Re: git: b1c95af45488 - main - rc.conf: correct $ntp_leapfile_sources

On Thu, Dec 7, 2023 at 6:07 PM Steffen Nurpmeso <steffen@sdaoden.eu> wrote:

> Warner Losh wrote in
>  <CANCZdfpHWRECi=DyhxJAW4MkA-CyPLK=OSdSwBdKQJ57MyPwNA@mail.gmail.com>:
>  |On Thu, Dec 7, 2023 at 3:27 PM Steffen Nurpmeso <steffen@sdaoden.eu>
> wrote:
>  |> Xin Li wrote in
>  |>  <d75b041f-05f8-44c1-8de6-1fef89b7e537@delphij.net>:
>  |>|On 2023-12-06 22:34, Philip Paeps wrote:
>  |>|> On 2023-12-07 14:26:05 (+0800), Warner Losh wrote:
>  |>|>> We should point to bipm
>  |>|>> https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list since
>  |> they
>  |>|>> are
>  |>|>> the source of truth, no?
>  |>|>
>  |>|> I went for the IANA copy because data.iana.org is a much shorter and
>  |>|> trustworthy looking URL.  And it's also where other operating systems
>  |>|> get their copies.
>  |>|
>  |>|My understanding is that IANA's copy is part of tzdata and it's only
>  |>|updated when a new set of zone data is released, so it's sometimes
>  |>|outdated.  It is actually going to be outdated really soon by the way.
>  |>
>  |> But nothing will change.
>  |> It is only about the included end-of-life tag why there is
>  |> discussion at all.
>  |> The IANA TZ data is always updated as necessary, "early enough".
>  |
>  |Yes. TZ data updates multiple times a year. The lead time on NIST/BIPM
>  |updating the file usually is within days or weeks after the new leap is
>  |announced.
>  |But ntpd can't possibly use it for about 5 months. TZ updates are plenty
>  |fast.
>  |
>  |The bigger problem is that we have to do a EN to get a new set of zone
>  |files. If we had a way to fetch them, we could just copy this file from
> the
>  |updated
>  |zone files.
>
> I never spoke against fetching the plain file (who is my role in
> this project in the end?), i only spoke against using the server
> of the french institute directly.
>

The French institute is the source of truth. The BIPM defines what
UTC is, based on atomic clock measurements from all over the world.
A subagency, the IERS, measures the delta between UTC and
the earth's orientation and makes the determination of when a
leap second is scheduled.

There's no cryptographic signature of this file. There is a hash
that ensures it's not corrupted, but it can't be verified as authoritative
since it's just a SHA hash. By grabbing it from BIPM, the source
of truth for time, we at least get their TLS certs to back up the file.
Grabbing it from anywhere else means our users have to trust the
other places. While the IETF/IANA are trustworthy, it's one level
removed.

Then again, given this file, in this context, is only used when ntpd
can't otherwise determine the leap seconds, so maybe that high
level of trust isn't strictly needed. The lack of easy verification
of this file has been discussed in the time community on and off
for the last 25 or more years.


> Ie one could poll this once a day or so, and upload it somewhere
> else.  Or ping the github URL of the raw IANA TZ file, which is
> placed in Eggert's repo quite fast, even without release.
> (Just in case the FreeBSD project want to lock out all the
> countries that github blocks, i think Iran, North Korea, Cuba
> even, who knows which otherwise, i will not look up that political
> war thing.)
>

Polling any more frequently than every other month is overkill. This file
is used,
at most, twice a year. It changes 6 months before the leap second,
give or take. Polling it every 60 days is given how often it is used.
Ideally, our scripts would spread out the polling over those 60 days...



