Usefulness of noval

Gary E. Miller gem at rellim.com
Thu Mar 28 20:29:03 UTC 2019


Yo Richard!

On Wed, 27 Mar 2019 21:11:23 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> >> I was thinking along the same lines.  Should we have a command line
> >> switch, say "--secure", that requires nts (without noval) or shared
> >> key on all servers?  
> 
> I'm not sure how that helps in practice. Either someone is going to
> configure their ntp.conf that way or they're not.

Yup.  Middle ground might be a global option in ntp.conf that
enables the use of noval.  Like "insecure yes".

> > I could see the use for --insecure.  --secure does not need an
> > option, it should be the default.  
> 
> I assume that a LOT of people use the pool, especially since that is
> how distros default, so requiring NTS as the default is a non-starter
> unless/until the (or another large public) pool supports NTS.

I don't think anyone suggested blocking non-NTS servers, yet.

> The Debian packaging is keeping a /etc/defaults/ntpsec file to stay
> similar to the NTP Classic packaging and to keep systemd and sysvinit
> as consistent as possible for ntpd. Debian is keeping sysvinit for
> various reasons (including choice on Linux and for the kFreeBSD
> port). If I was only supporting systemd, I'd go "full systemd" and
> drop the /etc/defaults/ntpsec file.

Which hurts my head when users ask me how to change their command line
options.  I need to know more than I care to know about how their
system is configured.  But ntp.conf is always there and as we defined it.

> I think the existing "noval" is fine.

Hopefully, optionally, enhanced by some flavor of pinning.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin