I think we should consider retiring the ntp package. The upstream project is not in a good shape and it doesn't seem to be improving. Contributors left long time ago. The development is slow and happens behind closed doors. They still use bitkeeper. The main problem is that they don't fix all known security issues. In the CVE list I see about 10 issues that were not fixed at all or only partially, some exploitable in default configuration. This was one of the reasons why we dropped it from RHEL. I'm not sure how many users of ntp are there. As a replacement, we could package ntpsec. It is an actively maintained fork of ntp which has removed a lot of code and fixed or avoided most of the issues in ntp. What I don't like much about it is that they kept the mode-6 protocol of NTP, which allows traffic amplification and is still causing problems on Internet, but I think the code and the project are definitely in a better shape than ntp. I can help with the packaging or review, and as a comaintainer if there is a volunteer for the role of the primary maintainer. In Fedora, there seems to be only one package that has a dependency on ntp: nagios-plugins-ntp-perl. It's a monitoring plugin using the problematic mode-6 protocol. It should work with ntpsec. Thoughts? -- Miroslav Lichvar _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
