Tangle - cookie keys file

Eric S. Raymond esr at thyrsus.com
Thu Mar 7 19:07:04 UTC 2019


Richard Laager via devel <devel at ntpsec.org>:
> Either /var/lib/ntp, or as suggested in a previous message, /var/NTP
> seems fine for the default. The important part is discussed below.

I concur.  I think I'd prefer the former slightly, but that's a pure
matter of taste (I dislike caps in filenames) so Hal gets to make the
call.

> >> Can we and/or should we make the default file names OS dependent?
> > 
> > I recommend trying to avoid that.  Follow the Filesystem Hierarchy
> > Standard and let other OSes be their local packagers' problem.
> 
> In any event, this should be a configurable location in waf, like other
> directories. Then, if you want to try to do platform default detection,
> write that in waf configure. That is the standard way to handle such things.

Dissenting mildly.  For reasons I've explained before I'm trying to move us
away from config options.  I will be resistant to adding more in the future.
Doesn't mean that we can never do it, but I'd want to see a demonstration of
need in each individual case.

> >> What should the system do if it can't read the file?  Crash?  Blunder on in 
> >> no-NTS mode?  Make one?  ...
> > 
> > I think blundering on in no-NTS mode would be wrong unless NTS has
> > been explicitly disabled in the config.  An iron rule: Enabled
> > security measures should fail noisily, not quietly, so a human will
> > take action.
> 
> Agreed. If you cannot continue, log an error and exit with a failure
> status. This would happen if the key file exists but cannot be read
> (e.g. open(..., O_RDONLY) fails with other than ENOENT), the file exists
> but its contents are missing or invalid, or if it doesn't exist and
> cannot be written.

Good analysis of the precondition. Endorsed.

> >> If it crashes, where do we get the first one?
> > 
> > The fact that this question needs to be asked implies that the right
> > answer to the previous one is "Make one and log a warning".
> 
> I think it should be "make one and log an info message". The key being
> missing isn't really a problem worthy of a warning, is it? It's going to
> happen on every first install/upgrade-to-NTS.

Friendly amendment accepted; I was being loose in my use of the term "warning".

This raises an interesting point.  ntpd can now tell when its on first startup
(absence of this file).  I'm not a fan of this kind of statefulness - worked
hard at avoiding it in GPSD - but since NTS's requirements stick us with it there's
a question: what else should trigger on this event?
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.




More information about the devel mailing list