From owner-freebsd-security@freebsd.org Sat Apr 30 16:34:58 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F40FDB1F376 for ; Sat, 30 Apr 2016 16:34:57 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id E9F2F1A1D for ; Sat, 30 Apr 2016 16:34:57 +0000 (UTC) (envelope-from marquis@roble.com) Date: Sat, 30 Apr 2016 09:34:50 -0700 (PDT) From: Roger Marquis To: "Julian H. Stacey" cc: freebsd-security@freebsd.org, "Matthew X. Economou" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp In-Reply-To: <201604301129.u3UBTjWL055247@fire.js.berklix.net> References: <201604301129.u3UBTjWL055247@fire.js.berklix.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Apr 2016 16:34:58 -0000 Large builds over NFS filesystems, particularly secure NFS (i.e., Kerberos) are one the best tests of time synchronization. Clients with bad clocks can further exercise this not uncommon infrastructure. The reason you don't typically see build errors even here, IME, is because the timehosts tend to be shared by and local to both client and server. Roger Julian Stacey wrote: > AMD + NFS makes on a LAN. 1/10 second seems insufficient. > ( Though one could run a faster less secure NTP on a local LAN > behind a firewall, & a slower more secure NTP on a WAN, > (so a FreeBSD gate would need both NTPs ) ).