Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-21 Thread Florian Weimer 
* Ian Jackson:

>> PS: Paying that extra money to ntp.org would certainly not kill use, but
>> adding that money instead to our currently already existing support of
>> Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
>> Debian (downstream) users and developers.
>
> I wasn't aware that they charged commercial entities in this kind of
> situation but that seems reasonable to me.  IDK how much the charge
> is.  You are getting a service from pool.ntp.org, and as a commercial
> entity you should pay your suppliers.

Just to be clear: the fee goes to the pool operator, not the server
operators.  The actual service is donated without an expectation of
compensation, or the compensation is kind, say for enabling network
mapping and port scanning of IPv6 hosts.

Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Yao Wei (魏銘廷) 
We are probably accepting their TOS without reading them first:

https://www.ntppool.org/tos.html

Yao Wei

(This email is sent from a phone; sorry for HTML email if it happens.)

> On Oct 18, 2018, at 20:51, Ansgar Burchardt  wrote:
> 
>> On Thu, 2018-10-18 at 13:57 +0200, Philipp Hahn wrote:
>> So my question is more like "is it okay to not change Debians default
>> NTP server selection", so the initial setup and those lazy enough to
>> not change the default get a sane time?
> 
> I don't think Debian can answer that question and suggest to ask the
> pool operators.  This seems to be the correct list:
>  https://lists.ntp.org/listinfo/pool
> 
> A related question is the use of API keys that are included in some
> packages (e.g. chromium).  These are also vendor-specific, but cannot
> be really secret (as they are included in the binaries and could be
> extracted even for proprietary software).
> 
> Ansgar
>

Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Ansgar Burchardt 
On Thu, 2018-10-18 at 13:57 +0200, Philipp Hahn wrote:
> So my question is more like "is it okay to not change Debians default
> NTP server selection", so the initial setup and those lazy enough to
> not change the default get a sane time?

I don't think Debian can answer that question and suggest to ask the
pool operators.  This seems to be the correct list:
  https://lists.ntp.org/listinfo/pool

A related question is the use of API keys that are included in some
packages (e.g. chromium).  These are also vendor-specific, but cannot
be really secret (as they are included in the binaries and could be
extracted even for proprietary software).

Ansgar

Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Philipp Hahn 
Hello Ian et al.,

Am 18.10.18 um 12:40 schrieb Ian Jackson:
> Philipp Hahn writes (""debian.pool.ntp.org" for Debian derivatives?"):
>> Are we (as a Debian derivate) allowed to hard-code and use the
>> "debian.pool.ntp.org" or must we apply for our own pool?
> 
> The NTP pool folks would like you to use your own pool.  So would
> Debian, I'm pretty sure.

Q: So must all Debian derivatives patch NTP and re-compile¹ it as
Debians pool is hard-coded:

> $ apt download ntp
> $ ar p ntp_1%3a4.2.8p10+dfsg-3+deb9u2_amd64.deb | tar xfO data.tar.xz 
> ./etc/ntp.conf | grep ^pool
> pool 0.debian.pool.ntp.org iburst
> pool 1.debian.pool.ntp.org iburst
> pool 2.debian.pool.ntp.org iburst
> pool 3.debian.pool.ntp.org iburst

or only the commercial derivatives?


>> PS: Paying that extra money to ntp.org would certainly not kill use, but
>> adding that money instead to our currently already existing support of
>> Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
>> Debian (downstream) users and developers.

First of all: We don't what to cheat them or Debian, but the question is
interesting enough as it can have legal questions for all derivatives.

> I wasn't aware that they charged commercial entities in this kind of
> situation but that seems reasonable to me.  IDK how much the charge
> is.  You are getting a service from pool.ntp.org, and as a commercial
> entity you should pay your suppliers.

The question remains, if "Debian" can be our supplier and allow us (and
any other derivatives) to use their pool?

> If the charge is too much, you could always run your own ntp server.

