NTP's Fate Hinges On 'Father Time' - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Life
News
3/11/2015
06:06 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

NTP's Fate Hinges On 'Father Time'

The Network Time Protocol provides a foundation to modern computing. So why does NTP's support hinge so much on the shaky finances of one 59-year-old developer?

(Image: Geralt via Pixabay)

(Image: Geralt via Pixabay)

The Release Before Christmas

Stenn told us his workload got a little heavier in October 2014, when Google security team member Chris Ries notified him that he had discovered a security risk in NTP. It was a buffer overflow in NTP autokey, the public key/private key authentication system used to verify downloaded code. Although no one was known to have used it yet, the vulnerability had the potential to let a hacker launch malicious code remotely through an NTP server.

Stenn said Google previously had made clear to him that it will publish vulnerabilities 90 days after notifying the party responsible for the code. Stenn felt the clock had started ticking, and he didn't ask for a waiver. He set to work, putting in 16 to 18 hours a day for 10 weeks to correct the defect and get a new release out before the 90 days were up. It would be upsetting to all NTP users to have a vulnerability aired with no fix in hand.

On Dec. 18, he posted news of the vulnerability on the support Web site, sent notices out on the NTP email list, and posted a fixed version of the code. For this effort, Stenn said he got a lot of feedback -- and not in a good way.

As best he can estimate, "I pissed off over a hundred thousand folks by announcing this fix" seven days before Christmas, he recalled. "Yow." People wanted more warning, and they accused him of favoritism and letting some people know about it sooner. It was tough, but also offered a deeper realization of the true position he was in.

One of Stenn's main pillars of support is the originator of NTP, Professor David Mills, "who knows more about NTP code than any other human being," said Stenn. In many cases, he checks with Mills before making changes to the code, in part because Mills has embedded comments in the code that should be checked with before the code is altered.

The core functionality of NTP is described as simple and straightforward. But Mills, in an interview with InformationWeek, said that other parts having to do with monitoring and control "are so complex that the whole thing falls apart if you change something."

Mills, 76, is long retired from teaching computer and electrical engineering at the University of Delaware, where he originated the first version of NTP. At this point, he is also blind and can't help Stenn review code. To Mills, NTP "was kind of a hobby" for many years, and Stenn got in early with good patches as he worked with NTP in his contract jobs, and did some of the thankless tasks like release manager. Asked if Stenn should get more support, Mills responded, "I didn't realize he was working on it full time."

"Dave never saw the need for the type of end-user support that we offer," said Stenn. "He has no patience to deal with people who need that sort of handholding."

Independent, outside contributors do still submit code to NTP, though they tend to focus on the single operating system version they like to work with. One expert, Poul-Henning Kamp, is working in Denmark "with great plans for a future implementation," said Stenn.

When it comes to fixing existing bugs and vulnerabilities, there's Stenn as the sole full-time code committer and a few volunteers he can coax into looking at specific problems.

Stenn clearly likes the work, though. He described himself as an introvert who loves resolving issues of time. At his home lab in Talent, he has four GPS receivers on the roof collecting the combined wisdom of 12 atomic clocks. When the question of taking vacations came up in our discussion, his wife Margaret, who's listening in in the background, issued a hearty laugh. Stenn said vacations are a trip to the movies a few times a year. "My wife thinks I'm insane," he said as an aside in a later email.

As Stenn looks to the future, he sees NTP undergoing further development, including possible coordination with PTP, so that NTP "could speak PTP" for those who need more precise time than NTP can deliver. Such a move will take lots of work, though, and Stenn says he'll need to cut back his hours drastically, and start consulting full time, unless the Linux Foundation and other donors support NTP's work.

"There is a need for support for the free public infrastructure," Stenn said. "But there's just no revenue stream around time right now. People scream if their clocks are off by a second. They say, "Yes, we need you, but we can't give you any money.'"

(Image: Geralt via Pixabay)

(Image: Geralt via Pixabay)

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
5 of 5
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 4   >   >>
ThomasW840
50%
50%
ThomasW840,
User Rank: Apprentice
3/16/2015 | 1:44:10 AM
Re: Yes, some contribute, some don't
So why don't all the FOSS distro vednros band together and start a FOSS foundation, and allow the distro installer to donate to suport critical base apps & systems (and optionally along with other groups and efforts)?  Even give them 501 tax status and writeoffs! You KNOW their donations would get a bump every April. :)

 

Tweeks
ThomasW840
50%
50%
ThomasW840,
User Rank: Apprentice
3/16/2015 | 1:41:34 AM
Why not centrlize critical app/protocol financial support at the distros?
Each GNU/Linux distro should have a post install "donate to FOSS" option that allows users of FOSS or Linux distros to donate to these critical, base apps and sysyems.  Very simple issue to solve here folks..

Tweeks
hstenn
IW Pick
100%
0%
hstenn,
User Rank: Apprentice
3/15/2015 | 11:12:08 PM
Re: Yes, some contribute, some don't
Thanks a bunch, Charlie!

