Re: systemd, ntp, kernel and hwclock

[Adam Borowski <kilobyte@angband.pl>]

On Tue, Feb 28, 2017 at 10:15:23AM +0100, Daniel Pocock wrote:
> > But ntpd is also known to have a large amount of code written
> > without as much regard for security as one would hope.  It seems
> > like an unnecessary risk for most systems.
> 
> 
> Thanks for that security tip, I'm tempted to get rid of some ntpd
> instances now

You'd be interested in NTPsec (https://www.ntpsec.org/) then, which is a
project to review and sanitize ntpd without downsides prevalent in most
replacements (such as same-week accuracy or no managing clock drift).

Sadly, it's not a part of stretch or even unstable yet:
https://bugs.debian.org/819806

> - for a site with several machines, should they all be querying
> pool.ntp.org servers directly or can any other local ntp daemon be
> relied on?

Using a local daemon means:
* less burden on public servers or the network
* if there's a problem, your machines will be consistent at least between
  them, which is usually a bigger concern than being globally accurate

-- 
⢀⣴⠾⠻⢶⣦⠀ Meow!
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ Collisions shmolisions, let's see them find a collision or second
⠈⠳⣄⠀⠀⠀⠀ preimage for double rot13!