[ntp:questions] IA approved COTS NTP servers question

Rob nomail at example.com
Tue Jun 8 08:07:45 UTC 2010


Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
> Running everything directly on the protocol's recommended platform, and 
> with source code for everything, would make it very easy to document 
> that the server is on spec.

I wonder if they would consider the presence of source code (and the
implied possibility of hand-checking all of it to make sure it is secure)
to be sufficient.  It would probably fit in some bureaucratic
ruleset, but we all know that security issues *are* found in open source
products.  Even with only port 123 open, there could always be some
as yet unknown security issue in ntpd.  It would certainly not be
very easy to prove, using the source code, that there is none.