>  |> Also the beasts are about to get rid of leap seconds until 2035
>  ...
>  |> earlier).  Bets can be placed whether it will happen before
>  |> a possible occurring leap second, or not.  (My bet is that they
>  |> run everything against the wall, and then run away yelling about
>  |> the evil leap second, after having missed to create an appropriate
>  ...
>  |Yea, we're years away from the next leap second. And there's still
>  |a good chance we'll have at least one more. And there's also rumblings
>  |that leaps will stop before 2035 (that's the current absolute last date,
>  |and there's several folks that want to pull that in). What will happen
>  |for sure isn't well known...
>  |
>  |ntpv5 discussions have, at times, assumed there will be no more leap
>  |seconds and so ntpv5 needn't have anything to accommodate them.
>
> I have not looked into current WG outcome (there was just recently
> some IETF post regarding NTP, i have not looked).
> I would only wish they distribute TAI and the offset to UTC, but
> i think, i would hope, they will doing the opposite regulary.
> I have no time, and i am not the right person to do anything about
> NTP, let alone in the IETF.  All i could ever say i did say, and
> that was that it was always wrong to go for "civil time" aka UTC,
> at least without a permanent indication to a constant reliable
> time scale.  And a longer possibility to detect leaps, as i knew
> secretaries who turn off their computer at Friday afternoon, not
> to turn it on again until Monday morning.  And my impression in
> the past, before i came a little bit involved in international
> email etc communication, was that the engineers simply could not
> imagine such a situation.  Or, *at best*, decided that then
> silence is the best communication on such a switch.
>

The need for leap seconds, or its lack, has complicated history.


>  |>|The IERS one is more up-to-date because they publish the bulletin.
>  |>
>  |> In general i think distribution of load is a good thing, and
>  |> i find it very unfriendly to put all the load onto some jealous
>  |> institute (if it is one) and its single server.
>  |> The FreeBSD project has an established set of mirrors, and, the
>  ...
>  |We can skew the load in time by spreading all our users out over
>  |the few months we have if there's a load issue.
>
> I have recognized even the nice name of this mechanism in the
> FreeBSD rc system, Warner Losh.
>

Yea, I worked for a timing company in the 2000s. I couldn't recall
if I'd written this or Ian had. I think my name is on it, but Ian fixed
all the mistakes I made. :)


>  |> Btw PHK had a thrilling idea of DNS distributing leap ticks some
>  |> years ago, and he even started to host it.  As it unfortunately
>  |> did not fly i did not track it further.
>  |> Would also be an idea for the FreeBSD project: simply download the
>  |> file ones, then place a DNS record that FreeBSD installations then
>  |> can query.  DNSSEC is in place i think.
>  |
>  |Yea, that's not a thing that's happening. It was an interesting idea,
>  |but hasn't been standardized and there's little to apetite to distribute
>  |this way.
>
> Unfortunately.  And then there is the fully blown tzdist protocol
> that the IETF hammered through with XML and what not formats,
> unfortunately not CBOR ("later"), this is what Meinberg says on
> the state of that:
>
>   https://kb.meinbergglobal.com/kb/time_sync/tzdist
>

Yea...


>  |>|The bundled version was from NIST ftp, but fetching from ftp for every
>  |>|FreeBSD system out there was too scary for me.
>  |>|
>  |>|There may be some security / privacy concerns if we direct users to a
>  |>|place that we do not have control, by the way.
>  |>
>  |> Interesting aspect!
>  |
>  |There might be, but this sounds somewhat speculative. What's the anticip\
>  |ated
>  |concerns?
>
> Maybe Xin Li has stumbled over the same thread as i after that
> publicsuffix CVE of cURL (first sentence of the quoted message):
>
>   https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00113.html
>
> What i mean is, the FreeBSD project and its pkg database, isn't
> this a natural place for such a thing?  With guaranteed /
> controlled availability.
>

The ntp leap stuff does pre-date the pkg by a decade. Having a package
for it might be a natural evolution,

Warner


> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
> |
> | Only in December: lightful Dubai COP28 Narendra Modi quote:
> |  A small part of humanity has ruthlessly exploited nature.
> |  But the entire humanity is bearing the cost of it,
> |  especially the inhabitants of the Global South.
> |  The selfishness of a few will lead the world into darkness,
> |  not just for themselves but for the entire world.
>