Bug#1003966: ntpsec: split out ntpdig?

2022-01-25 Thread Christoph Anton Mitterer
On Tue, 2022-01-25 at 01:09 -0600, Richard Laager wrote:
> I'm relatively set on the idea of breaking out ntpdig, since it's the
> renamed replacement for sntp which is broken out in src:ntp, which we
> are talking (on debian-devel) about ntpsec replacing.

Thanks :-)



Bug#1003966: ntpsec: split out ntpdig?

2022-01-24 Thread Richard Laager
I'm relatively set on the idea of breaking out ntpdig, since it's the 
renamed replacement for sntp which is broken out in src:ntp, which we 
are talking (on debian-devel) about ntpsec replacing.


--
Richard




Bug#1003966: ntpsec: split out ntpdig?

2022-01-24 Thread Christoph Anton Mitterer
Hey Richard.

On Tue, 2022-01-18 at 20:33 -0600, Richard Laager wrote:
> 1. What is your use case for ntpdig and/or ntpdate (please be specific
> which) if not for the hooks?
Well it's mostly what I've semi-indicated already:

- I wouldn't want all the hooks, as for normal operations I have ntpsec
 running.

- But *if* for some reason the system time deviated too far from the
real time (e.g. when it was changed manually for some debugging or so,
or when the system was powered off for longer and the clock is bad),...
where the daemon would take too long to correct,... it would be nice to
have a manual(!) one-shot command which simply sets the time to
whatever is determined via NTP (well ideally NTS, but ntpdig doesn't seem
to support that).

An alternative would of course be to use -g and/or -G ... but that I
wouldn't want to set in general.



> 2. My recollection is that there was some talk about removing ntpdate
> from Debian's src:ntp. I don't know if that's already happened.
> 
> I ended up implementing all that in Debian's src:ntpsec for 
> compatibility with ntp, but I intended on removing it once ntp did.
I thought the plan was to replace ntpdate with sntp?


> The network hooks do a couple of different things. First, if you're 
> using ifupdown, then when an interface comes up, ntpsec is stopped, 
> ntpdate is run, and ntpsec is started. This is arguably* desirable if
> the system is not always connected to the Internet.
If it then fetches the current time every time... and if ntpdig doesn't
use NTS... doesn't that give an attacker the chance to mess with the
time rather easily?



> * But why not either: A) run systemd-timesyncd (the default anyway)
I think that has (not yet) support for NTS? 


> 3. The DHCP bit can be turned off in /etc/default/ntpsec-ntpdate. 
> Disabling running ntpdate on ifup would require deleting the hook
> script.

Well that's why I kinda wanted not to have the hooks at all, but just
the tool,... so that I don't need to worry how far (or not) they are
integrated into NM/ifupdown/etc..


Cheers,
Chris.



Bug#1003966: ntpsec: split out ntpdig?

2022-01-18 Thread Richard Laager

I have a few questions:

1. What is your use case for ntpdig and/or ntpdate (please be specific 
which) if not for the hooks? Note that ntpdate is a wrapper script 
around ntpdig that upstream does not install by default. And then 
there's ntpdate-debian wrapping ntpdate.


2. My recollection is that there was some talk about removing ntpdate 
from Debian's src:ntp. I don't know if that's already happened.


I ended up implementing all that in Debian's src:ntpsec for 
compatibility with ntp, but I intended on removing it once ntp did.


The network hooks do a couple of different things. First, if you're 
using ifupdown, then when an interface comes up, ntpsec is stopped, 
ntpdate is run, and ntpsec is started. This is arguably* desirable if 
the system is not always connected to the Internet. If you're running 
both ntpsec and these hooks (why?), this is harmful if interfaces come 
and go while the system remains connected to the Internet. Off the top 
of my head, I can't remember whether this behavior happens with 
NetworkManager or networkd.


The hooks also take the NTP server(s) given by the DHCP server and write 
them to a configuration file to be used by ntpdate/ntpsec. I believe 
this works with dhclient, NetworkManager, and networkd.


* But why not either: A) run systemd-timesyncd (the default anyway) or 
B) just run ntpsec and let it figure out when the network is up (which 
it's probably "good enough" at).


Is any of this a use case you care about?

3. The DHCP bit can be turned off in /etc/default/ntpsec-ntpdate. 
Disabling running ntpdate on ifup would require deleting the hook script.


--
Richard





Bug#1003966: ntpsec: split out ntpdig?

2022-01-18 Thread Christoph Anton Mitterer
Source: ntpsec
Version: 1.2.1+dfsg1-2
Severity: wishlist


Hey.

Would it perhaps make sense to split out ntpdig into its own package?

Or at least the downside of the current ntpsec-ntpdate is that it also
adds all the hooks for ifupdown/NetworkManager/etc. and calls them
unnecessarily when ntpsec itself is also installed.

So what I'd actually like to have is probably rather, that I can use
ntpdig (and maybe even ntpdate) in some one-shot fashion, without
having them run every time the network changes, at least not when
ntpsec itself is already installed.


Perhaps one could also modify the hooks to look for some new config
option that decides whether they should run or not, like in:
no = never run
yes = always run
auto = run only, when ntpsec itself isn't installed


Thanks,
Chris.
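As an added example, not part of the bug report or of Debian's ntpsec packaging: a POSIX sh gate implementing the no/yes/auto option proposed in the initial report, wrapped around the stop / one-shot sync / start sequence the maintainer describes for the ifupdown hook. Everything not on the page is an assumption: the option is read as a shell variable `NTPDATE_USE_HOOKS` from a defaults file (the real `/etc/default/ntpsec-ntpdate` is not shown to have such a variable), "ntpsec is installed" is approximated by an `ntpd` binary in `PATH`, and the default stop/sync/start commands are placeholders that a real hook would replace with the distribution's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian ntpsec package.
# Assumptions (labelled): NTPDATE_USE_HOOKS as the option name in a
# defaults file, an ntpd binary in PATH as the "ntpsec installed" test,
# and placeholder stop/sync/start commands.

# ntpsec_installed: succeed (0) when an ntpd binary is found in PATH.
ntpsec_installed() {
    command -v ntpd >/dev/null 2>&1
}

# read_hook_mode FILE: source the defaults file (files in /etc/default are
# plain shell) and print the mode; an unset or missing value means "auto".
read_hook_mode() {
    NTPDATE_USE_HOOKS=
    if [ -r "$1" ]; then
        . "$1"
    fi
    printf '%s\n' "${NTPDATE_USE_HOOKS:-auto}"
}

# hook_should_run MODE INSTALLED
#   MODE       no | yes | auto   (the three values proposed in the report)
#   INSTALLED  1 if ntpsec is installed, 0 otherwise
# Prints "run" or "skip"; returns 0 for run, 1 for skip. An unknown value
# fails closed so that a typo in the defaults file never steps the clock.
hook_should_run() {
    case "$1" in
        no)   printf 'skip\n'; return 1 ;;
        yes)  printf 'run\n';  return 0 ;;
        auto)
            if [ "$2" = 1 ]; then printf 'skip\n'; return 1; fi
            printf 'run\n'; return 0 ;;
        *)
            printf 'unknown NTPDATE_USE_HOOKS value "%s", not running hook\n' "$1" >&2
            printf 'skip\n'; return 1 ;;
    esac
}

# The stop / one-shot sync / start commands are variables (placeholder
# defaults, an assumption) so the sequence can be exercised without root.
: "${NTPSEC_STOP:=service ntpsec stop}"
: "${NTPSEC_SYNC:=ntpdate-debian}"
: "${NTPSEC_START:=service ntpsec start}"

# run_ifup_hook MODE INSTALLED: what an ifup hook would do, gated by the
# option above. Prints "skipped", "ran" or "failed"; returns 1 only on failure.
run_ifup_hook() {
    if ! hook_should_run "$1" "$2" >/dev/null; then
        printf 'skipped\n'
        return 0
    fi
    # Word splitting on the command variables is intended here.
    if $NTPSEC_STOP && $NTPSEC_SYNC && $NTPSEC_START; then
        printf 'ran\n'
        return 0
    fi
    printf 'failed\n'
    return 1
}

# Demo with a constructed defaults file (not the real one); the commands are
# replaced by echo so the script runs offline and unprivileged.
demo() {
    tmp=$(mktemp) || return 1
    printf 'NTPDATE_USE_HOOKS=auto\n' > "$tmp"
    mode=$(read_hook_mode "$tmp")
    rm -f "$tmp"
    if ntpsec_installed; then inst=1; else inst=0; fi
    NTPSEC_STOP="echo stop ntpsec"
    NTPSEC_SYNC="echo ntpdate-debian"
    NTPSEC_START="echo start ntpsec"
    printf 'mode=%s ntpsec_installed=%s\n' "$mode" "$inst"
    run_ifup_hook "$mode" "$inst"
}

demo
```

With `auto` the hook steps the clock only on machines where ntpsec is absent, which is the case the report wants; on a machine running the daemon the interface events no longer trigger a stop, an unauthenticated one-shot sync and a restart.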