What next?
Hal Murray
halmurray at sonic.net
Tue Mar 19 02:20:28 UTC 2024
James Browning said:
>> I think we should split ntpd into several independent programs.
>> More in another message.
> I gave up on that notion; I lacked the patience to do it.
I think we can take small steps. Or at least some of them.
> Yeah, the IETF NTP WG shot down the notion of NTP alternative port.
It wasn't the NTP WG -- they had a draft RFC ready to go. The group that
vetoed it was the group in charge of rationing port assignments.
[testing config file]
> I think somewhere in the middle might be a program that takes config files
> and dumps them into some format that is easy to eyeball and machine parse.
Internally, there is a parse tree. But it doesn't contain the comments.
I'm not interested in that, but if you want to work on it, it might be a
useful utility.
[testing FIPS]
> None of the CI runners support FIPS140-2 at the moment. I don't know how to
> make them either.
There is a HOWTO-OpenSSL that tells you how to build OpenSSL from source.
Adding enable-fips to the configure step builds/tests/installs the FIPS
library too.
The recent FIPS discussion has a recipe for getting libssl to use it. I
haven't tried that step yet.
>> I'd like a script that checks the certificates. When do they expire?
> That sounds like a simple wrapper around 'openssl x509' would work.
I think it will be something simple like that after we do it. I've poked
around a few times but never ended up with anything clean. The openssl
command has a blizzard of options.
This just got more important for me. I fatfingered renewing a certificate and
a KE server stopped working. [I did the certbot step but forgot to copy the
new cert/key over to /etc/ntp/.]
--
These are my opinions. I hate spam.
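An added example, not part of Hal Murray's message or the project's own tooling: a small POSIX shell check built on `openssl x509` that answers the two questions above, when a KE server certificate expires (via `-checkend`) and whether the renewed cert was actually copied into `/etc/ntp/` (by comparing SHA-256 fingerprints). The openssl CLI on PATH, the warning threshold and the file paths are assumptions.

```shell
#!/bin/sh
# Example (constructed for this thread, not project code): sanity-check the
# certificate an NTS KE server is serving. Assumes the openssl CLI is on PATH.
set -eu

# Return 0 if the PEM cert in $1 is still valid $2 days from now, 1 if it
# expires before then. `openssl x509 -checkend` takes seconds.
cert_valid_for_days() {
    secs=$(( $2 * 86400 ))
    openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null
}

# Return 0 if the two PEM certs are the same certificate (same SHA-256
# fingerprint), 1 otherwise. Catches the "renewed but forgot to copy" case.
cert_same() {
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    [ "$a" = "$b" ]
}

# $1 = cert the KE server actually loads (e.g. under /etc/ntp/)
# $2 = freshly renewed cert (e.g. what certbot wrote)
# $3 = warn if fewer than this many days remain
# Returns 0 if everything is fine, 1 if any warning was printed.
check_nts_cert() {
    installed=$1 renewed=$2 warn_days=$3
    status=0
    if ! cert_valid_for_days "$installed" "$warn_days"; then
        echo "WARNING: $installed expires within $warn_days days" >&2
        status=1
    fi
    if [ -f "$renewed" ] && ! cert_same "$installed" "$renewed"; then
        echo "WARNING: $installed differs from renewed $renewed (copy step missed?)" >&2
        status=1
    fi
    return $status
}

# Usage when run directly; paths are placeholders for this example:
#   ./check_nts_cert.sh /etc/ntp/cert.pem /etc/letsencrypt/live/HOST/fullchain.pem 30
if [ $# -eq 3 ]; then
    check_nts_cert "$@"
fi
```

Run it from cron after each certbot renewal so a missed copy shows up before clients start failing NTS-KE.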