[ntp:questions] ntpdate.c unsafe buffer write

Harlan Stenn stenn at ntp.org
Fri Feb 8 20:18:16 UTC 2008


>>> In article <foi07v$grj$1 at scrotar.nss.udel.edu>, "David L. Mills" <mills at udel.edu> writes:

David> Harlan, My position on ntpdate and sntp has always been clear. Remove
David> them both from the distribution and let other folks contribute sntp
David> products.

Yes, your position has been clear and your opinion has been noted.

David> The standards labs in various countries do not recommend the
David> NTP reference implementation, they recommend other shrinkwrap
David> products.

I'd appreciate references on this point.  And how is it germane to this
discussion?

David> There is no need for folks to download the reference
David> implementation only to bring up an sntp product.

Yes, which is why the sntp code can be trivially bundled separately.

The feedback I have received is that the majority of folks want the
distribution to contain both ntp and sntp.

David> The matter of concern is an sntp product that strictly conforms to
David> the NTPv4 specification as it applies to sntp. There is at least one
David> contributor testing the kiss-o'-death rate limit and has apparently
David> actually read rfc 2030. On the other hand, there are numerous
David> examples of clients that casually violate the rate rules both at
David> servers we operate here and at the national labs.

Yup.

David> What we should be
David> doing is supporting those products that play by the rules and that
David> are maintained by other players.

This depends first on the definition of "we", and then on the definition of
"supporting".

The people who talk to me want an SNTP implementation from the NTP Project.

Nobody is expecting you to ride herd over any SNTP code that may or may not
be part of the same tarball that includes NTP.  I am mulling over different
ideas in this regard.

Two obvious ways to go on NTP/SNTP are to have shared code, or completely
separate codebases.  There is some middle ground regarding "support"
libraries.

I see difficult tradeoffs with either approach.
-- 
Harlan Stenn <stenn at ntp.org>
http://ntpforum.isc.org  - be a member!



