From: Philip Paeps
To: d@delphij.net
Cc: Warner Losh, src-committers, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: b1c95af45488 - main - rc.conf: correct $ntp_leapfile_sources
Date: Fri, 08 Dec 2023 16:34:36 +0800
References: <202312070550.3B75o8WV066387@gitrepo.freebsd.org> <389AB29C-D5C0-4091-91ED-219F33351B35@freebsd.org> <20231207222716.obSthG6r@steffen%sdaoden.eu> <20231208010731.3hijmSTL@steffen%sdaoden.eu>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 2023-12-08 13:33:08 (+0800), Xin Li wrote:
> On 2023-12-07 17:07, Steffen Nurpmeso wrote:
>> Warner Losh wrote in
> [...]
>> |>|The bundled version was from NIST ftp, but fetching from ftp for every
>> |>|FreeBSD system out there was too scary for me.
>> |>|
>> |>|There may be some security / privacy concerns if we direct users to a
>> |>|place that we do not have control, by the way.
>> |>
>> |> Interesting aspect!
>> |
>> |There might be, but this sounds somewhat speculative. What's the anticipated
>> |concerns?
>>
>> Maybe Xin Li has stumbled over the same thread as I after that
>> publicsuffix CVE of cURL (first sentence of the quoted message):
>>
>> https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00113.html
>>
>> What I mean is, the FreeBSD project and its pkg database, isn't
>> this a natural place for such a thing? With guaranteed /
>> controlled availability.
>
> It could be me being too paranoid, just my $0.02 --
>
> Fetching the file would make an http request with "libfetch/2.0", and
> the server knows the IP address, etc., if they log it somewhere.
>
> On the other hand, by fetching the file, it means that the periodic
> script detected that the local leap-seconds file is outdated and the NTP
> leap-seconds file is also outdated.
>
> If we deliver leap-seconds using freebsd-update, this could mean the
> user is running something old; with my recent change it means they are
> running ntpd, which could be too much information.
>
> Another concern is that it's somewhat vague if the URL would stay
> valid. Should they move (it happened to us for the NIST file, for
> example, that got moved to a different host), it would be both a loss
> of functionality (file can't be updated) and a leak of information
> (running an older version of configuration).
>
> These may not really be a high-impact security concern, but some users
> may not be very happy with this. If we are hosting it at e.g.
> www.freebsd.org, then we can make sure that the URL is always valid
> and we have control of logging (e.g. we could exclude certain paths
> from getting logged).

That was my reasoning for putting it on download.freebsd.org (or creating
a data.freebsd.org).

I think the bikeshed is pretty liberally coated in paint by now.

- The previous implementation hardcoded a single URL: ietf.org
- My commit replaced it with another URL: iana.org

The only difference between the two URLs is that the previous one returns
404, while the new one is live.
Additionally, the new one has a chance of being updated before it expires.

Note that there is no polling here. See src/libexec/rc/rc.d/ntpd. When
ntpd starts (i.e. when the system boots or the user runs "service ntpd
fetch" or similar), the system's best guess at the current time is
compared to the expiry date of the file on the filesystem. If we're
within the window before expiry or the file has expired, we attempt a
fetch. I don't think there's much risk of every FreeBSD system in the
world starting at the same time.

Nevertheless, I don't like the idea of pointing every FreeBSD
installation at a URL that isn't ours. It's bad manners. And we're
victims of others doing that to us: a non-trivial fraction of traffic to
www.FreeBSD.org is htpdate/1.0. It will never go away.

While it feels like over-engineering to put this on our infrastructure,
it's the polite thing to do. I can set up a well-behaved cronjob on our
infrastructure to poll the authoritative source.

I also have interesting opinions and trivia to share about leap seconds,
but I don't think they're relevant to this particular discussion. The
only problem I want to solve today is the ugly 404 from "service ntpd
fetch".

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
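The expiry check Philip describes (compare the system clock with the file's expiry and fetch only inside the window or after it), as an added example that is not the project's rc.d/ntpd script. It assumes the leap-seconds.list convention of a "#@" line holding the expiry as an NTP timestamp, takes the 30-day window from rc.conf's ntp_leapfile_expiry_days, and uses a constructed sample file rather than the real IERS list.

```shell
# Added example (not FreeBSD's rc.d/ntpd): decide whether a leap-seconds
# file should be re-fetched, following the check described in the thread.
# leap-seconds.list carries its expiry on a "#@" line as an NTP timestamp
# (seconds since 1900-01-01); subtracting 2208988800 gives Unix time.
NTP_UNIX_OFFSET=2208988800

# Print the file's expiry as a Unix timestamp; 0 (already expired) when the
# file is missing, unreadable or has no "#@" line, so a broken file still
# triggers a refresh instead of silently running with stale data.
leapfile_expiry() {
    _f="$1"
    [ -r "$_f" ] || { echo 0; return 0; }
    _ntp=$(awk '$1 == "#@" { print $2; exit }' "$_f")
    case "$_ntp" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo $(( _ntp - NTP_UNIX_OFFSET )) ;;
    esac
}

# Exit 0 (fetch) when "now" is within the window before expiry or past it,
# 1 (no fetch) otherwise. Args: file, now as Unix seconds, window in days
# (rc.conf's ntp_leapfile_expiry_days, default 30). Every fetch is a request
# to a remote host, so this window is the only thing that rate-limits it.
leapfile_needs_fetch() {
    _expiry=$(leapfile_expiry "$1")
    _window=$(( $3 * 86400 ))
    [ "$2" -ge $(( _expiry - _window )) ]
}

# Constructed sample file (not the real IERS list): expires at NTP
# 3928521600 = Unix 1719532800 = 2024-06-28 00:00 UTC.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '#\tconstructed sample leap-seconds.list\n#$\t3912710400\n#@\t3928521600\n2272060800\t10\t# 1 Jan 1972\n' > "$SAMPLE"

# 2023-11-14 (outside window), 2024-06-10 (inside window), 2024-07-03 (expired)
for now in 1700000000 1718000000 1720000000; do
    if leapfile_needs_fetch "$SAMPLE" "$now" 30; then
        echo "now=$now: fetch"
    else
        echo "now=$now: no fetch"
    fi
done
```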