The OpenNTPD Portable project copies portions of the OpenBSD tree, along with relevant portions of the C library, to a Git repository. This makes it easier to follow all of the relevant changes to the upstream project in a single place: https://github.com/openntpd-portable/openntpd-openbsd The portable bits of the project are largely maintained out-of-tree, and their history is also available from Git. https://github.com/openntpd-portable/openntpd-portable OpenNTPD Portable Release Notes: 6.7p1 - New release based on OpenBSD 6.7 * ntpd now does constraint validation against 9.9.9.9 and 2620:fe::fe by default. * The ntpd daemon now gets and sets the clock in a secure way when booting even when a battery-backed clock is absent. * Improvements in DNS resolving and constraints checking, especially during startup. Unreliable NTP peers are removed from the pool and DNS resolving is repeated to add replacements. * Improved reliability and security of TLS constraint checking. * Improved logging of failure cases. * Prevent the case of multiple ntpds running at once by checking presence of the local control socket. * TLS certificates are now searched in TLS_CA_CERT_FILE. The libtls library, as shipped with LibreSSL 3.1.0 or later, is required to use the HTTPS constraint feature, though it is not required to use OpenNTPD. 6.2p3 - Bug fixes * Fixed build on OS X 6.2p2 - Bug fixes * Fixed support for 'query from' and clarified usage. 6.2p1 - New release based on OpenBSD 6.2 * Added option "query from " to ntpd.conf, to specify a local IP address for outgoing NTP queries. 6.1p1 - New release based on OpenBSD 6.1 * Quieted warnings about constraint connection retries. * Implemented fork+exec for ntpd child processes. * Added imsg inter-process reliability fixes. * Fixed memory leaks and reduced heap memory usage. * Numerous logging improvements and additions. * Added macOS 10.12 getentropy support. * Fixed arc4random blacklist use native implementations where possible. 6.0p1 - New release based on OpenBSD 6.0 * Fixed a link failure on older Linux distributions and a build failure on FreeBSD. * Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime. * Fixed HTTP Timestamp header parsing to use strptime in a more portable fashion. * Hardened TLS for ntpd constraints, enabling server name verification. Thanks to Luis M. Merino. 5.9p1 - New release based on OpenBSD 5.9 * When a single "constraint" is specified, try all returned addresses until one succeeds, rather than the first returned address. * Relaxed the constraint error margin to be proportional to the number of NTP peers, avoid constant reconnections when there is a bad NTP peer. * Removed disabled hotplug sensor support. * Added support for detecting crashes in constraint subprocesses. * Moved the execution of constraints from the ntp process to the parent process, allowing for better privilege separation since the ntp process can be further restricted. * Added pledge(2) support. * Updated to require LibreSSL 2.3.2 or greater. * Fixed high CPU usage when the network is down. * Fixed various memory leaks. * Switched to RMS for jitter calculations. * Unified logging functions with other OpenBSD base programs. OpenNTPD portable-specific changes: * Added support for syncing time with the Realtime Clock (RTC) on OSes that require it. * CFLAGS is no longer overridden by the build system. * FreeBSD RTABLE support is disabled * FreeBSD is no longer linked with -lmd to avoid hash function collisions, causing failures in constraint certificate loading. * Fixed crashes due to __progname being used before initialized. * Added Solaris 10 compatibility. * Added --disable-https-constraint build option for explicitly disabling constraint support. * Synced build system files with LibreSSL The libtls library, as shipped with LibreSSL 2.3.2 or later, is required to use the HTTPS constraint feature, though it is not required to use OpenNTPD. 5.7p4 - Bug fixes, HTTPS constraint support with LibreSSL * Added support for HTTPS constraints to validate NTP responses. See the man page and example config file for how to configure it. The initial announcement: http://marc.info/?l=openbsd-tech&m=142356166731390&w=2 is an explanation of the rationale and how the feature works. * Workaround an apparent bug in Solaris adjtime that cause the clock to report sync/unsync continuously. * Workaround an issue on systems with 32-bit time_t that causes an overflow if the system time is later than early 2036. The libtls library, as shipped with LibreSSL 2.1.4 or later, is required to use the HTTPS constraint feature, though it is not required to use OpenNTPD. 5.7p3 - Bug fixes * Fixed issue resolving hostnames when the network is initially unavailable. * Fixed process name logging on Linux and OS X. * Fixed adjfreq failures on Solaris due to uninitialized struct timex. * Support building on Linux musl libc. * Default privilege separation directory changed from /var/empty/ntp to /var/empty. Please ensure that if you are using the default from previous releases that the privsep directory is empty, owned by root, and has no write privileges for other users. 5.7p2 - Bug fixes, and new OS support * Switched the drift file from an unscaled frequency offset to ppm. The latter format is compatible with that of ntp.org. This allows easy switching between ntpd daemons * Fixed a memory leak in DNS lookups. * Added support for setting the process title on Linux and OS X. The different processes are now possible to tell apart by role in the process list. * Import NetBSD support. * Various bugfixes and refinements from the community. 5.7p1 - New release based on OpenBSD 5.7 * Support for a new build infrastructure based on the LibreSSL framework. Source code is integrated directly from the OpenBSD tree with few manual changes, easing maintenance. * Removed support for several OSes pending test reports and updated portability code. * Supports the Simple Network Time Protocol version 4 as described in RFC 5905 * Added route virtualization (rdomain) support. * Added ntpctl(8), which allows for querying ntpd(8) at runtime. * Finer-grained clock adjustment via adjfreq / ntp_adjtime where available. * Improved latency on heavily-loaded machines.