[LEAPSECS] My FOSDEM slides

Tue Mar 3 16:05:11 EST 2015

Joseph Gwinn wrote:
> Harlan,
>
> On Sun, 01 Mar 2015 20:35:20 +0000, Harlan Stenn wrote:
>> Joseph Gwinn writes:
>>> 1.  Slide titled "Known Bugs (2)": Has support for negative leap
>>> seconds been restored in NTP v4?  It wasn't clear.
>>
>> Not yet.  It's a tradeoff.
>>
>> We've never needed to delete a leapsecond and depending on who you ask
>> it will probably never happen.
>
> So long as UTC can do negative leaps, and the Earth is a wobbly clock,
> the possibility is always with us.

I absolutely agree. It would have been better to fix this (in case it 
didn't work) than to remove the code which supported negative leap seconds.

In the 7 year interval where no leap second was required/scheduled I 
heard several people saying we might have needed a negative leap second.

Fortunately we didn't, but I still think it's better to prepare for it, 
if possible than just ignore it and even remove existing support.

GPS can deal with it, even IEEE 1344 and C37.118 time codes can, but I'm 
not sure if WWVB can. Anyway, I know the German DCF-77 transmitter has 
no flag defined to announce a negative leap second, so there would be 
major problems if one had to be inserted.

>> If we add the code to handle it, we increase complexity, potentially add
>> in a (pretty small) abuse vector (a bad actor could find a way to tell
>> your system to delete a second), and make some small demands on the test
>> framework that we want to have.
>
> The abuse vector argument is pretty weak -- the attacker could just as
> well add a leap second.  In both cases, one is off by a second.  So, I
> would submit that it's support for leap seconds that provides the
> attack surface, and the area of that surface is not reduced by
> elimination of negative leap seconds.

Again, I strongly agree.

>> If we don't have it and we end up needing it, that causes different
>> problems.
>>
>> There is a parallel issue about folks who cannot or do not upgrade their
>> software.  Over 1100 issues were addressed between 4.2.6 and 4.2.8 and
>> people still think 4.2.6 should be "good enough" for them.
>
> Certainly in my world, changing software is a big deal, because one
> needs to rerun all the regression tests.  Changing NTP isn't as big a
> deal as changing the OS or the C++ compiler and/or libraries, but still
> people are wary.
>
>
>> We've probably fixed about 3000 issues since 4.2.0 and people still run
>> that.
>>
>> We don't have numbers for the number of bugs fixed between xntp3.5f,
>> xntp3-5.86.5, ntp-4.0, ntp-4.1.{0,1,2}, and ntp-4.2.0.
>>
>> These older releases are still running out there, too.
>
> And don't forget NTPv3 - bet lots of those still run.
>
> Once people get a system to work, they don't tend to go fixing things
> that ain't broke.

Yep.

Martin
-- 
Martin Burnicki

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki at meinberg.de
Phone: +49 (0)5281 9309-14
Fax: +49 (0)5281 9309-30

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung
Web: http://www.meinberg.de