From Fedora Project Wiki
(Announcing the Change proposal)
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 10: Line 10:


== Current status ==
== Current status ==
[[Category:ChangeAnnounced]]
[[Category:ChangeAcceptedF34]]
[[Category:SelfContainedChange]]
[[Category:SelfContainedChange]]


* Targeted release: [[Releases/34 | Fedora 34 ]]
* Targeted release: [[Releases/34 | Fedora 34 ]]
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2517 #2517]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1909783 #1909783]
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/619 #619]


== Detailed Description ==
== Detailed Description ==
Line 30: Line 30:
* `nagios-plugins-ntp-perl`
* `nagios-plugins-ntp-perl`
* `ntpstat`
* `ntpstat`
Drivers for hardware reference clocks stay in Fedora in a form of a standalone wrapper in the `ntp-refclock` package. They can be used by other NTP implementations.


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 39: Line 41:


# Package `ntpsec` obsoleting the `ntp` package.
# Package `ntpsec` obsoleting the `ntp` package.
# Retire `ntp` package.
# Retire the `ntp` package.
# Make sure the dependent packages still work.
# Make sure the dependent packages still work.


Line 52: Line 54:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==


The `ntp` package is replaced automatically on upgrade to Fedora 34. The configuration file ''/etc/ntp.conf'' is saved as to ''/etc/ntp.conf.rpmsave'' and it needs to be renamed to ''/etc/ntp.conf'' to be used by `ntpsec`. Otherwise, `ntpsec` will fall back to the default configuration in ''/etc/ntp.d'' using the ''pool.ntp.org'' servers.
The `ntp` package is replaced automatically with `ntpsec` on upgrade to Fedora 34. If the original `ntpd` and/or `ntp-wait` services were enabled, they are re-enabled in the upgrade. The original configuration file ''/etc/ntp.conf'' and directory ''/etc/ntp'' are reused by `ntpsec`.
 
The `ntpd` service is disabled after the upgrade and needs to be enabled again.


== How To Test ==
== How To Test ==
Line 63: Line 63:


== User Experience ==
== User Experience ==
For most users of `ntp` the experience is not expected to change significantly. Advanced configurations may need to be modified to work with `ntpsec`.
For most users of `ntp`, the experience is not expected to change significantly. Advanced configurations may need to be modified to work with `ntpsec`. The system log will contain error or warning messages from `ntpd` if unsupported directives or options are present in the configuration. For monitoring, the `ntpq` tool works as before.


== Dependencies ==
== Dependencies ==
Line 79: Line 79:


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.


Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze.  
The classic `ntpd` service was formerly provided by the `ntp` package. The `ntp` software has significant security issues and slow development. It has now been replaced with the `ntpsec` package, an actively maintained fork of the `ntp` software. No functional changes are expected for most users. Users should check the system log for errors and warnings from the new `ntpd` service and modify ''/etc/ntp.conf'' as necessary.
-->
TBD

Latest revision as of 16:20, 6 January 2021

ntp replacement

Summary

The ntp package is replaced with ntpsec.

Owner

Current status

Detailed Description

ntp is one of the few NTP implementations provided in Fedora. It is not used or installed by default.

The upstream project is not in a good shape and it doesn't seem to be improving. The development is slow and happens behind closed doors. There is a significant number of known security issues that have not been fixed yet. Some are exploitable in the default configuration.

ntpsec is a fork of ntp with focus on security. It has removed a lot of code and fixed or avoided most of the security issues in ntp. It doesn't support all features, but in typical configurations it can be used as a drop-in replacement for ntp.

There are few packages in Fedora that have a dependency on ntp:

  • nagios-plugins-ntp-perl
  • ntpstat

Drivers for hardware reference clocks stay in Fedora in a form of a standalone wrapper in the ntp-refclock package. They can be used by other NTP implementations.

Benefit to Fedora

This change makes Fedora more secure.

Scope

  • Proposal owners:
  1. Package ntpsec obsoleting the ntp package.
  2. Retire the ntp package.
  3. Make sure the dependent packages still work.
  • Other developers: N/A (not a System Wide Change)
  • Release engineering: N/A (not needed for this Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

The ntp package is replaced automatically with ntpsec on upgrade to Fedora 34. If the original ntpd and/or ntp-wait services were enabled, they are re-enabled in the upgrade. The original configuration file /etc/ntp.conf and directory /etc/ntp are reused by ntpsec.

How To Test

  • Install ntpsec
  • Run ntpdate pool.ntp.org
  • Start the ntpd service
  • Run ntpq -p to verify ntpd is polling servers and synchronizing the clock

User Experience

For most users of ntp, the experience is not expected to change significantly. Advanced configurations may need to be modified to work with ntpsec. The system log will contain error or warning messages from ntpd if unsupported directives or options are present in the configuration. For monitoring, the ntpq tool works as before.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: Unretire ntp and remove the obsoletes in ntpsec
  • Contingency deadline: Fedora 34 Beta
  • Blocks release? N/A (not a System Wide Change)
  • Blocks product?

Documentation

N/A (not a System Wide Change)

Release Notes

The classic ntpd service was formerly provided by the ntp package. The ntp software has significant security issues and slow development. It has now been replaced with the ntpsec package, an actively maintained fork of the ntp software. No functional changes are expected for most users. Users should check the system log for errors and warnings from the new ntpd service and modify /etc/ntp.conf as necessary.