[ntp:hackers] Anybody object to requiring AnsiC for building NTP?
todd.glassey at worldnet.att.net
Wed May 25 08:11:04 PDT 2005
Harlan, Paul (Vixie)...
As long as a certifiable production model is built so that the code body that
is produced for each OS can be checkpointed and fully audited there is no
real reason to keep this archaic standard unless there are Military Users who
mandate it. There are however systems which the Military cannot easily move
off of and neither DISA, DARPA, or DHS will be happy with you folks if you
decide to screw them.
Rather than that, I suggest that it's time for a formal charter for NTP.ORG:
1) What NTP is to be supported by this consortia (for lack of a
better term) - What's to be supported, by who and how. Oh and how is this
support being paid for? - there are inherent costs to running "a for free"
organization so who is paying for it?
2) How it's (NTP) to be tested (from an Audit Perspective.) - This is
critical in moving forward in these Post-SOX days whether the physicists in
the bunch agree or not - and bluntly it's not worth arguing about. It's going
to happen one way or the other... Is there a group of Consortia Members with
each OS Manufacturer?
Seems like we need formal representatives from anyone shipping NTP, I.a.
Sun, HP, The BSD consortia, IBM, the Linux Companies, and possibly someone
like Oracle and the Timing Companies (Hi Greg!) at the very least. These
individuals would be the "owners" of the Code Body and Certification
Processes for those Operations and would be the party that folks like the
Big-4 Auditors and the Internal Auditor Committees would get Certification
for those Applications in Legally Controlled Environments. ISC can be the
keeper of the code if it can certify the security of the environment -
otherwise - there is a problem with allowing ISC to use NTP as a profit
center. Hence ISC is going to have to formalize what it does and what it is
liable for to the NTP consortia.
3) Which brings us to that we need a formal statement how NTP.ORG
through ISC is going to maintain its process, release model, and operations
process, and not just in the Code Repository... We also need to understand
how the Code is to be audited, and how is each release being checkpointed and
audited? What is it that ISC is guaranteeing by the use of the Code
Repository? - Is ISC guaranteeing that the code remains unhacked or clean?
If not then we may have a problem especially with ISC's using NTP as a
source of income. In any event these are easily resolved points and should
be handled with some speed IMHO.
4) Some form of administrative review process needs to be formally
instituted as well to ensure that the NTP process and methods are followed
and that the releases of the products formally offering NTP services or as
bolt-ons to NTP as in the case of GPS or other Stratum-2/Stratum-1
Vixie and team at ISC should be able to help with some of this framework,
as part of ISC's hosting critical projects for bux... and I and any
number of other Certified Auditors, can provide an operations
audit on an ongoing basis to satisfy the COBiT/ITIL/ISO17799 3rd party
Todd Glassey CISM, CIFI
Streaming Media Manager, KZSU Stanford
Information Security Consultant
Owner of NIST CRADA 1681 and NIST Service 76110s
----- Original Message -----
From: "Harlan Stenn" <stenn at ntp.isc.org>
To: <hackers at ntp.isc.org>
Cc: <mills at udel.edu>
Sent: Wednesday, May 25, 2005 1:50 AM
Subject: [ntp:hackers] Anybody object to requiring AnsiC for building NTP?
> One of the requirements of NTP has been that it compile on systems
> without Ansi C compilers.
> I'm thinking that it's time we remove this backward-compatibility
> It will let us do some code cleanup and simplification, including
> the prototype stuff and, I believe, getting rid of varargs (in favor
> of stdargs). Near as I can remember...
> Does anybody have a requirement to still support K&R compilers?