[opensuse] Time is running out for NTP
Everyone benefits from Network Time Protocol, but the project struggles to pay its sole maintainer or fund its various initiatives.
http://www.infoworld.com/article/3144546/security/time-is-running-out-for-nt...
--
Per Jessen, Zürich (-0.1°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Roger Oberholtzer
RST Systems
Office: +46 (0)10-615 6020
Mobile: +46 (0)70-815 1696
roger.oberholtzer@ramboll.se
________________________________________
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se
________________________________________
From: Per Jessen [per@computer.org]
Sent: Wednesday, December 07, 2016 11:14 AM
To: opensuse@opensuse.org
Subject: [opensuse] Time is running out for NTP
Everyone benefits from Network Time Protocol, but the project struggles to pay its sole maintainer or fund its various initiatives.
http://www.infoworld.com/article/3144546/security/time-is-running-out-for-nt...
Roger Oberholtzer wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Yes, I've been following that project too, giving ntp a good work-over is not a bad idea.
https://www.ntpsec.org/
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
--
Per Jessen, Zürich (0.3°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Wed, Dec 7, 2016 at 6:06 AM, Per Jessen <per@computer.org> wrote:
Roger Oberholtzer wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Yes, I've been following that project too, giving ntp a good work-over is not a bad idea.
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
Too bad, but this is one of the few times I think one of the suse staff needs to get in the loop and get fixes pushed upstream.
Factory is a better place for initiating a discussion.
Greg
Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 6:06 AM, Per Jessen <per@computer.org> wrote:
Roger Oberholtzer wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Yes, I've been following that project too, giving ntp a good work-over is not a bad idea.
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
Too bad, but this is one of the few times I think one of the suse staff needs to get in the loop and get fixes pushed upstream.
I get the impression it is still pretty new stuff, but anyone can create a project and start building. Upstream seems to be ESR only at the moment.
If you ask me, it ought to be introduced as an alternative, not an immediate replacement.
--
Per Jessen, Zürich (0.6°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Per Jessen wrote:
I get the impression it is still pretty new stuff, but anyone can create a project and start building. Upstream seems to be ESR only at the moment.
Correction - https://www.ntpsec.org/core-team.html
--
Per Jessen, Zürich (-0.9°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Wed 07 Dec 2016 12:06:44 PM CST, Per Jessen wrote: <snip>
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
Hi
Hmm, no troubles building it here... openSUSE Leap 42.2, there are a couple of funnies, man page install location and it doesn't like the revision number (-1) in VERSION.
--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 7 days 17:33, 4 users, load average: 2.18, 2.11, 1.85
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
Malcolm wrote:
On Wed 07 Dec 2016 12:06:44 PM CST, Per Jessen wrote: <snip>
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
Hi Hmm, no troubles building it here... openSUSE Leap 42.2, there are a couple of funnies, man page install location and it doesn't like the revision number (-1) in VERSION.
Weird - I just went with the default:
./waf configure
./waf build
The latter fails:
[ 98/157] Processing VERSION
error: No repo or cache detected.
Waf: Leaving directory `/home/per/workspace/ntpsec-master/build/main'
Build failed
 -> task in '/home/per/workspace/ntpsec-master/pylib/version.py,../wafhelpers/.autorevision-cache,../wafhelpers/autorevision.sh' failed with exit status 1 (run with -v to display more information)
--
Per Jessen, Zürich (0.8°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Wed 07 Dec 2016 07:57:15 PM CST, Per Jessen wrote:
Malcolm wrote:
On Wed 07 Dec 2016 12:06:44 PM CST, Per Jessen wrote: <snip>
It's not quite ready for prime time yet - version 0.9.5 doesn't build on leap422 for instance. Nor does the master from github.
Hi Hmm, no troubles building it here... openSUSE Leap 42.2, there are a couple of funnies, man page install location and it doesn't like the revision number (-1) in VERSION.
Weird - I just went with the default:
./waf configure ./waf build
The latter fails:
[ 98/157] Processing VERSION error: No repo or cache detected.
Waf: Leaving directory `/home/per/workspace/ntpsec-master/build/main' Build failed -> task in '/home/per/workspace/ntpsec-master/pylib/version.py,../wafhelpers/.autorevision-cache,../wafhelpers/autorevision.sh' failed with exit status 1 (run with -v to display more information)
Hi
Try python3
python3 waf configure --prefix=/usr
python3 waf build --verbose
--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 7 days 20:05, 5 users, load average: 1.99, 1.97, 1.73
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
Have installed python3 and python3-devel - with ntpsec-0.9.5, same result:
[ 99/164] Processing VERSION
error: No repo or cache detected.
Waf: Leaving directory `/home/per/workspace/ntpsec-0.9.5/build/main'
Build failed
 -> task in '/home/per/workspace/ntpsec-0.9.5/pylib/version.py,../wafhelpers/.autorevision-cache,../wafhelpers/autorevision.sh' failed with exit status 1 (run with -v to display more information)
With ntpsec-master:
[ 98/163] Processing VERSION
error: No repo or cache detected.
Waf: Leaving directory `/home/per/workspace/ntpsec-master/build/main'
Build failed
 -> task in '/home/per/workspace/ntpsec-master/pylib/version.py,../wafhelpers/.autorevision-cache,../wafhelpers/autorevision.sh' failed with exit status 1 (run with -v to display more information)
--
Per Jessen, Zürich (0.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
Have installed python3 and python3-devel - with ntpsec-0.9.5, same result:
[ 99/164] Processing VERSION error: No repo or cache detected.
I threw together a very quick packaging attempt. It fails similar to what Per is seeing:
===
[ 129s] [110/205] Processing VERSION
[ 129s] 20:53:57 runner ' VCS_EXTRA=`cat ../VERSION` ../wafhelpers/autorevision.sh -e VERSION -o /home/abuild/rpmbuild/BUILD/ntpsec-NTPsec_0_9_5-190ee039df6230c12d459bac73a1d75e99455ebd/build/main/wafhelpers/.autorevision-cache -e VERSION -t python >version.py '
[ 129s] [111/205] Compiling attic/sht.c
[ 129s] 20:53:57 runner ['/usr/bin/gcc', '-Wall', '-Wextra', '-std=gnu99', '-Wstrict-prototypes', '-Isht', '-I..', '-I../../include', '-I../../libisc/include', '-DPYTHONDIR="/usr/lib/python3.5/site-packages"', '-DPYTHONARCHDIR="/usr/lib64/python3.5/site-packages"', '-DHAVE_PYEMBED=1', '-DHAVE_PYEXT=1', '-DHAVE_PYTHON_H=1', '../../attic/sht.c', '-c', '-o/home/abuild/rpmbuild/BUILD/ntpsec-NTPsec_0_9_5-190ee039df6230c12d459bac73a1d75e99455ebd/build/main/attic/sht.c.1.o']
[ 129s] [112/205] Compiling tests/unity/unity.c
[ 129s] error: No repo or cache detected.
===
You can find my failed effort in:
https://build.opensuse.org/package/show/home:gregfreemyer:Tools-for-forensic...
Likely, there is a dependency missing, but I think I added all that were shown in the INSTALL file. I have:
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: bison
BuildRequires: libcap2 libcap-devel
BuildRequires: gnuplot
BuildRequires: python3-psutil
BuildRequires: libevent libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: openssl-devel
BuildRequires: asciidoc
BuildRequires: liberation-fonts
Greg
On Wed 07 Dec 2016 03:57:56 PM CST, Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
<snip>
Hi
Try just the 0.9.5-1 release, that works for me on local builds.
AFAIK, some are only needed later as requires, eg libevent, libcap2, liberation-fonts. Need to let rpm figure things out ;)
I have it building, but trying to work out why it won't respect the ctx.env.MANDIR settings and use, something funky in the scripts...
--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 7 days 23:14, 5 users, load average: 1.38, 1.52, 1.56
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
On Wed 07 Dec 2016 04:23:37 PM CST, Malcolm wrote:
On Wed 07 Dec 2016 03:57:56 PM CST, Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
<snip>
Hi Try just the 0.9.5-1 release, that works for me on local builds.
AFAIK, some are only needed later as requires, eg libevent, libcap2, liberation-fonts. Need to let rpm figure things out ;)
I have it building, but trying to work out why it won't respect the ctx.env.MANDIR settings and use, something funky in the scripts...
Still needs rpmlint warning fixed, so fails to finish, but does build...
https://build.opensuse.org/package/show/home:malcolmlewis:TESTING/ntpsec
--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 7 days 23:35, 4 users, load average: 1.72, 1.61, 1.57
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
Malcolm wrote:
On Wed 07 Dec 2016 03:57:56 PM CST, Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
<snip>
Hi Try just the 0.9.5-1 release, that works for me on local builds.
Still weird -
python3 ./waf configure --prefix=/usr
Setting top to : /home/per/workspace/ntpsec-0.9.5-1
Setting out to : /home/per/workspace/ntpsec-0.9.5-1/build
Traceback (most recent call last):
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Scripting.py", line 120, in waf_entry_point
    run_commands()
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Scripting.py", line 181, in run_commands
    ctx=run_command(cmd_name)
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Scripting.py", line 172, in run_command
    ctx.execute()
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Configure.py", line 85, in execute
    super(ConfigurationContext,self).execute()
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Context.py", line 88, in execute
    self.recurse([os.path.dirname(g_module.root_path)])
  File "/home/per/workspace/ntpsec-0.9.5-1/.waf3-1.9.5-e9e36ebc81cc860d8a25c4c34f0b27ec/waflib/Context.py", line 129, in recurse
    user_function(self)
  File "/home/per/workspace/ntpsec-0.9.5-1/wscript", line 55, in configure
    cmd_configure(ctx, config)
  File "/home/per/workspace/ntpsec-0.9.5-1/wafhelpers/configure.py", line 15, in cmd_configure
    parse_version(config)
  File "/home/per/workspace/ntpsec-0.9.5-1/wafhelpers/util.py", line 52, in parse_version
    "NTPSEC_VERSION_REV" : int(rev)
ValueError: invalid literal for int() with base 10: '5-1'
--
Per Jessen, Zürich (-0.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Thu 08 Dec 2016 12:12:22 AM CST, Per Jessen wrote:
Malcolm wrote:
On Wed 07 Dec 2016 03:57:56 PM CST, Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
<snip>
Hi Try just the 0.9.5-1 release, that works for me on local builds.
OK, so in the VERSION file remove the -1 so it's only 0.9.5
--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.34-33-default
up 8 days 0:48, 5 users, load average: 1.79, 1.76, 1.66
CPU AMD Athlon(tm) II X4 635 @ 2.90GHz | GPU Nvidia GeForce 8800 GT
Malcolm wrote:
On Thu 08 Dec 2016 12:12:22 AM CST, Per Jessen wrote:
Malcolm wrote:
On Wed 07 Dec 2016 03:57:56 PM CST, Greg Freemyer wrote:
On Wed, Dec 7, 2016 at 2:19 PM, Per Jessen <per@computer.org> wrote:
Malcolm wrote:
Hi Try python3
python3 waf configure --prefix=/usr python3 waf build --verbose
<snip>
Hi Try just the 0.9.5-1 release, that works for me on local builds.
OK, so in the VERSION file remove the -1 so it's only 0.9.5
Ah, much better - it's building now, also with python2.7.
--
Per Jessen, Zürich (-0.8°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Wed, Dec 7, 2016 at 5:26 AM, Roger Oberholtzer <Roger.Oberholtzer@ramboll.se> wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Reading both articles I wonder if openSUSE Tumbleweed should jump to the new project now? Worth discussing on the factory list? Greg
It may be interesting to offer it as an alternative to the traditional ntp so people can test it.
Roger Oberholtzer
RST Systems
Office: +46 (0)10-615 6020
Mobile: +46 (0)70-815 1696
roger.oberholtzer@ramboll.se
________________________________________
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se
________________________________________
From: Greg Freemyer [greg.freemyer@gmail.com]
Sent: Wednesday, December 07, 2016 1:00 PM
To: Roger Oberholtzer
Cc: Per Jessen; opensuse@opensuse.org
Subject: Re: [opensuse] Time is running out for NTP
On Wed, Dec 7, 2016 at 5:26 AM, Roger Oberholtzer <Roger.Oberholtzer@ramboll.se> wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Reading both articles I wonder if openSUSE Tumbleweed should jump to the new project now? Worth discussing on the factory list? Greg
Roger Oberholtzer wrote:
It may be interesting to offer it as an alternative to the traditional ntp so people can test it.
I think that's the right approach.
I got it building now, but for my setup, even with '--enable-classic-mode', so far I'm missing 'broadcastclient' and 'multicastclient' - it's not a drop-in replacement.
--
Per Jessen, Zürich (0.5°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Thu, Dec 8, 2016 at 12:30 PM, Per Jessen <per@computer.org> wrote:
I got it building now, but for my setup, even with '--enable-classic-mode', so far I'm missing 'broadcastclient' and 'multicastclient' - it's not a drop-in replacement.
--><--
The broadcast/multicast scheme is deprecated in NTPsec due to irreparable security flaws. Client-side support has been removed. Server-side support remains present but may be removed in a future version, and its use is strongly discouraged.
--><--
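Before moving a network to a daemon without the broadcast/multicast client, it helps to know which hosts still send broadcast-mode NTP. The sketch below is an added example, not code from this thread or from NTPsec: it decodes the mode field of captured UDP/123 payloads and lists the senders using mode 5. The packets, addresses and the names `make_packet`, `classify` and `audit` are constructed for illustration, and MAC detection is a length heuristic that says nothing about whether the MAC verifies.

```python
"""Audit captured UDP/123 payloads for broadcast-mode NTP (added example)."""
import ipaddress
from dataclasses import dataclass

NTP_HEADER_LEN = 48      # fixed NTP header size in bytes
MODE_BROADCAST = 5       # mode used by broadcast and multicast servers
MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}


@dataclass(frozen=True)
class NtpInfo:
    version: int
    mode: int
    stratum: int
    has_mac: bool

    @property
    def mode_name(self):
        return MODE_NAMES[self.mode]


def classify(payload):
    """Decode the header fields the audit needs; None if the payload is too short."""
    if len(payload) < NTP_HEADER_LEN:
        return None
    first = payload[0]                 # LI (2 bits) | VN (3 bits) | Mode (3 bits)
    version = (first >> 3) & 0x7
    mode = first & 0x7
    trailer = len(payload) - NTP_HEADER_LEN
    # Heuristic: key id (4 bytes) + 16- or 20-byte digest directly after the
    # header, no extension fields. Presence only, the digest is not checked.
    has_mac = trailer in (20, 24)
    return NtpInfo(version, mode, payload[1], has_mac)


def audit(datagrams):
    """Return ({sender: summary}, malformed_count) for mode 5 senders.

    datagrams is an iterable of (src_ip, dst_ip, udp_payload) tuples.
    """
    findings = {}
    malformed = 0
    for src, dst, payload in datagrams:
        info = classify(payload)
        if info is None:
            malformed += 1
            continue
        if info.mode != MODE_BROADCAST:
            continue
        entry = findings.setdefault(src, {
            "destinations": set(), "packets": 0,
            "unauthenticated": 0, "multicast": False,
        })
        entry["destinations"].add(dst)
        entry["packets"] += 1
        if not info.has_mac:
            entry["unauthenticated"] += 1
        if ipaddress.ip_address(dst).is_multicast:
            entry["multicast"] = True
    return findings, malformed


def make_packet(version, mode, stratum, mac=b""):
    """Build a constructed NTP payload: 48-byte header plus optional MAC bytes."""
    first = (0 << 6) | (version << 3) | mode
    return bytes([first, stratum, 6, 0xEC]) + bytes(44) + mac


# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "192.0.2.255", make_packet(4, 5, 2)),                  # broadcast, no MAC
    ("2001:db8::10", "ff05::101", make_packet(4, 5, 2, mac=bytes(20))),   # multicast with MAC
    ("192.0.2.20", "192.0.2.10", make_packet(4, 3, 0)),                   # unicast client
    ("192.0.2.10", "192.0.2.20", make_packet(4, 4, 2)),                   # unicast server
    ("192.0.2.30", "192.0.2.10", b"\x00" * 10),                           # truncated
]

if __name__ == "__main__":
    found, bad = audit(SAMPLE_DATAGRAMS)
    for sender, summary in sorted(found.items()):
        print(sender, sorted(summary["destinations"]),
              "packets=%d" % summary["packets"],
              "unauthenticated=%d" % summary["unauthenticated"],
              "multicast=%s" % summary["multicast"])
    print("malformed payloads skipped:", bad)
```

Hosts that only ever appear as receivers of these packets are the ones that would lose time sync after the switch and need a unicast or manycast configuration first.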
Andrei Borzenkov wrote:
On Thu, Dec 8, 2016 at 12:30 PM, Per Jessen <per@computer.org> wrote:
I got it building now, but for my setup, even with '--enable-classic-mode', so far I'm missing 'broadcastclient' and 'multicastclient' - it's not a drop-in replacement.
--><-- The broadcast/multicast scheme is deprecated in NTPsec due to irreparable security flaws. Client-side support has been removed. Server-side support remains present but may be removed in a future version, and its use is strongly discouraged. --><--
Yep, I posted on the ntpsec user list too, and ESR told me the same.
I probably can't quite grasp all the security implications, but using those options in a closed network doesn't seem to be overly risky?
--
Per Jessen, Zürich (0.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Thu, 8 Dec 2016 10:47, Per Jessen wrote:
Andrei Borzenkov wrote:
On Thu, Dec 8, 2016 at 12:30 PM, Per Jessen wrote:
I got it building now, but for my setup, even with '--enable-classic-mode', so far I'm missing 'broadcastclient' and 'multicastclient' - it's not a drop-in replacement.
--><-- The broadcast/multicast scheme is deprecated in NTPsec due to irreparable security flaws. Client-side support has been removed. Server-side support remains present but may be removed in a future version, and its use is strongly discouraged. --><--
Yep, I posted on the ntpsec user list too, and ESR told me the same.
I probably can't quite grasp all the security implications, but using those options in a closed network doesn't seem to be overly risky?
I followed such a discussion some years ago, in the end the consent was:
... broadcast/multicast is "theoretically" acceptable for a closed, "management only" network.
BUT, (and notice the capitals) how could we (as programmers) ensure that these conditions (closed, "management only") are kept in the reality out there?
- The answer is: we can not, and thus for the safety of all, let's not include such potential security risk, other long lived projects (such as ntp, xorg, dns, ssl) have shown that such code will be the first to deteriorate and open the doors for attacks.
IMHO, network traffic has become too cheap to ensure that the network-management people are trained enough to ensure a reliably safe setup in 'el-cheapo' (dsl-/docsis-/lte-)routers and gateways to allow such a potential risk to get in the base code at all.
Maybe in a dedicated software (call it "ntp-multicast-server/client") with the appropriate warning, and a "never ever route at all, not even go over vpn" code.
- Yamaban.
Yamaban wrote:
On Thu, 8 Dec 2016 10:47, Per Jessen wrote:
Andrei Borzenkov wrote:
On Thu, Dec 8, 2016 at 12:30 PM, Per Jessen wrote:
I got it building now, but for my setup, even with '--enable-classic-mode', so far I'm missing 'broadcastclient' and 'multicastclient' - it's not a drop-in replacement.
--><-- The broadcast/multicast scheme is deprecated in NTPsec due to irreparable security flaws. Client-side support has been removed. Server-side support remains present but may be removed in a future version, and its use is strongly discouraged. --><--
Yep, I posted on the ntpsec user list too, and ESR told me the same.
I probably can't quite grasp all the security implications, but using those options in a closed network doesn't seem to be overly risky?
I followed such a discussion some years ago, in the end the consent was: ... broadcast/multicast is "theoretically" acceptable for a closed, "management only" network. BUT, (and notice the capitals) how could we (as programmers) ensure that these conditions (closed, "management only") are kept in the reality out there? - The answer is: we can not, and thus for the safety of all, let's not include such potential security risk,
I can sort of accept that argument, even if one might argue that having root access is also a potential security risk especially when the admin isn't suitably qualified :-(
IMHO, network traffic has become too cheap to ensure that the network-management people are trained enough to ensure a reliably safe setup in 'el-cheapo' (dsl-/docsis-/lte-)routers and gateways to allow such a potential risk to get in the base code at all.
In consumer equipment it is the manufacturer who is in charge, not the developer. For ntpsec, I think it might have been nice with a build-time option to enable e.g. broadcast/multicast, but I'm just thinking out loud. Using the multicast ff05::101 is a nice option instead of hardcoding IPv6 addresses.
--
Per Jessen, Zürich (2.3°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Thu, Dec 8, 2016 at 2:43 PM, Per Jessen <per@computer.org> wrote:
In consumer equipment it is the manufacturer who is in charge, not the developer. For ntpsec, I think it might have been nice with a build-time option to enable e.g. broadcast/multicast, but I'm just thinking out loud. Using the multicast ff05::101 is a nice option instead of hardcoding IPv6 addresses.
If your only concern is autodiscovery, ntpsec still supports manycast client/server.
Andrei Borzenkov wrote:
On Thu, Dec 8, 2016 at 2:43 PM, Per Jessen <per@computer.org> wrote:
In consumer equipment it is the manufacturer who is in charge, not the developer. For ntpsec, I think it might have been nice with a build-time option to enable e.g. broadcast/multicast, but I'm just thinking out loud. Using the multicast ff05::101 is a nice option instead of hardcoding IPv6 addresses.
If your only concern is autodiscovery, ntpsec still supports manycast client/server.
Autodiscovery is my main concern - thanks, I have not looked at a manycast setup.
--
Per Jessen, Zürich (2.6°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 12/08/2016 06:43 AM, Per Jessen wrote:
I can sort of accept that argument, even if one might argue that having root access is also a potential security risk especially when the admin isn't suitably qualified :-(
LOL!
In the days of DARPANET we might expect that any and all systems one might meet on the 'Net to be both experienced and responsible. Even the Mr Morris there was the "Snr".
But today any ... I almost said 'yahoo', but terminology evolves and who reads the last book of "Travels" these days? -- idiot can buy a PC at Walmart or Costco and load -- !shock! !Horror! -- ubuntu on it and claim they are a Linux guru and download things like this and run them as root, just as they run everything else as root.
Then some of them decide they want to, and I'm quoting here, "break into cyber security" and become "Ethical Hackers".
I wouldn't trust them to flush my toilet[1].
[1] Think about that. It means they would have to enter your house - aka penetrate your security perimeter - walk deep into the house to visit the bathroom, probably on the upper floor, walk past many open doors including the doors to your bedrooms. While in the bathroom they would be able to see what is in your medicine cabinet, perhaps replace simple things like aspirin with more nefarious substances - aka 'malware'. Who knows what else along the way.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On Wed, Dec 7, 2016 at 7:00 AM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Wed, Dec 7, 2016 at 5:26 AM, Roger Oberholtzer <Roger.Oberholtzer@ramboll.se> wrote:
Eric Raymond has been working on an NTP replacement. He seems a likely candidate as his gpsd is one major source of information to many NTP servers.
http://www.theregister.co.uk/2015/11/18/network_time_protocol_beta/
Reading both articles I wonder if openSUSE Tumbleweed should jump to the new project now?
Worth discussing on the factory list?
Greg
I just checked OBS and I don't even see the new NTPsec package in there at all yet.
Anyone have time to put together an initial package for testing?
Greg
participants (7)
- Andrei Borzenkov
- Anton Aylward
- Greg Freemyer
- Malcolm
- Per Jessen
- Roger Oberholtzer
- Yamaban