Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Mon, Dec 07, 2020 at 10:47:31AM +, Zbigniew Jędrzejewski-Szmek wrote: > Since the plan it to Obsolete the old package, I think you should trigger > on the removal of it: > %triggerun ntp <= ... > > # copy service enablement from the old name to the new name > if systemctl is-enabled -q ntpd 2>/dev/null; then > systemctl enable ntpsecd # if the name is different... > fi More magic is needed. The service name is the same (ntpd). The ntpsec post disables the service before the triggerun runs. I suspect the original state needs to be captured first in a triggerprein or pre scriptlet. -- Miroslav Lichvar ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Mon, Dec 07, 2020 at 11:05:56AM +0100, Miroslav Lichvar wrote: > On Fri, Dec 04, 2020 at 01:38:02AM +0100, Björn Persson wrote: > > > == Upgrade/compatibility impact == > > > > > > The `ntp` package is replaced automatically on upgrade to Fedora 34. > > > The configuration file ''/etc/ntp.conf'' is saved as to > > > ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to > > > ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will > > > fall back to the default configuration in ''/etc/ntp.d'' using the > > > ''pool.ntp.org'' servers. > > > > > > The `ntpd` service is disabled after the upgrade and needs to be enabled > > > again. > > > > That's not so nice to those users who can use NTPsec as a drop-in > > replacement. For them it would be better to keep the configuration file > > and have the service enabled if it was enabled before the upgrade. > > Good point. What would be the best way to do that in the ntpsec > package? Trigger on ntp? Since the plan it to Obsolete the old package, I think you should trigger on the removal of it: %triggerun ntp <= ... # copy service enablement from the old name to the new name if systemctl is-enabled -q ntpd 2>/dev/null; then systemctl enable ntpsecd # if the name is different... fi ... Zbyszek ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Fri, Dec 04, 2020 at 01:38:02AM +0100, Björn Persson wrote: > > == Upgrade/compatibility impact == > > > > The `ntp` package is replaced automatically on upgrade to Fedora 34. > > The configuration file ''/etc/ntp.conf'' is saved as to > > ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to > > ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will > > fall back to the default configuration in ''/etc/ntp.d'' using the > > ''pool.ntp.org'' servers. > > > > The `ntpd` service is disabled after the upgrade and needs to be enabled > > again. > > That's not so nice to those users who can use NTPsec as a drop-in > replacement. For them it would be better to keep the configuration file > and have the service enabled if it was enabled before the upgrade. Good point. What would be the best way to do that in the ntpsec package? Trigger on ntp? -- Miroslav Lichvar ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
> == Upgrade/compatibility impact == > > The `ntp` package is replaced automatically on upgrade to Fedora 34. > The configuration file ''/etc/ntp.conf'' is saved as to > ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to > ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will > fall back to the default configuration in ''/etc/ntp.d'' using the > ''pool.ntp.org'' servers. > > The `ntpd` service is disabled after the upgrade and needs to be enabled > again. That's not so nice to those users who can use NTPsec as a drop-in replacement. For them it would be better to keep the configuration file and have the service enabled if it was enabled before the upgrade. Users who use some feature that NTPsec has dropped will have to adjust their configuration either way. Everyone else should get their drop-in replacement dropped in if possible. What harm could it cause if the configuration file and the service were tranparently transferred for all users? If the configuration file uses any of the dropped features, then NTPsec should at worst refuse to run. If it does anything worse than that, then I think that's a serious defect that needs to be fixed. > == User Experience == > For most users of `ntp` the experience is not expected to change > significantly. Or rather: For most users their only experience will be that their clocks will drift until they un-rename the configuration file and reenable the service? Björn Persson pgpp5LBDN7tg3.pgp Description: OpenPGP digital signatur ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Wed, Dec 02, 2020 at 09:29:05AM -0600, Chris Adams wrote: > Once upon a time, Tomasz Torcz said: > > There ARE functional changes. Mainly removal of long-obsolete drivers, > > full list can be found at: > > https://docs.ntpsec.org/latest/ntpsec.html#incompatible > > https://www.ntpsec.org/removal-plan.html > > Yeah, this would break my use of NTP, since I use one of the drivers to > be removed (I have an old Trimble Resolution T, which uses the Palisade > driver). I think I tried gpsd with it at one point and something didn't > work, can't remember now. The ntp drivers stay in the ntp-refclock package. It requires an extra service to run the ntpd driver, but you can feed the ntpsec ntpd or chrony using the SHM or SOCK driver. -- Miroslav Lichvar ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
