Hi,

a couple of years ago (in 2017) I stepped up to help bring src:ntp back
in shape because I needed it for work. All uploads since that time have
been made by me. An RFH bug had been open the whole time and just
recently got the first message for five years, which made me remember my
plan.

Back then cleaning up the official ntp.org package in Debian was without alternatives, because ntpsec was not born yet and chrony did not have
any traction in the Debian world (as far as I could tell).

However, development for ntp.org is slow, upstream still using BitKeeper
is cumbersome, and even the testsuite needs to be fixes on some
architectures for new releases. Both ntpsec and chrony are (from my POV)
the better alternatives now. To a point where I would rather use chrony
for new deployments, but I'm shying away from not using my own work
anymore for the lack of real-life testing.

I could just step down as a maintainer/uploader and have the ntp
packaging bitrot, but this would be a large disservice to our users
(unless someone else continues to maintain it). I think another option
would be to migrate to one of the alternatives for Bookworm.

ntpsec and ntp should be largely configuration compatible, so even a
takeover of the binary package names might be practical.

What do you think?

Bernhard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17.01.22 17:01, Bernhard Schmidt wrote:

a couple of years ago (in 2017) I stepped up to help bring src:ntp back
in shape because I needed it for work. All uploads since that time have
been made by me. An RFH bug had been open the whole time and just
recently got the first message for five years, which made me remember my plan.

Back then cleaning up the official ntp.org package in Debian was without alternatives, because ntpsec was not born yet and chrony did not have
any traction in the Debian world (as far as I could tell).

However, development for ntp.org is slow, upstream still using BitKeeper
is cumbersome, and even the testsuite needs to be fixes on some
architectures for new releases. Both ntpsec and chrony are (from my POV)
the better alternatives now. To a point where I would rather use chrony
for new deployments, but I'm shying away from not using my own work
anymore for the lack of real-life testing.

I could just step down as a maintainer/uploader and have the ntp
packaging bitrot, but this would be a large disservice to our users
(unless someone else continues to maintain it). I think another option
would be to migrate to one of the alternatives for Bookworm.

ntpsec and ntp should be largely configuration compatible, so even a
takeover of the binary package names might be practical.

What do you think?

Sounds good to me.

Without your useful email I wouldn't even have been aware of the
situation, so your email has already the useful effect of me planing
migrating to ntpsec.

Thank you!
*t

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Jan 17, 2022 at 05:01:10PM +0100, Bernhard Schmidt wrote:

I could just step down as a maintainer/uploader and have the ntp packaging bitrot, but this would be a large disservice to our users (unless someone else continues to maintain it). I think another option would be to migrate
to one of the alternatives for Bookworm.

The cloud team has been installing chrony by default in the images we
generate since stretch and it's been a good experience for us. I'd be
happy to see it become the default distro-wide.

noah


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE65xaF5r2LDCTz+zyV68+Bn2yWDMFAmHlvpUACgkQV68+Bn2y WDPPhQ//dF8HsvEr6Wu5mev4kaMDj24PFvu2acWXmNMiR3MKrI+pT8UoHG2d8W3k aazKoL+qXq/iW1NDtroT9SYL16M8twxgx6e78EKiqrfnCNbioNIohOshi9NhB17A QAYoLjx9Ovwy4AGuIgNJEbMUMBMZpsbLSsU+Pjshpxjo1ZsUBpFVhLH3a5KPclJU gM5c30qxmfqbt3P9/CnKtBsfr5JLMvXn7S3Zwm7RIi6Tk8MfU+0mNXyHDjeir6Oz gnxxK8yILC+4kO0vBFlP+Uue19jXM/OYOz/DTBt7emo48geuB/bGr3vYQ8nVDuky Wf6lWJL1iMOZGYLKHIhLRHwVJm4SwDoOJcFrBUC+F2VpPoIlMxUU19GfxmijtyAO InfSZMIMz94uCIfhSK+7buYmD9fmiyhthp2kO5k/ZDrs4Jp8rfGOAIZWszRowsW+ VFOSzU07WBtpSNXh1CiroD45pOr0rh265M+euRbNFGY3LQW+CpeuU0h4UkhEebxf uUX49p+PCy/u/esgFnBhDsTDDfGrSSXwP2z6ohs+hazGezcoNPuU1D6n3ncQKhL+ lyTZ9kB7yLbaTgZqMgcnE78Eb+QnmeTlWOv0TgO63bmSiBUo5LPqiiihMaM6Der8 ahv5A4hddwSejlpEGyNN8iSZwweB/YMaMC2+0dfjzM/NZ8z5S74=
=7eHh
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jan 17, Bernhard Schmidt <berni@debian.org> wrote:

What do you think?

chrony is MUCH better since Debian 10, I agree that it should be the
preferred NTP client for when systemd-timesyncd is not enough.
You can definitely spend your time on something more fun and more
useful.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCYeXN4AAKCRDLPsM64d7X gTaLAP9zsaqnYKjjqCV5HrS68QH0p8RBpafRVMqXQTD5VULESQD/ZD0MzLD67t9E wExCxTJ1OS/PcZGRUcD+hyNQzUzvrgo=
=ShAj
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 1/17/22 21:13, Marco d'Itri wrote:

On Jan 17, Bernhard Schmidt <berni@debian.org> wrote:

What do you think?

chrony is MUCH better since Debian 10, I agree that it should be the preferred NTP client for when systemd-timesyncd is not enough.
You can definitely spend your time on something more fun and more
useful.

+1

"chronyc tracking" r0x! :)

Thomas Goirand (zigo)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Bernhard Schmidt wrote on 17/01/2022:

ntpsec and ntp should be largely configuration compatible, so even a
takeover of the binary package names might be practical.

I played a bit with ntpsec some time ago, I remember being very pleased
with it, and I think it can very well replace ntp in Bookworm. The
incompatible changes [1] are not blockers IMHO, provided that they're documented.

I'd prefer making ntp a dummy package depending on ntpsec rather than
having src:ntpsec takeover bin:ntp. A dummy package will allow us to
easily switch back to ntp from ntp.org if needed, and to document the incompatible changes in NEWS.Debian.

Paride

[1] https://docs.ntpsec.org/latest/ntpsec.html#incompatible

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Bernhard Schmidt <berni@debian.org> wrote:

However, development for ntp.org is slow, upstream still using BitKeeper
is cumbersome, and even the testsuite needs to be fixes on some
architectures for new releases. Both ntpsec and chrony are (from my POV)
the better alternatives now. To a point where I would rather use chrony
for new deployments, but I'm shying away from not using my own work
anymore for the lack of real-life testing.

Agreed, I think we should simply remove src:ntp at this point. Fedora
migrated existing installs to ntpsec it seems: (https://fedoraproject.org/wiki/Changes/NtpReplacement

Cheers,
Moritz

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------5geCkookPLzvf4RMSFTAOG2G
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

