Context is the seccomp tangle. Issue #633
Should I just add a helper that looks in /etc/os-release?
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
> lsb_release -a might be useful here.
Thanks. Interesting, but the system I'm interested in doesn't have it in the
default package collection. I don't think I'll go down that rathole unless
waf already knows how to use it and that just pushes the problem over to
buildprep.
> NTSc: certificate invalid: 10=>certificate has expired
> is that a local expiration or a remote one?
That's your client side saying that it thinks the remote certificate has
expired. You could get the same error if your system clock was set into the
far future.
The local certificate (if a
[Was Subject: Re: Is there a clean way for waf to test for the distro?]
> Are you really, absolutely, positively sure that you can't check for the
> feature itself directly. If you start going down the distro-checking path,
> things get very messy, very fast. For example, is "Linux Mint" like Ub
Fedora fixed their problem. seccomp now builds and works on both Fedora and
Arch.
But now it won't build on Alpine. It looks like the same problem that Fedora
had. The problem is a bug in a header file. Copying the ppoll bits from a
Fedora header file fixes the problem.
The CI checker ha
> Wouldn't it be simpler to use a base image in the CI that isn't buggy?
Maybe. I don't know that area. If that is the only place we test seccomp,
then yes, we should switch to Fedora or Debian. If that is testing if we can
build on Alpine, then it has found a bug but the bug is in Alpine ra
hmur...@megapathdsl.net said:
> I'm working on a hack fix.
Fix pushed. CI is happy.
The bug is missing code in a header file. I just put that code inside
ntp_sandbox. Seems obvious in hindsight. The hard part was figuring out when
to do it.
Then I had to debug seccomp on Alpine. I'd be
e...@thyrsus.com said:
[dropping seccomp]
> We're a security-focused product. I don't think it would be good optics to
> drop a layer of defense just because it's a pain to maintain.
Have you considered the lost opportunity cost?
This current approach of tossing everything in gives is braggin
I'm looking at strace output. There are a few calls used only once or twice.
It seems obvious that we should drop root as early as possible. But it's not
obvious that we should enable seccomp early.
If we turn on seccomp early, then we have to allow all the syscalls used
during initialization
> Is there anything preventing the possibility of an early looser
> seccomp setup and then tightening it later possibly with a knob
> to generate terse or verbose warnings instead of dying.
> Do you have an implementation strategy in mind?
The API, or the subset we are using, is:
This list
e...@thyrsus.com said:
> 46 to 55. If just 9 syscalls are the difference, the very slightly reduced
> assurance starts to look like a reasonable trade to make the whole problem go
> away.
That was comparing 2 lists from the same distro+version, just different
hardware platforms, so I'd expect
> At least under Linux, you'd better trace kernel calls with ftrace, not
> strace. The newer kernels should have dtrace-like capabilities to tailor
> your probes.
What do I gain by using it? strace does exactly what I want -- it tells me
which syscalls are being used. I don't care about any
> Does ntpd need root for anything other than opening files/interfaces?
It doesn't even need it to open files if you set the permissions right.
Last I checked FreeBSD didn't have a way to allow non-root to set the system
clock.
Linux has a capability bit.
NetBSD has /dev/clockctl
Richard said:
> I do not. It seems really fragile to me. A change in an underlying library
> can break a working binary, possibly only in some scenarios. That's scary.
> It'd be safer (but still not completely safe) to enable if I had good (or
> any) "as installed" tests using Debian's autopkgt
Lots of handwaving here.
I'd like the server to run multi-threaded.
At a talk at Stanford yesterday, the speaker liked Rust. He called it Safe C,
good for embedded systems. A simple NTP server (no client, no ntpq server) is
simple enough for an embedded environment. (When I run out of other
devel@ntpsec.org said:
> I think you mean mode 6/7 server there. It might also be a place to configure
> and read/write files.
Mode 7 is gone.
I'm willing to throw away mode 6 as long as we replace it with something that
has roughly the same functionality as the current ntpq.
> If you are ro
Gary said:
>> There was discussion on the IETF NTP list of having the client
>> use a separate port. The idea is to make it harder to attack
>> a client only system. (There may be a draft RFC.)
