:) Well, I wouldn't necessarily make that statement either, although
now that I re-read his post, I realize I may have been putting words
into Don's mouth. Oops.
Certainly, some part of the fact that no OpenACS sites are known to
have been hacked due to an AOLserver security failure must be due
simply to AOLserver's relative obscurity and thus unpopularity as a
target. Heck, remember when that Apache OpenSSL worm was making the
rounds? It was written to check for and attack only Apache, but AFAIK
there was no inherent reason that it couldn't work on AOLserver too -
it just never tried. That sort of accidental safety in anonymity
isn't what I'd really call "safety" at all, but it doesn't hurt.
Better security auditing, etc., is always nice, but at least so far I
haven't seen anything to indicate that AOLserver is in any dire need
of it. I'm not really the person to comment on Apache vs. AOLserver
security at all, neither empirically (reports of failures) nor based
on design and code review (especially since I've never read any Apache
code at all), but there are others here who probably are, and I
haven't heard any serious complaints along those lines from them...