2
lucaIO
3y

https://learnbchs.org - The web framework consisting of OpenBSD, C, httpd and SQLite.
What do you think? Not sure if I should call C-webdevs insane or genius (maybe both).
I think the code will either end up very secure or with more severe bugs than any PHP website ever had. Please talk me out of trying it.

Comments
  • 6
    The one time I worked with a high performance backend, the bottleneck wasn't really compute, but IO. Given that, you get exactly no advantage with using C and all the disadvantages. I'd still vote for .net core as the best balance between performance and productivity.
  • 0
    @RememberMe I think the main reason to use BCHS is not necessarily speed, one could probably achieve comparable computation speed with golang for example, but security. OpenBSD has a bunch of interesting security features and minimal software is generally said to be more secure. But although C can be very secure, it can obviously also be very insecure, especially if someone doesn't exactly know what they're doing.
  • 2
    @lucaIO so...your point being...? You'd never use C for secure stuff unless you have a lot of time and verification. OpenBSD being rock solid doesn't add much practical security to my web stack because stable Linuxes are quite secure already and many use OpenBSD software (like OpenSSH), but sure, I'll give it that. SQLite is okayish for read-heavy smaller databases but that's it, anything more and you're going to need a DB server (and server DBs are better for application security because separation).

    The biggest attack surface in a web stack is generally the web application code because heavily used libraries etc. have already been thoroughly vetted, and if that's in C I'm going to give that a hard no for security.
  • 1
    @RememberMe First of all I need to clarify that I am very sceptical of the idea as well, but I thought it would be interesting enough to be worth sharing.
    The OpenBSD security I was speaking of is not limited to the kernel, it also has some modifications to clang which make using C on OpenBSD generally safer than on other platforms. Examples are the removal of outdated functions known to be vulnerable to overflows or the great pledge() which is pretty neat if you ask me.
  • 2
    @lucaIO I know, but it doesn't really compare to a better designed language (for this stuff anyway) in my experience. Besides, productivity for web type stuff is very high in a standard modern framework.

    I'm not shitting on it unconditionally, I'd try it out for the lols, but I don't see how it improves anything in an area that actually was a problem, that's all I'm saying.
  • 2
    C doesn't have security issues if (and that's a big "if") you code that stuff with attackers and deliberately evil input in mind from the beginning, and if (another big "if") you have the experience to pull that off.

    The problem is that you will take a lot longer for the same amount of features in comparable quality than you would in more suited languages.

    If your dev time isn't for free, the cost analysis will pan out badly for C in this use case, which is why C isn't widespread for that.

    Especially the initial MVP needs to have secure code quality already because bolting it on later will not work. That would degrade into a "whack-a-mole" game of endless patches.

    I don't think it's too good of an idea.
  • 2
    @RememberMe @Fast-Nop I agree, I'm not sure if it even is anything but a joke. The website looks a little like it, but it is still an interesting idea. I wouldn't use it, but some diehard C users would probably have some fun with it.