QW0gMTguMDEuMjIgdW0gMTk6NDQgc2NocmllYiBNb3JpdHogTcO8aGxlbmhvZmY6DQo+IEJl cm5oYXJkIFNjaG1pZHQgPGJlcm5pQGRlYmlhbi5vcmc+IHdyb3RlOg0KPj4gSG93ZXZlciwg ZGV2ZWxvcG1lbnQgZm9yIG50cC5vcmcgaXMgc2xvdywgdXBzdHJlYW0gc3RpbGwgdXNpbmcg Qml0S2VlcGVyDQo+PiBpcyBjdW1iZXJzb21lLCBhbmQgZXZlbiB0aGUgdGVzdHN1aXRlIG5l ZWRzIHRvIGJlIGZpeGVzIG9uIHNvbWUNCj4+IGFyY2hpdGVjdHVyZXMgZm9yIG5ldyByZWxl YXNlcy4gQm90aCBudHBzZWMgYW5kIGNocm9ueSBhcmUgKGZyb20gbXkgUE9WKQ0KPj4gdGhl IGJldHRlciBhbHRlcm5hdGl2ZXMgbm93LiBUbyBhIHBvaW50IHdoZXJlIEkgd291bGQgcmF0 aGVyIHVzZSBjaHJvbnkNCj4+IGZvciBuZXcgZGVwbG95bWVudHMsIGJ1dCBJJ20gc2h5aW5n IGF3YXkgZnJvbSBub3QgdXNpbmcgbXkgb3duIHdvcmsNCj4+IGFueW1vcmUgZm9yIHRoZSBs YWNrIG9mIHJlYWwtbGlmZSB0ZXN0aW5nLg0KPiANCj4gQWdyZWVkLCBJIHRoaW5rIHdlIHNo b3VsZCBzaW1wbHkgcmVtb3ZlIHNyYzpudHAgYXQgdGhpcyBwb2ludC4gRmVkb3JhDQo+IG1p Z3JhdGVkIGV4aXN0aW5nIGluc3RhbGxzIHRvIG50cHNlYyBpdCBzZWVtczoNCj4gKGh0dHBz Oi8vZmVkb3JhcHJvamVjdC5vcmcvd2lraS9DaGFuZ2VzL050cFJlcGxhY2VtZW50DQoNCkkg dGhpbmsgRmVkb3JhIHByZWZlcnMgY2hyb255IGluc3RlYWQgb2YgbnRwc2VjLg0KDQpGd2l3 LCBJJ20gd2l0aCBNYXJjbyBoZXJlOiBJZiBzeXN0ZW1kLXRpbWVzeW5jZCAoYSBzaW1wbGUg U05UUCBjbGllbnQgDQp3aGljaCBpcyBlbmFibGVkIGJ5IGRlZmF1bHQpIGRvZXNuJ3QgZml0 IHlvdXIgbmVlZHMsIGNocm9ueSBpcyBhIGdyZWF0IA0KYWx0ZXJuYXRpdmUuDQoNCklmICJu dHAiIHRoZSBiaW5hcnkgcGFja2FnZSB3b3VsZCBiZWNvbWUgYSB0cmFuc2l0aW9uYWwgcGFj a2FnZSB0aGF0IA0KaW5zdGFsbHMgY2hyb255LCB0aGF0J2QgYmUgZmluZSB3aXRoIG1lIGlm IHRoYXQgZWFzZXMgdGhlIHRyYW5zaXRpb24uDQoNCkknZCBhbHNvIGJlIG9rIGlmIHNyYzpu dHAgd291bGQganVzdCBiZSBkcm9wcGVkIGFuZCB3ZSBkb2N1bWVudCB0aGF0IGluIA0Kb3Vy IHJlbGVhc2Ugbm90ZXMgYWNjb3JkaW5nbHkuDQoNCg==

--------------5geCkookPLzvf4RMSFTAOG2G--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmHnJ/EFAwAAAAAACgkQauHfDWCPItzK sw//VvlJZ40jpdoUZVIAUQyVeDQzRbl7tyeVXm7dRhEa9GsD/yzl+j/zf5/GdexfrIfKkMrxpKTK gS0Fn2lNmycYIPWdCYM0DBKGEVckVMzdxbq0bmqPmLigJa63RRRmezzknpH3aOKvmdXMIowAfj7P iCyfqn7AyLbmScUMGdU2S35MbMnqxhNZGB8OOFFKcnNG21spgKITq83B0DtUjCT6MuGUqnMwbhiX SRg6pzi9RiMa942x41T0EbCdL/85PHFN46wZDMAkdWvdoVjRYOGxwqJw4mJTaz+0W/EtJ4L3vJ2s b0BottHqe9hG/qd/rF6t6LNPxFUdByX6V56Vw+qQMkRBx3I4ur/j0OamKMDAs9Ukq9lYHAZHBqmD eg4Yo64XIC6DaApMae6qIbhoEKCfJSgq/oCZA6YnDYsQnoT6F6AwjPpO09Wyb9+FBnSX/7Zn0ms5 1rINoXu72XnkImibYZKMem0jzehHekW9UsSF5CpDaC2Zh3D5Bo3LOy90hCAd/83Q+t+vhV3FK2BZ LKxfW4MVspQ4Zbv8896MU5H9C5zo/+RJIkT6Tili5JTw2h8h0NcJXWXDiyjmeLkSXk0zNnW+xLzF VP/y8Lu9K1BL4rYvdcllT/ToeIj0TH0ljVOud8lBstqrtwV4X2156iNsYh825DXL7mWuryXNn000 ZVs=
=J/fz
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jan 18, Michael Biebl <biebl@debian.org> wrote:

I think Fedora prefers chrony instead of ntpsec.

Fedora even uses btrfs, so who cares. :-)
The interesting point is that RHEL switched to chrony for RHEL 7.

Also, I want to add that chrony is not just better as a client, but also
as a NTP server. https://engineering.fb.com/2020/03/18/production-engineering/ntp-service/ offers quite some insights.

If "ntp" the binary package would become a transitional package that
installs chrony, that'd be fine with me if that eases the transition.

I am not sure that this would be practical since they cannot share the
same configuration.
I have no objections if somebody wants to work on packaging ntpsec, but
I do not think that either ntp or ntpsec should be promoted over chrony nowadays.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCYec8TgAKCRDLPsM64d7X gcSHAP9UVbX+ZNPMpj2u9JmiMK+N+yMsddb5oFwDQ/+4qF3MwAEAusFDpTk6ZUR7 QMHUkT8j35bShW9gYQ5SLwBY0P0M/Aw=
=Ofjp
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Marco d'Itri wrote on 18/01/2022:

On Jan 18, Michael Biebl <biebl@debian.org> wrote:

If "ntp" the binary package would become a transitional package that
installs chrony, that'd be fine with me if that eases the transition.

I am not sure that this would be practical since they cannot share the
same configuration.
I have no objections if somebody wants to work on packaging ntpsec, but
I do not think that either ntp or ntpsec should be promoted over chrony nowadays.

But ntpsec is already packaged and actively maintained, which is why I
propose making ntp a transitional package installing ntpsec.

After all bin:ntp has always been a specific NTP implementation, I think
it's OK if it's replaced by an almost compatible fork, less OK if a
completely different implementation is brought in instead. Dropping ntp altogether will certainly surprise some users.

Paride

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --jjzqenSNF3o0QKM1jOvTGloIOdQlfPB2r
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

[I'm the Debian ntpsec maintainer.]

On 1/18/22 11:21 AM, Paride Legovini wrote:

I'd prefer making ntp a dummy package depending on ntpsec rather than
having src:ntpsec takeover bin:ntp.

If I understand correctly, you're suggesting src:ntp builds bin:ntp that
is a dummy package which depends on ntpsec?

Another option would be to have src:ntpsec build the bin:ntp dummy
package and remove src:ntp entirely.

Either seems fine to me. I don't have a strong preference. I can
implement whatever is necessary on the ntpsec side.

And for either option, probably likewise ntp-doc -> ntpsec-doc, ntpdate

ntpsec-ntpdate, and if I broke out ntpdig as suggested in bug

#1003966, sntp -> ntpsec-ntpdig.

There are some differences. For example, ntp stores its configuration
file at /etc/ntp.conf while ntpsec uses /etc/ntpsec/ntp.conf. [1] But bin:ntpsec's postinst already handles that transition.

On 1/18/22 5:03 PM, Paride Legovini wrote:

bin:ntp has always been a specific NTP implementation, I think
it's OK if it's replaced by an almost compatible fork, less OK if a completely different implementation is brought in instead.

I'm biased here, but I agree. I think it makes the most sense to
transition existing ntp installs to ntpsec, not chrony, as ntpsec is a
drop-in replacement with a shared code history. This is my position even
if we think that chrony should be the default for new installs. On that
topic, I think the current default of systemd-timesyncd is fine.

