescu
Folks, move the cheap chat bazaar to somewhere else, please.
I am pretty sure anyone is a blog expert these days. I damn hope you
will not bring in the Google Ad Sense program or other crazy thing
related.

Thank you.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-27 Thread Kevin Chadwick
> So, given all the feedback I got, I'm gonna adjust my proposed
> project a bit. It's just gonna be a web server, and a bunch of static
> content pages. You guys proposed many different solutions for these--
> I haven't had the chance yet but I'll need to assess which one I'm
> going to use

I just write the code from scratch myself with self-created header and
footer boilerplate templates etc., as CMS always do things I hate, like
using javascript even for simple things when it is not required, or
"mobile" versions, and make sites which aren't very fast. I do wonder
what gov.uk are using these days though, as it's actually quite nice,
fast and jsless capable. Amazon is also jsless capable. Nowadays I
usually code in netbeans, but I usually can't host my friends' websites
as I don't want the dangers of CMS (writing its own content) on my
server. But I'm interested in these template systems myself, as I have
considered using a CMS offline and then copying a secured staticised
version over to the live server. There is still some work (fighting
with the ports or developers' defaults like permissions) to make that
viable and secure, but it may be worth considering.

p.s. If you know what you are doing then the browser web tools, such as
in chrome, make editing far faster and more powerful than using a CMS and
mean you can do anything. CMS are really for allowing you to pay many
people lower wages and make it easy to give them limited power, or to
allow the masses to make simple changes regularly.

-- 

KISSIS - Keep It Simple So It's Securable



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Steve Shockley

On 04/26/2016 04:47 AM, Erling Westenvik wrote:

> $ pkg_info blogsum


I use(d) Blogsum, but last I looked it pulled in Apache 1.3.  I tried 
and failed to get it working under the new httpd chroot (too many Perl 
dependencies).  I have a better understanding of httpd now, but I've 
lost enthusiasm for getting it working, so I'll probably switch to 
something else.  If you want to give it a shot, 
https://github.com/reyk/httpd/wiki/Migrating-a-Perl-CGI-application-such-as-Bugzilla 
may be helpful.




Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Michael McConville
David Lou wrote:
> (btw, isn't the "built-in" httpd webserver just Apache? Google seems
> to tell me that they're synonyms)

Nope, Apache was bundled a long time ago and was replaced with Nginx,
which was replaced with httpd in July 2014. httpd is an HTTP server that
is developed in the OpenBSD source tree.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread David Lou
Hello,

Wow, thank you for all responses. I did not expect this many. You
guys are really helpful!

I had a feeling my original plan was too complicated. I appreciate
that you guys are pointing it out. Honest feedback is good feedback.
No need to spare any feelings if I'm doing something wrong. :)

I think some people here are wondering what I'm "trying to do" with
a blog. Honestly, for now I just want a piece of the web that I own,
where I can just post whatever I want. It could just be that I have
something I want to share with friends or colleagues, and I can
direct them to a URL that points to a web server that belongs to
*me*, where I'm in complete control, instead of Facebook or tumblr.

I'm not too concerned with attracting an audience or search engine
rankings right now---though maybe in the future I will. I think it's
wonderful if other people visit my website but it's not why I'm
trying to do all of this.

So right now I'm considering a cheap VPS hosting service where I run
OpenBSD because I really like OpenBSD's founding principles. I'm
leaning towards VPS instead of just a webhost because having root
access to a machine makes me *feel* like the machine is mine and I
can do whatever the heck I want. My hope is that the sysadmin aspect
doesn't turn out to be a nightmare.

So, given all the feedback I got, I'm gonna adjust my proposed
project a bit. It's just gonna be a web server, and a bunch of static
content pages. You guys proposed many different solutions for these--
I haven't had the chance yet but I'll need to assess which one I'm
going to use. Simplicity and stability (i.e. correct, secure, not
buggy) will be my criteria. Instead of a comment section, which seems
like a headache, I'll just replace it with an email address so a
reader can reach me if he/she really wanted to. Though I'm not sure
what's the best way to prevent spam (or other ways in which an email
address can be abused)? The best idea I can come up with would be to
not publicly show the email address but create a contact form with a
captcha. A contact form also has the benefit that all the emails I get
have a consistent format. Though I'm not sure if contact forms are
really the best idea.

(btw, isn't the "built-in" httpd webserver just Apache? Google seems
to tell me that they're synonyms)

David



Fwd: Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread rain1

On 2016-04-26 14:24, Kamil Cholewiński wrote:

> On Tue, 26 Apr 2016, ra...@openmailbox.org wrote:
> > If you want to make a dynamic "web application" then consider using
> > ur/web [1]. The programming language itself protects against SQL
> > injection, XSS attacks, CSRF attacks.
>
> I hate to bring the bad news, but this language / framework has close to
> zero chances of being used in a commercial product.
>
> - ML / Haskell are too abstract for the 99% of Python/Ruby/JS/NameIt
>   programmers out there. You or me love ML, the next guy will run away.

Let him run!

> - The website itself looks horrible. You or me don't mind, because we
>   focus on content and not presentation, but we're not in the 99%. Also
>   it takes actual effort to make a website look this horrible...

I didn't create this software or the website, you could tell the author
but do we really care about people that focus on presentation above
content?

> - The documentation is lacking horribly. First off, these days if your
>   TLDR to a "200 OK Hello world" is not in 10 lines and on your landing
>   page, you probably have already lost 90% of the potential audience.
>   The remainder got lost in incomplete examples and a terse reference
>   manual.

I can point you to a hello world example:
http://www.impredicative.com/ur/demo/

> - Nobody is interested in writing the most elegant qsort, because
>   Python/Ruby/JS/NameIt already have a working implementation in their
>   standard libraries. They also focus on helping you solve more real
>   world problems (pushing HTML or JSON to browsers), which, skimming
>   over the docs, I didn't see explained.

Not sure what you mean about qsort.

You wouldn't normally be pushing HTML, instead data that is rendered
into HTML on the client side. Check the React demo for an example.

It is possible to do JSON but there is no example code. I agree with you
this is a serious missing bit of documentation.

> Sorry, but few people today judge a product based solely on its
> theoretical merits; they need a toy to play with, and to see that it can
> help them solve their problems.

Let's be in the few that do!

> A "half-secure" product that is easy to use, is more secure than a
> secure product that nobody cares to use, because it provides a typical,
> real-world user with a viable, real-world alternative over a completely
> insecure product that is also easy to use.

Yes it has a steeper learning curve but I believe anyone can get past
that if they choose to, and create a higher quality site with it.

> > String based scripting languages like {node, php, python, perl, ruby}
> > have added on frameworks that try to 'prepare' sql queries or template
> > HTML to get it to do the various different levels of quoting for you.
> > It's possible to make secure sites in them if you do everything right.
> > Problems still slip through.
>
> Not necessarily. Consider a function prototype:
>
> query(template: string, param1: mixed, ...) -> result: mixed
>
> Whether this function is correct or secure or not, does not depend on
> the language it was implemented or used in. Using it securely is still
> up to the caller. Good interfaces can help good programmers write good
> code, but you can't stop a bad programmer from writing bad code...

The key to the tool I recommended is that templates are not strings -
they are functions that take some parameters and produce HTML.

Some of the points you raised are really strong and definitely room for
improvement on the presentation and documentation of the tool. I don't
see any substantial reasons not to use the software though just because
99% of people prefer broken garbage.

> > That's why I recommend a programming language designed to remove these
> > issues entirely by parsing and understanding the sublanguages involved
> > in making a website (instead of having them as strings in your code).
>
> Context-sensitive templating languages are a thing in mainstream tools.
> I'm not a frontend web developer, but some quick googling brought this
> up:
>
> http://www.slideshare.net/adonatwork/efficient-contextsensitive-output-escaping-for-javascript-template-engines
>
> K.

Yep, golang has it for example. Also a good choice. But again you have to
use it all the time to ensure safety. If you slip up once in urweb you
get a compile error instead of a potentially vulnerable website.




Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread lists
Tue, 26 Apr 2016 09:29:30 +0200 Kamil Cholewiński 
> On Tue, 26 Apr 2016, David Lou  wrote:
> > Hello,
> >
> > This is my first post. :) I suppose this is a high level kind of
> > question.

And can have way too many answers, not that many of them OpenBSD related.

> > When I say 'blog', I'm referring to a website that contains
> > essentially many pages of content. Each content page has attributes
> > such as title, date, category, tags, and so on. When a user browses
> > this website, the content pages are served in a visually attractive
> > layout, with possible bells and whistles such as Facebook/Twitter
> > share buttons, and comment sections. Additional features may include
> > a search bar and an archive page.

You are drafting a far too complex set of requirements for a 1 man show.
You can abandon reading now & order it from a commercial support vendor.

> > I'm shying away from popular solutions such as WordPress because
> > (1) I'm not sure if it even installs on OpenBSD and more importantly
> > (2) I'm not convinced that it adheres to the OpenBSD principles of
> > correctness and proactive security.

These solutions save lots of time and costs, if you can handle them with
proper management, accept there are known hidden expenses and figure out
when to stop before it gets unjustified according to your planned budget.

> Use a static site generator. Nothing beats a bunch of static files when
> it comes to keeping your backend secure. No code is best code.

Reality check, structured text presentation beats any sort of generator:

[https://en.wikipedia.org/wiki/Lightweight_markup_language]

I can recommend one of these, but I would not, so just brainstorm to
find what suits you best.  Some of these mix well with your text or
other editor, some even have export to the static site generators
'harry666t' mentions below, and some of them even directly put your
edits in the dynamic site content management and presentation mishmash
of system you want to replicate in your design specification.  Why not
just use a popular system like Drupal, Wordpress, Bloody-logger, adds
sponsored futu-Rama-steam-ol-we-blog-roll-yer & rehash them for static
site output and publish that?  Too much work?  Exactly that, use cash!

For text edit you only need your choice of text editor, a web browser
can have an additional feature to open your preferred editor for you.

With the proper use, you don't even need markup of any sort, just plain
text structured so it can have line oriented edits for better revisions.

The rcs(1) and cvs(1) revision and version management tools work fine:

[http://man.openbsd.org/rcs]
[http://man.openbsd.org/cvs]

An httpd(8) server is in the base system, and can serve pages immediately:

[http://man.openbsd.org/httpd]

You can choose to use a text (pre-)processor, template system, etc the
entire load of pain and you're better on a pay as you go web service.

> Don't try to roll your own, unless you're prepared to deal with CSRF,
> XSS, comment spam, blah blah blah.

No, actually, try it as best as you can, and what you can create and
enhance is exactly what you're capable of actually managing yourself.

> Try one of these: https://www.staticgen.com/

Good luck finding one that will not shoot you in the foot in the long
run if you are not trained to handle it inside out from the internals.

> If you need comments, try https://disqus.com/

And prepare some cost and a person to dedicate to handling the comments.
AI is pretty stagnant plus the personal e-assistants still don't get it.

> > So going forward I'm planning to learn how to do all of these things.

Well, it all shrinks down to cost per feature, justification and profit.

> > Does this sound like a good plan? What would you say is a good way
> > to learn the correct and secure way of using these technologies?

Frankly, NO.  Your specs are way off your budget.  This looks like a
bait question for advertising your preferred service as a final post.

If you're just starting with OpenBSD, start with the basics and work up
from a single text file up to where your effort and budget may lead you.

> > Lastly, just a side question. Not sure if this is an FAQ: Running a
> > webserver on OpenBSD probably means I'll need to stay up to date with
> > security patches. Is there an automatic script I can run so I don't
> > have to constantly worry about this aspect of running a website?
>
> For OS security updates: https://stable.mtier.org/

That's cool, and worthwhile mention, it's also perfectly good to just
run the upgrade from release to -release, -stable via patches or even
follow snapshots for close to -current very fine outlined in the FAQ:

[http://www.openbsd.org/faq/faq5.html#Flavors]

> If you install packages from third-party sources (pip, gem, npm, go get,
> whatever), you need to come up with some sort of strategy. Best if you'd
> subscribe to some sort of security@ or announce@ mailing list for each

Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread lists
Tue, 26 Apr 2016 12:36:32 +0200 Kamil Cholewiński 
> On Tue, 26 Apr 2016, li...@wrant.com wrote:
> > Reality check, structured text presentation beats any sort of generator:
> >
> > [https://en.wikipedia.org/wiki/Lightweight_markup_language]
>
> I agree with using an LML, but that's just one piece of the puzzle.

Possibly and quite probably, the only one.  Helps the brain to text dump
process, and serves as the original prepared form for further processing.
Once mastered is discarded easily, does not change anything in your text.

> > And prepare some cost and a person to dedicate to handling the comments.
> > AI is pretty stagnant plus the personal e-assistants still don't get it.
>
> If you want comments on your website, you need this person either way.

Mail.

> Personally, if I cared about comments, I'd insert a mailto: link in the
> footer.

Edit where you like, copy to web server, done.  Can be combined together.

Regards and good luck.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Alex Poslavsky

On 04/26, David Lou wrote:

> When I say 'blog', I'm referring to a website that contains
> essentially many pages of content. Each content page has attributes
> such as title, date, category, tags, and so on. When a user browses
> this website, the content pages are served in a visually attractive
> layout, with possible bells and whistles such as Facebook/Twitter
> share buttons, and comment sections. Additional features may include
> a search bar and an archive page.

Hugo: http://gohugo.io/ might be a good fit. Go installs from packages,
hugo you can simply build. It has all the bells and whistles a regular
site needs.

> So with that said, I'd like to solicit some feedback on how such a
> blog website should be built. Personally I'm thinking of some kind
> of homegrown solution. First I'd design my own database that stores

Building it yourself is great, but all the static site generators mentioned
have all their posts in plain text, so you can always switch later.

cheers!



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, ra...@openmailbox.org wrote:
> If you want to make a dynamic "web application" then consider using 
> ur/web [1]. The programming language itself protects against SQL 
> injection, XSS attacks, CSRF attacks.

I hate to bring the bad news, but this language / framework has close to
zero chances of being used in a commercial product.

- ML / Haskell are too abstract for the 99% of Python/Ruby/JS/NameIt
  programmers out there. You or me love ML, the next guy will run away.

- The website itself looks horrible. You or me don't mind, because we
  focus on content and not presentation, but we're not in the 99%. Also
  it takes actual effort to make a website look this horrible...

- The documentation is lacking horribly. First off, these days if your
  TLDR to a "200 OK Hello world" is not in 10 lines and on your landing
  page, you probably have already lost 90% of the potential audience.
  The remainder got lost in incomplete examples and a terse reference
  manual.

- Nobody is interested in writing the most elegant qsort, because
  Python/Ruby/JS/NameIt already have a working implementation in their
  standard libraries. They also focus on helping you solve more real
  world problems (pushing HTML or JSON to browsers), which, skimming
  over the docs, I didn't see explained.

Sorry, but few people today judge a product based solely on its
theoretical merits; they need a toy to play with, and to see that it can
help them solve their problems.

A "half-secure" product that is easy to use, is more secure than a
secure product that nobody cares to use, because it provides a typical,
real-world user with a viable, real-world alternative over a completely
insecure product that is also easy to use.

> String based scripting languages like {node, php, python, perl, ruby}
> have added on frameworks that try to 'prepare' sql queries or template
> HTML to get it to do the various different levels of quoting for you.
> It's possible to make secure sites in them if you do everything right.
> Problems still slip through.

Not necessarily. Consider a function prototype:

query(template: string, param1: mixed, ...) -> result: mixed

Whether this function is correct or secure or not, does not depend on
the language it was implemented or used in. Using it securely is still
up to the caller. Good interfaces can help good programmers write good
code, but you can't stop a bad programmer from writing bad code...

> That's why I recommend a programming language designed to remove these 
> issues entirely by parsing and understanding the sublanguages involved 
> in making a website (instead of having them as strings in your code).

Context-sensitive templating languages are a thing in mainstream tools.
I'm not a frontend web developer, but some quick googling brought this
up:

http://www.slideshare.net/adonatwork/efficient-contextsensitive-output-escaping-for-javascript-template-engines

K.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread rain1

On 2016-04-26 10:03, Rubén Llorente wrote:

> On Tue, 26 Apr 2016 06:15:22 +, David Lou wrote:
>
> > When I say 'blog', I'm referring to a website that contains essentially
> > many pages of content. Each content page has attributes such as title,
> > date, category, tags, and so on. When a user browses this website, the
> > content pages are served in a visually attractive layout, with possible
> > bells and whistles such as Facebook/Twitter share buttons, and comment
> > sections. Additional features may include a search bar and an archive
> > page.
> >
> > I'm shying away from popular solutions such as WordPress because (1) I'm
> > not sure if it even installs on OpenBSD and more importantly (2) I'm not
> > convinced that it adheres to the OpenBSD principles of correctness and
> > proactive security.
>
> Hello, and welcome.
>
> A static website generator is a safe bet. You can use bashblog or any
> similar alternative, for example. Bashblog can be seen in action at
> http://www.richard-falken.com
>
> Bashblog might need some hacking in the code in order to include social
> media buttons, but the CSS is easy enough to configure. No native comment
> services exist, but it can integrate with external ones.
>
> For the record, I don't like commentary mechanisms that work as an
> external service to your website. In fact, I would not care for a
> commentary mechanism unless you really needed it. A commentary mechanism
> forces you to deploy anti-spam defenses, to police against trolls and is
> one of those things that don't let you stop worrying about the
> administrative aspects of running a website.
>
> Regards.

I wanted to second this because it's such a good idea. Static site
generation can turn even wordpress from a terrifying disaster into a
secure site since you're only serving HTML/CSS/images.

If you want to make a dynamic "web application" then consider using
ur/web [1]. The programming language itself protects against SQL
injection, XSS attacks, CSRF attacks.

String based scripting languages like {node, php, python, perl, ruby}
have added on frameworks that try to 'prepare' sql queries or template
HTML to get it to do the various different levels of quoting for you.
It's possible to make secure sites in them if you do everything right.
Problems still slip through.

That's why I recommend a programming language designed to remove these
issues entirely by parsing and understanding the sublanguages involved
in making a website (instead of having them as strings in your code).


[1] http://www.impredicative.com/ur/
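An added example (not code from this thread, from ur/web, or from any project named here) of the point argued in this post and in the rain1/Kamil exchange above: the same page rendered with Go's text/template, which pastes values into the template string verbatim, and with html/template, the context-sensitive engine rain1 cites as the "golang has it" case. The Post type, the page template, the Hostile sample and the function names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Post is what a blog page template renders. In the contact-form or
// comment scenario both fields would be reader-supplied, so they are
// treated as untrusted. (Type and field names are this example's own.)
type Post struct {
	Title string
	Link  string
}

// One template, three output contexts: HTML element body, URL attribute,
// and a JavaScript string inside <script>. Each needs different quoting,
// which is exactly the "various different levels of quoting" problem.
const page = `<h1>{{.Title}}</h1>` +
	`<a href="{{.Link}}">more</a>` +
	`<script>var title = {{.Title}};</script>`

// RenderString is the string-based approach: text/template treats the
// page as opaque text and pastes values in raw, just like concatenation.
func RenderString(p Post) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderContextAware uses html/template, which parses the HTML, URL and
// JS sublanguages of the template on first execution and applies the
// escaper each insertion point needs (HTML entities in the <h1>, a
// scheme filter on href, JS string quoting inside <script>).
func RenderContextAware(p Post) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// LeaksMarkup reports whether the rendered page still carries the
// reader's raw script break-out or a javascript: URL, i.e. whether the
// untrusted input was able to change the page's structure.
func LeaksMarkup(rendered string) bool {
	return strings.Contains(rendered, "</script><script>") ||
		strings.Contains(rendered, `href="javascript:`)
}

// Hostile is a constructed sample input: the classic script break-out
// test string as a title and a javascript: URL as the link.
var Hostile = Post{
	Title: "</script><script>alert(1)</script>",
	Link:  "javascript:alert(1)",
}

func main() {
	raw, _ := RenderString(Hostile)
	safe, _ := RenderContextAware(Hostile)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
	fmt.Println("string rendering leaks markup:", LeaksMarkup(raw))   // true
	fmt.Println("context-aware rendering leaks markup:", LeaksMarkup(safe)) // false
}
```

The caveat rain1 raises is visible in the two function bodies: they differ only in which package is imported, so one wrong import on one page is a silent escaping bypass rather than a compile error.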



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kristaps Dzonsons
FWIW, I use my own http://kristaps.bsd.lv/sblg all the time.  It just
knits together HTML (XML style) articles via a Makefile.  No python or
markdown or any crap.  Not sure if it's in ports yet.  (I think A.
Bentley had one?)



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Pablo Méndez Hernández
Hi David:

I'd recommend using a static content generator like Pelican (which
is in ports). The generator is written in python but the content is
static.


Regards.
Pablo

On Tue, Apr 26, 2016 at 12:54 PM, Murk Fletcher 
wrote:
> Hi!
>
> Both Perl and PHP are dying languages. Python is nice, but Ruby on Rails is
> way nicer. That's just my opinion though, and I build tons of super cool
> web and mobile apps.
>
> Ruby on Rails vs PHP - Commercial #3 of 9:
> https://www.youtube.com/watch?v=p5EIrSM8dCA etc.
>
> --Murk
>
> On Tue, Apr 26, 2016 at 12:36 PM, Kamil Cholewiński 
> wrote:
>
>> On Tue, 26 Apr 2016, li...@wrant.com wrote:
>> > Reality check, structured text presentation beats any sort of generator:
>> >
>> > [https://en.wikipedia.org/wiki/Lightweight_markup_language]
>>
>> I agree with using an LML, but that's just one piece of the puzzle.
>> There are numerous converters available:
>>
>> - http://pandoc.org/
>> - https://pypi.python.org/pypi/Markdown
>> - etc
>>
>> Where's the line between a fully-fledged generator and a simple
>> converter?
>>
>> Eg. pandoc is quite versatile, but you need a little glue and a template
>> before you could call it a blog. Going with a simpler converter, and you
>> soon end up with enough glue to call it a framework. (Greenspun's tenth
>> law?)
>>
>> >> Try one of these: https://www.staticgen.com/
>> >
>> > Good luck finding one that will not shoot you in the foot in the long
>> > run if you are not trained to handle it inside out from the internals.
>>
>> Agree! 100% agree! I did look at a whole bunch before deciding it's not
>> worth it, and stitched something together using pandoc, make, and some
>> Python to generate indexes. That's for v2, v1 didn't even use pandoc.
>>
>> However same argument as with anything custom vs stock.
>>
>> > And prepare some cost and a person to dedicate to handling the comments.
>> > AI is pretty stagnant plus the personal e-assistants still don't get it.
>>
>> If you want comments on your website, you need this person either way.
>>
>> Disqus has an advantage, that you don't have to run a database and
>> handle user input on your backend. Of course if you're fine with Disqus,
>> you can probably also just go to Blogspot...
>>
>> Personally, if I cared about comments, I'd insert a mailto: link in the
>> footer.
>>
>> > The less the better, so edit where you like, copy to web server, done.
>>
>> Depends! It may be OK if you're exactly one person with exactly one
>> website, but this won't scale well, esp. when there's any sort of build
>> process involved. Storing artifacts in VC sucks horribly, even for a
>> small thing. Build servers are overkill for a blog.
>>
>> K.
>



--

Pablo Méndez Hernández



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Murk Fletcher
> This is infantile, and stupid beyond acceptable. [...snip...] Bullshit.

Usually when people get this emotional it's because they either a) spent
their entire lives learning one of these obsolete languages and are now
getting defensive, b) never actually built anything that people want to use.

P.S. I forgot to mention that Node.js also is great for blogs (i.e.
http://hexo.io/). There's also Facebook's React for you front-end freaks
out there, but in my opinion, it's still got a lot of maturing to do.

Thanks!

--Murk

On Tue, Apr 26, 2016 at 1:15 PM,  wrote:

> Tue, 26 Apr 2016 12:54:53 +0200 Murk Fletcher 
> > Hi!
>
> Murk, you're a dying person too.
>
> > Both Perl and PHP are dying languages. Python is nice, but Ruby on Rails
> is
> > way nicer.
>
> This is infantile, and stupid beyond acceptable.
>
> > That's just my opinion though, and I build tons of super cool
> > web and mobile apps.
>
> Nobody cares about your particular case of opinions.
>
> > Ruby on Rails vs PHP - Commercial #3 of 9:
> > https://www.youtube.com/watch?v=p5EIrSM8dCA etc.
>
> Bullshit.
>
> P.S. Your way of thinking is obsoleted.  Get a refreshment.
>
> > On Tue, Apr 26, 2016 at 12:36 PM, Kamil Cholewiński  >
> > wrote:
> >
> > > On Tue, 26 Apr 2016, li...@wrant.com wrote:
> > > > Reality check, structured text presentation beats any sort of
> generator:
> > > >
> > > > [https://en.wikipedia.org/wiki/Lightweight_markup_language]
> > >
> > > I agree with using an LML, but that's just one piece of the puzzle.
> > > There are numerous converters available:
> > >
> > > - http://pandoc.org/
> > > - https://pypi.python.org/pypi/Markdown
> > > - etc
> > >
> > > Where's the line between a fully-fledged generator and a simple
> > > converter?
> > >
> > > Eg. pandoc is quite versatile, but you need a little glue and a
> template
> > > before you could call it a blog. Going with a simpler converter, and
> you
> > > soon end up with enough glue to call it a framework. (Greenspun's tenth
> > > law?)
> > >
> > > >> Try one of these: https://www.staticgen.com/
> > > >
> > > > Good luck finding one that will not shoot you in the foot in the long
> > > > run if you are not trained to handle it inside out from the
> internals.
> > >
> > > Agree! 100% agree! I did look at a whole bunch before deciding it's not
> > > worth it, and stitched something together using pandoc, make, and some
> > > Python to generate indexes. That's for v2, v1 didn't even use pandoc.
> > >
> > > However same argument as with anything custom vs stock.
> > >
> > > > And prepare some cost and a person to dedicate to handling the
> comments.
> > > > AI is pretty stagnant plus the personal e-assistants still don't get
> it.
> > >
> > > If you want comments on your website, you need this person either way.
> > >
> > > Disqus has an advantage, that you don't have to run a database and
> > > handle user input on your backend. Of course if you're fine with
> Disqus,
> > > you can probably also just go to Blogspot...
> > >
> > > Personally, if I cared about comments, I'd insert a mailto: link in
> the
> > > footer.
> > >
> > > > The less the better, so edit where you like, copy to web server,
> done.
> > >
> > > Depends! It may be OK if you're exactly one person with exactly one
> > > website, but this won't scale well, esp. when there's any sort of build
> > > process involved. Storing artifacts in VC sucks horribly, even for a
> > > small thing. Build servers are overkill for a blog.
> > >
> > > K.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Martijn van Duren
On 04/26/16 12:54, Murk Fletcher wrote:
> Hi!
> 
> Both Perl and PHP are dying languages. Python is nice, but Ruby on Rails is
> way nicer. That's just my opinion though, and I build tons of super cool
> web and mobile apps.

I'm looking forward to your reimplementation of pkg_* and dpb in ruby.
Hopefully it's here before Perl dies.
> 
> Ruby on Rails vs PHP - Commercial #3 of 9:
> https://www.youtube.com/watch?v=p5EIrSM8dCA etc.
> 
> --Murk



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Murk Fletcher
Hi!

Both Perl and PHP are dying languages. Python is nice, but Ruby on Rails is
way nicer. That's just my opinion though, and I build tons of super cool
web and mobile apps.

Ruby on Rails vs PHP - Commercial #3 of 9:
https://www.youtube.com/watch?v=p5EIrSM8dCA etc.

--Murk

On Tue, Apr 26, 2016 at 12:36 PM, Kamil Cholewiński wrote:

> On Tue, 26 Apr 2016, li...@wrant.com wrote:
> > Reality check, structured text presentation beats any sort of generator:
> >
> > [https://en.wikipedia.org/wiki/Lightweight_markup_language]
>
> I agree with using an LML, but that's just one piece of the puzzle.
> There are numerous converters available:
>
> - http://pandoc.org/
> - https://pypi.python.org/pypi/Markdown
> - etc
>
> Where's the line between a fully-fledged generator and a simple
> converter?
>
> Eg. pandoc is quite versatile, but you need a little glue and a template
> before you could call it a blog. Going with a simpler converter, and you
> soon end up with enough glue to call it a framework. (Greenspun's tenth
> law?)
>
> >> Try one of these: https://www.staticgen.com/
> >
> > Good luck finding one that will not shoot you in the foot in the long
> > run if you are not trained to handle it inside out from the internals.
>
> Agree! 100% agree! I did look at a whole bunch before deciding it's not
> worth it, and stitched something together using pandoc, make, and some
> Python to generate indexes. That's for v2, v1 didn't even use pandoc.
>
> However same argument as with anything custom vs stock.
>
> > And prepare some cost and a person to dedicate to handling the comments.
> > AI is pretty stagnant plus the personal e-assistants still don't get it.
>
> If you want comments on your website, you need this person either way.
>
> Disqus has an advantage, that you don't have to run a database and
> handle user input on your backend. Of course if you're fine with Disqus,
> you can probably also just go to Blogspot...
>
> Personally, if I cared about comments, I'd insert a mailto: link in the
> footer.
>
> > The less the better, so edit where you like, copy to web server, done.
>
> Depends! It may be OK if you're exactly one person with exactly one
> website, but this won't scale well, esp. when there's any sort of build
> process involved. Storing artifacts in VC sucks horribly, even for a
> small thing. Build servers are overkill for a blog.
>
> K.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, li...@wrant.com wrote:
> Reality check, structured text presentation beats any sort of generator:
>
> [https://en.wikipedia.org/wiki/Lightweight_markup_language]

I agree with using an LML, but that's just one piece of the puzzle.
There are numerous converters available:

- http://pandoc.org/
- https://pypi.python.org/pypi/Markdown
- etc

Where's the line between a fully-fledged generator and a simple
converter?

Eg. pandoc is quite versatile, but you need a little glue and a template
before you could call it a blog. Going with a simpler converter, and you
soon end up with enough glue to call it a framework. (Greenspun's tenth
law?)

>> Try one of these: https://www.staticgen.com/
>
> Good luck finding one that will not shoot you in the foot in the long
> run if you are not trained to handle it inside out from the internals.

Agree! 100% agree! I did look at a whole bunch before deciding it's not
worth it, and stitched something together using pandoc, make, and some
Python to generate indexes. That's for v2, v1 didn't even use pandoc.

However same argument as with anything custom vs stock.

> And prepare some cost and a person to dedicate to handling the comments.
> AI is pretty stagnant plus the personal e-assistants still don't get it.

If you want comments on your website, you need this person either way.

Disqus has an advantage, that you don't have to run a database and
handle user input on your backend. Of course if you're fine with Disqus,
you can probably also just go to Blogspot...

Personally, if I cared about comments, I'd insert a mailto: link in the
footer.

> The less the better, so edit where you like, copy to web server, done.

Depends! It may be OK if you're exactly one person with exactly one
website, but this won't scale well, esp. when there's any sort of build
process involved. Storing artifacts in VC sucks horribly, even for a
small thing. Build servers are overkill for a blog.

K.
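As an added illustration of the pandoc + make + Python arrangement described above (example code written for this edit, not Kamil's own scripts): a Python index generator that reads pandoc-style YAML metadata blocks (title, date, tags) from Markdown posts and emits an HTML-escaped index page. The posts are constructed in memory, the `.md` to `.html` link convention is an assumption, and converting each post body is left to pandoc in the Makefile.

```python
"""Index generator for a pandoc+make static blog (added example, not from
the thread).  Each post starts with a pandoc-style YAML block carrying
title, date and tags; only that block is read here, the body is pandoc's
job.  Sample posts are constructed below so this runs offline."""
import html
import re
from datetime import date

# Constructed sample posts: path -> file content (not real files).
SAMPLE_POSTS = {
    "posts/hello.md": "---\ntitle: Hello, world\ndate: 2016-04-20\n"
                      "tags: [meta]\n---\nFirst post.\n",
    "posts/httpd.md": "---\ntitle: Serving <static> files with httpd(8)\n"
                      "date: 2016-04-26\ntags: [openbsd, httpd]\n---\nBody.\n",
}

META_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def parse_meta(text):
    """Return {'title', 'date', 'tags'} from the leading YAML block.
    Only the simple `key: value` and `tags: [a, b]` forms are handled;
    a missing block or field raises so a malformed post breaks the build
    loudly instead of silently vanishing from the index."""
    m = META_RE.match(text)
    if not m:
        raise ValueError("no metadata block")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    tags = meta.get("tags", "[]").strip("[]")
    return {"title": meta["title"],
            "date": date.fromisoformat(meta["date"]),
            "tags": [t.strip() for t in tags.split(",") if t.strip()]}


def build_index(posts):
    """posts: {path: markdown}.  Returns index HTML, newest first.  Every
    metadata value is escaped: the site is static, but a title containing
    markup would still be injected into the index without this."""
    entries = []
    for path, text in posts.items():
        meta = parse_meta(text)
        href = path[:-3] + ".html"  # assumed Makefile rule: %.md -> %.html
        entries.append((meta["date"], href, meta["title"], meta["tags"]))
    entries.sort(reverse=True)
    items = [f'<li>{d.isoformat()} <a href="{html.escape(href)}">'
             f'{html.escape(title)}</a> [{", ".join(map(html.escape, tags))}]</li>'
             for d, href, title, tags in entries]
    return "<ul>\n" + "\n".join(items) + "\n</ul>\n"


if __name__ == "__main__":
    print(build_index(SAMPLE_POSTS))
```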



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Craig Skinner
On 2016-04-26 Tue 05:03 AM |, Jiri B wrote:
> or you can choose perl Template Toolkit
> 

This is a superb static page generator David:
http://www.template-toolkit.org/
OpenBSD ported & packaged as 'p5-Template'

Web experts say "write articles not blogs":
http://www.nngroup.com/articles/write-articles-not-blogs/

Comments can be better handled by a mailing list;
mlmmj is very good (http://www.mlmmj.org/),
also OpenBSD ported & packaged.

Cheers.
-- 
People in general do not willingly read
if they have anything else to amuse them.
-- S. Johnson



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Rubén Llorente
On Tue, 26 Apr 2016 06:15:22 +, David Lou wrote:

> When I say 'blog', I'm referring to a website that contains essentially
> many pages of content. Each content page has attributes such as title,
> date, category, tags, and so on. When a user browses this website, the
> content pages are served in a visually attractive layout, with possible
> bells and whistles such as Facebook/Twitter share buttons, and comment
> sections. Additional features may include a search bar and an archive
> page.
> 
> I'm shying away from popular solutions such as WordPress because (1) I'm
> not sure if it even installs on OpenBSD and more importantly (2) I'm not
> convinced that it adheres to the OpenBSD principles of correctness and
> proactive security.

Hello, and welcome.

A static website generator is a safe bet. You can use bashblog or any 
similar alternative, for example. Bashblog can be seen in action at 
http://www.richard-falken.com

Bashblog might need some hacking in the code in order to include social 
media buttons, but the CSS is easy enough to configure. No native comment 
services exist, but it can integrate with external ones.

For the record, I don't like commentary mechanisms that work as an 
external service to your website. In fact, I would not care for a 
commentary mechanism unless you really needed it. A commentary mechanism 
forces you to deploy anti-spam defenses, to police against trolls and is 
one of those things that don't let you stop worrying about the 
administrative aspects of running a website.

Regards.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Jiri B
This thread is unrelated to OpenBSD. If you'd like to have a blog,
there are a trillion template systems, like the one used by OpenBSD
to build its web pages (perl, awk, shell), or you can choose perl Template
Toolkit, jinja2, whatever...

j.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Erling Westenvik
On Tue, Apr 26, 2016 at 06:15:22AM +, David Lou wrote:
> Hello,

Hi there,

> This is my first post. :) I suppose this is a high level kind of
> question.
> 
> When I say 'blog', I'm referring to a website that contains
> essentially many pages of content. Each content page has attributes
> such as title, date, category, tags, and so on. When a user browses
> this website, the content pages are served in a visually attractive
> layout, with possible bells and whistles such as Facebook/Twitter
> share buttons, and comment sections. Additional features may include
> a search bar and an archive page.
> 
> I'm shying away from popular solutions such as WordPress because
> (1) I'm not sure if it even installs on OpenBSD and more importantly

Wordpress appears to have been removed from ports. But there is Drupal.
And you may take a look at blogsum. The latter is unknown to me but it
popped up when I did some browsing in pkg_mgr.

$ pkg_info drupal
$ pkg_info blogsum

> (2) I'm not convinced that it adheres to the OpenBSD principles of
> correctness and proactive security.

That goes for a lot of ports. FAQ 15 states: "The packages and ports
collection does NOT go through the same thorough security audit that is
performed on the OpenBSD base system. Although we strive to keep the
quality of the packages collection high, we just do not have enough
human resources to ensure the same level of robustness and security."

> So with that said, I'd like to solicit some feedback on how such a
> blog website should be built. Personally I'm thinking of some kind
> of homegrown solution. First I'd design my own database that stores

Good luck with that but I'd say you're up for a steep learning curve and
potentially a tremendous amount of work.

> the attributes of all content pages. And then I'd use a web server---
> whenever a user visits a webpage, the web server would run some kind
> of script that queries the database for all the necessary information
> and wraps the content page in a nicely designed HTML document.

That pretty much sums up the absolute basic functionalities of any
"popular solution" out there, like above mentioned Drupal. Think twice
before trying to reinvent the wheel.

> OpenBSD seems to come with nginx in the port tree as its web server

Yes. And Apache. And a bunch of other webservers. But OpenBSD also comes
with its own "built-in" webserver, httpd(8). It's wonderful!

$ man httpd

> but right now I don't know what scripting options it provides for
> serving dynamic web content. So going forward I'm planning to learn
> how to do all of these things.

Most of what matters is supported. Support for Perl and PHP is extensive.
 
> Does this sound like a good plan? What would you say is a good way
> to learn the correct and secure way of using these technologies?

Start with an existing solution like Drupal. It may be totally overkill
but you'll get to know the terminology and technologies involved.  If
you insist on developing a homegrown solution, keep in mind that people
easily get bored when things are not working. And content matters more
than design! If what you have to say is interesting, people will read it
almost regardless of the way you present it. If you've got nothing to say
people will not care even if the pages are otherwise esthetically
pleasant.

> Lastly, just a side question. Not sure if this is an FAQ: Running a
> webserver on OpenBSD probably means I'll need to stay up to date with
> security patches. Is there an automatic script I can run so I don't
> have to constantly worry about this aspect of running a website?
> 
> David



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Kamil Cholewiński
On Tue, 26 Apr 2016, David Lou wrote:
> Hello,
>
> This is my first post. :) I suppose this is a high level kind of
> question.
>
> When I say 'blog', I'm referring to a website that contains
> essentially many pages of content. Each content page has attributes
> such as title, date, category, tags, and so on. When a user browses
> this website, the content pages are served in a visually attractive
> layout, with possible bells and whistles such as Facebook/Twitter
> share buttons, and comment sections. Additional features may include
> a search bar and an archive page.

Use a static site generator. Nothing beats a bunch of static files when
it comes to keeping your backend secure. No code is best code.

Don't try to roll your own, unless you're prepared to deal with CSRF,
XSS, comment spam, blah blah blah.

Try one of these: https://www.staticgen.com/

If you need comments, try https://disqus.com/

> Lastly, just a side question. Not sure if this is an FAQ: Running a
> webserver on OpenBSD probably means I'll need to stay up to date with
> security patches. Is there an automatic script I can run so I don't
> have to constantly worry about this aspect of running a website?

For OS security updates: https://stable.mtier.org/

If you install packages from third-party sources (pip, gem, npm, go get,
whatever), you need to come up with some sort of strategy. Best if you'd
subscribe to some sort of security@ or announce@ mailing list for each
project you care about.

K.