|
|
The OpenNTPD Portable project copies portions of the OpenBSD tree, along
|
|
|
with relevant portions of the C library, to a Git repository. This makes it
|
|
|
easier to follow all of the relevant changes to the upstream project in a
|
|
|
single place:
|
|
|
|
|
|
https://github.com/openntpd-portable/openntpd-openbsd
|
|
|
|
|
|
The portable bits of the project are largely maintained out-of-tree, and their
|
|
|
history is also available from Git.
|
|
|
|
|
|
https://github.com/openntpd-portable/openntpd-portable
|
|
|
|
|
|
OpenNTPD Portable Release Notes:
|
|
|
|
|
|
6.7p1 - New release based on OpenBSD 6.7
|
|
|
|
|
|
* ntpd now does constraint validation against 9.9.9.9 and 2620:fe::fe by default.
|
|
|
|
|
|
* The ntpd daemon now gets and sets the clock in a secure way when booting
|
|
|
even when a battery-backed clock is absent.
|
|
|
|
|
|
* Improvements in DNS resolving and constraints checking, especially during
|
|
|
startup. Unreliable NTP peers are removed from the pool and DNS resolving
|
|
|
is repeated to add replacements.
|
|
|
|
|
|
* Improved reliability and security of TLS constraint checking.
|
|
|
|
|
|
* Improved logging of failure cases.
|
|
|
|
|
|
* Prevent the case of multiple ntpds running at once by checking presence
|
|
|
of the local control socket.
|
|
|
|
|
|
* TLS certificates are now searched in TLS_CA_CERT_FILE.
|
|
|
|
|
|
The libtls library, as shipped with LibreSSL 3.1.0 or later, is
|
|
|
required to use the HTTPS constraint feature, though it is not
|
|
|
required to use OpenNTPD.
|
|
|
|
|
|
6.2p3 - Bug fixes
|
|
|
|
|
|
* Fixed build on OS X
|
|
|
|
|
|
6.2p2 - Bug fixes
|
|
|
|
|
|
* Fixed support for 'query from' and clarified usage.
|
|
|
|
|
|
6.2p1 - New release based on OpenBSD 6.2
|
|
|
|
|
|
* Added option "query from <ip>" to ntpd.conf, to specify a local IP
|
|
|
address for outgoing NTP queries.
|
|
|
|
|
|
6.1p1 - New release based on OpenBSD 6.1
|
|
|
|
|
|
* Quieted warnings about constraint connection retries.
|
|
|
|
|
|
* Implemented fork+exec for ntpd child processes.
|
|
|
|
|
|
* Added imsg inter-process reliability fixes.
|
|
|
|
|
|
* Fixed memory leaks and reduced heap memory usage.
|
|
|
|
|
|
* Numerous logging improvements and additions.
|
|
|
|
|
|
* Added macOS 10.12 getentropy support.
|
|
|
|
|
|
* Fixed arc4random blacklist use native implementations where
|
|
|
possible.
|
|
|
|
|
|
6.0p1 - New release based on OpenBSD 6.0
|
|
|
|
|
|
* Fixed a link failure on older Linux distributions and a build
|
|
|
failure on FreeBSD.
|
|
|
|
|
|
* Set MOD_MAXERROR to avoid unsynced time status when using
|
|
|
ntp_adjtime.
|
|
|
|
|
|
* Fixed HTTP Timestamp header parsing to use strptime in a more
|
|
|
portable fashion.
|
|
|
|
|
|
* Hardened TLS for ntpd constraints, enabling server name
|
|
|
verification. Thanks to Luis M. Merino.
|
|
|
|
|
|
5.9p1 - New release based on OpenBSD 5.9
|
|
|
|
|
|
* When a single "constraint" is specified, try all returned addresses
|
|
|
until one succeeds, rather than the first returned address.
|
|
|
|
|
|
* Relaxed the constraint error margin to be proportional to the number
|
|
|
of NTP peers, avoid constant reconnections when there is a bad NTP
|
|
|
peer.
|
|
|
|
|
|
* Removed disabled hotplug sensor support.
|
|
|
|
|
|
* Added support for detecting crashes in constraint subprocesses.
|
|
|
|
|
|
* Moved the execution of constraints from the ntp process to the
|
|
|
parent process, allowing for better privilege separation since the
|
|
|
ntp process can be further restricted.
|
|
|
|
|
|
* Added pledge(2) support.
|
|
|
|
|
|
* Updated to require LibreSSL 2.3.2 or greater.
|
|
|
|
|
|
* Fixed high CPU usage when the network is down.