[1] When I was first packaging ntpsec, I was going to have it share as
many paths, service names, etc. with ntp (as upstream NTPsec does). But
this lead to issues with certain tooling (e.g. around init scripts) and ultimately I decided it was better to use a different namespace. This
does mean that Debian ntpsec is patched and diverges a bit from upstream NTPsec.

--
Richard


--jjzqenSNF3o0QKM1jOvTGloIOdQlfPB2r--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmHngz8ACgkQ+HlhmcBF hs5Aug/9E2r6x09zKXbp3yIfKi4V/9OaNAlMQCYuA4I4jsdwE2h6cR1Z2HD3jfPK JEkcNMPLXnou5pW2YQGR3T1/r3Up8PEyoqYMdVpUdP+gpxFZEHj2OuxWFli3VgUz HzWQcmo+EdWdHmioYt8OnU6yBorfTn51a3apGCUzx24Di9hEgCbKrps0s5gnD/+K 49p20kGcEHwsWvpZWSjDqzoZXn7i/HOvM3HzTgyQ2YgbFEXZYwSNBoEGQ+YHwaT2 SnQBPkPoe7JuzfYJ9UK8i6fYirkYqTgqMuPoupk2QUlfHAI21m29vsn9Yh0Fk2s9 F3P30CPSubumvPCrwOY9AaIu/TjVdm24udgGbOzUG5nOkW918GMctjk354BQ2SVf ZEcGLUU3olq5qJJtNE3YTR0jBniQ8ZvEvEEM7/iZP4o3jNirmxeml8HhZtaGYvVc yjvtyAtkR8wpKoFWpJnBR//YAdH36IOi1VblhsgAKaDg/MXbKrLqcdOIGVKZ2f2J PgHhLEaO4L1c3Ai4nZElLSZ8iWV3YzE1S4VIwpMcrOuQgppfYZAobCQ1AqHZLdkz Gex+BtJvJWF9RASHJxI4FRIktWzqWLqHNLFbErZi+Y1ysUo8bk2EuJbQMnnHdTg7 bZSaVyrPYuF9i/lqmYfEUvDCpW95xFpYuxbRoEKe9u4SqJXCmCs=
=1PTl
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Am Di, Jan 18, 2022 at 23:16:46 +0100 schrieb Marco d'Itri:

I have no objections if somebody wants to work on packaging ntpsec, but
I do not think that either ntp or ntpsec should be promoted over chrony >nowadays.

Besides from the fact that ntpsec is already packaged: Does chrony
support NTS? If no, it should be clear which package should be promoted
over the other.

Stephan

--
| If your life was a horse, you'd have to shoot it. |

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Richard Laager wrote on 19/01/2022:

On 1/18/22 11:21 AM, Paride Legovini wrote:

I'd prefer making ntp a dummy package depending on ntpsec rather than having src:ntpsec takeover bin:ntp.

If I understand correctly, you're suggesting src:ntp builds bin:ntp that
is a dummy package which depends on ntpsec?

That's what I had in mind, but the other option:

Another option would be to have src:ntpsec build the bin:ntp dummy
package and remove src:ntp entirely.

also looks sensible to me after all. No strong opinion.

Paride

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, 18 Jan 2022 21:49:53 +0100, Michael Biebl <biebl@debian.org>
wrote:

Fwiw, I'm with Marco here: If systemd-timesyncd (a simple SNTP client
which is enabled by default) doesn't fit your needs, chrony is a great >alternative.

The Beef I have with chrony is that they just implemented the parts of
the protocol that they wanted to. Most notably, ntp request packet
type 6 is missing, making it impossible to remotely monitor a chrony
server with the Monitoring Plugin check_ntp_peer. Who knows which
crucial parts of the protocol they didn't bother to implement either?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------1S5200dWLllS8ExLAojf8hZi
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

QW0gMTkuMDEuMjIgdW0gMTM6MDcgc2NocmllYiBNYXJjIEhhYmVyOg0KPiBPbiBUdWUsIDE4 IEphbiAyMDIyIDIxOjQ5OjUzICswMTAwLCBNaWNoYWVsIEJpZWJsIDxiaWVibEBkZWJpYW4u b3JnPg0KPiB3cm90ZToNCj4+IEZ3aXcsIEknbSB3aXRoIE1hcmNvIGhlcmU6IElmIHN5c3Rl bWQtdGltZXN5bmNkIChhIHNpbXBsZSBTTlRQIGNsaWVudA0KPj4gd2hpY2ggaXMgZW5hYmxl ZCBieSBkZWZhdWx0KSBkb2Vzbid0IGZpdCB5b3VyIG5lZWRzLCBjaHJvbnkgaXMgYSBncmVh dA0KPj4gYWx0ZXJuYXRpdmUuDQo+IA0KPiBUaGUgQmVlZiBJIGhhdmUgd2l0aCBjaHJvbnkg aXMgdGhhdCB0aGV5IGp1c3QgaW1wbGVtZW50ZWQgdGhlIHBhcnRzIG9mDQo+IHRoZSBwcm90 b2NvbCB0aGF0IHRoZXkgd2FudGVkIHRvLiBNb3N0IG5vdGFibHksIG50cCByZXF1ZXN0IHBh Y2tldA0KPiB0eXBlIDYgaXMgbWlzc2luZywgbWFraW5nIGl0IGltcG9zc2libGUgdG8gcmVt b3RlbHkgbW9uaXRvciBhIGNocm9ueQ0KPiBzZXJ2ZXIgd2l0aCB0aGUgTW9uaXRvcmluZyBQ bHVnaW4gY2hlY2tfbnRwX3BlZXIuIFdobyBrbm93cyB3aGljaA0KPiBjcnVjaWFsIHBhcnRz IG9mIHRoZSBwcm90b2NvbCB0aGV5IGRpZG4ndCBib3RoZXIgdG8gaW1wbGVtZW50IGVpdGhl cj8NCg0KaHR0cHM6Ly9sd24ubmV0L0FydGljbGVzLzczNTIxMS8NCg0KV291bGQgYmUgaW50 ZXJlc3RpbmcgdG8gc2VlIGlmIG50cHNlYyBoYXMgaW1wcm92ZWQgc2lnbmlmaWNhbnRseSBz aW5jZSANCnRoZW4uIEF0IGxlYXN0IGJhY2sgdGhlbiwgY2hyb255IHdhcyB0aGUgY2xlYXIg d2lubmVyIChhbHNvIGJ5IG5vdCANCnN1cHBvcnRpbmcgc29tZSAobGVnYWN5KSBjcnVmdCku DQoNClJlZ2FyZHMsDQpNaWNoYWVsDQo=

--------------1S5200dWLllS8ExLAojf8hZi--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmHoAXUFAwAAAAAACgkQauHfDWCPItzq VA/9HoyXUpXM84IcRYDCaAjUxPOcX9Ua15WFUZ6BpZdDRpv3Z9krAIa9ZDWKvf/MiK+3kAuE7Ve+ 5oc9qGtCbyKyUvMRG0DBjD+xf0kf4YKgsd8wCN7H0EpZ6nDwlZp6BJpwlsmHqZ4f8hVInSSFOu3c o6gwCU/lL0PPbn6mR8gsqzPF5t5RYmbuw7NZhuTqysOcwkZqjOi2dt0bT0JYhcWEjesfDhBCLCbx FDjMD38YQMmTiF08zkwZ4iUlzALtOWo2QfByLiRPqIAmZsrnSg4fTCgWnKgzVhN9wdl5qMF7Y/9I JxGHXBR+Yy/rsRfK/EAAdedkQXhNqyRqJy2+XRpQqUs6MxjE++wIWqkKRkrw6AGsAAWwW5FLevfR lIqm6A7PvKacXhDTKDrD3bm7QGFstWVx1X25yRPCfcpiXtSVBvLLXBh1EWgIKYF/+i1jXBK4mO06 ZKQvVfJ/Bfmc1PHR5D44ol4qmrPLA/ZdSGjLP7sDldxRPRGPj6YN95D9WqPiJPhlAcmgec2S+tyM nQmsH+v00CPvmDF5E18+CdEHvOQm14pLDh+YiqSu3zZH2RChJLtLrSvhXyVvk0dbe4aqJzSe7VaI Hpn5kyen6+2aNvjOZQe9TktdFBEJLmmciqN0IyDlaWDwL2RgctSoCbEimqc6EJEGljHinMruWWpQ IO0=
=qd8V
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

However, development for ntp.org is slow, upstream still using BitKeeper
is cumbersome, and even the testsuite needs to be fixes on some
architectures for new releases. Both ntpsec and chrony are (from my POV)
the better alternatives now. To a point where I would rather use chrony
for new deployments, but I'm shying away from not using my own work
anymore for the lack of real-life testing.

