by KirinDave
2560 days ago
I deny support for NTPsec specifically because I think it's an idea whose time has passed and now soldiers on because of inertia rather than good sense. It's sort of a meme that any project ending in "sec" is vestigial. So no: they don't get my support. Why would they? Same with DNSsec. Useless project, please desist.

You can find it in the thread on his blog post titled (I am not making this up) "Thinking like a master programmer, redux".
Another fun fact: Cure53 audited ntpd and ntpsec concurrently, and found an instance where ntpsec rewrote a function and managed to regress out a patch for a security vulnerability, reintroducing it into their codebase. (By the way: overwhelmingly, with I think just one exception --- not counting the regression above --- the significant findings in that report applied uniformly to both ntpsec and ntpd).
Additional fun: until 2017, the ntpsec project apparently didn't even enable system/runtime mitigations like ASLR (according to the "Fix/Validation log" in the Mozilla SOS project).
Conclusion of that report: "While the NTPsec project emphasizes cleaning up its ancestors’ flaws, the difference regarding quality between the original code and the current implementation was not as great as anticipated."