Slight clarification: Network Time Foundation is not "my" non-profit, I'm just the founder and president. it's there for public benefit.

There are "donate" and "join" links at www.nwtime.org and we do also accept PayPal.  We're looking at some other "ways to send money".

The feedback and support we've already seen is heartwarming, and it will currently cover about 2 more weeks of my time.  We've also heard from a few companies that have said "we saw the article and we're looking to help, we'll be in touch soon."

Network Time Foundation has no anonymous institutional or governmental supporters.  If you don't see their name on our site, they're not supporting us directly.  The reason Linux Foundation is not there is they insisted on sending their money directly to me and PHK, instead of to NTF.  I can appreciate their reasons.  Having said that, if you are using software or equipment that uses network time and you don't see that company listed, please contact them and ask them to support us!  They will listen to you more than they'll listen to us...
hstenn
50%
50%
hstenn,
User Rank: Apprentice
3/15/2015 | 10:39:30 PM
Re: If UTC stands for Coordinated Universal Time, then why TAI?
In English, TAI is "International Atomic Time".  In French it's "Temps Atomique International".

 

In English, UTC is "Coordinated Universal Time", while in French it's "Temps Universel Coordonné".  This way the French and English speakers are equally unhappy with the acronym.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/15/2015 | 5:11:27 PM
If UTC stands for Coordinated Universal Time, then why TAI?
I have always wondered why Coordinated Universal Time is abbreviated UTC. There's a gem of an explanation below by Jeff_Logullo, who happens to be a pre-sales engineer for the Oracle's Public Sector Systems division. Can anyone confirm what he's saying? Jeff doesn't remember where he first heard the story.

Then, 2), can someone explain to me why TAI is used as the acronym for International Atomic Time? (Don't tell me it's the French, again--temps atomique international?)
curts88
50%
50%
curts88,
User Rank: Apprentice
3/15/2015 | 11:59:20 AM
Free PTP implementation for Windows?
Last time I checked (sometime in 2014) there were no free implementations of PTP for Windows. This situation probably needs to change if we expect PTP to gradually replace NTP. Maybe Microsoft should include PTP support in Windows 10?
Li Tan
50%
50%
Li Tan,
User Rank: Ninja
3/14/2015 | 7:04:49 AM
Re: Is there really a problem?
Such kind of important open source protocol deserves more attention - it's so important that everybody took it for granted. Then it's a real trouble if one day it stops working.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/13/2015 | 7:25:01 PM
Oops, Coverity is a hidden contributor
I've learned there are a few hidden contributors to NTP. For example, Stenn uses almost 100% open source code but I knew he liked to check his code against the Coverity's security and bug detecting software, a commercial service. So the first version of this story listed Coverity as a service he had to pay for from his slender resources. It turns out that Coverity contributes its service to NTP. Stenn has also used BitMover's BitKeeper, commercial software for source code management, which he likes better than open source git. "Because (CEO) Larry McVoy appreciates the NTP Project, they've freely given my entire team licenses to bk, and they've given us free enterprise-class service as well, for nearly '14 years' time,'" Stenn wrote in a follow-up message.
jeff_logullo
IW Pick
100%
0%
jeff_logullo,
User Rank: Apprentice
3/13/2015 | 6:53:30 PM
UTC = Coordinated Universal Time
Great article - thanks for shedding light on the issue, especially that of the unsung heroes of the internet and the open source community!

One small comment: the abbreviation "UTC" stands for "Coordinated Universal Time". You might wonder how that acronym makes sense... seems it should be "CUT" instead.

We English speakers call it Coordinated Universal Time -- which would make the acronym CUT.

French speakers, however, call it Temps Universel Cordonné -- which would result in TUC.

What to do? Compromise! Instead of CUT or TUC, the alternative UTC was chosen. It plays no favorites! Strange but true.

The wikipedia entry for Coordinated Universal Time has more details, including a reference to the IAU resolution in 1976 when this decision was made.
GIGABOB
50%
50%
GIGABOB,
User Rank: Strategist
3/13/2015 | 2:12:21 PM
Is there really a problem?
As a prior Oregon developer who needed a real job I appreciate Stenn's dilemma.  I am less concerned about shipping Stenn a few bucks than creating a better vehicle to support critical open source protocols like NTP. 

Stenn really needs help i nunderstanding how to monetize his efforts.  I suggest a microcent per millisecond.

At the end of the day do you see a lack of industry support for this activity or a vicious fight for gatekeeper rights?
<<   <   Page 2 / 4   >   >>
Slideshows
10 Ways to Transition Traditional IT Talent to Cloud Talent
Lisa Morgan, Freelance Writer,  11/23/2020
News
What Comes Next for the COVID-19 Computing Consortium
Joao-Pierre S. Ruth, Senior Writer,  11/24/2020
News
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Video
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Slideshows
Flash Poll