On Mon, Dec 22, 2014 at 10:39:54 -0700, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd.
> There's already a port.

Heartbleed, more than any other vulnerability in recent memory, showed us users on the outside of the Project just how much effort is involved in patching the base system (thank you, again, DES, for being patient and explaining all the details!). Because of this, I am reticent to support more software going into the base system. It should be small enough to build itself and bootstrap the ports tree, with very little else. The more things are in base, the more things the developers need to worry about patching across all the different supported versions of FreeBSD. It's a lot faster to update a port to use a different version.

If you want fast security updates, use ports. Or hire developers to patch software for you.

-- 
Chris Nehren
Chris Nehren <cnehren+freebsd-security at pobox.com> writes:
> Brett Glass <brett at lariat.net> writes:
> > I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> > have none of the [...] vulnerabilities that are present in ntpd.
> [...] I am reticent to support more software going into the base
> system. It should be small enough to build itself and bootstrap the
> ports tree, with very little else.

I absolutely agree. If we replace the NTP suite, it will be with a minimal SNTP client, although no decision has been made.

DES
-- 
Dag-Erling Smørgrav - des at des.no
At 11:52 AM 12/22/2014, Chris Nehren wrote:
> Heartbleed, more than any other vulnerability in recent memory,
> showed us users on the outside of the Project just how much
> effort is involved in patching the base system (thank you, again,
> DES, for being patient and explaining all the details!). Because
> of this, I am reticent to support more software going into the
> base system.

I understand your concern! Frankly, both ntpd and OpenNTPD have more functionality than ought to be in the base system. The daemon in the base system probably should only query trusted servers for the time, as securely as possible, rather than also being a server itself.

Within my own network, I have used cron and ntpdate (even though it's officially deprecated) on most of the clients, querying a couple of trusted local time servers. I've then armored those servers -- which do query the outside world -- as much as possible against abuse, with very restrictive security settings and stateful firewall rules for good measure. This is a super-lightweight approach from the clients' point of view; it takes up as little CPU and memory as possible on them. But it obviously has some drawbacks; in particular, it doesn't continuously correct the clocks but makes them jump at particular times of day.

Ultimately, I'd love to see the whole world go to PKI-based digital signatures on responses to time queries. With the crypto accelerators that are now being built into many CPUs, this will probably become practical... IF one can trust the hardware not to have security holes or backdoors. Which is, of course, a big "if."

--Brett Glass
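As an added illustration of the split Brett describes (lightweight cron/ntpdate clients behind a few locked-down internal servers), here is an ntp.conf for one of those internal servers; it is not configuration from the thread or from FreeBSD, and the 192.0.2.0/24 LAN, the 198.51.100.10 upstream and the pool hostnames are assumed placeholders.

```conf
# /etc/ntp.conf on an internal time server (added example, not from the thread).
# The server answers time requests from the LAN only and queries a small set
# of upstream servers itself; LAN clients run ntpdate from cron against it.

driftfile /var/db/ntpd.drift

# Upstream sources (assumed placeholders; use servers you actually trust).
server 198.51.100.10 iburst
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst

# Default for everyone else: plain time requests only, rate-limited with
# kiss-o'-death replies. Replies to our own upstream queries are still accepted.
#   nomodify/notrap: no runtime reconfiguration or trap setup via ntpq/ntpdc
#   nopeer:          no unauthenticated symmetric-active associations
#   noquery:         no ntpq/ntpdc status queries (covers monlist as well)
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Localhost keeps full access for local administration.
restrict 127.0.0.1
restrict -6 ::1

# LAN clients (assumed 192.0.2.0/24): time service only, no rate limiting,
# still no control queries or peering.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Turn the monitor facility off entirely; the abuse Brett is armoring against
# is exactly what the monlist data has been used for.
disable monitor
```

On the clients, a crontab entry such as `*/15 * * * * /usr/sbin/ntpdate -s -u ntp1.example.internal ntp2.example.internal` (hostnames assumed) performs the periodic step Brett describes, and the stateful firewall rule on the server passes UDP port 123 only from the LAN and from the configured upstreams.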