Ubuntu
ntp package

[needs-packaging] The packages ntp and ntpsec are not equivalent

Bug #2039252 reported by Jonathan Ferguson
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
NTP
Confirmed
Undecided
auto-rlaager
ntp (Debian)
Confirmed
Undecided
Unassigned
ntp (Juju Charms Collection)
Confirmed
Undecided
Unassigned
ntp (Ubuntu)
Confirmed
Wishlist
Unassigned

Bug Description

I recently did an install of Ubuntu 23.04 and then configured ntp as I have been doing so for more than 8 years.
With previous versions of Debian and Ubuntu using the real ntp package, the details at https://wiki.ubuntu.com/JonathanFerguson/NTP?action=recall&rev=38 created the desired results.
I updated the details at https://wiki.ubuntu.com/JonathanFerguson/NTP with the new location of ntp.conf, after restarting I noticed that the resultant output was missing requisite details.

Compare the following and the lack of ".MCST." and ".ACST.":

Original ntp on Apollo-Lake-N3150
jonathan@Apollo-Lake-N3450:~$ lsb_release -rd
Description: Ubuntu 22.04.3 LTS
Release: 22.04
jonathan@Apollo-Lake-N3450:~$ ntpq -p
     remote refid st t when poll reach delay offset jitter
==============================================================================
 0.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000
 1.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000
 2.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000
 3.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000
 ntp.ubuntu.com .POOL. 16 p - 64 0 0.000 +0.000 0.000
 ntp.mcast.net .MCST. 16 M - 64 0 0.000 +0.000 0.000
 ff0e::101 .MCST. 16 M - 64 0 0.000 +0.000 0.000
 ntp.mcast.net .ACST. 16 a - 64 0 0.000 +0.000 0.000
 ff0e::101 .ACST. 16 a - 64 0 0.000 +0.000 0.000
*time.cloudflare 10.242.8.77 3 u 469 1024 367 234.691 -0.929 67.380
+2001-44b8-2100- 42.3.115.79 2 u 581 1024 377 487.209 +55.669 57.154
+2001-44b8-2100- 4.179.66.17 3 u 215 1024 377 489.637 +57.002 35.399
jonathan@Apollo-Lake-N3450:~$

NTPsec on Braswell-N3150
jonathan@Braswell-N3150:~$ lsb_release -rd
No LSB modules are available.
Description: Ubuntu 23.04
Release: 23.04
jonathan@Braswell-N3150:~$ ntpq -p
     remote refid st t when poll reach delay offset jitter
=======================================================================================================
 0.ubuntu.pool.ntp.org .POOL. 16 p - 256 0 0.0000 0.0000 0.0002
 1.ubuntu.pool.ntp.org .POOL. 16 p - 256 0 0.0000 0.0000 0.0002
 2.ubuntu.pool.ntp.org .POOL. 16 p - 256 0 0.0000 0.0000 0.0002
 3.ubuntu.pool.ntp.org .POOL. 16 p - 64 0 0.0000 0.0000 0.0002
+prod-ntp-5.ntp1.ps5.canonical.com 37.15.221.189 2 u 141 1024 367 383.4932 -19.6895 35.0534
*time.tfmcloud.au 203.35.83.242 2 u 325 1024 367 325.9317 -0.1496 43.0522
+any.time.nl 133.243.238.243 2 u 158 1024 373 300.7941 -20.8962 136.1422
+ntp2.its.waikato.ac.nz .GPS. 1 u 363 1024 377 356.5361 -18.2740 140.5984
+2001-44b8-2100-3f00-0000-0000-007b-0004 42.3.115.79 2 u 214 1024 367 490.3898 28.3416 2.7728
+tic.ntp.telstra.net 203.35.83.242 2 u 13 1024 367 566.0744 -14.1332 6.0377
+863xqmprtfqv69pv7nwc.ip6.superloop.au 192.168.1.1 2 u 79 1024 367 330.2658 -14.3483 16.2172
+gps-ads.10mrlp.juneks.com.au .PPS. 1 u 271 1024 367 443.4812 -71.8020 44.6332
+x.ns.gin.ntt.net 129.250.35.222 2 u 57 1024 367 22.4974 41.3055 6.0639
jonathan@Braswell-N3150:~$

This behaviour will affect the following:
Ubuntu 22.10, 23.04 and 23.10
Debian 12, 13 and 14

NTPsec have documented their reasoning for lacking support.
https://docs.ntpsec.org/latest/discover.html
https://docs.ntpsec.org/latest/ntpsec.html
https://docs.ntpsec.org/latest/assoc.html#broad
https://docs.ntpsec.org/latest/assoc.html#many

The issue remains that ntp and ntpsec are not capability equivalent.

