On 6/7/23 10:13, Richard Laager wrote:
> On 2023-06-07 02:37, Rob Janssen wrote:
>> Yes I was using the "ntp" package before.
>> I have upgraded and it installed "ntpsec".  I tried to remove it as I have
>> no need for the "security" part but it removed "ntp" as well.
>
> And then you presumably reinstalled it. Did this result in you starting over 
> with a default ntp.conf, where you then manually removed (or commented out) 
> the pool lines and added your server lines?

No, then I removed everything and installed chrony.  That resolved the problem
so then I made a bug report.

>
>> Please don't fall in the common trap of trying to make everything "top
>> secure" and then making it unusable or causing problems for people that do
>> not require that.
> NTPsec is a fork of NTP. Most of the security benefit of NTPsec comes from 
> NTPsec simply removing and cleaning up decades of code cruft in NTP. NTPsec 
> is a drop-in replacement for NTP.

Except that it isn't.  Or at least the default configuration isn't.

>
> > Probably you should put that
> > config line commented in the default config so people who like it can
> > easily enable it.
>
> This configuration exists for correctness. If a given system has two time 
> sources and they disagree, which one is correct? There is no way to be sure. 
> If you have three sources, then you take whichever two agree.

In my opinion it is not good to enforce such policy on the users of the package.
I know very well how NTP works and what issues there may be, but indeed the NTP
servers are local and I deem them sufficiently reliable FOR MY PURPOSE.
It worked fine on bullseye, it failed on upgrade to bookworm.
And the config line that is responsible for the problem has a comment that does
not indicate at all that you want to remove it when you have fewer than 3
servers.  Maybe change that, I would have noticed it when I reviewed the config
diffs.

I originally commented that it works ok on another machine and believed it may
be due to the VMware/Physical difference, but that wasn't the cause: that other
machine was on another network and happened to have 3 servers configured.
But I commented that line now (I do not want time sync to fail because one of
the servers is unavailable!)
