mrb's blog

3... 2... 1... Ignition^WBlogging!

Keywords: blog performance pivotx security

Hi, I just launched my blog! Check my profile for an idea of what type of content I will publish. Speaking of blogging, I was looking for a good blog CMS and discovered PivotX, which I decided to use for this blog as it appears to satisfy most of my requirements. Most, because it has the features I want (I love the mobile-optimized UI!), it seems powerful, flexible, and its developers have been through a round of trial and error via the 1.x code base so 2.x probably benefits from their experience. When researching an application to fill a need I usually do not go with the leaders —in this case WordPress, Joomla, etc— but instead try to find a small and growing competitor. I like to stay ahead of the curve and am an early adopter. Overall I like PivotX, however I already found some downsides related to security, slowness despite using a PHP opcode cacher, and no provision for a type of HA design for blog CMS which I describe below.

Here are the PivotX flaws that bother me:

  • Its security track record is not as bad as some competitors *cough*WordPress*cough*, but IMHO it is unacceptable nowadays to release a web app vulnerable to XSS, like these in Pivot 1.x. These instances were fixed in 2.x but they do not inspire confidence in me. I do not want to have to audit their code.
  • It is slower than I would like due to dynamic PHP pages. The server hosting it is a VM running on one core of a dual-core Athlon 4850e 2.5GHz, yet 10 requests/sec were sufficient to max out CPU usage of the VM (as expected, vmstat showed zero disk I/O because the flat-file DB fits easily in the buffer cache in RAM). Configuring the PHP opcode cacher XCache now allows it to serve 30 requests/sec, but this is still 2 orders of magnitude below the 1000+ requests/sec that I can achieve in the same VM with other blog CMSes that pre-generate static pages. Pivot 1.x used to support generated static pages. I would need this feature if I ever get slashdot'd at 100 requests/sec.
  • It is not designed for HA (high availability). I will soon have 2 servers colocated in 2 datacenters on 2 different continents, with 2 A records pointing at these 2 servers. Browsers try to connect to the 2nd if the 1st fails, and with DNS pinning they tend to stick with the one that works for the remainder of the browsing session. This is a cheap way of providing HA for a website. In theory one could develop a simple blog CMS with a flat-file DB that allows users to concurrently post on the 2 servers, which would sync continuously with Unison or similar. AFAIK such a CMS has never been developed in the open source world. I may write a PoC for Blosxom as it seems ideally designed to demonstrate my idea: blog entries are stored in individual plain text files.
  • Finally, PivotX is large. 93k+ lines of PHP code. It may indicate unnecessary internal complexity or bloat. I believe a CMS meeting my requirements could be written in 1/10th the amount of code.
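To make the concurrent-posting idea concrete, here is a small added example of my own (not the author's code, and not Blosxom or Unison code) that models two servers each storing entries as individual files, tags each file name with the originating server so simultaneous posts can never collide, and runs a two-way sync that unions both trees and flags files edited on both sides. The server names, file naming scheme and conflict policy are my assumptions.

```python
"""Sketch of a multi-master flat-file blog: one file per entry, synced both ways.

Assumptions (mine, not from the post): file names are
<per-server sequence>-<server id>-<slug>.txt, so two servers posting at the
same moment produce distinct names; a file present on one side only is copied
over, and a file changed differently on both sides is reported as a conflict
for manual resolution instead of being silently overwritten.
"""
from dataclasses import dataclass, field


def slug(title: str) -> str:
    """Turn a title into a safe file-name fragment (alphanumerics and dashes)."""
    return "".join(c if c.isalnum() else "-" for c in title.lower()).strip("-")


@dataclass
class Server:
    name: str
    entries: dict = field(default_factory=dict)  # file name -> entry body
    seq: int = 0  # per-server counter, part of the file name

    def post(self, title: str, body: str) -> str:
        """Store a new entry as its own file and return the file name."""
        self.seq += 1
        fname = f"{self.seq:06d}-{self.name}-{slug(title)}.txt"
        self.entries[fname] = body
        return fname


def sync(a: Server, b: Server) -> list:
    """Two-way merge of the entry directories of a and b.

    Files missing on one side are copied across; files that differ on both
    sides are left untouched and returned as conflicts.
    """
    conflicts = []
    for name in sorted(set(a.entries) | set(b.entries)):
        in_a, in_b = name in a.entries, name in b.entries
        if in_a and not in_b:
            b.entries[name] = a.entries[name]
        elif in_b and not in_a:
            a.entries[name] = b.entries[name]
        elif a.entries[name] != b.entries[name]:
            conflicts.append(name)  # same file edited on both servers
    return conflicts


if __name__ == "__main__":
    eu, us = Server("eu"), Server("us")
    eu.post("Hello", "posted in Europe")  # constructed sample entries
    us.post("Hello", "posted in the US")
    print(sync(eu, us), sorted(eu.entries))  # no conflicts, two distinct files
```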

Anyway I will give PivotX a shot. As you can see I like to dive into low-level technical details, and sometimes lose focus of my primary goal —publishing a blog about security, hacking, tech, etc— so I promise the next post will not be about the intricacies of blogging :-)