> That is just handwaving security by obscurity. No matter what port you put
> something on, nmap c
Subject: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-01.txt
From: internet-dra...@ietf.org
Date: Mon, 09 Mar 2020 16:58:43 -0700
To:
Cc: n...@ietf.org
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Time Protocol WG
I just pushed a rate limiting cleanup. The old rate limiting was carefully
tuned to match what a single well behaved client would send. That doesn't
leave room for several clients behind a NAT box.
The code now allows 1 packet per second average with a burst of 20. (There is
no way to chang
There is a pile of ugly code that starts on line 1069 of ntpd/ntp_loopfilter.c
#ifdef SIGSYS
/*
* Use sigsetjmp() to save state and then call ntp_adjtime(); if
* it fails, then pll_trap() will set pll_control false before
* returning control using siglogjmp().
A new version of the draft RFC is available:
https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
They decided to drop support for TLS 1.2. Details way down.
They also tweaked the TLS export string used to make client-server keys. That
will break things if the client and serv
> I think that our implementing this is a good reason to make a point release.
Sounds good. I'll have code ready in a day or 3.
What else should we be working on or testing? (I need to update the doc on
rate limiting.)
I'd like to check the OpenSSL version number and give a sensible error message
rather than some mumbo jumble from the compiler.
Can somebody show me how to do that? Or suggest what to search for?
(Or just do it?)
The value I want is a hex constant.
# define OPENSSL_VERSION_NUMBER 0x1010104
matthew.sel...@twosigma.com said:
> I would model the check that we removed in
> https://gitlab.com/NTPsec/ntpsec/-/commit/6d17955b03ca65d67f2cc2ceba01bd60e07d5fd4
>
Thanks. That doesn't get the info where waf can work with it, but it does get
the job done.
I just pushed the change.
Would somebody please fix and/or teach me how to do it.
https://gitlab.com/NTPsec/ntpsec/pipelines/130148924
had 11 failed builds.
Name: openSUSE-leap-refclocks
...
Checking for OpenSSL > 1.1.1a : no
The configuration failed
Name: openSUSE-leap-basic
...
Name
> Edit .gitlab-ci.yml and remove the debian-oldstable-* jobs. For Ubuntu, you
> can either remove or comment out ubuntu-latest (in a few days, when 20.04 is
> released, "ubuntu:latest" should mean 20.04 instead of 18.04). Repeat for
> .gitlab-opttest-ci.yml.
Thanks.
Where is the doc for that s
> Can we bring back support of older OpenSSL releases for builds that don't
> need NTS support?
It shouldn't be hard to implement something like --disable-nts
Probably a day or so if you round up to include all the quirks that I always
find when testing.
Without NTS, all we need from OpenSSL ar
In case I forgot to mention it, the draft has been officially approved. It
still has to go through an editing step to replace some tbds with actual
numbers and remove various chunks like the list of known implementations. I
expect a few days or weeks.
Subject: [Ntp] Coordinated NTS
Anybody running on FreeBSD?
I've had an eye on that hole in our code for a long time and finally stumbled
into how to do it.
The trick is that you have to load a kernel module: mac_ntpd
That adds 2 new slots to sysctl:
security.mac.ntpd.uid: 123
security.mac.ntpd.enabled: 1
If you are not
Our sizeof code is broken on FreeBSD using Python 3.7.7
Works on python 3.6.9, 3.7.6, and 3.8.1
https://gitlab.com/NTPsec/ntpsec/-/issues/646
Does anybody know enough about waf or python to offer some hints?
Lots of tests have worked before we try sizeof. The sizeof test is slightly
differe
matthew.sel...@twosigma.com said:
> Can you reproduce with a wscript file that contains just this test?
> If so, we can report this upstream to the waf team.
I can't make it fail. My setup is slightly different. Everything I have
tried works.
I might be able to replicate the setup that doe
This may break things.
The default restriction now starts with noquery and limited.
The idea is to reduce opportunities for DDoS-ing.
If you use ntpq, that will break things unless you have restrict lines that
explicitly allow access.