I could just step down as a maintainer/uploader and have the ntp
packaging bitrot, but this would be a large disservice to our users
(unless someone else continues to maintain it). I think another option
would be to migrate to one of the alternatives for Bookworm.

This has sparked even less controversy than I feared, so let's use the momentum.

AFAICT other than systemd-timesyncd being installed by default we don't
have a "default" NTP daemon in Debian. There are a few that depend on at
least one implementation (on my Bullseye workstation)

Package: bwctl-server
Depends: ntp

Package: lava
Depends: ntp | ntpdate | chrony

Package: openstack-cloud-services
Depends: ntp

Package: openstack-compute-node
Depends: ntp

Package: progress-linux-host
Depends: ntp

Package: freeipa-server
Depends: chrony

Package: ceph-base
Recommends: chrony | time-daemon | ntp

Package: radioclk
Recommends: ntp (>= 1:4.2.2+dfsg-1) | ntpsec | chrony

Package: debci
Recommends: ntp | time-daemon

Package: openafs-fileserver
Recommends: ntp | time-daemon

Package: slony1-2-bin
Recommends: ntp | time-daemon

So we should most probably decide on a "default" and have all of them
changed to $newdefault | time-daemon


As default both ntpsec and chrony are challengers. Both support NTS.
Both appear to be active upstream and in Debian. Chrony has a higher
popcon (possibly due to things like the default installation in the
cloud images) and is default in Fedora/RHEL land. Feedback on this list
also seems to favour chrony. My personal preference would be slightly
towards chrony as well.

And then there is the migration from src:ntp. I think only ntpsec would
be an option here, which should be 99% compatible with the existing configuration file. ntpsec even takes over the old ntp configuration
when it replaces ntp already. I guess the conffile prompt would be fine
during a dist-upgrade.

For the actual migration, src:ntp currently builds 4 binary packages

ntp
ntp-doc
ntpdate
sntp

ntp-doc could be an easy transitional package

sntp could depend on on the ntpdig package from #1003966, but it would
probably need to carry a compatibility symlink

ntpdate and ntp could be transitional packages on the ntpsec
counterparts as well, but since ntpsec/ntpsec-ntpdate has
Conflicts/Replaces on the src:ntp binary packages it needs coordination.

For this reason building the transitional binaries from src:ntpsec would probably be easier.

Bernhard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Am Mi, Jan 19, 2022 at 13:34:13 -0600 schrieb Richard Laager:

For people that want something more than systemd-timesyncd, e.g. to get
NTS, I think either are acceptable choices. It seems that the consensus

Well, most people will use the default NTP server of the package and
don’t have a NTP server in their network.

And since Debian is trying to be as secure as possible, the default NTP
server should be ntpsec with as much activated NTS entries as possible.

Stephan

--
| If your life was a horse, you'd have to shoot it. |

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --o04GTyyc9dSSzlsmhjp0djYueIagdhlxv
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 1/19/22 9:49 AM, Bernhard Schmidt wrote:

AFAICT other than systemd-timesyncd being installed by default we don't
have a "default" NTP daemon in Debian.

I'm not sure how much more "default" it can be than installed by
default. So I'd say we do have a default: systemd-timesyncd.

So we should most probably decide on a "default" and have all of them changed to $newdefault | time-daemon

+1, except that my position is we already have that answer:
systemd-timesyncd | time-daemon

As default both ntpsec and chrony are challengers.

For people that want something more than systemd-timesyncd, e.g. to get
NTS, I think either are acceptable choices. It seems that the consensus
for new installs is towards chrony over ntpsec. But I don't think we as
the distro need to push either over systemd-timesyncd. For people who
don't care, systemd-timesyncd should be fine.

Do you disagree on that point (that systemd-timesyncd is fine for people
who don't care about NTP)? If so, can you elaborate?

And then there is the migration from src:ntp. I think only ntpsec would
be an option here

Agreed (as I stated already; just agreeing here again).

sntp could depend on on the ntpdig package from #1003966, but it would probably need to carry a compatibility symlink

Good point.

ntpdate and ntp could be transitional packages on the ntpsec
counterparts as well, but since ntpsec/ntpsec-ntpdate has
Conflicts/Replaces on the src:ntp binary packages it needs coordination.

For this reason building the transitional binaries from src:ntpsec would probably be easier.

Sure.

How do we feel about this process then:

1. I split out ntpdig, as suggested in #1003966. This is presumably
ntpsec-ntpdig for consistency with the rest being ntpsec-*.
Maybe upload this at this step, to start the NEW process.
2. I create transitional binary packages in src:ntpsec:
ntp -> ntpsec
ntp-doc -> ntpsec-doc
ntpdate -> ntpsec-ntpdate
sntp -> ntpsec-ntpdig
with an sntp -> ntpdig symlink
3. Get a review from you (Bernhard) if you're willing?
4. Upload.
5. Then Bernhard requests ftpmasters remove src:ntp. Is that how
that works?

Can be done in any order:
N. Mass bug filing on that list of packages, that they should use:
Depends: systemd-timesyncd | time-daemon
If we're going to promote chrony instead, then I think we need some
more discussion and there would be more work, as it seems we should
then replace systemd-timesyncd with chrony in default installs too.

--
Richard


--o04GTyyc9dSSzlsmhjp0djYueIagdhlxv--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmHoZ7UACgkQ+HlhmcBF hs6bZw//RblshXjA7ltRk6YT5KgwYbfDpWCm/brjDe7X0CKCv6kFfaw0sNDesscD EjGOIDYM7qRXnzgxH16k+44BnsQuzp8XsxcDUeDuKEaWiCjCNm/4kD3/Qt7HJyr1 x1i4DORUL+nL1ObqTrSW/c5bchZB9PPEtPZJ0M4pN7MGexLpXQ6MUBVP7R8lYM2z T5/QjrRcdCsGYx4QsKRIPugVL/dhc/jvpJbAI9+16/B8P7a7dQWCToR3wON/B4tI 91UgX2S/uUL0A5H4PeyxGh1bZtZkNjX6EJa6PGuwtQ6XF5SzQQ1m9Py2GIz/PhID IeIgV522w3fgacL/5wE0Vss6zQDeFvZtcxBCR0AyJgO43gg2NKgIB+ao2jeQX5sl DoZp1fgLNoaO85SD7OQ8VMoBZhGsgLhM120nuFJ2WbM7+c7sgYvhKm586VWeuw45 9eearOING3fXa/NcrPVdmv1BHgQ1YgX1xR92WLbNSK4VC8HJeWtCwX/dygDh18zY 6RlgKXEGC8hV/xUDtjqYuFraOZSR770UVDWifRkez4HmmKbRyL6xEI1+q1ZNGQUs lvM6BGJ/rN0Df0vvxZRepX2SwQtLSA2Iog24rLM5xbQt0ehxIusblKKhxfMTqbSh pXBQ8WoSMcLHb4624g3R+z2uTdRm2ZbBMxYynNXvhiB+Nj/sTq0=
=nNEm
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 19.01.22 20:34, Richard Laager wrote:

Hi Richard,

+1, except that my position is we already have that answer:
systemd-timesyncd | time-daemon

As default both ntpsec and chrony are challengers.

