[ntp:questions] IA approved COTS NTP servers question

Fran fran.horan at jhuapl.edu
Tue Jun 8 14:40:50 UTC 2010


On Jun 8, 4:07 am, Rob <nom... at example.com> wrote:
> Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
>
> > Running everything directly on the protocol's recommended platform, and
> > with source code for everything, would make it very easy to document
> > that the server is on spec.
>
> I wonder if they would consider the presence of source code (and the
> implied possibility of hand-checking all of it to make sure it is secure)
> would be sufficient.  It would probably fit in some bureaucratic
> ruleset, but we all know that security issues *are* found in open source
> products.  Even with only port 123 open, there could always be some
> as of yet unknown security issue in ntpd.  It would certainly not be
> very easy to prove, using the source code, that there is none.

You can find some good guidance if you google 'DoD open source'. I
believe the presence of available source code helps a lot in allowing
its use.

For our application and business environment, I would like to try very
hard to find a commercial product. But a homebrew system would be a
fallback.

Thanks everybody for your ideas,

Fran



