[LEAPSECS] A standard for leap second smearing

Steve Summit scs+ls at eskimo.com
Tue Sep 27 22:41:48 EDT 2016

Stephen Colebourne asked:
> 2) When to smear?
> Some smear up to midnight, some smear after midnight, some smear both
> sides. What are the arguments for/against each?

I have a personal preference for smearing up to midnight.
It just feels right to me that any shenanigans should be confined
to the day that the leap second is at the end of, and that on the
next day, everything is back to normal.

> 4) Anything else?

I think there are aspects of the implementation of any smearing
that are maybe being glossed over.  I think it's important to
distinguish pretty carefully between three distinct "clocks",
or views of time:
1. The time exchanged between machines by a protocol such as NTP.
2. The time kept by an OS kernel (which is typically based on
   oscillators that are disciplined by (1).)
3. The time returned to user-mode programs by system calls such
   as gettimeofday.

There seems to be a presumption in several comments in this
thread that (3) is necessarily identical to (2), but I think
that's a bad idea.  If the suggestion is to implement smearing
by temporarily messing with the actual kernel clock, I think
you pretty inevitably end up with a complicated and bug-prone
implementation.  Yet we should be striving for robust simplicity;
indeed one of the arguments for abandoning leap seconds entirely
is that the world seems to think that we computer geeks are
incapable of implementing them correctly.

Moreover, carelessly messing with the actual kernel clock could
mess up NTP's attempts to keep it disciplined.  (Indeed, as far
as I know, ntpd's hardwired assumption is that (2) is always
identical to (1), which tinkering with (2) would undermine.)

An alternative is to do the smearing purely mathematically,
between (2) and (3), notionally as times are being handed to
user mode by gettimeofday() and the like.  I don't believe it's
necessary to tinker with internal clock steps or frequencies.

By analogy, I presume (though I don't know for sure) that
Google's smear implementation is also a simple mathematical
operation, performed in user mode by a modified NTP server,
that's feeding smeared times to an isolated cluster of machines.
Within that cluster, (1) == (2) == (3), they're all pure Posix,
and there are no leap seconds.  Nowhere is there any explicit
adjustment of any clock steps or frequencies.

More information about the LEAPSECS mailing list