> Why fight so hard to run 6 year old software on the public Internet?

I can't speak for anyone else. But, as someone running NTP even older than that, my response is, because the expected time investment required to switch versions is fairly high and the perceived benefit is quite low.

I run the NTP daemon shipped with the OS version I run. (Which one this is varies depending on the machine; there are three OS revs I run.)

So far, I have seen no reason to think I am vulnerable to any of the various issues running around, though I did break monlist because my upstream didn't want to have to special-case me. (I worked fine as a bandwidth amplifier for tiny amounts of bandwidth; try to push more than tiny amounts, though, and you get router-blocked at my border. My upstream apparently had something set up that assumed being willing to bandwidth-amplify for a few packets meant being willing to bandwidth-amplify for arbitrary levels of traffic.) And all the other vulnerabilities I've seen reported have been in facilities I don't use, mostly crypto stuff.

Until and unless I see reason to think I'm vulnerable to something worse than the above, I see no reason to go through the hell of convincing a more recent ntpd to build on my systems - especially since (a) the documentation is in such an inconvenient format and (b) it has drunk the ./configure koolaid, each of which substantially increases the time and effort involved.

So, I guess, my answer is to ask in return, why fight so hard to create an unfunded mandate for others to heatseek ntpd versions?

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