I foresee two means of rectifying this predicament, if NTPsec is going to be the default implementation of NTP then ntpsec needs to implement all of the capabilities of ntp, or the easier alternative is that the real ntp https://www.ntp.org/downloads/ is packaged as ntp-classic for instances where its capabilities are required.

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: ntp 1:4.2.8p15+dfsg-2~1.2.2+dfsg1-1
ProcVersionSignature: Ubuntu 6.2.0-34.34-generic 6.2.16
Uname: Linux 6.2.0-34-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Fri Oct 13 18:13:27 2023
InstallationDate: Installed on 2023-09-15 (27 days ago)
InstallationMedia: Ubuntu-Unity 23.04 "Lunar Lobster" - Release amd64 (20230419)
PackageArchitecture: all
SourcePackage: ntpsec
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ntpsec.ntp.conf: [modified]
mtime.conffile..etc.ntpsec.ntp.conf: 2023-10-12T21:59:03.557719

See original description
Revision history for this message
Jonathan Ferguson (jonathan-ferguson) wrote :
Jonathan Ferguson (jonathan-ferguson)
description: updated
description: updated
affects: ntpsec (Debian) → ntp (Debian)
affects: ntpsec (Ubuntu) → ntp (Ubuntu)
Jonathan Ferguson (jonathan-ferguson)
tags: added: ntp
Revision history for this message
Richard Laager (rlaager) wrote :

You are correct that the multicast support has been removed in NTPsec. This was intentional:

https://docs.ntpsec.org/latest/ntpsec.html
"Broadcast- and multicast modes, which are impossible to secure, have been removed."

The Debian maintainers of the "ntp" package decided to stop maintaining it. Rather than orphaning it, they asked on debian-devel and the consensus was to drop it entirely in favor of "ntpsec" (which I was already maintaining in Debian).

It would be a pain, but if you wanted to pick up maintaining "ntp" in Debian again, that's theoretically possible. I wouldn't recommend it, and certainly not if the only missing thing is multicast support.

Instead, I recommend you configure all of your clients to speak unicast to your NTP server. This is more-or-less the same effect anyway. It gives you the option to then "upgrade" to NTS (Network Time Security), if you desire.

Changed in ntp (Debian):
status: New → Invalid
Changed in ntp (Ubuntu):
status: New → Invalid
Jonathan Ferguson (jonathan-ferguson)
Changed in ntp (Ubuntu):
status: Invalid → Confirmed
tags: added: needs-packaging
Changed in ntp (Debian):
status: Invalid → Confirmed
Revision history for this message
Brian Murray (brian-murray) wrote :

*** This is an automated message ***

This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.

summary: - The packages ntp and ntpsec are not equivalent
+ [needs-packaging] The packages ntp and ntpsec are not equivalent
Changed in ntp (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Jonathan Ferguson (jonathan-ferguson) wrote (last edit ):

I found the thread on the Debian Developers' Mailing List that Richard Laager (rlaager) mentioned. https://lists.debian.org/debian-devel/2022/01/msg00172.html

I read through all of the replies in the aforementioned thread.

There is this devastating nugget that is not expounded upon and is the same crux I am bringing to the Ubuntu community's attention:
"Sounds good, I'd like to have a few more reviewers though. ntp is aged, but according to popcon the transition could affect ~25% of the Debian installations." https://lists.debian.org/debian-devel/2022/01/msg00211.html

I believe that it is critical that Ubuntu makes available the most feature complete standards complying NTP daemon. https://www.rfc-editor.org/rfc/rfc5905

The present LTS, 22.04, has the original ntp package. To avert disaster for a substantial number of users, Ubuntu will need the original ntp package available when 24.04LTS is released.

Jonathan Ferguson (jonathan-ferguson)
Changed in ntp:
status: New → Confirmed
Revision history for this message
Jonathan Ferguson (jonathan-ferguson) wrote :

https://packages.ubuntu.com/noble/ntp
I now see that Noble has a package for ntp but it is a transitional package to ntpsec instead of the real ntp package. — This is an extremely dangerous situation for the Long Term Support release.

Revision history for this message
Jonathan Ferguson (jonathan-ferguson) wrote :

https://charmhub.io/ntp/configure

ntp_package | string

If set to "ntp" the ntp package will be installed and configured, or if set to "chrony" the chrony package will be installed and configured. If unspecified the appropriate package will be selected based on the operating system. Please note that the use of ntp on Ubuntu bionic or later is not recommended as it does not receive security updates.

affects: charms → ntp (Juju Charms Collection)
Changed in ntp (Juju Charms Collection):
status: New → Confirmed
Revision history for this message
Ulrich Weber (ulrich-weber-0) wrote :

Please note that its not always possible to switch to unicast.
We use multicast NTP to synchronize via a unidirectional fiber diode, which is one way only:
https://en.wikipedia.org/wiki/Unidirectional_network

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.