James Browning said:
>> I think we should split ntpd into several independent programs.
>> More in another message.
> I gave up on that notion; I lacked the patience to do it.

I think we can take small steps. Or at least some of them.

> Yeah, the IETF NTP WG shot down the notion of NTP alternative port.

It wasn't the NTP WG -- they had a draft RFC ready to go. The group that vetoed it was the group in charge of rationing port assignments.

[testing config file]

> I think somewhere in the middle might be a program that takes config files
> and dumps them into some format that is easy to eyeball and machine parse.

Internally, there is a parse tree. But it doesn't contain the comments.

I'm not interested in that, but if you want to work on it, it might be a useful utility.

[testing FIPS]

> None of the CI runners support FIPS140-2 at the moment. I don't know how to
> make them either.

There is a HOWTO-OpenSSL that tells you how to build OpenSSL from source. Adding enable-fips to the configure step builds/tests/installs the FIPS library too.

The recent FIPS discussion has a recipe for getting libssl to use it. I haven't tried that step yet.

>> I'd like a script that checks the certificates. When do they expire?
> That sounds like a simple wrapper around 'openssl x509' would work.

I think it will be something simple like that after we do it. I've poked around a few times but never ended up with anything clean. The openssl command has a blizzard of options.

This just got more important for me. I fatfingered renewing a certificate and a KE server stopped working. [I did the certbot step but forgot to copy the new cert/key over to /etc/ntp/.]

--
These are my opinions. I hate spam.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
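The certificate-expiry check discussed in the thread above, as an added example that is not part of the original message or the NTPsec project: a POSIX shell wrapper around `openssl x509 -checkend` that reports each certificate's notAfter date and flags any that expire within a chosen number of days. The default warning window, the directory argument and the sample certificate the script generates for its own demo run are all assumptions.

```shell
#!/bin/sh
# Added example (not NTPsec code): flag PEM certificates that expire soon.
# Exit status of check_cert: 0 = valid beyond the window, 1 = expires within
# the window (or already expired), 2 = file missing or not a parseable cert.

check_cert() {
    cert="$1"
    warn_days="${2:-14}"     # assumed default: warn two weeks ahead
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "UNREADABLE $cert"
        return 2
    }
    # -enddate prints "notAfter=<date>"; strip the prefix for display.
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "OK         $cert  (notAfter=$not_after)"
        return 0
    fi
    echo "EXPIRING   $cert  (notAfter=$not_after, within $warn_days days)"
    return 1
}

# Check every *.pem in a directory (e.g. the assumed /etc/ntp/); returns the
# number of certificates that are expiring or unreadable.
check_cert_dir() {
    dir="$1"; warn_days="${2:-14}"; bad=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        check_cert "$f" "$warn_days" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample for a stand-alone run: a throwaway self-signed cert
# for an assumed host name, valid for the given number of days.
make_sample_cert() {
    out="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=ntp.example.test" \
        -days "$days" -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/cert.pem" 10
    check_cert "$tmp/cert.pem" 5      # OK: 10 days left, 5-day window
    check_cert "$tmp/cert.pem" 30     # EXPIRING: 10 days left, 30-day window
    rm -rf "$tmp"
fi
```

Run with `--demo` to see both outcomes on the constructed certificate, or call `check_cert_dir /etc/ntp 14` from cron and alert on a non-zero exit.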