[lists] Re: [clo-devel] Getting clhp installed on Apache

Nikodemus Siivola nikodemus at random-state.net
Fri Nov 14 12:34:42 UTC 2003

I'm answering multiple mails here for the sake of convenience.

> As far as the project goes, I consider it vital to have the home
> page actually running on a clhp back-end.

I'm probably missing something obvious here... but why? What kind of
dynamic content do you need? 

Or do you mean vital in the sense of "prove it works"?

> As far as the overhead for Erik, the installation is pretty
> straightforward, 

I don't doubt this. But the only person who can gauge Erik's workload
is Erik.


> In my previous post I gave some of the potential
> problems, which are no more of a risk than running CGI scripts.

Very true. And unrestricted CGI is a Bad Idea on a production server
with multiple projects. All it takes is one project with one mistake
in one CGI script, and Common-lisp.net grinds to a halt because the disk
gets written full, or all the time is spent swapping, or an attacker
uses the CGI to snoop the system, etc.

On a single project website this is not that much of a problem:
people can hurt themselves, but not others.

Like Mario pointed out, this is why chrooting is *vital*. It's not
about trust, but about security and robustness. And I'd add "running
as nobody" and "chmod -R o-w" to the list. ;)

> As far as the infrastructure, I think that it would be a benefit to us
> all to have it available on the server. Sure we could use PHP to
> provide the same functionality, but I'd assume that most of us would
> rather use Lisp than PHP. 

Very true. But then I don't think we should be offering PHP either, ;)

> I'm not saying it's fit for a heavy load, but with the handful of
> hits /project/clhp gets daily, it's really not going to be
> noticeable.

I'm not worried about anything as long as the number of hits is
moderate. What I am worried about is what will happen when the number
of hits increases. (Getting slashdotted being the worst-case scenario.)

This is why I think only projects that actually need dynamic content
on their pages should have the means for it. I'm not too interested in
starting to differentiate between varieties of "need", as long as a
clear case can be stated.


 -- Nikodemus