"Father Time" Gets Another Year At NTP From Linux Foundation 157

dkatana writes: Harlan Stenn, Father Time to some and beleaguered maintainer of the Network Time Protocol (NTP) to others, will stay working for the NTP another year. But there is concern that support will decline as more people believe that NTP works just fine and doesn't need any supervision. NTP is the preeminent time synchronization system for Macs, Windows, and Linux computers and most servers on networks. According to IW, for the last three-and-a-half years, Stenn said he's worked 100-plus hours a week answering emails, accepting patches, rewriting patches to work across multiple operating systems, piecing together new releases, and administering the NTP mailing list. If NTP should get hacked or for some reason stop functioning, hundreds of thousands of systems would feel the consequences. "If that happened, all the critics would say, 'See, you can't trust open source code,'" said Stenn.

  • by Anonymous Coward on Monday August 17, 2015 @06:12PM (#50335513)

    Nor can you trust closed-source code.

    But while "open source makes all bugs shallow" is demonstrably a fallacy, at least you CAN see the source if you need to. (Good luck understanding it, though - says this pretty good C developer who just about shit when he had to look at OpenSSL/SSH code...)

    • But while "open source makes all bugs shallow" is demonstrably a fallacy, at least you CAN see the source if you need to. (Good luck understanding it, though - says this pretty good C developer who just about shit when he had to look at OpenSSL/SSH code...)

      And understanding it is more than being a programmer - it's also understanding the problem domain.

    • by Anonymous Coward

      Some of that is just that SSL is complex, though, especially the crypto. I had to read the openssl verify code to figure out precisely which bits are needed in certain certs and it was pretty easy to figure out.

    • But while "open source makes all bugs shallow" is demonstrably a fallacy

      Well, sure if you make stuff up on the spot you can generate arbitrary fallacies. The actual quote was:

      "given enough eyeballs all bugs are shallow"

      And I've only ever seen it "disproved" by people who thoroughly misunderstand it.

      Good luck understanding it, though - says this pretty good C developer who just about shit when he had to look at OpenSSL/SSH code...

      And this actually demonstrates the code, not disproves it. The OpenSSL code is

      • "given enough eyeballs all bugs are shallow"

        On the other hand, many (most?) people are taught or learn programming in the same way or much the same way. This means that we all (to simplify the point) will look at things the same way and may all overlook the same problem.

        I worked on an N-version fault-tolerance research project in college way back in the mid 1980s that studied this and used different programming languages -- some wildly different, like Pascal and Prolog -- as the N versions to see if using different languages would provide more cov

  • Bus Factor (Score:5, Insightful)

    by allquixotic ( 1659805 ) on Monday August 17, 2015 @06:13PM (#50335521)

    With all due respect to Harlan Stenn, and working under the assumption that he will choose to continue to maintain NTP for the good of everyone who uses it, the biggest donation that could possibly be given to the NTP project would be to increase its bus factor. Basically, we need at least another small handful of people -- ideally distributed throughout the world -- who have the same level of knowledge and expertise as Harlan in the area of network time, and can thus take his place if, for any reason whatsoever, Harlan can't continue to work on the NTP project.

    Getting Harlan to continue working on it is a short-term solution, but the sustainable future is to ensure that we have maintainers who can take his place -- ideally, paid ones.

    So what we need is for a company like Red Hat or IBM or Microsoft or Canonical to bankroll a developer who has at least strong fundamentals that would enable them to quickly pick up advanced knowledge of network time, and then spend most of their working hours acquiring more knowledge about it so that it can be maintained going forward. This would probably involve a lot of ML posts with Harlan (or reading his previous ones), as well as any other developers/maintainers working on pieces of the code.

    If Harlan is absolutely instrumental to the project as it stands now, the solution is to have a backup or two, who ideally are being paid a living wage to ensure the continuity of knowledge and expertise if Harlan willingly or unwillingly stopped contributing.

    Projects with a bus factor of 1 that are widely relied upon need to be identified and highlighted every now and again -- not to make a case to shower the developer in money, but to get other developers to work in the same space and increase the bus factor to at least 3.

    • by Anonymous Coward

      And why, exactly, is some company going to pay people to maintain NTP? It's been around for years and quite apparently it has been a time sink for the maintainer and no one has decided to bankroll the effort in any significant way.

      Money makes the world go 'round folks. If it doesn't make money, people are not going to put money into it.

