[tptacek]

I haven't accused anyone of the crime of fraud; fraud requires an active intent to acquire something of value through misrepresentation, and I'm happy to concede that forces other than intentional misrepresentation are at work here.

The premise of the ntpsec project was that ntpd was an unloved and mismanaged codebase that suffered, as a result, from security flaws. Raymond and his team would take over the code, in something similar to the manner the openssh project took over SSH, and eliminate security vulnerabilities. The project needed funding because ordinary developers wouldn't take on such a thankless task --- maintenance programming on a giant C codebase --- without compensation.

A reimplementation of NTP in a different language is not at all the same project --- as you can see from all the NTP projects that already exist in Go and Rust, for which nobody appears to be begging contributions. Not to mention the obvious fact that people don't run new implementations of NTP in Go or Rust because they can't, and so abandoning the ntpd codebase eliminates almost all of the purported value of the project to the Internet.

[wbl]

Most sites can switch from ntpd to something else. See for instance systemd timescynd which really doesn't have a reason to exist. And changing to chronyd was a very quick switch.

I think it is really inertia. Time synchronization goes unloved at a lot of places.

[tptacek]

I don't disagree! In particular, a ground-up Rust replacement for the 20% of ntpd that everyone relies on would do a lot of good and be deployable virtually everywhere ntpd is today (Raymond proposed a Go rewrite --- I strongly prefer Go to Rust, but Go has a garbage-collected runtime).

But that's besides the point. Pushing a hostile fork of a popular project, raising money for it, and then abandoning the codebase entirely for a rewrite takes a "special" kind of chutzpah.