Moving to Pelican

Posted on July 22, 2014 in Security • 4 min read

Obviously there’s a new look here, and a distinct lack of WordPress. Also a distinct lack of old posts. That’s fine, there weren’t that many of them lying around anyways, and they were mostly just getting in the way. So we’ve done away with WordPress and the old posts in favor of…

Pelican…

Pelican is a static blog generator written in Python. What is Python? It’s a programming language. Do you live under a rock? What’s a static blog generator? Well, you can obviously be excused for not knowing that one…

In order to do static blog generators justice, first I need to go back to the age before WordPress. You see, far back in ancient history, we know from shards of pottery that everybody coded their websites in pure HTML (maybe with a tiny sprinkling of CSS) and maybe included some of this crazy stuff known as JavaScript, thus confusing their bosses forever when they insisted on referring to their webpages as “Java applications” (this is a thing that bosspeople often do, I promise).

However, this made it supremely cumbersome (and overly copy-paste heavy) to construct large websites, because you had to write each and every page in raw HTML or in some kind of editor that output HTML (and those often output code of dodgy quality). The next step in webby goodness was for people to start using solutions like WordPress and Blogger, which keep all of the individual page data in a database and serve it up to users depending on which page they want. This was much better in terms of required coding time, because you only had to write the page ONCE, and it stayed written.

Seems like a great idea, but unfortunately it’s now become one great big

MESS

One of the problems with these types of websites (known as “dynamic” websites) is that the databases that contain their data are not web accessible. For the client’s machine to retrieve the data it needs to render the page, it has to submit a request to a program on the server, which executes a query on the database and returns the result to the client. This is typically done via what is known as CGI, which is a single word for an entire range of technologies to get information out of something that doesn’t have a web interface back into a web interface.

If you can see the problem, you have a future as a paranoid security dork.

The problem, for those of you that didn’t see it, is that you are allowing whoever is allowed to access your website (often the general public) access to a much greater subsection of your server than you normally would when serving just HTML. With static HTML pages, you provide file access in specific folders only. With CGI, you’re basically allowed to do anything the CGI program lets you get away with. This elevates any bug in the CGI program to a site-wide security vulnerability. WordPress security vulnerabilities, as tiny as they may be, have had catastrophic consequences, including allowing complete control over the machine hosting the software.

It seems like it might be time to look for something a little better, and thankfully the rapidly dropping price of storage might help a bit with the

Cleanup

This is where static blog generators really shine. Static blog generators take the traditional idea of a code compiler (that thing that takes programming source code and turns it into actual runnable programs made of ones and zeroes) and apply it to text documents. They take these text documents (usually written with simple markup like you might have seen in an old email) and render them into attractive, modern websites. The downside is that you have to re-compile every time you add a page, but the upside is that everything involved in using server-side languages goes away.

  • No databases to manage.
  • No security holes in your web application.
  • No configuration problems with your web application installation.
  • Added benefit: because the pages are pre-rendered (no database calls need to be made or server-side code executed), the pages are super fast and lightweight.
  • Added benefit: because the pages are pre-rendered, you can host your blog literally anywhere. Free web hosting, some VPS somewhere, that old computer in your grandma’s basement. It takes almost nothing to host a static blog, and the installation requirements are…
    • An HTTP server.
    • There is no 2nd item. That’s it, that’s the whole list.
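
To make the "compiler for text documents" idea concrete, here is an added example (written for illustration, not Pelican's own code and not from the original post). It compiles a post into a plain HTML file at build time, escaping all author text so nothing in a post is interpreted as markup or run on the server. The `Key: value` header follows the metadata style Pelican accepts for Markdown posts; the function names and the sample post are constructed.

```python
import html
import re
from pathlib import Path

# Constructed sample post: "Key: value" metadata lines, a blank line, then the body.
SAMPLE_POST = """Title: Moving to <static>
Date: 2014-07-22
Slug: moving-to-pelican

Static pages are *pre-rendered*.

<script>alert(1)</script> is treated as text, not markup.
"""

def parse_post(text):
    """Split a post into a metadata dict and a body string."""
    head, _, body = text.partition("\n\n")
    pairs = (line.partition(":") for line in head.splitlines())
    meta = {key.strip().lower(): value.strip() for key, _, value in pairs}
    return meta, body.strip()

def render_html(meta, body):
    """Render one post to a complete HTML page, escaping all author text."""
    title = html.escape(meta.get("title", "Untitled"))
    paragraphs = []
    for block in re.split(r"\n\s*\n", body):
        safe = html.escape(block)                          # escape first...
        safe = re.sub(r"\*(.+?)\*", r"<em>\1</em>", safe)  # ...then add our own markup
        paragraphs.append(f"<p>{safe}</p>")
    return (f"<!DOCTYPE html>\n<html><head><title>{title}</title></head>\n"
            f"<body><h1>{title}</h1>\n" + "\n".join(paragraphs) + "\n</body></html>\n")

def build_site(posts, output_dir):
    """Compile every post to output_dir/<slug>.html and return the written paths."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for text in posts:
        meta, body = parse_post(text)
        # Restrict the slug to a safe filename so a post cannot write outside output_dir.
        slug = re.sub(r"[^a-z0-9-]", "-", meta.get("slug", "post").lower())
        target = out / f"{slug}.html"
        target.write_text(render_html(meta, body), encoding="utf-8")
        written.append(target)
    return written

if __name__ == "__main__":
    print(render_html(*parse_post(SAMPLE_POST)))
```

Everything above runs once, on the author's machine; the HTTP server only ever hands out the finished `.html` files.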

From a security and speed standpoint, static blog generators are a big win. From a storage size standpoint, they take up a bit more space (although not as much as you might think, since so many sites are mostly text). But they still have a long way to go, as their current user base is still mostly software developers. But I hope that some people might read this article on my static blog, read it a little, and think that it’s a good reason to give a static blog a try.

Feel free to drop me a line if you want some help!

Jason R.