[ntp:hackers] Standardizing NTP...

todd glassey todd.glassey at worldnet.att.net
Wed Jun 15 08:45:27 PDT 2005


Brian - all

----- Original Message ----- 
From: "Poul-Henning Kamp" <phk at phk.freebsd.dk>
To: "todd glassey" <todd.glassey at att.net>
Cc: "Brian Utterback" <Brian.Utterback at Sun.COM>; <hackers at ntp.isc.org>
Sent: Wednesday, June 15, 2005 4:05 AM
Subject: Re: [ntp:hackers] Standardizing NTP...


> In message <023a01c57130$28f87e70$010aff0a at gw>, "todd glassey" writes:
>
> Todd,
>
> This is the kind of thing people get paid to do, it is not the stuff
> you will find volunteers doing in their spare time.
>
> What's the salary you offer for us to help your commercial enterprise?

Depends on how successful "the lawsuit" is. The current suit is 1/4B USD -
and of that I would be spinning probably as much as 5% into NTP support for
standardizing it as well. That is a pretty significant amount of money as
well.

What I am thinking of now is about some structure like a Chaord to own the
commercially certified footprints for NTP.  For comparison sake, the VISA
corporation is a Chaord, that is to say - no stockholders just licensed
members who all share the same set of resources.

In my current thinking we would set up this chaord and as part of creating
it I will add my rights to the US Timebase Services when they are secured.
This will make this the single source of US Timebase Services commercially
in the planet. The next step is to add a number of other timing laboratories
so that we can build what I had running in CertifiedTime inc, which was US
Timebases beating directly against the heartbeat of those other timebases
interoperability was needed to. This allows the tracking of the Delta-T
between any and all timebases and allows the consortia to say that it is the
commercial keeper of time on this planet.

As part of this we would also re-opt for the types of Insurance I had in
place with CertifiedTime - most of you probably didn't know - but CTI offered
a 1M/transaction timestamped insurance policy as to timebase deviations. Way
cool No?

So this gives this group - what it needs, a direct and a specific set of
hurdles

1)    From a technical standpoint we need to be able to set a basic standard
for testing NTP and then a process to "characterize" it as well. That is to
say from the technologists/physicist of the group - we need a performance
standard - i.e. what is it that the minimum port of NTP is and should do.

2)    From a technical standpoint this organization and the code management
process within ISC needs a formal change control and the "NTP Programme"
needs a SDLC (Systems Development Life Cycle) applied to it even if it is a
Programme (i.e. an organized ongoing effort to achieve some ongoing goals
and deliverables)- Paul Vixie - any commentary?

3)    We would need a formal charter statement - and a Mission's Model too.
Shouldn't be too hard to produce one

4)    We would also need to incorporate this NTP Management entity as a NPO
and elect some Board Members to govern the operations of the new Chaord.

That fourth step BTW is what will allow it, the NTP management team project,
to receive money from anyone. Harlan - I hate to tell you this but because
of how the model is setup now there are some subtleties with operating
within the ISC that need to be addressed including what if any claims the
ISC is going to put on the code or its distribution models as these may
eliminate the ISC as a viable receptacle for the code and its support.

As far as I can tell, from that there is no paperwork to set this aside,
the model you setup under the ISC makes them the owners of any code produced
under funding - its their EID that would be used and they would have to sign
a formal release otherwise the code would belong to the ISC as the Hosting
Entity under US Copyright Law, something about a concept called WORK FOR
HIRE... I am willing to bet that there is no legally binding agreement
between you and the ISC on this or by any of those working on these projects
who are sponsored by other corporate entities.


As to the keeping of the code itself
-----------------------------------
What I would want to do is formally fund the code-keeping operations so that
we could have them audited on an ongoing basis. That is the beginning of the
type of worth that people will be willing to write checks to be a part of.

As to what to do with managing NTP, as I said, there are two core tracks,
development of new or improved features, and that of "release/packaging" and
characterization. It's actually the second of these tracks that is going to
cost the bulk of the money to operate because of the third-party audits and
what not.


Does the ISC meet these needs today?
---------------------------------------
I also gotta tell you - from an Audit Perspective it's a no-no for the people
keeping the code and managing the codebase to audit it - they are too close
to it - but don't take my word for it - ask anyone in auditing.

The ISC seems to be missing some critical pieces of their process management
infrastructure. For instance, while there is a Bugtrack instance up and
running - there are no reports generated from it that are published to
anywhere public. Nor are there published histories about who - what -
and when ...

It also doesn't appear that the ISC operates any formal change management
process or SDLC, and that there is also no public access to records for
verifications.

If I am wrong or ISC would be willing to put the alluded to controls in
place, and allow ongoing audits of their operations and the code itself,
then there is no issue moving forward with them. If the ISC is going to say
that it already has its operating model and won't make these changes to come
into standard Audit Conformance, then they are the wrong place for this
group to rely on.

This is not personal - it's the way it is. If you doubt this - take this
letter in its entirety to your corporate counsel and ask them whether you
can still participate on their dime when the code becomes the property of
the ISC's. I bet the answer is NO.

The Audit World set these standards
-------------------------------------
I also want to point out that I didn't make these global operations
standards. These are not my doings, these operating requirements are
standards set forth in frameworks like COBiT, ITIL, and ISO17799 - and the
lack of these mitigating and reporting controls on the code management
process and the initiative tracking process *will* demotivate pretty much
anyone from funding anything through it as far as I can tell.


The OpenGroup
----------------
As to this effort - after speaking with the local Directors of the
OpenGroup - I am absolutely positive that Paul Hickey and his US Operations
Team *can* and will make this work for us, IF *WE* WANT THEM TO.

