[ntp:hackers] Anybody object to requiring AnsiC for building NTP?

mayer mayer at gis.net
Wed May 25 14:56:19 PDT 2005


Todd,

I'm not sure that I would regard K&R compilers as a "standard" in that
sense. I think that committing to ANSI standards should be sufficient.

What you are asking really belongs in the IETF NTP working group rather
than NTP development per se since you are asking for standards. Please
sign up to the working group and post your requirements, proposals
there as we really need some good input. See
http://ntp.isc.org/bin/view/IETF/WebHome for details of the Working
Group.

We have no intention of doing anything that will cause problems for
DISA, ARPA, DHS or any other organization and we would be very
happy to work with the various OS Manufacturers. We urgently need
their input and ideas about what's needed in the product above and
beyond the algorithms, protocols and usability that Dave Mills has
created and refined over the years that has made NTP such an important
and useful infrastructure tool.

Dave did distribute one draft of a testing document and I believe
he has at least one student working on testing various areas of
the protocol and application.

If you have the background, and it sounds like you do, and can help,
please join the working group and help draft standards that you
believe will meet the requirements of the various organizations,
auditors, etc.

Danny
----- Original Message Follows -----
> Harlan, Paul (Vixie)...
> As long as a certifiable production model is built so that the code body
> that is produced for each OS can be checkpointed and fully audited
> there is no real reason to keep this archaic standard unless there are
> Military Users who mandate it. There are however systems which the
> Military cannot easily move off of and neither DISA, DARPA, or DHS will
> be happy with you folks if you decide to screw them.
> 
> Rather than that, I suggest that it's time for a formal charter for
> NTP.ORG that addresses
> 
>     1)    What NTP is to be supported by this consortia (for lack of a
> better term) - What's to be supported, by who and how. Oh and how is
> this support being paid for? - there are inherent costs to running "a
> for free" organization so who is paying for it?
> 
>     2)    How it's (NTP) to be tested (from an Audit Perspective.) -
> This will be critical in moving forward in these Post-SOX days whether
> the physicists in the bunch agree or not - and bluntly it's not worth
> arguing about. It's going to happen one way or the other... Is there a
> group of Consortia Members with each OS Manufacturer?
> 
> Seems like we need formal representatives from anyone shipping NTP,
> I.a. Sun, HP, The BSD consortia, IBM, the Linux Companies, and
> possibly someone like Oracle and the Timing Companies (Hi Greg!) at
> the very least. These individuals would be the "owners" of the Code
> Body and Certification Processes for those Operations and would be the
> party that folks like the Big-4 Auditors and the Internal Auditor
> Committees would get Certification for those Applications in Legally
> Controlled Environments. ISC can be the keeper of the code if it can
> certify the security of the environment - otherwise - there is a
> problem with allowing ISC to use NTP as a profit center. Hence ISC is
> going to have to formalize what it does and what it is liable for to
> the NTP consortia.
> 
>     3)    Which brings us to that we need a formal statement how
> NTP.ORG through ISC is going to maintain its process, release model,
> and operations process, and not just in the Code Repository... We also
> need to understand how the Code is to be audited, and how is each release
> being checkpointed and audited? What is it that ISC is guaranteeing by
> the use of the Code Repository? - Is ISC guaranteeing that the code
> remains unhacked or clean? If not then we may have a problem
> especially with ISC's using NTP as a source of income. In any event
> these are easily resolved points and should be handled with some
> speed IMHO.
> 
>     4)    Some form of administrative review process needs to be
> formally instituted as well to ensure that the NTP process and methods
> are followed and that the releases of the products formally offering
> NTP services or as bolt-ons to NTP as in the case of GPS or other
> Stratum-2/Stratum-1 References.
> 
> ---
> 
> Vixie and team at ISC should be able to help with some of this
> framework, as part of ISC's hosting critical projects for bux... and I
> and any number of other Certified Auditors, can provide an operations
> audit on an ongoing basis to satisfy the COBiT/ITIL/ISO17799 3rd party
> Walkthrough Requirements.
> 
> Todd Glassey CISM, CIFI
> Streaming Media Manager, KZSU Stanford
> Information Security Consultant
> Owner of NIST CRADA 1681 and NIST Service 76110s
> 
> ----- Original Message ----- 
> From: "Harlan Stenn" <stenn at ntp.isc.org>
> To: <hackers at ntp.isc.org>
> Cc: <mills at udel.edu>
> Sent: Wednesday, May 25, 2005 1:50 AM
> Subject: [ntp:hackers] Anybody object to requiring AnsiC for building
> NTP?
> 
> 
> > Folks,
> >
> > One of the requirements of NTP has been that it compile on systems
> > without Ansi C compilers.
> >
> > I'm thinking that it's time we remove this backward-compatibility
> > requirement.
> >
> > It will let us do some code cleanup and simplification, including
> > the prototype stuff and, I believe, getting rid of varargs (in favor
> > of stdargs).  Near as I can remember...
> >
> > Does anybody have a requirement to still support K&R compilers?
> >
> > H
> > _______________________________________________
> > hackers mailing list
> > hackers at support.ntp.org
> > https://support.ntp.org/mailman/listinfo/hackers
> 


