Hacker News

I've been using Nanoblogger, a Bash-based static website generator, for about ten years. It hasn't been updated in the last four, and indeed is still hosted on SourceForge.

I could switch to something newer and better, but why bother?




> I could switch to something newer and better, but why bother?

Since it's not maintained, personally I'd be tempted to try transitioning to something that is (with minimal change to content and structure/configuration required) to save dealing with it when you're just trying to publish new content and suddenly run up against some bug.


OTOH, if it's worked fine for ten years, the risk of headaches seems lower than anything else.

And for any given static site generator, there's a pretty high risk it will be more or less unmaintained two years from now...


Security updates for instance.


Maybe it's a failure of imagination but I'm struggling to think of how a static site generator could need a security update?


The basic problem of security: They just need to find one attack path. You need to defend all, even the ones you don't know.


Any attack against nanoblogger would be an "on the other side of this airtight hatchway" attack https://blogs.msdn.microsoft.com/oldnewthing/20100114-00/?p=...

Nanoblogger is a bash script in my home directory. To add an entry, I ssh into the web server, give it the text of the post, and it generates a bunch of HTML and writes it to /srv. It is only run to create a new post. It doesn't listen on a port, or talk to the outside world at all.

An attacker could theoretically edit the bash script to do something nefarious... but if they had write access to my home directory they would just edit .bashrc. An attacker could leverage some kind of hole in nginx, (plus a permission elevation vuln, since www-user can't do much) but by then you already own the box, and don't need to bother with nanoblogger. You could ssh in as me, then do something tricky with the script... but if you're logged in as me you own the box. Etc etc etc.

Nanoblogger has about as much attack surface as a rock.
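To make the workflow described in this comment concrete, here is an added example of a generator in the same shape (author supplies a title and body, the script writes one HTML file under an output directory). It is constructed for this page and is not nanoblogger's code; the OUT_DIR variable, the slug rule and the page template are assumptions. The two checks a practitioner would want are visible in it: the body is HTML-escaped so the author's text is always emitted as text, and the output filename is reduced to a single path component so nothing the script writes can land outside the output directory.

```shell
#!/bin/sh
# Added example (not nanoblogger's code): a minimal static generator in the
# shape the comment describes. OUT_DIR (default ./site), the slug rule and the
# page template are assumptions made for this illustration.

set -eu

OUT_DIR="${OUT_DIR:-./site}"

# Escape the five HTML-significant characters so a post body is emitted as
# text, never as markup. '&' is replaced first so later entities are not
# double-escaped.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# Derive a filename from a title: lowercase, runs of [a-z0-9] joined by '-'.
# Every other character (including '/' and '.') is folded into '-', so the
# result is always a single path component under OUT_DIR.
slugify() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
                     | tr -cs 'a-z0-9' '-' \
                     | sed -e 's/^-//' -e 's/-$//'
}

# Render one post to OUT_DIR/<slug>.html and print the path written.
render_post() {
    title="$1"
    body="$2"
    slug=$(slugify "$title")
    [ -n "$slug" ] || { echo "empty slug for title: $title" >&2; return 1; }
    mkdir -p "$OUT_DIR"
    out="$OUT_DIR/$slug.html"
    {
        printf '<!doctype html>\n<html><head><meta charset="utf-8"><title>%s</title></head>\n' \
            "$(html_escape "$title")"
        printf '<body>\n<h1>%s</h1>\n<pre>%s</pre>\n</body></html>\n' \
            "$(html_escape "$title")" "$(html_escape "$body")"
    } > "$out"
    printf '%s\n' "$out"
}

# Usage: render_post 'Post title' "$(cat post.txt)"
```

Like the script in the comment, this only reads what the author hands it and only writes files under one directory; it opens no sockets and takes no input from the web server side.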


Well, because we have never seen any exploits with bash (Shellshock anybody?) or ssh (Heartbleed rings a bell?).

You just don't know the weird ways things can be exploited. And if an exploit is discovered you'll be just as happy as everybody else if you don't need to implement a fix yourself but can rely on others implementing, testing and reviewing fixes that they provide to you as an update.


> we have never seen any exploits with bash [..] or ssh [..]?

Sure we have, and they have nothing to do with the static site generator. You're talking about compromising the web server in general. Totally unrelated.

And you don't even need a web server with an SSG. I use one locally and upload to S3. Maybe I "just don't know the weird ways things can be exploited", but I simply can't think of any conceivable angles on that.

References to mysterious unknowable hacking superpowers aren't really useful. Paranoia is to be encouraged in security, but sometimes it really is just plain secure!


An exploit in bash or ssh would be fixed by a patch to bash/ssh, and has nothing to do with any given bash script.


> static

Interested if/how this could be exploited