As noted above, this would involve the creation of a NPO to be the owner of
the code and its processes as well so that it could receive money without a
world of paperwork pains that the current model would take.

And Harlan/Poul/Brad/Brian  - I swear to you - my intent is not to take
anything away from any of you... It's to build a structure so that the rest
of us commercially interested geeks get the benefit of all that is available
from your (and the others of this list's) genius... and the code controls we
as auditors need from production code footprints.

>
> Poul-Henning
>
> >Thanks Brian - What we need to do is to
> >
> >    1)    Define what formally is in a NTP release and how it's to be tested.
> >I.e. how does a NTP port work. This is killer and important for all SW based
> >NTP service providers and for those like Symmetricom who build the 2100 NTP
> >Engines as well.
> >
> >    2)    Define what compilation environment it is to be compiled in and
> >what optional modules or additions are acceptable
> >
> >    3)    Code fingerprints for executables/certified performance
> >statements.
> >
> >    4)    A process of characterization - i.e. how will the performance of
> >NTP in a loaded environment be tested and what will that loading consist of
> >    5)    Practice/Use Statements - these are the freakin gold - this is
> >where from an Audit Perspective it all comes together. The Practice/Use
> >statements integrate the deliverable workproduct from steps 1-4 into a set
> >of "you do it like this" statements... like what Terje was talking about
> >yesterday in his "hey Todd we can do it this way" retort.
> >
> >    6)    Certifications from the Big-4 for the pre-approved use of our
> >code... (*this may be the most valuable part of this whole play).
> >
> >My comment to the group as a whole!
> >--------------------------------------
> >As to what this group is doing - most all of this group are freaking amazing
> >people - you are technical wizards in your own right and that is why I would
> >bring this to you, because I honor your creativity and skill. What "this
> >is" is the opportunity to drive the standardization of NTP before the Big-4
> >do as part of an Audit Practice.
> >
> >Just my two cents...
> >
> >
> >Todd
> >
> >
> >----- Original Message ----- 
> >From: "Brian Utterback" <Brian.Utterback at Sun.COM>
> >To: <todd.glassey at att.net>
> >Cc: "Paul Vixie" <paul at vix.com>; <hackers at ntp.isc.org>
> >Sent: Tuesday, June 14, 2005 2:16 PM
> >Subject: Re: [ntp:hackers] Standardizing NTP...
> >
> >
> >> "Tyson:Am I invisible? Am I inaudible? Do I merely festoon
> >>  The room with my presence?" - The Lady's Not for Burning by Christopher
> >> Fry.
> >>
> >> Please, let's get this back to a technical level, shall we? Todd,
> >> instead of telling us
> >> what we are doing wrong, give us the requirements for your project.
> >> Everybody else,
> >> once Todd does that, let's discuss if we can incorporate it into the
> >> current framework,
> >> and whether or not we want to.
> >>
> >> We have three choices as far as I can tell, depending on what we decide.
> >>
> >> 1. Todd's agenda is a natural extension of the current project and we
> >> incorporate
> >> it directly into the existing framework. Todd and/or anyone else
> >> contributes as
> >> we have done up to now. Or Todd simply contributes any work he does.
> >>
> >> 2. Auditable time becomes a NTP project sub-project. The same framework
> >> for development is used, but the codebase is separate.
> >>
> >> 3. We reject the project and Todd either starts a new project of his own or
> >> forks the code.
> >>
> >> Can we discuss this please instead of worrying about who owns what and pays
> >> for this and that? Once the bigger issue of whether or not it even makes
> >> sense is decided, the rest can be ironed out.
> >>
> >> todd.glassey at att.net wrote:
> >>
> >> >So prove me wrong Vixie... show me the paperwork.
> >> >
> >> >Todd Glassey
> >> >
> >> >--
> >> >Regards,
> >> >Todd
> >> >
> >> >This message (including any
> >> >attachments) contains confidential
> >> >information intended for a
> >> >specific individual and purpose,
> >> >and is protected by law. If you
> >> >are not the intended recipient,
> >> >you should delete this message.
> >> >Any disclosure, copying, or
> >> >distribution of this message, or
> >> >the taking of any action based on
> >> >it, is strictly prohibited.
> >> >
> >> >
> >> > -------------- Original message ----------------------
> >> >From: Paul Vixie <paul at vix.com>
> >> >
> >> >
> >> >>>Possibly - this group neither signed any releases or otherwise agreed
> >> >>>to the ISC's ownership policies as far as I can tell.
> >> >>>
> >> >>>
> >> >>that's right (as far as you can tell).
> >> >>
> >> >>
> >> >>
> >> >>>That is an issue I think Paul, but I do understand the desire to make
> >> >>>something universally available as a human resource.
> >> >>>
> >> >>>
> >> >>more than that, it's in our corporate dna.  if isc money is spent in ways
> >> >>that are creative or supportive of $X, then $X has to be open source.
> >> >>
> >> >>
> >> >>
> >> >>>Unfortunately someone winds up paying for that out of their
> >> >>>pockets... which is to say, that without the sponsorship of the BIND
> >> >>>moneys, there would be little to fund the ISC as far as I can tell.
> >> >>>
> >> >>>
> >> >>that's also right (as far as you can tell).
> >> >>
> >> >>
> >> >
> >> >
> >> >_______________________________________________
> >> >hackers mailing list
> >> >hackers at support.ntp.org
> >> >https://support.ntp.org/mailman/listinfo/hackers
> >> >
> >> >
> >>
> >
> >
>
> -- 
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk at FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
