It seems that I recreate my blog every few years, painstakingly migrating old posts to the new blog engine, ensuring that they continue to look decent, and generally improving things. It's no different this time: I've retired my Drupal-based blog, mainly because I'm tired of having to constantly make sure that it's updated to the latest version, so that newly discovered vulnerabilities in its codebase are fixed. Sure, its security is not nearly as bad as that of WordPress, but it's still annoying enough that I wanted something better.
Most blog engines out there must be kept updated because they run complex dynamic code and are thus potentially vulnerable to various attacks - anything from simple SQL injection to XSS and CSRF. (As an aside, if you make websites, you need to check out OWASP.) So, how can I have a blog without having to keep its engine up to date to avoid security problems? By removing the dynamic on-the-fly processing! Enter the static site generator.
For those unfamiliar with this concept, it's pretty simple: you have a bunch of source files and an application that performs a one-time (offline) task of transforming those source files into a functioning website, complete with CSS, images, scripts, and whatever else a site needs - except for dynamically generated content such as PHP or ASP.NET or Rails code. You're left with just static HTML and resources, which dramatically reduces your website's attack surface. In addition to the improved security, you get more benefits like faster page loads and simpler, more effective caching. This is again due to the lack of dynamic content processing.
Of course, static sites do have their limitations. User-generated content of any kind cannot be hosted on them (although things like comments can be outsourced quite effectively to services such as Disqus). Trivial functions like site search become impossible without relying on a third party to index your content.
I am willing to work around issues caused by the lack of dynamic processing, so a static blog works for me. Once I came to this realization, I needed to pick the right static site generator. There are quite a few choices out there, with varying degrees of maintenance, power, and flexibility, and many runtimes. I think it's safe to say that Jekyll is currently the most popular one, especially given that it powers GitHub Pages.
Unfortunately, I found Jekyll to be too restrictive in what it allows me to do, and most of the other generators ended up being just as restrictive, difficult to set up, or simply abandoned. All that made me come to the conclusion that I needed to write my own. So I did.
Genmaicha is a static website generator written in C# for .NET and Mono, using Markdown for content markup and Razor for templating. It currently has no official releases, because it's in active development and its APIs have not yet stabilized. But it's far enough along that it currently powers this blog. If you're wondering about the name, genmaicha is a delicious Japanese green tea with roasted rice.
I used an existing HTML to Markdown converter (and tweaked it a bit) to convert my old posts from my Drupal blog to Markdown files, and then I created a completely new design from scratch. I think it looks a lot better than the old blog. I would appreciate any feedback on Genmaicha or on the design of the new blog!
By the way, Genmaicha is licensed under the permissive, OSI-approved ISC License. I'm not a fan of strong copyleft licenses such as the GPL: my definition of software freedom, unlike that of the FSF, includes the freedom to make proprietary customizations to software.