If you don't have any restrict lines, you probably want to
If you try to use nts options, the error messages may not be wonderful.
Works on my test cases. CI now runs without errors.
> Apr 13 07:10:23 doos kernel: ntpd[204063]: segfault at 17f8 ip
> 7f9d70252a70 sp 7ffe3665adc0 error 4 in libssl.so.1.1.1d[7f9d7022e000+
> 5]
Can you get a stack trace?
What were your configure options?
> Apr 13 06:10:27 doos ntpd[204063]: EX-REP: Count=1 Print=1, Score=0.500, M
udo...@xs4all.nl said:
> I did not find a core dump. How else can I get a stack dump?
use gdb.
You need to add -n to the command line args or ntpd will detach itself.
cd build dir
gdb build/main/ntpd/ntpd
run -n
udo...@xs4all.nl said:
> Started things this way. One gdb line worries me a bit: (No debugging symbols
> found in build/main/ntpd/ntpd)
> Perhaps a different build is needed?
I'm not sure how that stuff works.
configure has an --enable-debug-gdb option. That may do it.
udo...@xs4all.nl said:
> I could disable NTSc for now to avoid crashes. Or if you have a patch I can
> test with that one?
Changing that may break (fix?) the crash. I'd like to understand that before
we change anything else.
Fixing Cloudflare will break all other NTS servers unless they make
> Or will I do the debug build?
Please do it again with symbols.
How long does it run before it crashes? Seconds? Hours? ...
Thanks.
It's dying while trying to reload the certificate file.
Is that happening after running for an hour?
That turns into 2 questions. Why is it trying to reload the certificates, and
why is it crashing?
What's in your ntp.conf? I don't need the whole thing, just the lines with
"nts".
Di
I think I've found a way for that to happen.
Were you missing a "nts enable" in your config file?
but did have a "nts cert ..." pointing to a valid file?
> # grep nts /etc/ntp.conf
> nts key /etc/letsencrypt/keys/_key-certbot.pem
> nts cert /etc/letsencrypt/csr/_csr-certbot.pem
> server time.cloudflare.com:1234 nts # TLS1.3 only
...
Thanks.
I just pushed a fix. Please test.
If you want the server side to support NTS, you need to add "
udo...@xs4all.nl said:
>> If you want the server side to support NTS, you need to add "nts enable"
> With that in ntp.conf the ntpd does not start. Config needed I guess.
The log file should have a useful message. It may take more than a few
seconds to find due to all the cruft that is useful
> -rw--- 1 root root 1708 Dec 13 11:05 ./keys/_key-certbot.pem
> Anything wrong in here?
Your configure line includes early-droproot.
Your command line includes -u ntp:ntp
With that combination, it's probably trying to read the key after switching to
user ntp.
> So no error messages about gps/NMEA.
> NMEA(0) .GPS.0 l 15 64 377
> 0. 0. 0.0019
What's the line for that in your ntp.conf? Any fudge lines?
What does stty say for the baud rate?
What sort of GPS device ? What baud rate is it usi
Anybody object if I remove it?
It's used to conditionalize logging of various messages from refclocks. You
will see them if your ntp.conf has"
logconfig +clockall
(and won't see them by default)
include/ntp_syslog.h:#define LOGIF(nlog_suffix, msl_args)
\
ntpd/refclock_tr
Gary said:
>> They are all very low volume that are useful for debugging,
>> especially when somebody asks for help on users@ or devel@
> Why remove something you think is useful?
Ahh/oops.
I didn't want to remove the messages, just remove the LOGIF wrapper so the
messages would always appea
Gary said:
> Sorry, I misread that. Some people want verbose logging, some none. Choice
> is good. As long as there is an on/off switch of some sort.
Yes and no.
The on/off switch is obscure enough and the amount of logging that can be
turned on/off is small enough that the choice isn't wor
Gary said:
> Then hang it off another switch.
Care to suggest "another switch"?
> but it does burn out SD cards quickly.
From my initial message:
They are all very low volume
I was close to saying they all happened only during initialization, but at
least one is termination, and I think
> I could switch to a NMEA clock sans PPS and a dedicated PPS clock?
