From nobody Fri Dec  8 08:34:36 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Smkw25PW5z53blS;
	Fri,  8 Dec 2023 08:34:42 +0000 (UTC)
	(envelope-from philip@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Smkw24Zwrz3Vyn;
	Fri,  8 Dec 2023 08:34:42 +0000 (UTC)
	(envelope-from philip@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1702024482;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=/dp6KtEgC/9miU3XVDFXJASPXJsSIM1jSbeS2hI+yeE=;
	b=qrcyM0n8+bRekyo08b9gzo+9vrxSNtlN8v+BPBSWwX+WlCegPjnal7MbCqShJHMG4532Ed
	dTg9J4e6nf0Wed8SW9+fBZT+VipIlZmbmMJ9Xj1ty4SfBk+1jheDaUldmSNUMzDBCD5rHj
	xrUblMcWcQKNXmWGNgUHgcy2HnH2YEhRFtxVBwZD3rYw07RnrSubzawKMBcoLyPvywl53g
	IESVGVutcoqyhLaxJHIg2ENxjwU8eCJmgBBdNrSern8QANO+whsrZIcp1QRQzDh6NN+FHJ
	ysTvCNcmnprPcafwrSVooNAcjx7UlPvEeyMvnX0H39VNSxn9NLD8s0IbEQ1rbA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1702024482; a=rsa-sha256; cv=none;
	b=gd6YDHIX27olmZRqGB6+2ISy5dKZ79oPRaCyIanXHB3PmKJuuVL9VUw146jpPWAsgF1QL5
	jpY3q8Nkr7bK5uRcZ9xuFnGzHY0/2HKgrg7YLK9rriVoaolS/ghPHJVoTfBDd1RSi83gJh
	u6MIpZ7+gUVFlMkOvgm+A8Rvdcu5G57iMRQo4rYLpRcYODJHnc15Xo9SvJRh4g6Iq4ZY47
	ulUg8jPTQcvZpTfBSJFjqG+YXYOEo9dZsnn7z9nWgZT7/9+6d0rifY/0cXIhxdHqY918r0
	6MJ2DR3XB/qqUd8iUDpEThBUAIBbfcCiTNvd0DE/qwRHAdo2+jLZvoG8ZMl21w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1702024482;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=/dp6KtEgC/9miU3XVDFXJASPXJsSIM1jSbeS2hI+yeE=;
	b=JGWkbdlQsrIhxuaw+C5M3axYQ3H9FjCxi2Jnl+ztFIACcgxjxexw+ftgH6Oyy3ItJ73qtB
	Yhl9SzNp2LkQNj+wCuPH+PNuIbIGH/LEMDSqyoapIkbTTLq3bFzckHcgWf7J3RTgBzQ616
	RAOuPr3Nm9gfCy3xwaZfminW5Toi23qRoHUuIcJj8+u/W5CfbAntfmWWN9ctjRGf9uGxv9
	QOp+iXNQTNOs4YxmU8sjftkD7ce9zVd4DVIwse5ADOnimEbQG/1XQqtz1LvBD/DuwxdhcU
	6Rv7adGyjUQa1scudv2J9vZ/Ji9sWqJa2W7jKwUIQJFuRPHCZHs6eGMWAa+D4w==
Received: from auth1-smtp.messagingengine.com (auth1-smtp.messagingengine.com [66.111.4.227])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: philip/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4Smkw23LWCz11Dp;
	Fri,  8 Dec 2023 08:34:42 +0000 (UTC)
	(envelope-from philip@freebsd.org)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
	by mailauth.nyi.internal (Postfix) with ESMTP id 51BD327C0054;
	Fri,  8 Dec 2023 03:34:42 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
  by compute4.internal (MEProxy); Fri, 08 Dec 2023 03:34:42 -0500
X-ME-Sender: <xms:IdVyZcpIPhiw_9MU6zoj0eLl-qfuJr39SXQZdieZ7fBnK0beBJC12Q>
    <xme:IdVyZSqWGNbJW19Hasqv1LZHv5XNLQq_v7gxTbfCLz-h53UJglPIGLzB3ImzoxbwF
    R3wErZe_BSPjSC1qU4>
X-ME-Received: <xmr:IdVyZRMEehEcW97hqhy4iw3bA_v2ueiIxskRL3pn-ZFycbnxbFFOApqp0LscKoY_EbQQ-v_LsRWiDq5TQ-o8fO0WMczilb7xmg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrudekhedgieejucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefhvfevufffoffkjghfgggtsehttd
    hmtdertddtnecuhfhrohhmpefrhhhilhhiphcurfgrvghpshcuoehphhhilhhiphesfhhr
    vggvsghsugdrohhrgheqnecuggftrfgrthhtvghrnhepteehieeigeeuueeigfdtjefgud
    ekieehueduiedvjeehgfettefhtdegkeehjeeknecuffhomhgrihhnpehgnhhurdhorhhg
    pdhfrhgvvggsshgurdhorhhgpdhivghtfhdrohhrghdpihgrnhgrrdhorhhgnecuvehluh
    hsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpodhm
    vghsmhhtphgruhhthhhpvghrshhonhgrlhhithihqdduudeiiedviedvgeekqddvfeehud
    ektddtkedqphhhihhlihhppeepfhhrvggvsghsugdrohhrghesthhrohhusghlvgdrihhs
X-ME-Proxy: <xmx:ItVyZT46BJF2X95D72ay0usolEO979aH7-mVgpOLosTDxaOJAr1XoQ>
    <xmx:ItVyZb5EjDw8zO_zGPmga7X5HSaLJYRAEp4EWREDB3Y5xtopmt2feQ>
    <xmx:ItVyZTiVinEhVC5OlHZ8o0_F__YdlrBflKrnZUIrWASoIBUxs0byxA>
    <xmx:ItVyZe2m1F_M140MsBUMeqNl9Yk_8dyBGPl5tuP7CAqXQ-b-ssXTVA>
Feedback-ID: ia691475d:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri,
 8 Dec 2023 03:34:39 -0500 (EST)
From: Philip Paeps <philip@freebsd.org>
To: d@delphij.net
Cc: Warner Losh <imp@bsdimp.com>, src-committers <src-committers@freebsd.org>,
 dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: b1c95af45488 - main - rc.conf: correct $ntp_leapfile_sources
Date: Fri, 08 Dec 2023 16:34:36 +0800
X-Mailer: MailMate (1.14r6005)
Message-ID: <C5DD21B1-C129-4258-BB6C-3E6B59B705E9@freebsd.org>
In-Reply-To: <c345c9cc-9e89-4ab5-a1cb-7345760ab098@delphij.net>
References: <202312070550.3B75o8WV066387@gitrepo.freebsd.org>
 <CANCZdfrSitY2W+7EVaa_yX=KhsJNq_FZqyOLnBeTZX_-6YGxpg@mail.gmail.com>
 <389AB29C-D5C0-4091-91ED-219F33351B35@freebsd.org>
 <d75b041f-05f8-44c1-8de6-1fef89b7e537@delphij.net>
 <20231207222716.obSthG6r@steffen%sdaoden.eu>
 <CANCZdfpHWRECi=DyhxJAW4MkA-CyPLK=OSdSwBdKQJ57MyPwNA@mail.gmail.com>
 <20231208010731.3hijmSTL@steffen%sdaoden.eu>
 <c345c9cc-9e89-4ab5-a1cb-7345760ab098@delphij.net>
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; format=flowed

