Re: git: b1c95af45488 - main - rc.conf: correct $ntp_leapfile_sources

From: Xin Li <delphij_at_delphij.net>
Date: Fri, 08 Dec 2023 05:33:08 UTC
On 2023-12-07 17:07, Steffen Nurpmeso wrote:
> Warner Losh wrote in
[...]
>   |>|The bundled version was from NIST ftp, but fetching from ftp for every
>   |>|FreeBSD system out there was too scary for me.
>   |>|
>   |>|There may be some security / privacy concerns if we direct users to a
>   |>|place that we do not have control, by the way.
>   |>
>   |> Interesting aspect!
>   |
>   |There might be, but this sounds somewhat speculative. What are the
>   |anticipated concerns?
> 
> Maybe Xin Li has stumbled over the same thread as I after that
> publicsuffix CVE of cURL (first sentence of the quoted message):
> 
>    https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00113.html
> 
> What I mean is, the FreeBSD project and its pkg database, isn't
> this a natural place for such a thing?  With guaranteed /
> controlled availability.

It could be me being too paranoid, just my $0.02 --

Fetching the file would make an HTTP request with "libfetch/2.0", and the 
server would know the IP address, etc., if they log it somewhere.

On the other hand, by fetching the file, it means that the periodic 
script detected that the local leap-seconds file is outdated and NTP 
leap-seconds file is also outdated.

If we deliver leap-seconds using freebsd-update, this could mean the 
user is running something old; with my recent change it means they are 
running ntpd, which could be too much information.

Another concern is that it's somewhat vague whether the URL would stay 
valid.  Should it move (it happened to us with the NIST file, for example, 
which got moved to a different host), it would be both a loss of 
functionality (the file can't be updated) and a leak of information 
(running an older version of the configuration).

These may not really be a high-impact security concern, but some users 
may not be very happy with this.  If we are hosting it at e.g. 
www.freebsd.org, then we can make sure that the URL is always valid and 
we have control of logging (e.g. we could exclude certain paths from 
getting logged).

Cheers,
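An added illustration of the "outdated" check that the message above refers to. This is example code written for this page, not FreeBSD's periodic script, ntpleapfetch, or anything posted in the thread. The point it shows: whether leap-seconds.list is stale can be decided entirely offline from the file's own "#@" expiry line (NTP time, seconds since 1900-01-01), so the only externally visible event is the fetch itself, and the fetch happens exactly when the local copy is expired, which is why its occurrence reveals "running an older configuration" to whoever operates the server. The function names, the sample file contents and the timestamps are constructed for the demo.

```shell
#!/bin/sh
# Added example (not FreeBSD's periodic script): decide locally whether a
# leap-seconds.list file is stale, the condition under which a daily job
# would go out and fetch a new one. Only a stale file triggers a request.
#
# leap-seconds.list carries two metadata lines in NTP time (seconds since
# 1900-01-01 00:00 UTC):
#   "#$ <secs>"  last update
#   "#@ <secs>"  expiry; after this the file must be refreshed
NTP_UNIX_OFFSET=2208988800   # 1900-01-01 -> 1970-01-01 in seconds

# leapfile_expiry FILE: print the "#@" expiry converted to Unix time.
# Returns 1 (prints nothing) if the file has no "#@" line.
leapfile_expiry() {
    ntp_expiry=$(sed -n 's/^#@[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$ntp_expiry" ] || return 1
    echo $((ntp_expiry - NTP_UNIX_OFFSET))
}

# leapfile_needs_fetch FILE NOW_UNIX: exit 0 if a fetch would be triggered
# (file missing, unparsable, or expired at NOW_UNIX), 1 if the local copy
# is still valid and no request needs to leave the machine.
leapfile_needs_fetch() {
    file=$1
    now=$2
    [ -r "$file" ] || return 0
    expiry=$(leapfile_expiry "$file") || return 0
    [ "$now" -ge "$expiry" ]
}

# --- stand-alone demo with a constructed file and constructed timestamps ---
sample=$(mktemp)
# Constructed contents; the numbers are illustrative, not a real NIST/IERS file.
printf '%s\n' \
    '#$ 3929093563' \
    '#@ 3944937600' \
    '2272060800 10 # 1 Jan 1972' \
    > "$sample"

echo "expiry (unix): $(leapfile_expiry "$sample")"   # 1735948800
for now in 1735948799 1735948800; do
    if leapfile_needs_fetch "$sample" "$now"; then
        echo "now=$now: stale, periodic job would fetch (request leaves the host)"
    else
        echo "now=$now: current, no request made"
    fi
done
rm -f "$sample"
```

A missing or unparsable file is treated as stale on purpose: that is the safe direction for timekeeping, but it also means a host with a damaged leap file will contact the configured URL every day, which is worth keeping in mind when weighing the logging concern raised above.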