Daniel Franke <dfoxfra...@gmail.com>:
> Anyway, although NTP.org blew this advisory, they did get the patch
> correct, and as I reported in my previous email I've already ported
> and pushed that patch as of yesterday morning. I'm on the fence as to
> whether this bug is bad enough to merit tagging a release right away.
> Both NTP.org and the Redhat folks who discovered the bug are
> downplaying it, but I'm leaning toward yes given that even
> *legitimate* leap seconds have a long history of creating ops havoc,
> so a bogus one could be especially insidious.

Yeouch! I think your caution is well-founded. I also think it would do
NTPsec no harm to be *seen* to be more cautious and security-sensitive
than NTP.org, even if this weren't a real ops issue.

It's Mark's call, but my advice to him is to tag a release and make a
minor public fuss about NTP.org's and Red Hat's dismissiveness.

--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>