[Lispweb] Araneida

Edi Weitz edi at agharta.de
Thu Apr 21 14:21:11 CDT 2005


On Thu, 21 Apr 2005 10:58:24 -0700, John Foderaro <jkf at franz.com> wrote:

> In what way is AllegroServe not sufficient for this?  One sample
> server we've been running here is at www.pandorabots.com which gets
> a constant load of 60,000 (non-trivial to handle) requests per hour.
> Yesterday we saw a peak rate of 300,000 requests per hour.  It's
> been doing this 24/7 for a few years now and survived two
> slashdottings without a problem.  And it does handle keep-alive
> connections.

That's impressive - I didn't know that.

> Doing http in lisp is possible and safer than using any popular
> C-based http server.  Apache and IIS are big juicy targets for
> crackers and many successful exploits have been written against them
> and will be written in the future.  Zero exploits have been written
> against AllegroServe because it's written in a language not prone to
> buffer overflow problems and because it's so rarely used that it's
> just not worth a cracker's time.

The original posting was about Portable AllegroServe, not about
AllegroServe.  The interesting question for me (and probably for
others) is whether Portable AllegroServe on LW, CMUCL, or whatever
will be able to be as performant and secure as AllegroServe although
it has to go through all the portability hoops.

I generally agree that a pure Lisp solution is nicer than, say, using
the FFI or interfacing with an external program but in the case of
Apache I think we're talking about a veritable warhorse that has been
tested endlessly in the "real" world.  Granted, there have been
security problems but there weren't many and they've always been fixed
quickly.  (Let's forget about IIS for a moment.)

For my projects I don't care that much about corporate acceptance but
if I expose data of my customers to the Internet I'd rather be safe
than sorry.  Regarding the security and scalability of Lisp-based HTTP
servers I can see only anecdotic evidence like yours at the moment and
this is not even about an implementation I'm currently deploying on.

Also, relying on the fact that cracks are unlikely because Lisp isn't
a "worthy" target for crackers seems a bit like security through
obscurity to me.

> Is there anything easier than this:
>
> (require :aserve)
> (net.aserve:start)

Installing and deploying Portable AllegroServe is a tad harder.  Not
everyone enjoys the luxury of using AllegroCL... :)

BTW, while we're talking about luxury - is anyone on this list
familiar with the HTTP capabilities of Scieneer Common Lisp 1.2?  Just
curious.

Cheers,
Edi.


