
Re: [pkg-ntp-maintainers] squeeze update of ntp?

On 2016-05-18 17:20:42, Kurt Roeckx wrote:
> On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
>> On 2016-05-18 13:56:37, Kurt Roeckx wrote:
>> > There are 22 open, some of which are marked as non-important.  Of
>> > the new ones some should probably also be marked as such.
>> 
>> I did so with CVE-2015-8158 as it affects only ntpq under very specific
>> conditions and the impact is minor (it hangs).
>
> There are also some things that you need to be authenticated for,
> which is at least a non-default config.  I consider all of those to
> be non-important.

Right, okay that makes sense.

>> > I've spent several hours during the weekend going over commits in
>> > bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
>> > fixed in svn.  I also have 7 files with the patches in as they
>> > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
>> > version yet, so I have no idea what the state of those patches
>> > is.  Then there also seem to be at least 2 other bug fixes that
>> > appear to be security issues but that didn't get a CVE.
>> 
>> I tried to go through a few CVEs myself, and I must say I admire your
>> courage. It seems like a really confusing tangled mess up there in NTP
>> land, really scary stuff and really hard to triage.
>
> Which is one of the reasons I want to switch to ntpsec instead.
> I've complained about this mess many times, but it seems to be too
> complicated to make things simple.

Interesting, I didn't know about this project.

It's too bad that PHK's work on ntimed basically stopped at the client,
because that was also a promising project.

Anyways, on the client side of things, there's openntpd and other
implementations. In my opinion, the only relevance of ntpd now is for
stratum servers and time sources, not clients.

> I suggest that you at least let me finish the patches I started
> on.

Glad to. :)

[...]

>> I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
>> and get it over with. I certainly don't feel like I have the courage to
>> go through all of those.
>
> The changes between 4.2.6 and 4.2.8 are years of work, caused lots
> of breakage (which we warned about years before the release), and I don't
> really trust 4.2.8 yet.

Understood.

A.
-- 
Modern man has a kind of poverty of the spirit which stands
in great contrast to his remarkable scientific and technological
achievements. We've learned to walk in outer space and yet we
haven't learned to walk to earth as brothers and sisters.
                        - Dr. Martin Luther King, Jr.