That's what I would try.
>> If so, you must use the clear edge of the PPS (flag2 1).
> Why is that?
Which edge you should use depends on the device and how you wired it up.
Most PPS devices are setup so you should use the rising/assert edge. If you
run it through an RS-232 level shifter, they contain an inverter so you
> Because RS232 signaling is negative logic.
That's what I used to think, but somebody corrected me many years ago.
The data is upside down but the control signals are not.
From https://en.wikipedia.org/wiki/RS-232
under Voltage levels
For data transmission lines (TxD, RxD, and their secondar
> What can I do about these EX-REP messages?
Comment out your server line for time.cloudflare.com
Stage: build
Name: gentoo-hardened-basic
Trace: Fetching file portage-20200314.tar.gz.md5sum ...
20200314 snapshot was not found
Trying to retrieve 20200313 snapshot from http://distfiles.gentoo.org ...
Fetching file gentoo-20200313.tar.xz.md5sum ...
Fetching file portage-20200313.tar.xz.md5sum ...
One of the last changes to the draft NTS RFC was to change the string constant
used to make the keys that are used to encrypt and authenticate the NTP+NTS
traffic.
There isn't any easy way to make a backwards compatible update.
The symptoms of incompatible versions are that the NTS-KE step wi
> By Monday, do you mean today (in which case midnight UTC has passed but maybe
> you mean what is technically Tuesday 00:00) or a week from now?
Sorry, I meant the midnight at the end of today. 23:59
Sweden/Netnod has the new code running on port 3443
(The old code was on 4443.)
> Is the
ntp1.glypnod.com and ntp2.glypnod.com are now running the new code.
> After a great deal of refactoring, digging, confusion, and generalized
> wrestling with the surprising number of tentacles that comprise the mrulist
> system I can now make a report of sorts:
Great. Thanks.
Did you fix anything in the process? Are you describing the current code or
new/f
What's the right fix for this?
gcc (GCC) 10.0.1 20200328 (Red Hat 10.0.1-0.11)
../../libaes_siv/aes_siv.c: In function ‘AES_SIV_EncryptFinal’:
../../libaes_siv/aes_siv.c:385:19: warning: inlining failed in call to
‘do_s2v_p’: --param max-inline-insns-single limit reached [-Winline]
38
dfoxfra...@gmail.com said:
> There's nothing to fix. It's just the optimizer telling you it'd rather not
> inline a function that was declared inline. Which is fine, it doesn't affect
> correctness.
Thanks.
I think it's important to not have warnings. If you are happy with the code,
we'll ha
devel@ntpsec.org said:
> Much of our NTS code uses BSD-4-Clause-UC instead of BSD-2-Clause (our
> preferred license for new code).
> Was this license selection intentional?
No. I just copied something from somewhere.
> Is BSD-4-Clause-UC intended for code owned by the University of Californ
> Is it not possible to use self-signed certificates? Or am I missing some
> steps; is there a recipe that works for machines on private networks?
I use self signed certificates for testing so it should be reasonable for you
to get it working.
I used a recipe I found on the web. It sets up a
watsonbl...@gmail.com said:
> I've gotten reports from some users of a remaining incompatibility with
> time.cloudflare.com and the code currently in git. I'm going to dig into it,
> but let me know if you have other reports.
I haven't seen any solid reports of our git head not working with you
If I read things correctly, you are signing the server's certificate with your
root certificate. I tested with an intermediate cert in there. I don't know
any reason your case won't work, but it's not how I tested things.
[on server]
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL
devel@ntpsec.org said:
> I have upgraded to ntpd ntpsec-1.1.8+ (git rev 36bb89920) and I
> believe I'm seeing this problem.
You aren't connecting to ntp1.glypnod.com either, so that's probably not a
cloudflare problem.
Thanks for the report. I may have seen something similar.
Are the serve
watsonbl...@gmail.com said:
> There is speculation and some evidence that port 123 might not work very well
> due to ISP interference: I wonder if that might be happening here.
I've tracked down a bug that prevents sending requests. With no requests
going out, there are no answers coming back
I just pushed a fix that explains some cases of cloudflare not working.
