On 4/11/2019 12:12 PM, Axel Beckert wrote:
Hi John,
On Thu, Apr 11, 2019 at 10:33:51AM -0800, John Thurston wrote:
So it might be an idea to drop the "-p 1" completely.
That seems premature. The fact that ntpsec has dropped the parameter does not make it common or standard.
I expect ntpsec to become standard in the near future. See https://www.ntpsec.org/FAQ.html#_why_ntpsec why.
I must admit, though, that we're still far away from there, at least in Debian: https://qa.debian.org/popcon-graph.php?packages=ntpsec%2Cntpsec-ntpdate%2Cnt...
But a decline of ntp installations is clearly visible in that graph (probably due to systemd also providing a time service, though).
And ntpsec is not yet available in a Debian Stable release, but will be in the upcoming Debian 10 release "buster".
And what also just became clear to me is that only the ntp-announce mailing list is dead with only a single mail since mid 2015 (cf. http://lists.ntp.org/pipermail/announce/), but there seems to be at least about 1 security update per year: http://support.ntp.org/bin/view/Main/SecurityNotice
Maybe forking off ntpsec in 2015 was a kinda wake-up call, at least the amount of security fixes in 2016 was much higher than in the years afterwards.
I don't think it is reasonable to build in a 4x longer delay for everyone. I think Xymon should support both variants by using default settings which work with both implementations.
But maybe it should indeed do that only with a later release, when ntpsec has gained more traction and is available in more stable distributions.
Kind regards, Axel
It's definitely worth calling out in the notes somewhere for those platforms affected. F30 at least is still using legacy ntpdate.
Axel: Is that ending up in xymonnet.log, or is it elsewhere? And over STDERR?
-jc