On 2023-12-08 13:33:08 (+0800), Xin Li wrote:

> On 2023-12-07 17:07, Steffen Nurpmeso wrote:
>> Warner Losh wrote in
> [...]
>>   |>|The bundled version was from NIST ftp, but fetching from ftp for 
>> every
>>   |>|FreeBSD system out there was too scary for me.
>>   |>|
>>   |>|There may be some security / privacy concerns if we direct users 
>> to a
>>   |>|place that we do not have control, by the way.
>>   |>
>>   |> Interesting aspect!
>>   |
>>   |There might be, but this sounds somewhat speculative. What's the 
>> anticip\
>>   |ated
>>   |concerns?
>>
>> Maybe Xin Li has stumbled over the same thread as i after that
>> publicsuffix CVE of cURL (first sentence of the quoted message):
>>
>>   https://lists.gnu.org/archive/html/bug-wget/2014-03/msg00113.html
>>
>> What i mean is, the FreeBSD project and its pkg database, isn't
>> this a natural place for such a thing?  With guaranteed /
>> controlled availability.
>
> It could be me being too paranoid, just my $0.02 --
>
> Fetching the file would make a http request with "libfetch/2.0", and 
> the server knows the IP address, etc., if they log it somewhere.
>
> On the other hand, by fetching the file, it means that the periodic 
> script detected that the local leap-seconds file is outdated and NTP 
> leap-seconds file is also outdated.
>
> If we deliver leap-seconds using freebsd-update, this could mean the 
> user is running something old; with my recent change it means they are 
> running ntpd, which could be too much of information.
>
> Another concern is that it's somewhat vague if the URL would stay 
> valid.  Should they move (it happened to us for the NIST file, for 
> example, that gets moved to a different host), it would be both a loss 
> of functionality (file can't be updated) and a leak of information 
> (running an older version of configuration).
>
> These may be not really a high impact security concern, but some users 
> may be not very happy with this.  If we are hosting it at e.g. 
> www.freebsd.org, then we can make sure that the URL is always valid 
> and we have control of logging (e.g. we could exclude certain paths 
> from getting logged).

That was my reasoning for putting it on download.freebsd.org (or 
creating a data.freebsd.org).

I think the bikeshed is pretty liberally coated in paint by now.

- The previous implementation hardcoded a single URL: ietf.org
- My commit replaced it with another URL: iana.org

The only difference between the two URLs is that the previous one 
returns 404, while the new one is live.  Additionally, the new one has a 
chance of being updated before it expires.

Note that there is no polling here.  See src/libexec/rc/rc.d/ntpd.  When 
ntpd starts (i.e. when the system boots or the user runs "service ntpd 
fetch" or similar), the system's best guess at the current time is 
compared to the expiry date of the file on the filesystem.  If we're 
within the window before expiry or the file has expired, we attempt a 
fetch.

I don't think there's much risk of every FreeBSD system in the world 
starting at the same time.  Nevertheless, I don't like the idea of 
pointing every FreeBSD installation at a URL that isn't ours.  It's bad 
manners.  And we're victims of others doing that to us: a non-trivial 
fraction of traffic to www.FreeBSD.org is htpdate/1.0.  It will never go 
away.

While it feels like over-engineering to put this on our infrastructure, 
it's the polite thing to do.  I can set up a well-behaved cronjob on our 
infrastructure to poll the authoritative source.

I also have interesting opinions and trivia to share about leap seconds, 
but I don't think they're relevant to this particular discussion.  The 
only problem I want to solve today is the ugly 404 from "service ntpd 
fetch".

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises