Hiawatha webserver to stop development

desfire Member
edited March 2019 in General

Everything that has a beginning, has an ending. In 2002, the Hiawatha webserver was born. It started as a small hobby project with no serious intentions. But in the years that followed, it grew to a mature webserver with unique and proven security features. Unfortunately, lack of interest in this project has always been a seamy side. Many times, I wondered whether I should keep going on with the project or not, but somehow I always found a reason to continue. But not this time. Recently, a serious issue was found in the Hiawatha webserver and the fact that I didn't care much, made me realize that it's time to stop.

Does this mean that the Hiawatha webserver will stop to exist? No. I still use it myself a lot and I will continue to do so in the future. I will make new releases available via this website and GitLab, but don't expect any more fancy. The most important change is that I will stop seeing and promoting it as an alternative webserver. For the time being, this website will remain online, but I will make the forum read-only. The contact form will be removed, I won't send any more newsletters (I will remove all e-mail addresses soon) and I will no longer be available for support questions about the Hiawatha webserver. Security related issues can still be reported, of course.

The most important reason for this is that my spare time is only limited and I'd rather spend it doing other things than developing a webserver. I recently bought an electric guitar and much of my spare time now goes to playing music. And for quite some time, I found a more interesting challenge in organisational security-related subjects and privacy-related subjects than in technical security-related subjects. For the last 6 years, I developed a methodology for performing a risk analysis for information security (in Dutch) and for the last few months, that project is suddenly going very well. It's getting a lot of attention in the Netherlands. And with a friend, I started a weblog about privacy (also in Dutch). And that simply covers most of my spare time.

So, can you continue using the Hiawatha webserver? Well, that depends on what you want from a webserver. Clearly, Hiawatha will never support HTTP/2 or HTTP/3. If you're fine with that and Hiawatha serves your needs, you can continue using it. To be clear: I won't stop developing Hiawatha. But new features will be based on what I need, not on what is needed for a webserver in general.

I now come to the end of my, probably, final message at the Hiawatha weblog. While typing this message, I realize that it's still a serious step for me. But I think it's the right one. Thanks to all who have supported me and this project (you know who you are). Hopefully, Hiawatha will serve you well for as long as possible, but I won't blame you if you switch to another webserver. Thanks and stay safe!

Source: https://www.hiawatha-webserver.org/weblog/132

Thanked by 1NanoG6

Comments

  • Never heard of it, but seems a cool story.
    All the best to the developer. Maybe someone can pick up from where he is leaving.

  • jsg Member, Resident Benchmarker

    Sad. Hiawatha was one of the very few http servers who really cares about security. Unfortunately it completely overlooked http/2 and is also largely thread based.

    But still: some final appreciation and a warm good-bye.

    Thanked by 3sin NanoG6 3606202
  • @gwnd1989 said:
    Never heard of it, but seems a cool story.
    All the best to the developer. Maybe someone can pick up from where he is leaving.

    it was the safest webserver

  • eol Member

    @desfire said:
    it was the safest webserver

    Of course it has to go...

  • @desfire said:

    @gwnd1989 said:
    Never heard of it, but seems a cool story.
    All the best to the developer. Maybe someone can pick up from where he is leaving.

    it was the safest webserver

    .

    Recently, a serious issue was found in the Hiawatha webserver

    .

    Hiawatha webserver to stop development

    .

    To be clear: I won't stop developing Hiawatha

    Thanked by 3eol angstrom netomx
  • sin Member

    yokowasis said: Recently, a serious issue was found in the Hiawatha webserver

    I don't remember there being any serious exploits or anything during Hiawatha's development until that security issue was found and not long after that Hugo decided to stop working on Hiawatha.

    It really is/was an awesome webserver and I'm really sad to see that he has decided to stop working on it :(.

  • eol Member

    It was too good.
    He got an offer he couldn't refuse.

    Thanked by 1sin
  • angstrom Moderator

    It has always looked like an interesting web server.

    Unfortunately, it's not officially packaged by many distributions, which probably has had the effect of limiting its adoption/popularity. For example, as far as I know, it has never been officially packaged by Debian or Ubuntu or Fedora. Am not sure why it hasn't been, but I suspect that the fact that it uses mbed TLS (as opposed to OpenSSL) may be part of the reason.

    Thanked by 2eol sin
  • sin Member

    angstrom said: officially packaged by Debian

    It's not exactly official but a guy named Chris kept a debian repo with Hiawatha debian packages and it was advertised through the Hiawatha forums (plus he had a great guide on setting Hiawatha up to serve Wordpress and all that). I used it for a couple of Wordpress sites and I really liked it and the configuration was easy along with performance being really good.

    Thanked by 1angstrom
  • I used Hiawatha for years and always loved it. I was really sad when I heard the news... I understand Hugo and his decision. But I think that Hiawatha never got the recognition that it deserved. It's a pity.

    Thanked by 2eol angstrom
  • angstrom Moderator

    @sin said:

    angstrom said: officially packaged by Debian

    It's not exactly official but a guy named Chris kept a debian repo with Hiawatha debian packages and it was advertised through the Hiawatha forums (plus he had a great guide on setting Hiawatha up to serve Wordpress and all that). I used it for a couple of Wordpress sites and I really liked it and the configuration was easy along with performance being really good.

    Yeah, I know about the unofficial Debian package.

    There's a list of unofficial packages, https://www.hiawatha-webserver.org/download , but for some reason Hiawatha hasn't really been officially picked up by major distributions (compare with Lighttpd, which has been much more so).

    Thanked by 2sin lazyt
  • jsg Member, Resident Benchmarker

    Yes, the absence of packages for many distros may have kept the click-click (apt-get/yum/pkg ...) crowd away but frankly, building hiawatha was an easy trouble-free no brainer, so I don't think that caused a lot of missed users.

    mbedTLS has a quite good reputation, much better than OpenSSL anyway, so I don't think that was the cause either.

    Wildly guessing I think the killer factor was http/s, that and a not that major issue, with the latter being more of a kind of trigger. When that came up and looking at the massive work to make hiawatha http/2 capable, Hugo probably saw that at this point in his life he wasn't ready to invest that amount of work and that he'd rather focus his energy on something else (also security related). Also keep in mind that http/3 is around the corner ...

    And, let's be honest: hiawatha wasn't a big success - as in "millions and millions using it" - for a reason: most people just don't care enough about security. Installing some "make your server more secure!" package (click-click) yes, but seriously scanning what's available, picking something outside the big 2 or 3, and learning something new and invest some work, nope.

    Thanked by 1lazyt
  • angstrom Moderator

    @jsg said: Wildly guessing I think the killer factor was http/s, that and a not that major issue, with the latter being more of a kind of trigger. When that came up and looking at the massive work to make hiawatha http/2 capable, Hugo probably saw that at this point in his life he wasn't ready to invest that amount of work and that he'd rather focus his energy on something else (also security related).

    The lack of support for HTTP/2 is very possibly Hugo's main reason for deciding to stop his work on Hiawatha, but I'm not sure that this would explain why the major distributions haven't officially packaged Hiawatha. If we take Lighttpd, which is packaged and is reasonably popular, note that it doesn't yet support HTTP/2.

    For the distributions, I'm still inclined to think that the different SSL/TLS base plays a significant role, but it's probably not the whole story.