For people that want something more than systemd-timesyncd, e.g. to get
NTS, I think either are acceptable choices. It seems that the consensus
for new installs is towards chrony over ntpsec. But I don't think we as
the distro need to push either over systemd-timesyncd. For people who
don't care, systemd-timesyncd should be fine.

Do you disagree on that point (that systemd-timesyncd is fine for people
who don't care about NTP)? If so, can you elaborate?

I tend to agree in principle. systemd-timesyncd should be enough for
most use cases. I think we can nowadays assume that most, if not all,
systems do have some clock sync mechanism in place, either through the
default installation of systemd-timesyncd together with systemd, or
through manual installation. So the question is why those packages do
set an explicit dependency on ntp or another time sync daemon in the
first place. Is it obsolete because you could not expect a continously
synced clocked at all in the past or does it need some property of a full-fledged NTP daemon?

So the "MBF" would be to check the packages and, for most cases, drop
these dependencies or change them to "systemd-timesyncd | time-daemon".

Sure.

How do we feel about this process then:

1. I split out ntpdig, as suggested in #1003966. This is presumably
   ntpsec-ntpdig for consistency with the rest being ntpsec-*.
   Maybe upload this at this step, to start the NEW process.
2. I create transitional binary packages in src:ntpsec:
   ntp -> ntpsec
   ntp-doc -> ntpsec-doc
   ntpdate -> ntpsec-ntpdate
   sntp -> ntpsec-ntpdig
     with an sntp -> ntpdig symlink
3. Get a review from you (Bernhard) if you're willing?
4. Upload.
5. Then Bernhard requests ftpmasters remove src:ntp. Is that how
   that works?

Sounds good, I'd like to have a few more reviewers though. ntp is aged,
but according to popcon the transition could affect ~25% of the Debian installations.

Bernhard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* Richard Laager <rlaager@debian.org> [220119 14:34]:

On 1/19/22 9:49 AM, Bernhard Schmidt wrote:

AFAICT other than systemd-timesyncd being installed by default we don't have a "default" NTP daemon in Debian.

I'm not sure how much more "default" it can be than installed by default. So I'd say we do have a default: systemd-timesyncd.

So we should most probably decide on a "default" and have all of them changed to $newdefault | time-daemon

+1, except that my position is we already have that answer:
systemd-timesyncd | time-daemon

This is only appropriate if the package doesn't care which time daemon
is installed. If the package depends on ntp because it uses one of the provided binaries in a script, replacing the dependency as you suggest
would be inappropriate. A number of the packages mentioned by Bernhard
depend specifically on ntp, so the reason for that must be determined
for each individual package.

...Marvin

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 19.01.22 20:44, Stephan Seitz wrote:

Am Mi, Jan 19, 2022 at 13:34:13 -0600 schrieb Richard Laager:

For people that want something more than systemd-timesyncd, e.g. to
get NTS, I think either are acceptable choices. It seems that the
consensus

Well, most people will use the default NTP server of the package and
don’t have a NTP server in their network.

And since Debian is trying to be as secure as possible, the default NTP server should be ntpsec with as much activated NTS entries as possible.

I agree we should have a look at this (either ntpsec or chrony, both do
NTS), but I think this should be done completely independently of the ntp.org->ntpsec migration.

I can think of two problems with running NTS enabled by default (I have checked neither problem against any documentation, so it might be a
non-issue)

- AFAIK there is no pool.ntp.org (or similar) service only containing
NTS enabled timesources yet. I don't know how it would work either,
since you need to verify the peer with a standard X.509 certificate and
you don't know the expected CN from a DNS RR

- Since NTS leverages X.509, how does it work with a broken clock on
boot that is ticking outside of the certificate validity period?

Bernhard

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --phCVkGeHJZH3oaSeb9ubfVaDzoRO09VVZ
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 1/19/22 3:13 PM, Bernhard Schmidt wrote:

I agree we should have a look at this (either ntpsec or chrony, both do NTS), but I think this should be done completely independently of the ntp.org->ntpsec migration.

+1 that promoting NTS is orthogonal.

If the bigger problems below are solved, it's also theoretically
possible to add NTS support to systemd-timesyncd.

- AFAIK there is no pool.ntp.org (or similar) service only containing
NTS enabled timesources yet.

This is the most serious problem. As the world stands right now, we'd
have to do something like use CloudFlare's NTS service (and only them).

I don't know how it would work either,
since you need to verify the peer with a standard X.509 certificate and
you don't know the expected CN from a DNS RR

NTS does referrals, so it is theoretically possible for the NTS server
to hand you off to a pool of NTP servers, with which it is coordinating
keys. AFAIK, nobody has implemented this yet, outside of maybe
CloudFlare's internal thing (but I don't recall off the top of my head).

- Since NTS leverages X.509, how does it work with a broken clock on
boot that is ticking outside of the certificate validity period?

This is a concern too. I did some brainstorming about this on the NTPsec
list a couple years ago, but neither I nor anybody else has implemented
this (nor do I have plans to do so myself): https://lists.ntpsec.org/pipermail/devel/2019-February/007576.html

--
Richard


--phCVkGeHJZH3oaSeb9ubfVaDzoRO09VVZ--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmHokDcACgkQ+HlhmcBF hs7dORAAiEemvVd6exdX7Wuw2JP7EhgEK6zpWRUHCt+0iHGKPML9JkJWnJmWSLme z1xtJX07YXMNMK6k6D9V4zmqYveZYLouFKNSAjmTZG0WpYg4J9X3OLcd9HmQtpkE Ob8qydEcjXAvqAHdRCTEm1hUxr+AnMcst7ylq8wym3CKTmgumnlxNQ6ZYcJhrADn 1qBY0De9ZqqYWn+fkhcHD/mzkwYlYXCGzi2C3W0FI3bSeH3pKSOiU1MpZl+hiGr0 iBfAJ7ZzY9U04tmO4izEN5yN3DnUqua0hSjyC3Nt8m2qnUos9S7VXnbUljHh7OtZ SUbLTaHK1ZmqqTwJ91+nFLDKLz5PMpONrPYQSVwm1+PZEGts+IKahmLp2jqa0vAV uQFP+awJty5+Ui3dT1CFCde8DlB+q//iK0j9InegK6a5n+WMOiwvr8uLkE4/0ArX MNUJSMHC5u4oV504TySJSkt9mnkpoXmSd1mikDojB6JhFSNBmjdVgcwN9cN4Z4os 1dbtj0nptwq311lTzhhRl0XaDWi9nbkH/i/5JSpZYvhYbuVD4DftM2EmxypHoNYA cV7pJBs3JxZPHsykCST/N0TzeaZgTbHXt0/dEmhwQtkPntbUDlgnWR49s+HxxHLT Qo3s6RG2i3aIx8wqyLNWlW8Ae+dc8AGcndf+JDe1zy9t7Tqpzlc=
=fSwE
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jan 19, Paride Legovini <paride@debian.org> wrote:

That's what I had in mind, but the other option:

Another option would be to have src:ntpsec build the bin:ntp dummy
package and remove src:ntp entirely.

also looks sensible to me after all. No strong opinion.

I think that this would be better since they are close enough that
ntpsec can usually be a drop-in replacement.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCYeiQ4gAKCRDLPsM64d7X gY0EAQDZPLTeIltRiPyd0yXBxVHGRByj7fuo+bQk3nGmR9KergEAlXy3tR6BUif6 JydwKg0bb4WTf055ialp871i6agpjAU=
=HEuF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Bernhard Schmidt <berni@debian.org> writes:

- Since NTS leverages X.509, how does it work with a broken clock on
boot that is ticking outside of the certificate validity period?

