[ntp:questions] NTP internal server?

Richard B. Gilbert rgilbert88 at comcast.net
Mon Oct 30 19:32:34 UTC 2006

Hal Murray wrote:

>>Old vulnerabilities that have been fixed are not a problem of much 
>>concern to me.  I run a recent version of ntpd that does not exhibit 
>>these vulnerabilities.  If people choose, for whatever reason, to run a 
>>ten year old version of ntpd they must accept the associated risks and 
>>inferior performance.  Since the modern, improved and fixed version is 
>>freely available to all I don't see any reason why anyone who needs NTP 
>>and is concerned about security should not run it.
> How about:
>   If it ain't broke, don't fix it.
> Lots of people get their version of (x)ntp from their hardware
> vendor.  Most of them are not time geeks, they just need something
> that's good enough.  They depend on their vendor to fix security
> problems in packages like ntp.

Perhaps the vendors do fix security problems.  If so, the simplest 
approach, for most, would be to grab an up-to-date copy of the reference 
implementation, build it, and distribute it.  Clearly most vendors do 
not do this!  In the case of OpenVMS it is understandable since the 
reference implementation contains enough "Unixisms" that it will not 
build on VMS (I've tried).  For Solaris and Linux the build should be 
straightforward.  I expect that the build for AIX and HP-UX should also 
be straightforward.