|
|
|
|
|
|
* Fixed various memory leaks.
|
|
|
|
|
|
* Switched to RMS for jitter calculations.
|
|
|
|
|
|
* Unified logging functions with other OpenBSD base programs.
|
|
|
|
|
|
OpenNTPD portable-specific changes:
|
|
|
|
|
|
* Added support for syncing time with the Realtime Clock (RTC) on OSes
|
|
|
that require it.
|
|
|
|
|
|
* CFLAGS is no longer overridden by the build system.
|
|
|
|
|
|
* FreeBSD RTABLE support is disabled
|
|
|
|
|
|
* FreeBSD is no longer linked with -lmd to avoid hash function
|
|
|
collisions, causing failures in constraint certificate loading.
|
|
|
|
|
|
* Fixed crashes due to __progname being used before initialized.
|
|
|
|
|
|
* Added Solaris 10 compatibility.
|
|
|
|
|
|
* Added --disable-https-constraint build option for explicitly
|
|
|
disabling constraint support.
|
|
|
|
|
|
* Synced build system files with LibreSSL
|
|
|
|
|
|
The libtls library, as shipped with LibreSSL 2.3.2 or later, is
|
|
|
required to use the HTTPS constraint feature, though it is not
|
|
|
required to use OpenNTPD.
|
|
|
|
|
|
5.7p4 - Bug fixes, HTTPS constraint support with LibreSSL
|
|
|
|
|
|
* Added support for HTTPS constraints to validate NTP responses.
|
|
|
See the man page and example config file for how to configure it.
|
|
|
The initial announcement:
|
|
|
http://marc.info/?l=openbsd-tech&m=142356166731390&w=2 is an
|
|
|
explanation of the rationale and how the feature works.
|
|
|
|
|
|
* Workaround an apparent bug in Solaris adjtime that cause the clock
|
|
|
to report sync/unsync continuously.
|
|
|
|
|
|
* Workaround an issue on systems with 32-bit time_t that causes an
|
|
|
overflow if the system time is later than early 2036.
|
|
|
|
|
|
The libtls library, as shipped with LibreSSL 2.1.4 or later, is
|
|
|
required to use the HTTPS constraint feature, though it is not
|
|
|
required to use OpenNTPD.
|
|
|
|
|
|
5.7p3 - Bug fixes
|
|
|
|
|
|
* Fixed issue resolving hostnames when the network is initially
|
|
|
unavailable.
|
|
|
|
|
|
* Fixed process name logging on Linux and OS X.
|
|
|
|
|
|
* Fixed adjfreq failures on Solaris due to uninitialized struct timex.
|
|
|
|
|
|
* Support building on Linux musl libc.
|
|
|
|
|
|
* Default privilege separation directory changed from /var/empty/ntp
|
|
|
to /var/empty. Please ensure that if you are using the default from
|
|
|
previous releases that the privsep directory is empty, owned by
|
|
|
root, and has no write privileges for other users.
|
|
|
|
|
|
5.7p2 - Bug fixes, and new OS support
|
|
|
|
|
|
* Switched the drift file from an unscaled frequency offset to ppm.
|
|
|
The latter format is compatible with that of ntp.org. This allows
|
|
|
easy switching between ntpd daemons
|
|
|
|
|
|
* Fixed a memory leak in DNS lookups.
|
|
|
|
|
|
* Added support for setting the process title on Linux and OS X.
|
|
|
The different processes are now possible to tell apart by role in
|
|
|
the process list.
|
|
|
|
|
|
* Import NetBSD support.
|
|
|
|
|
|
* Various bugfixes and refinements from the community.
|
|
|
|
|
|
5.7p1 - New release based on OpenBSD 5.7
|
|
|
|
|
|
* Support for a new build infrastructure based on the LibreSSL
|
|
|
framework. Source code is integrated directly from the OpenBSD tree
|
|
|
with few manual changes, easing maintenance.
|
|
|
|
|
|
* Removed support for several OSes pending test reports and updated
|
|
|
portability code.
|
|
|
|
|
|
* Supports the Simple Network Time Protocol version 4 as described in
|
|
|
RFC 5905
|
|
|
|
|
|
* Added route virtualization (rdomain) support.
|
|
|
|
|
|
* Added ntpctl(8), which allows for querying ntpd(8) at runtime.
|
|
|
|
|
|
* Finer-grained clock adjustment via adjfreq / ntp_adjtime where
|
|
|
available.
|
|
|
|
|
|
* Improved latency on heavily-loaded machines.
|