Once upon a time, Tomasz Torcz said: > There ARE functional changes. Mainly removal of long-obsolete drivers, > full list can be found at: > https://docs.ntpsec.org/latest/ntpsec.html#incompatible > https://www.ntpsec.org/removal-plan.html Yeah, this would break my use of NTP, since I use one of the drivers to be removed (I have an old Trimble Resolution T, which uses the Palisade driver). I think I tried gpsd with it at one point and something didn't work, can't remember now. -- Chris Adams ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Wed, Dec 02, 2020 at 10:00:04AM -0500, Neal Gompa wrote: > > == Release Notes == > > TBD > > > > Makes sense, though I think the release notes section would be pretty > easy to write: > > "The classic ntpd service was formerly provided by the ntp package. > The ntp software has significant security issues and development seems > moribund. It has now been replaced with the ntpsec package, an > actively maintained fork of the ntp software. No functional changes > are expected." There ARE functional changes. Mainly removal of long-obsolete drivers, full list can be found at: https://docs.ntpsec.org/latest/ntpsec.html#incompatible https://www.ntpsec.org/removal-plan.html -- Tomasz TorczTo co nierealne – tutaj jest normalne. to...@pipebreaker.pl Ziomale na życie mają tu patenty specjalne. ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Wed, Dec 02, 2020 at 10:00:04AM -0500, Neal Gompa wrote: > Makes sense, though I think the release notes section would be pretty > easy to write: > > "The classic ntpd service was formerly provided by the ntp package. > The ntp software has significant security issues and development seems > moribund. It has now been replaced with the ntpsec package, an > actively maintained fork of the ntp software. No functional changes > are expected." Thanks. I put it there with "No functional changes are expected for most users" as ntpsec doesn't have some of the less useful features of ntp. -- Miroslav Lichvar ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Fedora 34 Change: ntp replacement (Self-Contained Change)
On Wed, Dec 2, 2020 at 9:24 AM Ben Cotton wrote: > > https://fedoraproject.org/wiki/Changes/NtpReplacement > > == Summary == > > The `ntp` package is replaced with `ntpsec`. > > == Owner == > * Name: [[User:mlichvar| Miroslav Lichvar]] > * Email: mlich...@redhat.com > > == Detailed Description == > > `ntp` is one of the few NTP implementations provided in Fedora. It is > not used or installed by default. > > The [https://www.ntp.org/ upstream project] is not in a good shape and > it doesn't seem to be improving. The development is slow and happens > behind closed doors. There is a significant number of known security > issues that have not been fixed yet. Some are exploitable in the > default configuration. > > [https://www.ntpsec.org/ ntpsec] is a fork of `ntp` with focus on > security. It has removed a lot of code and fixed or avoided most of > the security issues in `ntp`. It doesn't support all features, but in > typical configurations it can be used as a drop-in replacement for > `ntp`. > > There are few packages in Fedora that have a dependency on `ntp`: > * `nagios-plugins-ntp-perl` > * `ntpstat` > > == Benefit to Fedora == > > This change makes Fedora more secure. > > == Scope == > * Proposal owners: > > # Package `ntpsec` obsoleting the `ntp` package. > # Retire `ntp` package. > # Make sure the dependent packages still work. > > * Other developers: N/A (not a System Wide Change) > * Release engineering: N/A (not needed for this Change) > * Policies and guidelines: N/A (not a System Wide Change) > * Trademark approval: N/A (not needed for this Change) > > == Upgrade/compatibility impact == > > The `ntp` package is replaced automatically on upgrade to Fedora 34. > The configuration file ''/etc/ntp.conf'' is saved as to > ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to > ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will > fall back to the default configuration in ''/etc/ntp.d'' using the > ''pool.ntp.org'' servers. > > The `ntpd` service is disabled after the upgrade and needs to be enabled > again. > > == How To Test == > * Install `ntpsec` > * Run `ntpdate pool.ntp.org` > * Start the `ntpd` service > * Run `ntpq -p` to verify `ntpd` is polling servers and synchronizing the > clock > > == User Experience == > For most users of `ntp` the experience is not expected to change > significantly. Advanced configurations may need to be modified to work > with `ntpsec`. > > == Dependencies == > N/A (not a System Wide Change) > > == Contingency Plan == > > * Contingency mechanism: Unretire `ntp` and remove the obsoletes in `ntpsec` > * Contingency deadline: Fedora 34 Beta > * Blocks release? N/A (not a System Wide Change) > * Blocks product? > > == Documentation == > N/A (not a System Wide Change) > > == Release Notes == > TBD > Makes sense, though I think the release notes section would be pretty easy to write: "The classic ntpd service was formerly provided by the ntp package. The ntp software has significant security issues and development seems moribund. It has now been replaced with the ntpsec package, an actively maintained fork of the ntp software. No functional changes are expected." -- 真実はいつも一つ!/ Always, there's only one truth! ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Fedora 34 Change: ntp replacement (Self-Contained Change)
