On Wed, Dec 2, 2020 at 9:24 AM Ben Cotton <bcotton(a)redhat.com> wrote:
https://fedoraproject.org/wiki/Changes/NtpReplacement
== Summary ==
The `ntp` package is replaced with `ntpsec`.
== Owner ==
* Name: [[User:mlichvar| Miroslav Lichvar]]
* Email: mlichvar(a)redhat.com
== Detailed Description ==
`ntp` is one of the few NTP implementations provided in Fedora. It is
not used or installed by default.
The [
https://www.ntp.org/ upstream project] is not in a good shape and
it doesn't seem to be improving. The development is slow and happens
behind closed doors. There is a significant number of known security
issues that have not been fixed yet. Some are exploitable in the
default configuration.
[
https://www.ntpsec.org/ ntpsec] is a fork of `ntp` with focus on
security. It has removed a lot of code and fixed or avoided most of
the security issues in `ntp`. It doesn't support all features, but in
typical configurations it can be used as a drop-in replacement for
`ntp`.
There are few packages in Fedora that have a dependency on `ntp`:
* `nagios-plugins-ntp-perl`
* `ntpstat`
== Benefit to Fedora ==
This change makes Fedora more secure.
== Scope ==
* Proposal owners:
# Package `ntpsec` obsoleting the `ntp` package.
# Retire `ntp` package.
# Make sure the dependent packages still work.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
The `ntp` package is replaced automatically on upgrade to Fedora 34.
The configuration file ''/etc/ntp.conf'' is saved as to
''/etc/ntp.conf.rpmsave'' and it needs to be renamed to
''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will
fall back to the default configuration in ''/etc/ntp.d'' using the
''pool.ntp.org'' servers.
The `ntpd` service is disabled after the upgrade and needs to be enabled again.
== How To Test ==
* Install `ntpsec`
* Run `ntpdate pool.ntp.org`
* Start the `ntpd` service
* Run `ntpq -p` to verify `ntpd` is polling servers and synchronizing the clock
== User Experience ==
For most users of `ntp` the experience is not expected to change
significantly. Advanced configurations may need to be modified to work
with `ntpsec`.
== Dependencies ==
N/A (not a System Wide Change)
== Contingency Plan ==
* Contingency mechanism: Unretire `ntp` and remove the obsoletes in `ntpsec`
* Contingency deadline: Fedora 34 Beta
* Blocks release? N/A (not a System Wide Change)
* Blocks product?
== Documentation ==
N/A (not a System Wide Change)
== Release Notes ==
TBD
Makes sense, though I think the release notes section would be pretty
easy to write:
"The classic ntpd service was formerly provided by the ntp package.
The ntp software has significant security issues and development seems
moribund. It has now been replaced with the ntpsec package, an
actively maintained fork of the ntp software. No functional changes
are expected."
--
真実はいつも一つ!/ Always, there's only one truth!