After all of the “excitement” I’ve resolved to embrace the KISS principle a little more. There are certainly limits — I can’t personally vouch for every line of code in Linux and Apache, but I’m pretty sure they’re safe bets. Same with mod_perl and Perl itself.
There are enough people using them on public production servers that the security problems are largely known and documented. If I had to put forward a guess as to where things went wrong it was probably with TWiki. It seems to have a tendency to be used behind corporate firewalls, and has a much smaller installed base than Linux or Apache.
Of course, it’s entirely likely that it was a more familiar demon (not daemon) at work — inexperience. That was perhaps my second TWiki installation, as opposed to the Linux or Apache installations I’ve done, which number in the thousands. It’s easy to imagine that I missed some important step in securing the installation. It may have even been one of those things that would have even a moderately-experienced TWiki-er rolling their eyes and saying “oh, you didn’t miss that huge, important step with all the blinking lights and police tape”.
That being said, I’m not too terribly interested in seeing how my third TWiki installation attempt would stand up to the world. I’m looking at some alternatives that I can vouch for. I trust my building blocks. I certainly don’t think that I can do large-scale software security better than the TWiki folks — indeed, I’d argue for their abilities over mine any day of the week. I don’t intend to do anything large-scale. I intend to do it as small and simple as I can get away with.
Someone who is a lot smarter than me said something to the effect of there being two ways to build software. You can build complex software that has no obvious defects, or you can build simple software that obviously has no defects. I’m going to make a play at the latter. I’d sooner risk taking my lumps along the way and learn as I do it, rather than fiddle with a huge piece of software of which I will use 15% of the capability and don’t have the time to fully learn and understand.
So what’s next? Some software, obviously. But not before I bring back the blog entries that were on the wiki and make sure I can keep writing them. Where once there was TWiki there is now vi, and I can handle that. So first things first — the archives!