I don't know how it is intended to work, but it seems pretty obvious
that NTS certificate validation must ignore the validity period.

If you have a validating DNS resolver with correct time, then you might
replace it with DANE validation (i.e if the certificate matches the
current DNS TLSA record then it is valid regardless of current
time). But I don't know if you can make that a requirement.



Bjørn

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 1/19/22 20:34, Richard Laager wrote:

For people that want something more than systemd-timesyncd, e.g. to get
NTS, I think either are acceptable choices. It seems that the consensus
for new installs is towards chrony over ntpsec. But I don't think we as
the distro need to push either over systemd-timesyncd. For people who
don't care, systemd-timesyncd should be fine.

Do you disagree on that point (that systemd-timesyncd is fine for people
who don't care about NTP)? If so, can you elaborate?

Well, could you elaborate why you didn't write "chrony is fine for
people who don't care"? I fail to understand why you're having a
preference on systemd-timesyncd...

Cheers,

Thomas Goirand (zigo)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

2022, ജനുവരി 19 5:27:28 PM IST, Paride Legovini <paride@debian.org>ൽ എഴുതി

Richard Laager wrote on 19/01/2022:

On 1/18/22 11:21 AM, Paride Legovini wrote:

I'd prefer making ntp a dummy package depending on ntpsec rather than
having src:ntpsec takeover bin:ntp.

If I understand correctly, you're suggesting src:ntp builds bin:ntp that
is a dummy package which depends on ntpsec?

That's what I had in mind, but the other option:

Another option would be to have src:ntpsec build the bin:ntp dummy
package and remove src:ntp entirely.

also looks sensible to me after all. No strong opinion.

Do we really need a dummy package for upgrades to work? Can't ntpsec binary package just add Provides: ntp (=$source:Version) ?

Paride

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 20 Jan 2022 at 20:09:18 +0530, Pirate Praveen wrote:

Do we really need a dummy package for upgrades to work?

Yes, we do need transitional packages.

Can't ntpsec binary package just add Provides: ntp (=$source:Version) ?

No, apt won't automatically replace a real package "ntp" with a package
that merely Provides: ntp during upgrades.

(One way to think about this is: how would that work? If more than one
package provided ntp, which one would be correct for apt to choose, and why?)

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --GPie7dpCEbD9poyLLaZajyQHoy3UKv6HP
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 1/20/22 8:04 AM, Thomas Goirand wrote:

On 1/19/22 20:34, Richard Laager wrote:

For people that want something more than systemd-timesyncd, e.g. to
get NTS, I think either are acceptable choices. It seems that the
consensus for new installs is towards chrony over ntpsec. But I don't
think we as the distro need to push either over systemd-timesyncd. For
people who don't care, systemd-timesyncd should be fine.

Do you disagree on that point (that systemd-timesyncd is fine for
people who don't care about NTP)? If so, can you elaborate?

Well, could you elaborate why you didn't write "chrony is fine for
people who don't care"?

Because that question is about changing the status quo, where systemd-timesyncd is the default.

I fail to understand why you're having a
preference on systemd-timesyncd...

Let me separate the two scenarios:

A) Imagine we had no NTP support by default and we are considering
adding NTP support to the default install.

B) systemd-timesyncd is currently the default and we are discussing
whether it should be changed.


In both scenarios, I assume that most users don't particularly care
about their NTP daemon. They don't generally interact with it. They just
want their clock to be "accurate enough". (And for people who don't
care, "accurate enough" is pretty wide. If you need extremely precise
time, you presumably know that and thus care about things like NTP or
even PTP.) This is no different than other system components: some
people have preferences (sometimes strong ones) about certain
components, but essentially nobody cares about every single one.

In scenario A, any of chrony, ntp, ntpsec, or systemd-timesyncd will
achieve the desired objective of having an accurate enough clock by
default. So we would consider other things, for example:

One might say ntpsec > ntp, because ntpsec comes from the same history
(so has the same advantages) plus the codebase has been cleaned up
(which has security and maintainability advantages). Also, the ntp
maintainer wants to discontinue maintaining it.

One might say that chrony > {ntp, ntpsec, systemd-timesyncd?} because
chrony is more accurate. FWIW, I can't personally weigh in on that
argument, as I haven't researched it well enough myself.

One might say that systemd-timesyncd > {chrony, ntp, ntpsec} because
it's part of systemd, which we're already using by default.

One might say that {chrony, ntpsec} > systemd-timesyncd because they
support NTS. Of course, there are problems with configuring NTS by
default, as I mentioned.

These, and potentially other factors, would need to be weighed.
Different individuals might come to different conclusions.


In scenario B, it's the same calculation, PLUS we need to overcome the
inertia of the current default. The new default must be sufficiently
better to be worth the change.


Personally, my take is:

It's not practical to deploy NTS by default right now. If we had
multiple operators of geo-diverse, high-capacity, non-smeared (or
consistently smeared and a consensus that this was desirable by default)
NTS servers, that'd be different. So NTS is not currently a
consideration for the default.

systemd-timesyncd is good enough for people who don't particular care
about their NTP daemon. For people that do care, they are free to
install software of their choice, be that chrony or ntpsec.

--
Richard


--GPie7dpCEbD9poyLLaZajyQHoy3UKv6HP--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmHp1kgACgkQ+HlhmcBF hs5U4xAAvL97x+0GnkZn+mgIdl2/jSZtu3isH6rD216LO2bbVkr/QgAduEOikwn4 xI5eOulATc5hB9wSWA5xcuNEbENuwKFwR617OTSFuHrGwDGF5jsGM2fwDMY0uzFM 51CpfD4Zy+RAlwakoaJ+jjjnDFRj1TETJQWcnnQ0HXQOg1IT3yiXmFyA4BLHQVbO FcDwN1izHb/XXe31FZzCojzuZ6BDUqRHsmFeuEtZo6R+xnXyMiU5+4PHCZfAU5II xrqx28p80y/GP5DeWOK+9jIoSfV/hLEQGVInzEcJdm5/Cvko/2ejIb9EyySZ9NCr LN0tjD+427/qp7N2zXwfTu2T7iXqkcHT98cwj/5ZA5KekbNfjxvC75L+ORBCfkD0 rMFt7Xa+j8VSCa36xpPZPMrSpLRWNqiOX2IsKVs33GToO/2bS0dykBUm13PnkhMP L2IXyFh0yQdGiiMHs/KnJWU02r6P2vk6BNwV4cVJf/5RbiaMIhmsvj5vqRykhM/8 kvIg5VtuFUClLplpvv6u8bVC0vkyN3c4TIUZoGbO4QBy+z9PNv591zrzEsiqm+t8 vX6YX+Mg7fP8jHdw3TG2qDh5b89AK9vYK886R5tR5Ep2z9M82Wjh96Ou8mURoMpK bOfjME6JIJZExdxBIKo4RlhyEF0P2JZ2Inf7Qrpggn78ebh+etU=
=8cj/
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------Z82LCFPqf2OOoVbtnghlT7X0
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