      • One possible mercenary reason: because their consumers will blame them if the Internet fucks up, even if it's not their fault. Therefore it behooves them to ensure that the Internet keeps working without a major incident.

    • by zdzichu ( 100333 )

      Linux Foundation sponsored developer who has extraordinary knowledge of NTP and time issues: http://phk.freebsd.dk/time/ind... [freebsd.dk]
      But apparently something went iffy between them, as last commit to https://github.com/bsdphk/Ntim... [github.com] was over a half year ago.

    • The phrase you're looking for is "single point of failure". And yes, Harlan Stenn is a single point of failure. And no, that's not good.

  • by Anonymous Coward

    If he doesn't like it, start a foundation and start transferring rights & control of NTP to the foundation. Instead, he refuses to give up control and complains about the heavy workload and lack of funds. The internet has grown up & out, the era of "Jon Postels" is over.

  • by Anonymous Coward

    How is it that an old tech like NTP with a fixed protocol needs so much maintenance? That should have already settled out and just need minor patching for new architectures.

    • Re:Upkeep (Score:4, Insightful)

      by david_bonn ( 259998 ) <davidbonnNO@SPAMmac.com> on Monday August 17, 2015 @08:19PM (#50336107) Homepage Journal

      A lot of it has to do with the fact that the system calls that you use to arrange time sync are, well, fragile and obscure and all-too-frequently broken by a new OS release. Also, a lot of bugs with respect to time synchronization are subtle and quick to anger and require quite a bit of time to reproduce and analyze.

      In some ways, it would be a heck of a lot easier if we just forgot about stuff like having a monotonically increasing clock and clock skew caused by network latency. Just have everyone hard-set their clock every day from a GPS receiver, say. Of course, you'd end up with poor synchronization amongst hosts, which would easily cause its own kind of havoc. And your timestamps would be untrustworthy during that period where you are hard-setting the clock. There isn't a perfect solution.

  • by Anonymous Coward on Monday August 17, 2015 @06:46PM (#50335719)

    Poettering and the rest already have a time solution, why keep this old neckbeard around?

    • by umghhh ( 965931 )
      You are being sickly sarcastic, are you? I am asking because there are many evil people around so maybe you are serious.
  • Uh, no. NTP needs to be redesigned so it doesn't use UDP anymore so we can stop worrying about spoofing and amplification/recursion attacks.
    • by Bengie ( 1121981 )
      UDP and TCP, choose which one you want. TCP is great if you want the accuracy of calling someone on the phone and saying "now". It isn't UDP's fault for spoofing and amp attacks, that's that application's fault. UDP blindly does what it's told, no questions asked. Application says respond with a payload, UDP does it.
      • TCP is great if you want the accuracy of calling someone on the phone and saying "now".

        this is a totally bizarre statement, tcp streams get backed up, packets get retransmitted, data arrives at the client at a completely indeterminate time.

  • not just NTP (Score:3, Insightful)

    by Anonymous Coward on Monday August 17, 2015 @07:26PM (#50335905)

    it's not just NTP that is languishing, perhaps a dozen other open source projects that the Internet depends on, each with one greybeard maintainer, underfunded or neglected entirely, going away soon, lose that institutional knowledge.

    C'mon Apple, Google, Facebook, give back a little.

  • 7 days = 1 week
    times 24 hours = 168 hours

    Or in other words, he does not work in NTP 68 hours a week = 8.5h a day.

    So considering that a person needs half an hour a day for eating, actually I eat longer, some sleep, some time on the toilet, some people even shower - shudder if that is longer than 5 mins - and usually you get dressed sometimes you have to go shopping ...

    Well, I assume he is a nerd, sleeping in his bathrobe, so he saves dressing, showers only once a week and gets everything ordinary people shop via mail/internet order ...

    Perhaps he should consider to hire an assistant? Or raise funds for one ... sorry: no one is working 100 hours a week.

