Two years ago, I took on the maintenance of thttpd, a web server written by Jef Poskanzer at ACME Labs . The code hadn’t been update in about 10 years and there were dozens of accumulated patches on the Gentoo tree, many of which addressed serious security issues. I emailed upstream and was told the project was “done” whatever that meant, so I was going to tree clean it. I expressed my intentions on the upstream mailing list when I got a bunch of “please don’t!” from users. So rather than maintain a ton of patches, I forked the code, rewrote the build system to use autotools, and applied all the patch. I dubbed the fork sthttpd. There was no particular meaning to the “s”. Maybe “still kicking”?
I put a git repo up on my server , got a mail list going , and set up bugzilla . There hasn’t been much activity but there was enough because it got noticed by someone who pushed it out in OpenBSD ports .
Today, I finally pushed out 2.27.0 after two years. This release takes care of a couple of new security issues: I fixed the world readable log problem, CVE-2013-0348 , and Vitezslav Cizek <firstname.lastname@example.org> from OpenSUSE fixed a possible DOS triggered by specially crafted .htpasswd. Bob Tennent added some code to correct headers for .svgz content, and Jean-Philippe Ouellet did some code cleanup. So it was time.
Web servers are not my style, but its tiny size and speed makes it perfect for embedded systems which are near and dear to my heart. I also make sure it compiles on *BSD and Linux with glibc, uClibc or musl. Not bad for a codebase which is over 10 years old! Kudos to Jef.