#2372 F33 Self-contained Change: Network Time Security
Closed: Accepted 3 years ago by ignatenkobrain. Opened 3 years ago by bcotton.

Support for the Network Time Security (NTS) authentication mechanism in the NTP client/server (chrony) and installer (anaconda).

+1, I'd like to see it depend on openssl rather than gnutls, but anyhow.

chrony is GPLv2 (possibly GPLv2+) which makes it incompatible with the OpenSSL license. GnuTLS is the license-compatible option here.


It is unclear for me, if we are adding support or changing the default behaviour.

In the change is says:

TBD: This change also makes the default configuration of the NTP client secure.

So when it is going to be decided and based on which data?

After 1 week, I count the vote as (+2,0,-0). Waiting for additional votes

Metadata Update from @bookwar:
- Issue tagged with: meeting

3 years ago

At FESCo meeting yesterday it was agreed that voting will be delayed until TBD items are resolved.

Adding my -1 to prevent approval by the minimum of votes

I was hoping FESCo would provide some guidance on the TBD item as there was no consensus reached on the devel list. Do we want NTS to be enabled by default? We need NTS-enabled servers. Currently the best option seems to be Cloudflare, but it's clear some people would be unhappy with that.

We discussed this during today's meeting, and reached consensus on this proposal:

Ask change owners to update the Change proposal to not enable NTS by default (+6, 1, -0)

@mlichvar @m4rtink it looks like chrony with NTS support is already in rawhide, but we don't want to enable NTS by default, particularly not if relying on Cloudflare.

Ok, thanks. The Change proposal was modified to not enable NTS by default.


(In the longer run, I think it would be reasonable to consider making this the default. But having it "bake" for a bit without being the default sounds like a good idea in any case.)

@ignatenkobrain, @dcantrell, @bookwar please vote again, since the proposal is significantly changed.

  • ACTION: ignatenkobrain to contact change owners and clarify anaconda
    part of the change. (ignatenkobrain, 15:10:14)
  • AGREED: APPROVED (+9, ±0, -0) (ignatenkobrain, 15:10:17)

@mlichvar, did anaconda people sign up for doing necessary anaconda changes? Is that deffered for later? Please modify change page accordingly if needed.

Metadata Update from @ignatenkobrain:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

3 years ago

No, the support in anaconda is still planned for F33. m4rtink (the other owner of the proposed change) is from the anaconda team.

Metadata Update from @bcotton:
- Issue untagged with: F33
- Issue set to the milestone: Fedora 33

3 years ago

Login to comment on this ticket.