T24gMS8xOS8yMiAxNTowNCwgQmVybmhhcmQgU2NobWlkdCB3cm90ZToNCj4gT24gMTkuMDEu MjIgMjA6MzQsIFJpY2hhcmQgTGFhZ2VyIHdyb3RlOg0KPj4gMi4gSSBjcmVhdGUgdHJhbnNp dGlvbmFsIGJpbmFyeSBwYWNrYWdlcyBpbiBzcmM6bnRwc2VjOg0KDQpJIGdvdCB0byB0aGlu a2luZyBhYm91dCB0aGlzIG1vcmUuIFRoaXMgd29uJ3Qgd29yaywgYmVjYXVzZSBzcmM6bnRw IGlzIA0KMTo0LjIuOHAxNStkZnNnLTEgYW5kIHNyYzpudHBzZWMgaXMgMS4yLjErZGZzZzEt Mi4gSSB3b3VsZCBuZWVkIGFuIGVwb2NoIA0KKG9mIDIsIHNpbmNlIG50cCBhbHJlYWR5IGhh cyBhbiBlcG9jaCBvZiAxKSBvbiBudHBzZWMgaW4gb3JkZXIgZm9yIA0Kc3JjOm50cHNlYydz IHRyYW5zaXRpb25hbCBiaW46bnRwIHBhY2thZ2UgdG8gYmUgbmV3ZXIgdGhhbiBzcmM6bnRw J3MgDQpiaW46bnRwIHBhY2thZ2UuDQoNCkl0IG1pZ2h0IGJlIHRlY2huaWNhbGx5IHBvc3Np YmxlIHRvIGJ1aWxkIGEgYmluYXJ5IHBhY2thZ2Ugd2l0aCANCmRpZmZlcmVudCB2ZXJzaW9u aW5nLCBidXQgZXZlbiBpZiBpdCBpczogMSkgSSBkb24ndCBrbm93IGhvdywgYW5kIDIpIEkn bSANCm5vdCBzdXJlIHdoZXRoZXIgdGhhdCdzIGEgZ29vZCBpZGVhLCBlc3BlY2lhbGx5IGNv bXBhcmVkIHRvIHRoZSANCmFsdGVybmF0aXZlcy4NCg0KV2hhdCBkbyB5b3UgdGhpbmsgYWJv dXQgdGhlIG90aGVyIGFwcHJvYWNoIG9mIGhhdmluZyBzcmM6bnRwIGJ1aWxkIHRoZSANCnRy YW5zaXRpb25hbCBwYWNrYWdlcz8NCg0KSSB0aGluayB0aGF0IGxvb2tzIGxpa2UgdGhpczoN Cg0KMS4gSSBzcGxpdCBvdXQgbnRwZGlnLCBhcyBzdWdnZXN0ZWQgaW4gIzEwMDM5NjYuIFRo aXMgaXMgcHJlc3VtYWJseQ0KICAgIG50cHNlYy1udHBkaWcgZm9yIGNvbnNpc3RlbmN5IHdp dGggdGhlIHJlc3QgYmVpbmcgbnRwc2VjLSouDQoyLiBZb3UgKG9yIEkgYWRvcHQgYW5kKSBj cmVhdGUgdHJhbnNpdGlvbmFsIGJpbmFyeSBwYWNrYWdlcyBpbiBzcmM6bnRwLA0KICAgIGFz IDE6NC4yLjhwMTUrZGZzZy0yLCAxOjQuMi44cDE1K2Zha2UsIDE6NC4yLjhwMTUrdHJhbnNp dGlvbmFsLA0KICAgIDE6NC4yLjhwMTZ+dHJhbnNpdGlvbmFsLCBvciBzb21ldGhpbmcgZWxz ZSA+IDE6NC4yLjhwMTUrZGZzZy0xLCB3aXRoDQogICAgYW4gZW1wdHkgdXBzdHJlYW0gdGFy YmFsbDoNCiAgICAgIG50cCAtPiBudHBzZWMNCiAgICAgIG50cC1kb2MgLT4gbnRwc2VjLWRv Yw0KICAgICAgbnRwZGF0ZSAtPiBudHBzZWMtbnRwZGF0ZQ0KICAgICAgc250cCAtPiBudHBz ZWMtbnRwZGlnDQogICAgICAgIHdpdGggYW4gc250cCAtPiBudHBkaWcgc3ltbGluaw0KMy4g VXBsb2FkIHRoYXQgdG8gZXhwZXJpbWVudGFsLiBQZW9wbGUgcmV2aWV3Lg0KNC4gVXBsb2Fk IHRvIHVuc3RhYmxlLg0KNS4gQWZ0ZXIgYm9va3dvcm0gcmVsZWFzZXMsIHlvdSAob3IgSSwg aWYgSSBhZG9wdGVkIHNyYzpudHApIHJlcXVlc3QNCiAgICByZW1vdmFsIG9mIHNyYzpudHAu DQoNCi0tIA0KUmljaGFyZA0K

--------------Z82LCFPqf2OOoVbtnghlT7X0--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmHtxNEACgkQ+HlhmcBF hs7xVRAAvseBW6AwdIZy5LYQYIbQ/ASCBc7GA2XxVd/K/voXLcImSxb6QZC2uP6A +LE2ZqQa1T4KPKOLelbhWBQoXN/lX/zHw/TGspvYgklK/KJuxSzIj2SuREMEH273 xbRIy+oxcsf41ExvdM7ETtOMRj02xtnrE6aC4X0xGEIsNKXWUJu3SsfMMNSuPe75 69smU3/zvhS3hWdn3nbg7AnDUcublUjZEJ11HOoaRZ2cKXQ/fcETMe9RI5AR78d3 jsuqxMOJBjEi+LmcI6ebh3xGlwLYMzNEiBZ5HuB2ZvobdsQzA6QXRof8xq9gxqPq hVVYbXjnXkUUxiyzFXJNaNVKNIKHnqVdoIuis0hZdB0/Xemb4kBEHfdEcCZYKTd8 6v3wU0S4o0rqBljyvbHZZ6m6RTE76DB0nTKE5RPezWS2q/7g9jj/WB1FzB6LCBmj CNQW+RSqbrzTNi4YGQ9MOUjx67XsIOhjM74FRE7gNe7P/hMDUE3WqaBGf1cyQv4R /FT/iiWFNPyDVtYkWgG1q4iJxhzDGqCHRqsGgzVpofeRf6aL9re+qAHy65WeLQje WRW5V5gjIizr1915wazbyDresyCvfbcGzOxjBwrLwuj7s5nIM90NsueZ/F6XIA7W ZRdrcwkiNz1d5c/wGyIyWGB9bVF9gtSkJ4PAS4UjgCpwTrHXU9w=
=Q6eR
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Richard Laager wrote on 23/01/2022:

On 1/19/22 15:04, Bernhard Schmidt wrote:

On 19.01.22 20:34, Richard Laager wrote:

2. I create transitional binary packages in src:ntpsec:

I got to thinking about this more. This won't work, because src:ntp is 1:4.2.8p15+dfsg-1 and src:ntpsec is 1.2.1+dfsg1-2. I would need an epoch
(of 2, since ntp already has an epoch of 1) on ntpsec in order for src:ntpsec's transitional bin:ntp package to be newer than src:ntp's
bin:ntp package.

It might be technically possible to build a binary package with
different versioning, but even if it is: 1) I don't know how,

One way it can be done is by creating d/changelog files which are
specific to the binary package, e.g.

debian/ntp.changelog
debian/ntpdate.changelog (no idea if it can be a symlink)
...

with their own version, different from the one in debian/changelog.

Paride

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 23 Jan 2022 at 15:12:49 -0600, Richard Laager wrote:

2. I create transitional binary packages in src:ntpsec:

I got to thinking about this more. This won't work, because src:ntp is 1:4.2.8p15+dfsg-1 and src:ntpsec is 1.2.1+dfsg1-2. I would need an epoch (of 2, since ntp already has an epoch of 1) on ntpsec in order for src:ntpsec's transitional bin:ntp package to be newer than src:ntp's bin:ntp package.

It might be technically possible to build a binary package with different versioning

It is.

but even if it is: 1) I don't know how, and 2) I'm not sure
whether that's a good idea, especially compared to the alternatives.

1) something like this (untested) will give you ntpsec_1.2.1+dfsg1-2
and ntp_2:1.2.1+dfsg1-2 packages:

override_dh_gencontrol:
dh_gencontrol -pntp -- -v2:$(DEB_VERSION_UPSTREAM_REVISION)
dh_gencontrol --remaining-packages

2) If you are going to build ntp.deb from src:ntpsec, then I think this
is a lot better than adding an epoch to the whole source package (i.e. d/changelog) of src:ntpsec, because it can eventually go away (when the transitional package does).