Any sane setup needs at least 4 servers. That is why there is that pool
project so not everyone has to run their own farm of NTP servers around
the world themselves.

> If you continue to use the Debian pool to avoid paying them, then you
> are using their facilities without permission.
...
> TBH I doubt they would get you prosecuted or sue you - because they're
> not that kind of people and wouldn't want to harm the free software
> community = but I hope you will agree that you should act legally!

Normally I tell our customers to ask their Internet providers for their
preferred NTP servers, as they usually run their own farm, which are
then close to their customers (network wise). Many routers have a
built-in NTP server anyway. This normally improves the accuracy and
reduces network traffic as with the pool you can get servers from the
other end of the world. Lucky you if you get that information from your
provider via DHCP (option nntp-server).

Even if your provider does not run its own farm, you can still
re-configure your servers to use at least the pool for your continent or
country, which hopefully are closer by network vise, too.

As an end-user you are not bound by that pool.ntp.org rule and can
configure whatever server you like.

But not as a software or Operating System vendors: I MUST NOT use
'pool.ntp.org'.

So my question is more like "is it okay to not change Debians default
NTP server selection", so the initial setup and those lazy enough to not
change the default get a sane time?

Philipp


¹: not a big deal for us, but we try to stay as closely to Debian as we can.

Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Daniel Baumann 
On 10/18/2018 11:22 AM, Philipp Hahn wrote:
> Are we (as a Debian derivate) allowed to hard-code and use the
> "debian.pool.ntp.org" or must we apply for our own pool?

the idea between the different pool CNAMEs is that when one vendor does
something bad/wrong, the queries of devices running that version of ntp
can be easier diverted to /dev/null.

hence, as long as you don't "modify" the ntp package from debian in your
derivative, there is no need/gain of applying for an own ntp pool.

(re "modify": use your best judgement. fictional example: if you would
recompile the unmodified source package from debian with some weird
toolchain/settings in your derivative which would be likely to break
stuff, I would err on the side of causion and apply for a pool.)

Regards,
Daniel

Re: "debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Ian Jackson 
Philipp Hahn writes (""debian.pool.ntp.org" for Debian derivatives?"):
> Are we (as a Debian derivate) allowed to hard-code and use the
> "debian.pool.ntp.org" or must we apply for our own pool?

The NTP pool folks would like you to use your own pool.  So would
Debian, I'm pretty sure.

> PS: Paying that extra money to ntp.org would certainly not kill use, but
> adding that money instead to our currently already existing support of
> Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
> Debian (downstream) users and developers.

I wasn't aware that they charged commercial entities in this kind of
situation but that seems reasonable to me.  IDK how much the charge
is.  You are getting a service from pool.ntp.org, and as a commercial
entity you should pay your suppliers.

If the charge is too much, you could always run your own ntp server.

If you continue to use the Debian pool to avoid paying them, then you
are using their facilities without permission.  I don't know what
German law is like but in the UK that would be the crime of
unauthorised access to a computer system.  Also they could probably
sue you for the money.

TBH I doubt they would get you prosecuted or sue you - because they're
not that kind of people and wouldn't want to harm the free software
community = but I hope you will agree that you should act legally!

Regards,
Ian.

-- 
Ian JacksonThese opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

"debian.pool.ntp.org" for Debian derivatives?

2018-10-18 Thread Philipp Hahn 
Hello,

our business model is to we sell support for our own Debian based
distribution "Univention Corporate Server":


I recently had a discussion about NTP and their pool concept per vendor:
, but one question remains:

Are we (as a Debian derivate) allowed to hard-code and use the
"debian.pool.ntp.org" or must we apply for our own pool?

This might be interesting for other derivatives as well.

Thanks for any answer
Philipp (AKA pmh...@debian.org)

PS: Paying that extra money to ntp.org would certainly not kill use, but
adding that money instead to our currently already existing support of
Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
Debian (downstream) users and developers.
-- 
Philipp Hahn
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str. 1
D-28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
h...@univention.de

http://www.univention.de/
Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876