The case that I fixed is IPv6 and the clock being stepped.
If you encounter a case of git head not working with cloudflare, please let me
know.
matthew.sel...@twosigma.com said:
> I don't see these commits on https://gitlab.com/NTPsec/ntpsec/-/commits/
> master or merge request on https://gitlab.com/NTPsec/ntpsec/-/merge_requests
Thanks for the heads-up. I forgot the push. It's there now.
> Unless someone pulls the stop cord, I will tag NTPsec_1_1_9 on 2020-05-23.
Seems like a good plan to me.
The NTS RFC is still somewhere in the paperwork process. We'll have to do
another release shortly after it comes out. I have no idea when that will be.
rlaa...@wiktel.com said:
> ntpd seems to load the TLS certificate and key before dropping privileges.
> Unfortunately, when it tries to *reload* the certificate later, it has
> dropped privileges and fails. This is a bit of a trap, as a sysadmin can
> think a setup is working when it isn't. (This
James Browning said:
> Maybe the feast day of Nicholas Copernicus and Johannes Kepler for the fun
> fact.
John Harrison.
> The NTPsec Project is pleased to announce the tagging of version 1.1.9
Congrats/thanks.
In hindsight, we should have pushed a release when we made the incompatible
change to the new string used to make the c2s and s2c keys. (The draft RFC
changed a string constant There is no reasonable bac
> I am trying to track down if MS-SNTP support was added back, and if it is
> supported.
> We have an entry in the news file, about removal, but none on addition.
The code is still there. I don't know if it works or anybody uses it.
I don't see any mention of it in NEWS. Do you have a line
> bottom of docs/ntpsec.adoc
That's under Future directions.
It says:
> * Now that we have full Network Time Security, a near-future
> direction is to remove older insecure authentication methods (MAC
> and MS-SNTP).
I'd be happy to drop MS-SNTP, especially if we don't have any users.
I th
Fedora is updating from Python 3.7 to 3.8.
That breaks ntpq (and friends) because the installed ntp libraries are over in
3.7 but ntpq is looking in 3.8
Is there a good/clean fix for this? Should the code that chops the ".py" off
the name also fixup the first line of the script to replace "pyt
I've been experimenting with some code to allow custom seccomp lists.
The idea is to replace the --enable-seccomp configure option with
--enable-seccomp=foo
and ntp_sandbox would include syscomp/foo.c which would be a list of syscalls
used by this system.
I assume we would maintain a list fo
> Recently I noticed such an error from khronos.mikieboy.net, which is operated
> by Michael Simpson. Mike has been involved in ntpsec and is on this list, so
> I'm taking this opportunity to investigate the issue.
Mike: Do you have log files from then? (May 22)
If so, please save them and/or
e...@thyrsus.com said:
>> If yes, I'll need some help to work out the details.
> Aaarrgghhh. It's a huge pain in the ass and I wish it weren't interesting.
> But given our mission statement, it has to be.
OK. Let's discuss how to do it.
I was thinking of putting the individual lists in ntp
e...@thyrsus.com said:
> Aaarrgghhh. It's a huge pain in the ass and I wish it weren't interesting.
> But given our mission statement, it has to be.
Just to make sure we are on the same wavelength...
My question/proposal was not to drop seccomp if we didn't do what I sketched
out. It was
WIBDR == What I've Been Doing Recently
Maybe if we use a tag like that occasionally, it will encourage others to
report on their adventures, or some interesting details of plain old boring
work.
--
I'm not sure how/why I got started on this, but I've been trying to learn more
about
We should do this. It's not trivial. Doing it involves reworking the code is
a good way.
Subject: [Ntp] I-D Action: draft-ietf-ntp-port-randomization-03.txt
From: internet-dra...@ietf.org
Date: Fri, 29 May 2020 00:13:38 -0700
To:
Cc: n...@ietf.org
A New Internet-Draft is available from the on
In case anybody is looking for things to work on...
There are several clumps of statistics that ntpq can print that get reset
every hour because foostats prints them out and clears the counters. I think
we should not reset the counters but update a copy when they currently get
reset. foostats
> I'm thinking of tagging 1.2.0 for when NTS is officially official.