https://fedoraproject.org/wiki/Changes/NtpReplacement == Summary == The `ntp` package is replaced with `ntpsec`. == Owner == * Name: [[User:mlichvar| Miroslav Lichvar]] * Email: mlich...@redhat.com == Detailed Description == `ntp` is one of the few NTP implementations provided in Fedora. It is not used or installed by default. The [https://www.ntp.org/ upstream project] is not in a good shape and it doesn't seem to be improving. The development is slow and happens behind closed doors. There is a significant number of known security issues that have not been fixed yet. Some are exploitable in the default configuration. [https://www.ntpsec.org/ ntpsec] is a fork of `ntp` with focus on security. It has removed a lot of code and fixed or avoided most of the security issues in `ntp`. It doesn't support all features, but in typical configurations it can be used as a drop-in replacement for `ntp`. There are few packages in Fedora that have a dependency on `ntp`: * `nagios-plugins-ntp-perl` * `ntpstat` == Benefit to Fedora == This change makes Fedora more secure. == Scope == * Proposal owners: # Package `ntpsec` obsoleting the `ntp` package. # Retire `ntp` package. # Make sure the dependent packages still work. * Other developers: N/A (not a System Wide Change) * Release engineering: N/A (not needed for this Change) * Policies and guidelines: N/A (not a System Wide Change) * Trademark approval: N/A (not needed for this Change) == Upgrade/compatibility impact == The `ntp` package is replaced automatically on upgrade to Fedora 34. The configuration file ''/etc/ntp.conf'' is saved as to ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will fall back to the default configuration in ''/etc/ntp.d'' using the ''pool.ntp.org'' servers. The `ntpd` service is disabled after the upgrade and needs to be enabled again. == How To Test == * Install `ntpsec` * Run `ntpdate pool.ntp.org` * Start the `ntpd` service * Run `ntpq -p` to verify `ntpd` is polling servers and synchronizing the clock == User Experience == For most users of `ntp` the experience is not expected to change significantly. Advanced configurations may need to be modified to work with `ntpsec`. == Dependencies == N/A (not a System Wide Change) == Contingency Plan == * Contingency mechanism: Unretire `ntp` and remove the obsoletes in `ntpsec` * Contingency deadline: Fedora 34 Beta * Blocks release? N/A (not a System Wide Change) * Blocks product? == Documentation == N/A (not a System Wide Change) == Release Notes == TBD -- Ben Cotton He / Him / His Senior Program Manager, Fedora & CentOS Stream Red Hat TZ=America/Indiana/Indianapolis ___ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Fedora 34 Change: ntp replacement (Self-Contained Change)
https://fedoraproject.org/wiki/Changes/NtpReplacement == Summary == The `ntp` package is replaced with `ntpsec`. == Owner == * Name: [[User:mlichvar| Miroslav Lichvar]] * Email: mlich...@redhat.com == Detailed Description == `ntp` is one of the few NTP implementations provided in Fedora. It is not used or installed by default. The [https://www.ntp.org/ upstream project] is not in a good shape and it doesn't seem to be improving. The development is slow and happens behind closed doors. There is a significant number of known security issues that have not been fixed yet. Some are exploitable in the default configuration. [https://www.ntpsec.org/ ntpsec] is a fork of `ntp` with focus on security. It has removed a lot of code and fixed or avoided most of the security issues in `ntp`. It doesn't support all features, but in typical configurations it can be used as a drop-in replacement for `ntp`. There are few packages in Fedora that have a dependency on `ntp`: * `nagios-plugins-ntp-perl` * `ntpstat` == Benefit to Fedora == This change makes Fedora more secure. == Scope == * Proposal owners: # Package `ntpsec` obsoleting the `ntp` package. # Retire `ntp` package. # Make sure the dependent packages still work. * Other developers: N/A (not a System Wide Change) * Release engineering: N/A (not needed for this Change) * Policies and guidelines: N/A (not a System Wide Change) * Trademark approval: N/A (not needed for this Change) == Upgrade/compatibility impact == The `ntp` package is replaced automatically on upgrade to Fedora 34. The configuration file ''/etc/ntp.conf'' is saved as to ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will fall back to the default configuration in ''/etc/ntp.d'' using the ''pool.ntp.org'' servers. The `ntpd` service is disabled after the upgrade and needs to be enabled again. == How To Test == * Install `ntpsec` * Run `ntpdate pool.ntp.org` * Start the `ntpd` service * Run `ntpq -p` to verify `ntpd` is polling servers and synchronizing the clock == User Experience == For most users of `ntp` the experience is not expected to change significantly. Advanced configurations may need to be modified to work with `ntpsec`. == Dependencies == N/A (not a System Wide Change) == Contingency Plan == * Contingency mechanism: Unretire `ntp` and remove the obsoletes in `ntpsec` * Contingency deadline: Fedora 34 Beta * Blocks release? N/A (not a System Wide Change) * Blocks product? == Documentation == N/A (not a System Wide Change) == Release Notes == TBD -- Ben Cotton He / Him / His Senior Program Manager, Fedora & CentOS Stream Red Hat TZ=America/Indiana/Indianapolis ___ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