I'm not sure whether building transitional packages from src:ntpsec with
this technique is better or worse than having a src:ntp that only builds transitional packages.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jan 23, Richard Laager <rlaager@debian.org> wrote:

It might be technically possible to build a binary package with different versioning, but even if it is: 1) I don't know how, and 2) I'm not sure whether that's a good idea, especially compared to the alternatives.

I did it long ago, I think for kmod taking over module-init-tools: you
just need to add an appropriate Version field to debian/control.

--
ciao,
Marco

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCYe3NRAAKCRDLPsM64d7X gSgmAQCOvQLZJqdOICsyX3FxY3L/6DrtfHMJaerVN6s9GK0JNAEA/8SzXF2EOXhK CJ+OjF54NSbM6bn15ZXiJvl8CcfYwQA=
=psND
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 2022-01-23 at 15:12:49 -0600, Richard Laager wrote:

On 1/19/22 15:04, Bernhard Schmidt wrote:

On 19.01.22 20:34, Richard Laager wrote:

2. I create transitional binary packages in src:ntpsec:

I got to thinking about this more. This won't work, because src:ntp is 1:4.2.8p15+dfsg-1 and src:ntpsec is 1.2.1+dfsg1-2. I would need an epoch (of 2, since ntp already has an epoch of 1) on ntpsec in order for src:ntpsec's transitional bin:ntp package to be newer than src:ntp's bin:ntp package.

Bumping the epoch to 2 here is completely gratuitous and can make a mess
for ntpsec *and* potentially ntp iff upstream got to be improved and we
wanted to reintroduce it in the future.

It might be technically possible to build a binary package with different versioning, but even if it is: 1) I don't know how, and 2) I'm not sure whether that's a good idea, especially compared to the alternatives.

Yes, this is the recommended method, that has been used in the past,
and which is mentioned in the dpkg FAQ. You can set arbitrary versions
via dpkg-gencontrol (or indirectly via dh_gencontrol).

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 2022-01-24 at 08:08:16 +0100, Guillem Jover wrote:

On Sun, 2022-01-23 at 15:12:49 -0600, Richard Laager wrote:

On 1/19/22 15:04, Bernhard Schmidt wrote:

On 19.01.22 20:34, Richard Laager wrote:

2. I create transitional binary packages in src:ntpsec:

I got to thinking about this more. This won't work, because src:ntp is 1:4.2.8p15+dfsg-1 and src:ntpsec is 1.2.1+dfsg1-2. I would need an epoch (of
2, since ntp already has an epoch of 1) on ntpsec in order for src:ntpsec's transitional bin:ntp package to be newer than src:ntp's bin:ntp package.

Bumping the epoch to 2 here is completely gratuitous and can make a mess
for ntpsec *and* potentially ntp iff upstream got to be improved and we wanted to reintroduce it in the future.

It might be technically possible to build a binary package with different versioning, but even if it is: 1) I don't know how, and 2) I'm not sure whether that's a good idea, especially compared to the alternatives.

Yes, this is the recommended method, that has been used in the past,
and which is mentioned in the dpkg FAQ. You can set arbitrary versions
via dpkg-gencontrol (or indirectly via dh_gencontrol).

To clarify, which seems I had included initially but removed while
editing. If generating the transition packages from ntpsec, then you
can set the binary versions, for example, to be something like:

«1:$(ntp_upstream_version)+$(ntpsec_binary_full_version)»

so you'd end up with something like:

1:4.2.8p15+dfsg+1.2.1+dfsg1-2
1:4.2.8p15+dfsg+1.2.1+dfsg1-3
1:4.2.8p15+dfsg+1.2.2+dfsg1-1
…

and while ugly, it serves its intended purpose quite well w/o messing
with epochs and potentially muddling any package's future.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------SKFvWuxXgzT0SHBAmiMyN210
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

SWYgeW91IHVzZSBudHAsIEkgd291bGQgYXBwcmVjaWF0ZSBpZiB5b3UgY291bGQgdGVzdCB0 aGUgdHJhbnNpdGlvbiB0byANCm50cHNlYy4gIG50cHNlYyAxLjIuMStkZnNnMS01IGhhcyBi ZWVuIHVwbG9hZGVkIHRvIGV4cGVyaW1lbnRhbCBhbmQgDQpjbGVhcmVkIHRoZSBORVcgcXVl dWUuDQoNCkJlcm5oYXJkIFNjaG1pZHQgc3VnZ2VzdGVkIGFuZCBJIHVzZWQgDQoxOjQuMi44 cDE1K2Rmc2ctMn4kKERFQl9WRVJTSU9OX1VQU1RSRUFNX1JFVklTSU9OKSBhcyB0aGUgdmVy c2lvbiBmb3IgDQp0aGUgdHJhbnNpdGlvbmFsIHBhY2thZ2VzLiBUaGUgZmlyc3QgcGFydCAo YmVmb3JlIHRoZSB+KSBpcyB0aGUgY3VycmVudCANCnNyYzpudHAgdmVyc2lvbiwgYnV0IHdp dGggdGhlIERlYmlhbiByZXZpc2lvbiBidW1wZWQgZnJvbSAxIHRvIDIuICBUaGlzIA0KYWxs b3dzIGZvciBwb3RlbnRpYWwgc2VjdXJpdHkgb3Igc3RhYmxlIGZpeCB1cGxvYWRzIHRvIGV4 aXN0aW5nIERlYmlhbiANCnJlbGVhc2VzLCBpZiBuZWVkZWQuDQoNCkJhcnJpbmcgYnVncywg SSBiZWxpZXZlIHRoZSBuZXh0IHN0ZXBzIGFyZToNCjEuIFVwbG9hZCB0byB1bnN0YWJsZS4N CjIuIFJlcXVlc3QgZnRwbWFzdGVyIHJlbW92YWwgb2Ygc3JjOm50cD8NCg0KLS0gDQpSaWNo YXJkDQo=

--------------SKFvWuxXgzT0SHBAmiMyN210--

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1Ot9lOeOTujs4H+U+HlhmcBFhs4FAmI6OeAACgkQ+HlhmcBF hs5dJxAAgRw6YRla+6mpHJN+vAI5milQOzo2tTFeAJhSuc+x970dsTcdQinTOBRW nxyVDr7gbFkqmH/K7O3/cmG47FPe6XiPA4FYjdE9psgB4erWpkDng53M2tVjri2d D3r+2Qdg2f52vysLObaeBFEC9uumMn+m0Qe1JYxRVUYhwe4AT9WMmVtZqTCxar6X 5KtNoop5BvgvhwNy2K3EA4SGlgOyq7cBnm2kVv+8lqXRi1RSnVjXQ/ict3TeGxTp xH73GtQi7M9f2BME/xV1u1illL/3+1MKtOKdPDTxcKnAplLA8LkovoYUT5hijwSU 1bnCdsTOR86EfC0RP6F7xsPUasEZcZGI43U1SYYtloQnbnLO0hhrHuLaXdAbbP5r Q0q5J5lyJthOls12Gp+krPQQHEN1X4+gDpBngSVfTNjkU3qS9tl1KJVAU8ycbsDa AlOeRtlLEXFeKq5nbmY4a+AoWXhqlTNjlDEphNGGJUTOUoR0LVqcAev+I3Est58P 9H0CYqOSjp/gPgrqiYRNpc0J7BQil1i3VUyPmcfphVu7O8Fg/uaC2ivrZk53ex4I WCAqkuqd13qt66WTZFPhnthNH0HQBGQ2oPhGrHS+wszYPeZGASSzPYbGAwcxHNso ZTzMzkImx9s5f6SnQ8PALudVp2vLNj5JvQLFHi3BB5fcYEHg0Nw=
=7hMu
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)