Bug 65259 - www-servers/hiawatha - Advanced and secure webserver
Summary: www-servers/hiawatha - Advanced and secure webserver
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High enhancement with 1 vote
Assignee: Default Assignee for New Packages
URL: http://www.hiawatha-webserver.org/
Whiteboard: [rion-overlay] [sunrise-overlay]
Keywords: EBUILD, InOverlay
Depends on:
Blocks: 466588 503610
Reported: 2004-09-24 16:34 UTC by Hugo Leisink
Modified: 2014-05-22 13:20 UTC
CC List: 6 users


Attachments
hiawatha-3.1.ebuild (hiawatha-3.1.ebuild, 729 bytes, text/plain)
2004-09-24 16:46 UTC, Hugo Leisink
Updated ebuild for hiawatha 6.11 with some improvements (hiawatha-6.11.ebuild, 2.14 KB, text/plain)
2009-01-19 20:49 UTC, Myckel Habets
New init script to make use of Gentoo specific tools (hiawatha, 720 bytes, text/plain)
2009-01-26 17:39 UTC, Myckel Habets
Hiawatha 6.12 ebuild (hiawatha-6.12.ebuild, 2.18 KB, text/plain)
2009-05-02 14:49 UTC, Myckel Habets
Hiawatha 6.13 ebuild (hiawatha-6.13.ebuild, 2.18 KB, text/plain)
2009-05-07 20:04 UTC, Myckel Habets
Hiawatha 6.14.1 ebuild (hiawatha-6.14.1.ebuild, 2.18 KB, text/plain)
2009-06-08 20:50 UTC, Myckel Habets
Hiawatha 6.15 ebuild (hiawatha-6.15.ebuild, 2.27 KB, text/plain)
2009-07-06 18:21 UTC, Myckel Habets
gentoo-specific php-fcgi init script (php-fcgi, 653 bytes, text/plain)
2009-07-06 18:22 UTC, Myckel Habets
Hiawatha 6.16 ebuild (hiawatha-6.16.ebuild, 2.56 KB, text/plain)
2009-07-29 19:23 UTC, Myckel Habets
Updated init script starting hiawatha-6.16 (hiawatha, 726 bytes, text/plain)
2009-07-29 19:24 UTC, Myckel Habets
hiawatha.initd (hiawatha.initd, 450 bytes, text/plain)
2009-10-16 12:53 UTC, Thomas Eckert
hiawatha-7.8.2.ebuild (hiawatha-7.8.2.ebuild, 1.18 KB, text/plain)
2011-11-26 16:14 UTC, Andreis Vinogradovs ( slepnoga )
bump ebuild (hiawatha-8.0.ebuild, 1.53 KB, text/plain)
2012-02-03 15:20 UTC, Andreis Vinogradovs ( slepnoga )
cmake patch (cmake_disable_bundled.patch, 904 bytes, text/plain)
2012-02-03 15:20 UTC, Andreis Vinogradovs ( slepnoga )
hiawhatha-9.0 ebuild (hiawatha-9.0.ebuild, 2.53 KB, text/plain)
2013-04-12 18:30 UTC, Andreis Vinogradovs ( slepnoga )
overhauled hiawatha-9.0 ebuild (hiawatha-9.0.ebuild, 1.50 KB, text/plain)
2013-04-20 18:49 UTC, René 'Necoro' Neumann
hiawatha-9.0-no-bundled-polarssl.patch (hiawatha-9.0-no-bundled-polarssl.patch, 1.37 KB, patch)
2013-04-20 18:51 UTC, René 'Necoro' Neumann
hiawatha-9.1.1.ebuild (hiawatha-9.1.1.ebuild, 1.58 KB, text/plain)
2013-04-24 20:10 UTC, René 'Necoro' Neumann
hiawatha-9.1.1.ebuild (hiawatha-9.1.1.ebuild, 1.73 KB, text/plain)
2013-04-25 16:58 UTC, René 'Necoro' Neumann

Description Hugo Leisink 2004-09-24 16:34:55 UTC
Hiawatha is an advanced and secure webserver for Unix. It has been written with 'being secure' as its main goal. This resulted in a webserver which has for example SSL, DoS protection, connection control and traffic throttling. It has of course also thoroughly been checked and tested for buffer overflows.
Comment 1 Hugo Leisink 2004-09-24 16:46:33 UTC
Created attachment 40332 [details]
hiawatha-3.1.ebuild
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-01-14 17:01:52 UTC
(this is an automated message based on filtering criteria that matched this bug)
'EBUILD' is in the KEYWORDS which should mean that there is an ebuild attached to
this bug.
This bug is assigned to maintainer-wanted which means that it is not in the main
tree.

Hello, The Gentoo Team would like to firstly thank you for your ebuild
submission. We also apologize for not being able to accommodate you in a timely
manner. There are simply too many new packages.

Allow me to use this opportunity to introduce you to Gentoo Sunrise. The sunrise
overlay[1] is an overlay for Gentoo which we allow trusted users to commit to and
all users can have ebuilds reviewed by Gentoo devs for entry into the overlay.
So, the sunrise team is suggesting that you look into this and submit your
ebuild to the overlay where even *you* can commit to. =)

Because this is a mass message, we are also asking you to be patient with us. We
anticipate a large number of requests in a short time. 

Thanks,
On behalf of the Gentoo Sunrise Team,
Jeremy.

[1]: http://www.gentoo.org/proj/en/sunrise/
[2]: http://overlays.gentoo.org/proj/sunrise/wiki/SunriseFaq
Comment 3 Myckel Habets 2009-01-19 20:49:48 UTC
Created attachment 179031 [details]
Updated ebuild for hiawatha 6.11 with some improvements
Comment 4 Myckel Habets 2009-01-26 17:39:50 UTC
Created attachment 179783 [details]
New init script to make use of Gentoo specific tools
Comment 5 Myckel Habets 2009-05-02 14:49:22 UTC
Created attachment 190129 [details]
Hiawatha 6.12 ebuild

Here is the updated ebuild for Hiawatha 6.12. The init script is now installed from within the ebuild.
Comment 6 Myckel Habets 2009-05-07 20:04:46 UTC
Created attachment 190641 [details]
Hiawatha 6.13 ebuild
Comment 7 Myckel Habets 2009-06-08 20:50:54 UTC
Created attachment 193930 [details]
Hiawatha 6.14.1 ebuild

Here is an updated ebuild for Hiawatha 6.14.1
Comment 8 Myckel Habets 2009-07-06 18:21:53 UTC
Created attachment 196934 [details]
Hiawatha 6.15 ebuild

Updated ebuild, installs now also gentoo-specific php-fcgi init script.
Comment 9 Myckel Habets 2009-07-06 18:22:56 UTC
Created attachment 196935 [details]
gentoo-specific php-fcgi init script

Is installed starting hiawatha-6.15 ebuild.
Comment 10 Myckel Habets 2009-07-29 19:23:40 UTC
Created attachment 199583 [details]
Hiawatha 6.16 ebuild

New ebuild for hiawatha 6.16.

httpd.conf gets renamed! Use updated init script.
Comment 11 Myckel Habets 2009-07-29 19:24:25 UTC
Created attachment 199585 [details]
Updated init script starting hiawatha-6.16
Comment 12 Thomas Eckert 2009-10-16 12:53:00 UTC
Created attachment 207306 [details]
hiawatha.initd

Gentoo-style init.d-script for hiawatha.
hopefully this will lower the barrier for adding this to the tree. Thx.
Comment 13 Thomas Eckert 2009-10-16 12:54:56 UTC
hiawatha 6.17.1 is released -- just rename the ebuild to update
Comment 14 Amar 2011-09-06 07:25:20 UTC
Hello

Could someone please be kind to update this ebuild. Current version is 7.6

ty.
Comment 15 Andreis Vinogradovs ( slepnoga ) 2011-11-26 16:14:58 UTC
Created attachment 293861 [details]
hiawatha-7.8.2.ebuild
Comment 16 Amar 2011-12-25 19:57:45 UTC
Can someone please update the init script too, as the one above doesn't work

ty.
Comment 17 Andreis Vinogradovs ( slepnoga ) 2012-02-03 15:20:26 UTC
Created attachment 300863 [details]
bump ebuild
Comment 18 Andreis Vinogradovs ( slepnoga ) 2012-02-03 15:20:42 UTC
Created attachment 300865 [details]
cmake patch
Comment 19 Andreis Vinogradovs ( slepnoga ) 2012-02-03 15:23:28 UTC
Hugo, please review the cmake patch and add the possibility to support the system library
Comment 20 Maxim Koltsov (RETIRED) gentoo-dev 2012-02-03 15:32:42 UTC
Hi Hugo,
Specially for you, Gentoo has a proxy maintainers project [1]. It can help you maintain your own package with the help of a dev. I can be your committer if you agree to be maintainer.

[1] http://www.gentoo.org/proj/en/qa/proxy-maintainers/index.xml
Comment 21 Andreis Vinogradovs ( slepnoga ) 2012-02-03 15:37:33 UTC
Hugo, I can help you in writing the ebuild and with the right Gentoo policies
Comment 22 Hugo Leisink 2012-02-03 22:32:45 UTC
What is the idea of the CMake patch? Is the current CMakeLists.txt not working on Gentoo? Just like to know the reason for the suggested CMakeLists.txt changes.
Comment 23 Andreis Vinogradovs ( slepnoga ) 2012-02-04 09:43:01 UTC
(In reply to comment #22)
> What is the idea of the CMake patch? Is the current CMakeLists.txt not working
> on Gentoo? Just like to know the reason for the suggested CMakeLists.txt
> changes.
The current cmake uses the bundled library, polarssl (the patch fixes it), and installs
files in /usr/var/... - it's fixed in the configure phase
Comment 24 Hugo Leisink 2012-02-04 12:44:27 UTC
The CMake patch doesn't work for me. You say that the CMake patch 'fixes' that the bundled PolarSSL library is used. Well... that is intended. So, why fix what is already correct? If the patch is better for Gentoo, it's of course ok if you do so. But I'm not going to apply the patch to the mainstream package.

In an earlier message, I was asked to be 'the maintainer'. I guess you mean the maintainer of the ebuild. I don't use Gentoo, so I don't know much about Gentoo. Therefore I don't think that would be a good idea.
Comment 25 Markos Chandras (RETIRED) gentoo-dev 2012-12-22 11:59:03 UTC
nothing for us to do here. CC proxy-maintainers bug if someone is interested in maintaining it
Comment 26 Andreis Vinogradovs ( slepnoga ) 2013-04-12 18:30:38 UTC
Created attachment 345406 [details]
hiawhatha-9.0 ebuild
Comment 27 Hugo Leisink 2013-04-13 06:47:00 UTC
Comment on attachment 345406 [details]
hiawhatha-9.0 ebuild

mycmakeargs: COMMAND does not exist anymore. The command channel was renamed to Tomahawk

mycmakeargs: The DEBUG flag is not relevant for users. It's better to remove it here.

s/serwer/server/
s/HOWTOO/HOWTO/
Comment 28 René 'Necoro' Neumann 2013-04-20 18:49:25 UTC
Created attachment 346108 [details]
overhauled hiawatha-9.0 ebuild

I took the liberty to revamp the ebuild. These are the (main) changes:

* make hiawatha-monitor into its own package
* (there:) shortened and fixed the postinst message

* remove src_unpack -- unneeded
* renamed 'xslt' to 'xsl' to fit the global useflag
* renamed 'control' to 'tomahawk': 'control' is unspecific, and with 'tomahawk' one at least knows what to google for
* remove 'tomahawk' as default: if one does not know what this is, one does not want it
* renamed 'toolkit' to 'rewrite' to match other packages
* make 'rewrite' a default set useflag, as one expects this functionality in a default webserver
* removed the php-fcgi stuff: use php[fpm] instead
* got the ebuild reviewed on #gentoo-sunrise

I also took the chance to clean up the list of attachments in this bug :)

Also: Please note, that hiawatha-9.1 can at the moment not be packaged for Gentoo, as Gentoo lacks polarssl-1.2.7
Comment 29 René 'Necoro' Neumann 2013-04-20 18:51:30 UTC
Created attachment 346110 [details, diff]
hiawatha-9.0-no-bundled-polarssl.patch

Overhauled patch to unbundle polarssl. Now also includes a description :)

@Hugo: Bundled libs are bad. And not allowed in Gentoo.
Comment 30 Hugo Leisink 2013-04-20 19:24:19 UTC
Hiawatha always requires the latest version of PolarSSL. Since it is never available on any Linux or BSD distro, there is no other way than to ship it with Hiawatha.
Comment 31 René 'Necoro' Neumann 2013-04-20 19:37:15 UTC
> Hiawatha always requires the latest version of PolarSSL. Since it is never
> available on any Linux or BSD distro, there is no other way than to ship it
> with Hiawatha.

With this requirement there won't be a way that Hiawatha will find its way into the main portage tree. Why 'always the latest'? Hiawatha-9.0 for example will run just fine with polarssl-1.2.5 ...
Comment 32 Hugo Leisink 2013-04-20 20:13:59 UTC
Hiawatha uses the latest features that have been added to PolarSSL. Some have been implemented on my request.
Comment 33 Hugo Leisink 2013-04-20 20:20:08 UTC
But what are we talking about really? It's only one file 300kb in size. No big deal, right?
Comment 34 René 'Necoro' Neumann 2013-04-20 21:11:44 UTC
(In reply to comment #33)
> But what are we talking about really? It's only one file 300kb in size. No
> big deal, right?

It's not about size. It's mainly about security considerations and also symbol collisions. Please see http://wiki.gentoo.org/wiki/Why_not_bundle_dependencies or http://blog.flameeyes.eu/2009/01/bundling-libraries-for-despair-and-insecurity.

And in the end: It's Gentoo Policy. Full stop.
Comment 35 Hugo Leisink 2013-04-20 21:23:44 UTC
Well, in that case all Gentoo users are doomed to use Apache, nginx or some other monstrous web server. You want to be responsible for that? ;)
Comment 36 René 'Necoro' Neumann 2013-04-21 09:17:09 UTC
Well -- there now is a reasonable ebuild. So anyone interested can use it and/or put into an overlay. Getting into sunrise should be simple now.

And FWIW: I put together the ebuild and only after this tested the server. It did not meet my requirements, so I honestly do not care about its further future in Gentoo.
Comment 37 Thomas Eckert 2013-04-21 09:37:27 UTC
Apologies if this was discussed already: why not create a polarssl rebuild and unbundle it from Hiawatha?

As a side note: the distribution should not restrict the available packages to the ones the maintainer has use for. Nor is it productive to be rude to authors (Hugo in this case).
Comment 38 René 'Necoro' Neumann 2013-04-21 13:28:49 UTC
(In reply to comment #37)
> Apologies if this was discussed already: why not create a polarssl rebuild
> and unbundle it from Hiawatha?

If you would have looked at the ebuild or the patch: It unbundles PolarSSL already. AND: There is a PolarSSL-ebuild in the tree. But just not as up-to-date as the one Hugo ships. All that was asked was to support unbundling upstream too, because else one has to a) always ship and maintain an unbundling patch, and b) might get into trouble when Hiawatha modifies its internal version.

All that is needed from upstream is:

* The support for a system-wide PolarSSL installation.
* An explicit dependency information ("needs at least version x.y.z")

> As a side note: the distribution should not restrict the available packages
> to the ones the maintainer has use for. 

First: I'm not a Gentoo dev. Just a user who wanted to fix broken ebuilds.
Second: Being maintainer for a package one does not use is not helpful. How should one notice breakages or changes in behavior?
Third: Everyone is doing the maintainership in their spare time. Hence everybody can restrict to these things that he likes. If you want to have it in the tree: Step up and find a dev as proxy-maintainer. Or at least bring it into sunrise.

> Nor is it productive to be rude to authors (Hugo in this case).

I didn't intend to be rude. If I were, please take my apologies.
Comment 39 Hugo Leisink 2013-04-21 16:07:07 UTC
I'll see what I can do to add some compiler options to build against an already installed version of PolarSSL. Shouldn't be too hard. But, the consequences of building against a lower version of PolarSSL than required are not mine to deal with of course.

And about the 'being rude' thing: I haven't read any comment that could be seen as such. So apologies are not necessary.
Comment 40 René 'Necoro' Neumann 2013-04-21 16:30:42 UTC
(In reply to comment #39)
> I'll see what I can do to add some compiler options to build against an
> already installed version of PolarSSL. Shouldn't be too hard.

That would be great. Something along the lines of "ENABLE_SYSTEM_POLARSSL=ON" should be sufficient.

> But, the
> consequences of building against a lower version of PolarSSL than required
> are not mine to deal with of course.

Of course.

I think, at the moment there is no real consumer of PolarSSL in the tree, hence it lags behind in releases. This could change as soon as there is a need of more recent versions.
Comment 41 Hugo Leisink 2013-04-23 15:21:37 UTC
Can you please test if this matches your needs?
http://www.leisink.net/hiawatha-9.1.tar.gz

Use -DUSE_INSTALLED_POLARSSL=on to ignore the PolarSSL library shipped with Hiawatha. It requires PolarSSL v1.2.0 or higher.
Comment 42 René 'Necoro' Neumann 2013-04-24 20:10:28 UTC
Created attachment 346510 [details]
hiawatha-9.1.1.ebuild

Thanks to Hugo, we now have a version of Hiawatha that does not depend on the bundled PolarSSL any longer. I modified the ebuild accordingly.

Please note, that the version 9.1.1 is a somewhat 'Gentoo-only' release with only this change and has therefore not been advertised on the homepage.

This new hiawatha-ebuild can now be found in the sunrise-overlay.
Comment 43 René 'Necoro' Neumann 2013-04-25 16:58:02 UTC
Created attachment 346594 [details]
hiawatha-9.1.1.ebuild

Other ebuild contained a few flaws. Things changed:

* removed chroot useflag -- obsolete as per Hugo
* renamed xsl to xslt
* added warning that xslt is needed for directory listings -- made it default therefore
* added missing passing of 'tomahawk' to cmake
Comment 44 onox 2013-04-28 21:56:35 UTC
Although I'm just a user, I want to make a comment about bundling polarssl :) 9.1 bundles 1.2.7, which is barely 2 weeks old. Portage contains version 1.2.5 as of this moment, which was released just last month. You need to give downstream some time ;)

Either you can keep bundling bleeding edge versions of polarssl (why not also bundle latest glibc or other deps?), which is bad for the various reasons as described in the comments above, or you can just require a version that is less than the latest-and-greatest. IMHO it's better to just modify the build system to require and check for the version you want (>=1.2.0 or =1.2.7). Then it becomes the responsibility of downstream or the user to get that version into their distribution's tree.

Oh, and don't say that too few distributions package polarssl :p Distributions distribute a boatload of obscure applications in their trees, so if they don't distribute a well maintained application like polarssl yet, their users just need to poke the maintainers more often ;)
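
An added example, not part of this bug thread and not Hiawatha or Gentoo code: one way a downstream build script could perform the version check suggested in comment 44 before passing the `-DUSE_INSTALLED_POLARSSL=on` option from comment 41 (minimum v1.2.0). It assumes the installed header is `polarssl/version.h` with the `POLARSSL_VERSION_MAJOR`/`MINOR`/`PATCH` macros; the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate -DUSE_INSTALLED_POLARSSL=on on the system PolarSSL version.
# The default minimum of 1.2.0 is the requirement stated in comment 41.

# Print MAJOR.MINOR.PATCH read from a version.h; fail if any macro is missing.
polarssl_header_version() {
    awk '
        $1 == "#define" && $2 == "POLARSSL_VERSION_MAJOR" { maj = $3 }
        $1 == "#define" && $2 == "POLARSSL_VERSION_MINOR" { min = $3 }
        $1 == "#define" && $2 == "POLARSSL_VERSION_PATCH" { pat = $3 }
        END {
            if (maj == "" || min == "" || pat == "") exit 1
            printf "%d.%d.%d\n", maj, min, pat
        }' "$1"
}

# Succeed when version $1 >= version $2 (numeric comparison, field by field,
# so 1.10.0 correctly sorts above 1.2.7).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print the CMake flag when the header at $1 meets minimum $2. Otherwise print
# nothing and fail, so the build aborts instead of quietly using a library
# that is too old or falling back to the bundled copy.
polarssl_cmake_flag() {
    header=$1 minimum=${2:-1.2.0}
    found=$(polarssl_header_version "$header" 2>/dev/null) || {
        echo "no usable PolarSSL header at $header" >&2; return 2; }
    version_ge "$found" "$minimum" || {
        echo "system PolarSSL $found is older than required $minimum" >&2; return 1; }
    echo "-DUSE_INSTALLED_POLARSSL=on"
}

# Constructed sample input: a minimal version.h carrying only the three macros.
write_sample_header() {
    printf '#define POLARSSL_VERSION_MAJOR  %s\n#define POLARSSL_VERSION_MINOR  %s\n#define POLARSSL_VERSION_PATCH  %s\n' \
        "$2" "$3" "$4" > "$1"
}

# Demo with the versions named in the thread: 1.2.5 in Portage, 1.2.7 bundled.
demo_dir=$(mktemp -d)
write_sample_header "$demo_dir/version.h" 1 2 5
polarssl_cmake_flag "$demo_dir/version.h" 1.2.0          # meets the 1.2.0 minimum
polarssl_cmake_flag "$demo_dir/version.h" 1.2.7 || true  # too old if 1.2.7 were required
rm -rf "$demo_dir"
```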
Comment 45 Hugo Leisink 2013-04-29 06:21:53 UTC
"You need to give downstream some time ;)"
If that's true, then it would also apply to Hiawatha itself. So, that's not a reason to not include the latest PolarSSL in the latest Hiawatha. In fact, that would be a perfect reason to do so, because then both would mature in the same time.

So, if you don't trust the latest PolarSSL, then you also don't trust the latest Hiawatha. There is a simple solution for it: don't use it. Simply download one that's a month old. However, bugs that are found in those versions are always fixed in a later release. So, unless someone takes the time to apply bugfixes to those older versions, there is really no point in using an older version.

"...their users just need to poke the maintainers more often ;)"
If you really think that's going to happen, please think again.
Comment 46 Julian Ospald 2014-04-27 14:06:24 UTC
bundling security/crypto libs is wrong, wrong, wrong
Comment 47 Julian Ospald 2014-04-27 14:13:32 UTC
also, polarssl is now actively maintained by myself

anyone wants to step forward to proxy-maintain hiawatha? I don't see recent ebuilds anywhere
Comment 48 Julian Ospald 2014-04-27 23:01:47 UTC
I made this block the "polarssl support in gentoo" bug, because afais this is the only webserver currently that has polarssl support.

In the light of the recent openssl messups, it looks like a good alternative.
Comment 49 Julian Ospald 2014-05-22 13:20:03 UTC
*hiawatha-9.5 (22 May 2014)

  22 May 2014; Julian Ospald <hasufell@gentoo.org> +hiawatha-9.5.ebuild,
  +files/hiawatha.initd, +metadata.xml:
  initial import wrt #65259