[ntp:questions] NTP internal server?

Richard B. Gilbert rgilbert88 at comcast.net
Mon Oct 30 21:47:42 UTC 2006


Uwe Klein wrote:

> Richard B. Gilbert wrote:
> 
>> Hal Murray wrote:
>>
>>>> Old vulnerabilities that have been fixed are not a problem of much 
>>>> concern to me.  I run a recent version of ntpd that does not exhibit 
>>>> these vulnerabilities.  If people chose, for whatever reason, to run 
>>>> a ten year old version of ntpd they must accept the associated risks 
>>>> and inferior performance.  Since the modern, improved and fixed 
>>>> version is freely available to all I don't see any reason why anyone 
>>>> who needs NTP and is concerned about security should not run it.
>>>
>>>
>>>
>>>
>>> How about:
>>>   If it ain't broke, don't fix it.
>>>
>>> Lots of people get their version of (x)ntp from their hardware
>>> vendor.  Most of them are not time geeks, they just need something
>>> that's good enough.  They depend on their vendor to fix security
>>> problems in packages like ntp.
>>>
>>
>> Perhaps the vendors do fix security problems.  If so, the simplest 
>> approach, for most, would be to grab an up to date copy of the 
>> reference implementation, build it, and distribute it.   Clearly most 
>> vendors do not do this!  In the case of OpenVMS it is understandable 
>> since the reference implementation contains enough "Unixisms" that it 
>> will not build on VMS (I've tried).  For Solaris and Linux the build 
>> should be straightforward.  I expect that the build for AIX and HP-UX 
>> should also be straightforward.
> 
> Suse forex ( as of 9.1 through 10.1 ) are still based in 
> ntp-stable-4.2.0a-20050816.tar.bz2

Sun Solaris 9 and 10 ship with 3-5.93e!  I believe that Solaris 8 ships 
with the same version.

Maybe, after another year or three, the working group will come up with 
an RFC for the current version and some of the dinosaurs will be updated.




More information about the questions mailing list