Seems like a good plan.
I'm expecting there will be a new port number assigned for the KE server.
Step 1 will be to listen on both old and new port #
Step 2 is to switch the client side to default to the new port #.
Step 3
gha...@gmail.com said:
> Hal, are we talking of the ntske port, 4460/tcp ?
Yes.
> As I understand it, NTS requires an out-of-band pre-arrangement. It makes no
> sense for me to probe random IP addresses for an NTS server to use, why would
> I trust this? So there would be an existing channel b
> The port has been assigned: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=4460
Thanks. I'd missed that.
I just pushed the code so that ntpd now listens on both ports 4460 and 123.
Mark: This is step 1. You get to decide if you want to do another release
now, and another for step 2 in a couple of days. If so, the release
announcement should describe the process.
>> Step 1 will be to listen on both old and new port #
>> Step 2 is to switch the client side to default to the new port #.
>> Step 3 is to stop listening on the old port #.
>> Plan B is to merge them all 3 steps and tolerate the brokenness until
>> everybody switches to the new port number.
> Which causes ntpd to fail on startup (I assume after dropping root):
Looks like you are dying trying to read the certificate. It will get worse
when you want to read the key.
--
Do you trust user ntp? If so, the fix is to change ownership. I copy the
cert and key over to /etc/
> But then I lose the automatic rotation :-(
Good catch. I do the update manually after it sends me reminder email.
Is the automatic stuff a cron job? Did you set it up manually, or is there an
option to set it up?
We should make a pass at the documentation collecting these ideas.
mikie.simp...@gmail.com said:
> I used to have a symlink into /etc/ntp from /etc/letsencrypt/live... which
> worked until the recent changes.
Do you have old log files? Can you find a case with the old setup where your
ntpd reloaded the updated certificate and key?
The recent change was add
> When I recently installed 3.19 from repo on the new 'raspberry pi os (64
> bit)', I had to change /etc/letsencrypt from ownership ntp:ntp to root:ntp
> in order to get past the 'permission denied' errors.
3.19 sounds more like a GPSD version. Did you update ntpsec too?
I can't figure out ho
They are up to alpha3. I've been trying it.
I added a tweak to wscript to support this, and some notes in HOWTO-OpenSSL
That recipe also works for getting 1.1.1 on old systems so they can use NTS.
-
There are several big changes in 3.0.0
The CMAC_* API that we have been using is now
k...@roeckx.be said:
> Note that we're still waiting for a reply from you about your test code. I
> would like to see if it's possible to improve the speed in 3.0.0, or at least
> understand where the slowdown comes from.
Sorry.
Richard Levitte's message said "I would very much like to see you
This is obvious, but it surprised me so I'll mention it to add to the general
background understanding.
seccomp has to allow not just what our code does directly, but also what the
libraries do. DNS lookup in libc does all sorts of things.
So does libssl.
> May 18 10:06:48 boombox ntpd[2055]: CLOCK: time stepped by 59097600.478559
> May 18 10:06:48 boombox ntpd[2055]: CLOCK: time changed from 2020-07-03 to
> 2022-05-18
> We're running a fairly recent git version of ntpsec: ntpsec-1.1.9-0.fc31.x86_64
> on Fedora 31 on kernel.org 5.7.7.
> How ca
> the assumption you are suffering from GPS rollover issues
WNRO seems unlikely. That would be off by 20 years. This case is off by 2.
It's still listening on both 123 and 4460
I want to remove listening on 123 right before Mark releases 1.2.0
gha...@gmail.com said:
> Hal, why wait till just before the release? Switch the code now, so that the
> NTPsec testers can remind each other to rewrite config files (if required).
If other testers are running git head from a week or so ago, it is already
listening to both 123 and 4460. If pe
From an ntp.conf:
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
That's not totally correct for ntpsec. When setting up a serve
There are a handful of modes that we don't support. I changed them from
MODE_FOO to MODE_FOOx so any use would break at compile time and we would fix
it. That was back in April.
My best guess is that you have only half updated your system. You have a new
ntpmon but it is using an old pylib