

What makes something secure? - 140dbs
http://gwan.ch/blog/20120420.html

======
cd34
Companies that speak about certainty and their server being the fastest need
to take the time to make sure it is.

[http://simonhf.wordpress.com/2012/04/26/g-wan-versus-sxe-hello-world/](http://simonhf.wordpress.com/2012/04/26/g-wan-versus-sxe-hello-world/)
is a benchmark showing sxe, using gwan's benchmark code, as outperforming gwan
1.8x.

Years ago, there were two very fast servers - Zeus and Tux. Tux was a kernel
mode accelerator that avoided context switches and Zeus was the de-facto
standard of 'fastest userspace webserver'.

Chromium X-15 came along but skipped a few compatibility features, and was
labelled 'faster than tux, but in userspace'. Tornado did something similar,
very narrow purpose, but, as they started to bolt on all of the pesky RFC
stuff, became a top-midline application server.

While GWAN is certainly fast, though not the fastest at running its own
benchmark, their boasts will ultimately affect public opinion. Language is a
barrier - perhaps some of their boastful attitude is merely rough translation.

GWAN's use case basically works around almost every webserver's dream - more
cores = odd setups to take advantage of those cores through cpu/irq affinity,
etc. GWAN handles that out of the box which is a definite advantage.

If you needed an app to do some calculations and hand back results with the
least hardware possible, GWAN would be a top contender. Hardware is still
fairly inexpensive, so it would take a rather large company to be able to take
true advantage of the cost savings of reducing their hardware outlay based on
GWAN's scaling.

------
ftoll
G-WAN.. secure.. oh wait!

[http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/](http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/)

and official response:

<http://gwan.ch/en_timeline.html>

Search for "New serve cache.c", as the page does not have any anchors (and
forbids selecting text too).

In the current post he also claims "Since 2009, the year of its first public
release, no parsing vulnerability of the HTTP protocol has been found in
G-WAN", which is wrong.

Also, you can read official author statement about open source and security:
[http://forum.gwan.com/index.php?p=/discussion/106/open-source/p1](http://forum.gwan.com/index.php?p=/discussion/106/open-source/p1)

Quote:

    2) Security would be better ensured when you have the scrutiny of other experts
    You mean, those experts who publish products that are full of security holes?
    "Sturgeon was an optimist. Way more than 90% of code is crap" (Al Viro)
    Or those other experts who write reports about how to do it right?

------
CoffeeDregs
I benchmarked a bunch of web servers a few years ago and, in the process,
heard of GWAN. It seemed ridiculously fast, but also seemed quite limited. Can
anyone tell me when I would use GWAN? The description of GWAN lacked a
features-functions-benefits breakdown so I wound up avoiding it because I was
uncertain of its strengths/weaknesses. That said, it's fast enough to make me
wonder what other web servers are missing...

------
aidenn0
A few WTFs:

In 3 years nobody has found a vulnerability so you can be certain we are
secure

Furthermore the homepage seems to make the claim that it will make legacy code
transparently scale to parallel multiprocessor systems.

This really raised my snake-oil detector.

------
kcbanner
I don't really understand what this is. He is comparing it to nginx, but it
doesn't seem to be on the same level. Is this a webserver that you stick in
front of your application like you would do with nginx?

------
gailees
As a budding developer, how should I begin going through the things I create
and making them more secure?

In other words, what gives me the most added security for my time spent
working on it?

~~~
140dbs
I'm a fan of his closing statement, though this sticks in particular:

"...there is room for indisputable certainty, that is, initial choices that
make unexpected events harmless."

I also code by the ideal that you should have a fine line between expected and
unexpected behavior, and generally avoid tacking on special cases as your
needs grow. Of course, various realistic constraints can make this difficult,
but that's why it's an "ideal". :-D

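As an added illustration of the "initial choices that make unexpected events harmless" idea discussed in this subthread (example code written for this page, not code from G-WAN or from any commenter): an HTTP request-line parser whose maximum line length and rejection paths are fixed up front, so oversize, truncated or malformed input always lands in one of a few defined error codes instead of a bolted-on special case. The sample lines inside `count_accepted_samples` are constructed for the demonstration.

```c
#include <ctype.h>
#include <string.h>
#define MAX_REQUEST_LINE 256   /* design-time limit; longer input is rejected, not special-cased */
enum { RL_OK = 0, RL_NEED_MORE = 1, RL_TOO_LONG = -1, RL_MALFORMED = -2 };
/* Parsed view of "METHOD SP target SP HTTP/x.y CRLF"; fields point into buf. */
typedef struct { const char *method, *target; size_t method_len, target_len;
                 int http_major, http_minor; } request_line;

/* Every path returns a defined code, and *out is written only on RL_OK. */
int parse_request_line(const char *buf, size_t len, request_line *out) {
    size_t scan = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    const char *lf = memchr(buf, '\n', scan);
    if (!lf) return len >= MAX_REQUEST_LINE ? RL_TOO_LONG : RL_NEED_MORE;
    size_t n = (size_t)(lf - buf);                      /* bytes before LF */
    if (n == 0 || buf[n - 1] != '\r') return RL_MALFORMED;
    n--;                                                /* drop the CR */
    const char *sp1 = memchr(buf, ' ', n);
    if (!sp1 || sp1 == buf) return RL_MALFORMED;        /* empty method */
    const char *sp2 = memchr(sp1 + 1, ' ', n - (size_t)(sp1 + 1 - buf));
    if (!sp2 || sp2 == sp1 + 1) return RL_MALFORMED;    /* empty target */
    const char *ver = sp2 + 1;                          /* must be exactly HTTP/d.d */
    if (n - (size_t)(ver - buf) != 8 || memcmp(ver, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)ver[5]) || ver[6] != '.' || !isdigit((unsigned char)ver[7]))
        return RL_MALFORMED;
    for (const char *p = buf; p < sp1; p++)             /* method: uppercase token only */
        if (!isupper((unsigned char)*p)) return RL_MALFORMED;
    for (const char *p = sp1 + 1; p < sp2; p++)         /* target: no control bytes */
        if (iscntrl((unsigned char)*p)) return RL_MALFORMED;
    out->method = buf;     out->method_len = (size_t)(sp1 - buf);
    out->target = sp1 + 1; out->target_len = (size_t)(sp2 - sp1 - 1);
    out->http_major = ver[5] - '0'; out->http_minor = ver[7] - '0';
    return RL_OK;
}

/* Constructed sample lines (not captured traffic): one valid, three hostile. Returns how many parse. */
int count_accepted_samples(void) {
    static const char *const samples[] = {
        "GET /index.html HTTP/1.1\r\n",   /* valid */
        "GET /index.html HTTP/1.1\n",     /* bare LF, no CR */
        "GET /a\x01 HTTP/1.1\r\n",        /* control byte in target */
        "GET /index.html HTTP/1.1x\r\n",  /* junk after the version */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        request_line rl;
        if (parse_request_line(samples[i], strlen(samples[i]), &rl) == RL_OK) accepted++;
    }
    return accepted;
}
```
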
------
petegrif
Spell 'seasoned' properly.