    • by Bengie ( 1121981 )
      At one of my hourly jobs back in college, someone had 110 hours on their pay-check. Punch in, punch out, and even punch out on breaks. It can be done, but I don't recommend it.
    • Yes, he really does work that many hours! I live with him and am the one that runs errands, cooks, cleans, maintains the workspace, cares for his health, and makes sure the bills are paid just so he can spend his entire waking day sitting in front of a freakin' huge pile of computer equipment, have hundreds of browser windows open and monitor them all just so y'all can snark and have a jolly good laugh at his obvious exaggeration and whining. You're welcome. He is the hardest working human I have ever me
    • by umghhh ( 965931 )
      It depends on the job. The discussion about legally allowed work loads in EU was quite informative and sometimes funny. There was a guy there for instance - a president of a small country, claiming that he is putting more than 100h/week and all is well. OC this job was including dinners with other assholes from other states etc on which they stuffed themselves with expensive, tax payer funded food. I do not care about the food, his job is doing that but comparing that to any other job (operating table perso
    • by Anonymous Coward

      Your math is wrong and appears to assume an eight day week. Working 100 hours in 7 days is about 14 hours per day, leaving about 10 hours each day for rest, eating and hygiene. That would be stressful, but it is certainly possible. Heck, I did that for a while in college.

    • sorry: no one is working 100 hours a week.

      You have clearly lived a very sheltered life.

      I used to work two jobs to make ends meet. 16 hours a day (lol, more like 18 once everything was done) working as a manager at a security guard agency 4 days a week and then for the other 3 days each week, I worked 12 hours a day assembling powermacs for Apple. I averaged 116 hours a week for 2 years.

      Many single moms have it just as bad or worse since kids do not allow time off. You clearly have no idea what life is like near minimum wage. If you did, you would k

      • That is because you live in a fucked up country.

        Of course I know that some people indeed work 100h a week.

        My claim was more figurative. Pointing at the "high skilled worker" who claims to work 100h a week for NTP.

  • by Anonymous Coward

    Not particularly highlighted in the article is that the LF CII is funding a small team of developers with NTP experience to focus on security hardening, development process modernization, and opening the community. There is concern about the bus factor and an attempt is being made to address it.

    No critical infrastructure project should ever be so dependent on a single developer.

  • by davidwr ( 791652 ) on Monday August 17, 2015 @08:38PM (#50336201) Homepage Journal

    Let's be clear here - we are talking about one particular software package - albeit a very popular one - and not the underlying protocol [ietf.org] (which itself is subject to errata [rfc-editor.org], some of which are still under discussion).

  • Ah, well, this is how it always goes.

    No private, for-profit entity will happily provide support for maintenance of a non-profit entity that provides a universal service, for example time-synchronization, upon which their lifeblood depends.


    Gasp! That would put us at an economic disadvantage to our competitors! We donate a few thousand $$$, but others don't donate a thing. I say, "No. no. no."

    OK, so I am past wasting breath. For the uninitiated, just find the Wikipedia article on the "Tragedy of the C

  • by Anonymous Coward

    Obviously no one has read the article. The Linux Foundation funded Harlan (who has a foundation) and a group to do NTPsec. An effort to harden NTP, modernize development processes, open the community, and fix the bus factor.

  • NTP still stuck with MD5 authentication, when are they implementing modern crypto?
    • by Anonymous Coward

      Depends on when you submit the patch.

    • by Bengie ( 1121981 )
      Even worse is that newer strong crypto hashes are much faster than MD5.
  • by Anonymous Coward on Monday August 17, 2015 @11:04PM (#50336743)

    "If NTP should get hacked or for some reason stop functioning, hundreds of thousands of systems would feel the consequences."

    Hah! Anyone attend DefCon23 last weekend? I am going to assume somebody did because it was awfully crowded at the old Paris Hotel, Las Vegas.

    https://defcon.org/html/defcon-23/dc-23-speakers.html#Selvi

  • I'm not saying I don't appreciate his work, but 100 hours a week doesn't add up. Unless he's counting multiple people? Which would be reasonable, let's find funding for him and some sort of helper/assistant/apprentice.

    • There's 168 hours in a week. But 100+ hours of work doesn't leave much time for sleeping, eating, and pooping.
  • According to IW, for the last three-and-a-half years, Stenn said he's worked 100-plus hours a week answering emails, accepting patches, rewriting patches to work across multiple operating systems, piecing together new releases, and administering the NTP mailing list.

    First off, bullshit. Well, bullshit or he sucks at his job or he doesn't want to do anything BUT his job.

    If that was a problem, he could say 'I quit' and he would get help. But he doesn't. And he's not the maintainer of the protocol, just a daemon, arguably not even the best one at this point, especially based on his claims of how much work it takes to keep it going.

    This whole thing reeks of whiney little bitch syndrome.

    If he wanted Apple to contribute to his livelihood he should have contracted like a
