Re: "debian.pool.ntp.org" for Debian derivatives?
* Ian Jackson: >> PS: Paying that extra money to ntp.org would certainly not kill use, but >> adding that money instead to our currently already existing support of >> Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more >> Debian (downstream) users and developers. > > I wasn't aware that they charged commercial entities in this kind of > situation but that seems reasonable to me. IDK how much the charge > is. You are getting a service from pool.ntp.org, and as a commercial > entity you should pay your suppliers. Just to be clear: the fee goes to the pool operator, not the server operators. The actual service is donated without an expectation of compensation, or the compensation is kind, say for enabling network mapping and port scanning of IPv6 hosts.
Re: "debian.pool.ntp.org" for Debian derivatives?
We are probably accepting their TOS without reading them first: https://www.ntppool.org/tos.html Yao Wei (This email is sent from a phone; sorry for HTML email if it happens.) > On Oct 18, 2018, at 20:51, Ansgar Burchardt wrote: > >> On Thu, 2018-10-18 at 13:57 +0200, Philipp Hahn wrote: >> So my question is more like "is it okay to not change Debians default >> NTP server selection", so the initial setup and those lazy enough to >> not change the default get a sane time? > > I don't think Debian can answer that question and suggest to ask the > pool operators. This seems to be the correct list: > https://lists.ntp.org/listinfo/pool > > A related question is the use of API keys that are included in some > packages (e.g. chromium). These are also vendor-specific, but cannot > be really secret (as they are included in the binaries and could be > extracted even for proprietary software). > > Ansgar >
Re: "debian.pool.ntp.org" for Debian derivatives?
On Thu, 2018-10-18 at 13:57 +0200, Philipp Hahn wrote: > So my question is more like "is it okay to not change Debians default > NTP server selection", so the initial setup and those lazy enough to > not change the default get a sane time? I don't think Debian can answer that question and suggest to ask the pool operators. This seems to be the correct list: https://lists.ntp.org/listinfo/pool A related question is the use of API keys that are included in some packages (e.g. chromium). These are also vendor-specific, but cannot be really secret (as they are included in the binaries and could be extracted even for proprietary software). Ansgar
Re: "debian.pool.ntp.org" for Debian derivatives?
Hello Ian et al., Am 18.10.18 um 12:40 schrieb Ian Jackson: > Philipp Hahn writes (""debian.pool.ntp.org" for Debian derivatives?"): >> Are we (as a Debian derivate) allowed to hard-code and use the >> "debian.pool.ntp.org" or must we apply for our own pool? > > The NTP pool folks would like you to use your own pool. So would > Debian, I'm pretty sure. Q: So must all Debian derivatives patch NTP and re-compile¹ it as Debians pool is hard-coded: > $ apt download ntp > $ ar p ntp_1%3a4.2.8p10+dfsg-3+deb9u2_amd64.deb | tar xfO data.tar.xz > ./etc/ntp.conf | grep ^pool > pool 0.debian.pool.ntp.org iburst > pool 1.debian.pool.ntp.org iburst > pool 2.debian.pool.ntp.org iburst > pool 3.debian.pool.ntp.org iburst or only the commercial derivatives? >> PS: Paying that extra money to ntp.org would certainly not kill use, but >> adding that money instead to our currently already existing support of >> Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more >> Debian (downstream) users and developers. First of all: We don't what to cheat them or Debian, but the question is interesting enough as it can have legal questions for all derivatives. > I wasn't aware that they charged commercial entities in this kind of > situation but that seems reasonable to me. IDK how much the charge > is. You are getting a service from pool.ntp.org, and as a commercial > entity you should pay your suppliers. The question remains, if "Debian" can be our supplier and allow us (and any other derivatives) to use their pool? > If the charge is too much, you could always run your own ntp server. Any sane setup needs at least 4 servers. That is why there is that pool project so not everyone has to run their own farm of NTP servers around the world themselves. > If you continue to use the Debian pool to avoid paying them, then you > are using their facilities without permission. ... > TBH I doubt they would get you prosecuted or sue you - because they're > not that kind of people and wouldn't want to harm the free software > community = but I hope you will agree that you should act legally! Normally I tell our customers to ask their Internet providers for their preferred NTP servers, as they usually run their own farm, which are then close to their customers (network wise). Many routers have a built-in NTP server anyway. This normally improves the accuracy and reduces network traffic as with the pool you can get servers from the other end of the world. Lucky you if you get that information from your provider via DHCP (option nntp-server). Even if your provider does not run its own farm, you can still re-configure your servers to use at least the pool for your continent or country, which hopefully are closer by network vise, too. As an end-user you are not bound by that pool.ntp.org rule and can configure whatever server you like. But not as a software or Operating System vendors: I MUST NOT use 'pool.ntp.org'. So my question is more like "is it okay to not change Debians default NTP server selection", so the initial setup and those lazy enough to not change the default get a sane time? Philipp ¹: not a big deal for us, but we try to stay as closely to Debian as we can.
Re: "debian.pool.ntp.org" for Debian derivatives?
On 10/18/2018 11:22 AM, Philipp Hahn wrote: > Are we (as a Debian derivate) allowed to hard-code and use the > "debian.pool.ntp.org" or must we apply for our own pool? the idea between the different pool CNAMEs is that when one vendor does something bad/wrong, the queries of devices running that version of ntp can be easier diverted to /dev/null. hence, as long as you don't "modify" the ntp package from debian in your derivative, there is no need/gain of applying for an own ntp pool. (re "modify": use your best judgement. fictional example: if you would recompile the unmodified source package from debian with some weird toolchain/settings in your derivative which would be likely to break stuff, I would err on the side of causion and apply for a pool.) Regards, Daniel
Re: "debian.pool.ntp.org" for Debian derivatives?
Philipp Hahn writes (""debian.pool.ntp.org" for Debian derivatives?"): > Are we (as a Debian derivate) allowed to hard-code and use the > "debian.pool.ntp.org" or must we apply for our own pool? The NTP pool folks would like you to use your own pool. So would Debian, I'm pretty sure. > PS: Paying that extra money to ntp.org would certainly not kill use, but > adding that money instead to our currently already existing support of > Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more > Debian (downstream) users and developers. I wasn't aware that they charged commercial entities in this kind of situation but that seems reasonable to me. IDK how much the charge is. You are getting a service from pool.ntp.org, and as a commercial entity you should pay your suppliers. If the charge is too much, you could always run your own ntp server. If you continue to use the Debian pool to avoid paying them, then you are using their facilities without permission. I don't know what German law is like but in the UK that would be the crime of unauthorised access to a computer system. Also they could probably sue you for the money. TBH I doubt they would get you prosecuted or sue you - because they're not that kind of people and wouldn't want to harm the free software community = but I hope you will agree that you should act legally! Regards, Ian. -- Ian JacksonThese opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.