Mouse writes:

> > See:
> >
> > http://support.ntp.org/bin/view/Main/SecurityNotice
> >
> > You might want to upgrade or disable ntpd.
>
> It would really REALLY help if the report would give enough details for
> me to make an informed decision. There are three buffer overflows
> claimed that have almost no details given (or at least not in any way
> I've figured out how to get) - one of which, fortunately, does mention
> a detail that tells me I don't have occasion to care about it - and no
> fixes provided beyond "switch to this version", no matter how bad a fit
> that might be to your use case. Apparently they consider it acceptable
> to make me reproduce the work to figure out what the vulnerability is,
> rather than actually providing useful information about it.

You are whining, and I'll attribute that to the extra work this time of year.

Imagine what I've been doing for the past 3 weeks, with another week or so of similar effort in front of me.

Please tell me a valid use case for sticking with the older version. "Because my auditor says so" is a valid but not good reason. They're just cost-shifting. Let them backport the patches, or pay somebody to do it. NTF offers support contracts for older versions of NTP. Nobody has ever asked us to do this for them.

We barely have adequate resources to work on the mainline codebase. Did you notice it's been 5 YEARS since the last stable release? Get NTF enough funding and that will change. We are *seriously* resource-strapped.

Having said that, I sometimes get offers from "young" coders who want to help. That's great, but I'd need to pair them up with a well-seasoned senior engineer before I could even begin to use their work. We don't have enough well-seasoned senior engineers as it is, let alone ones who have enough extra volunteer time to mentor a newbie.

The detail that I wrote up is more than the short sentence I originally got describing the problem. If somebody can write even better descriptions I'll happily add that information to the reports.

> This does not inspire me to want to use their software. I've long been
> tempted to build my own NTP implementation, first to understand the
> protocol, then because the principal implementation is so badly
> documented (HTML as a documentation format? Seriously?!), now because
> they're not providing enough information about apparently-serious bugs
> to let me make an informed decision on what (if anything) to do, or to
> fix the version I'm running if that turns out to be a right answer.
> They appear to be under some sort of delusion that "switch versions" is
> an easy and reasonable thing for anyone to do. So far, I've held off
> because I've been intimidated by the apparent difficulty of getting all
> the details right, but it's definitely getting more difficult to
> justify holding off. It _is_ a documented protocol, after all.

Goferit. Several other folks have done similarly, and to my knowledge *all* have stuck thru it to get something that was good enough for their specific needs, and all have said that when they started they had no idea how difficult a problem this is to solve.

Here's another data point for you. Over 1,100 bugfixes and improvements have been made to the NTP codebase between 4.2.6 and 4.2.8. In rough numbers, that's about 1 fix every workday.

-- 
Harlan Stenn <[email protected]>
http://networktimefoundation.org - be a member!

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
