[tptacek]

As I understand it, NTPsec, a hostile fork of ntpd, is not a well-regarded project. Look at the "project accomplishments" page and see what they don't claim to have accomplished: the elimination, prior to publication, of any vulnerabilities in a msinstream/default ntpd configuration. They reorganized a bunch of code, swapped strcpy's (and strncpy's) with strlcpy, moved the project out of Bitkeeper (something that has nothing to do with security but is the first listed achievement on the site), and generally removed stuff nobody enables in ntpd.

Before it lost funding, Raymond was openly discussing rewriting the whole thing in Go, which sort of gives the lie to the idea that the project was operating in good faith.

[dfrage]

Accusing ESR and the rest of the NTPsec project of fraud is a very serious claim. Could you explain in more detail why contemplating rewriting of most or all of the project in Go as he was learning the language is such a definitive tell?

[tptacek]

I haven't accused anyone of the crime of fraud; fraud requires an active intent to acquire something of value through misrepresentation, and I'm happy to concede that forces other than intentional misrepresentation are at work here.

The premise of the ntpsec project was that ntpd was an unloved and mismanaged codebase that suffered, as a result, from security flaws. Raymond and his team would take over the code, in something similar to the manner the openssh project took over SSH, and eliminate security vulnerabilities. The project needed funding because ordinary developers wouldn't take on such a thankless task --- maintenance programming on a giant C codebase --- without compensation.

A reimplementation of NTP in a different language is not at all the same project --- as you can see from all the NTP projects that already exist in Go and Rust, for which nobody appears to be begging contributions. Not to mention the obvious fact that people don't run new implementations of NTP in Go or Rust because they can't, and so abandoning the ntpd codebase eliminates almost all of the purported value of the project to the Internet.

[wbl]

Most sites can switch from ntpd to something else. See for instance systemd timescynd which really doesn't have a reason to exist. And changing to chronyd was a very quick switch.

I think it is really inertia. Time synchronization goes unloved at a lot of places.

[tptacek]

I don't disagree! In particular, a ground-up Rust replacement for the 20% of ntpd that everyone relies on would do a lot of good and be deployable virtually everywhere ntpd is today (Raymond proposed a Go rewrite --- I strongly prefer Go to Rust, but Go has a garbage-collected runtime).

But that's besides the point. Pushing a hostile fork of a popular project, raising money for it, and then abandoning the codebase entirely for a rewrite takes a "special" kind of chutzpah.