From Fedora Project Wiki
(Created page with "= ntp replacement = == Summary == The `ntp` package is replaced with `ntpsec`. == Owner == * Name: Miroslav Lichvar * Email: mlichvar@redhat.com == Curr...")
(No difference)

Revision as of 11:27, 2 December 2020

ntp replacement

Summary

The ntp package is replaced with ntpsec.

Owner

Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-12-02
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

ntp is one of the few NTP implementations provided in Fedora. It is not used or installed by default.

The upstream project is not in a good shape and it doesn't seem to be improving. The development is slow and happens behind closed doors. There is a significant number of known security issues that have not been fixed yet. Some are exploitable in the default configuration.

ntpsec is a fork of ntp with focus on security. It has removed a lot of code and fixed or avoided most of the security issues in ntp. It doesn't support all features, but in typical configurations it can be used as a drop-in replacement for ntp.

There are few packages in Fedora that have a dependency on ntp:

  • nagios-plugins-ntp-perl
  • ntpstat

Benefit to Fedora

This change makes Fedora more secure.

Scope

  • Proposal owners:
  1. Package ntpsec obsoleting the ntp package.
  2. Retire ntp package.
  3. Make sure the dependent packages still work.
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The ntp package is replaced automatically on upgrade to Fedora 34. The configuration file /etc/ntp.conf is saved as to /etc/ntp.conf.rpmsave and it needs to be renamed to /etc/ntp.conf to be used by ntpsec. Otherwise, ntpsec will fall back to the default configuration in /etc/ntp.d using the pool.ntp.org servers.

The ntpd service is disabled after the upgrade and needs to be enabled again.

How To Test

  • Install ntpsec
  • Run ntpdate pool.ntp.org
  • Start the ntpd service
  • Run ntpq -p to verify ntpd is polling servers and synchronizing the clock

User Experience

For most users of ntp the experience is not expected to change significantly. Advanced configurations may need to be modified to work with ntpsec.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: Unretire ntp and remove the obsoletes in ntpsec
  • Contingency deadline: Fedora 34 Beta
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product?

Documentation

N/A (not a System Wide Change)

Release Notes

TBD

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/NtpReplacement&oldid=596060"