Subject: buster-pu: package ntpsec/1.1.3+dfsg1-2+deb10u1

Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

This is my first time with the Debian proposed update process (though I have done my own Ubuntu SRU once), so please bear with me and let me know if I've done anything wrong.

The debdiff from the current version in Buster is attached. All of these fixes are in the version of ntpsec in Debian unstable.

This upload is to fix several things, most importantly the first two:

* Backport fix for slow DNS retries (Closes: 924192)

  The user described this pretty well, "What seems to be happening is that if DNS is not immediately available when ntpsec starts, it waits about 10 minutes before trying again. Ten minutes is too long."

  This is fixed by backporting an upstream commit which has made it into an upstream point release.

* Fix ntpdate -s (syslog) to fix the if-up hook (Closes: 931414)

  Here, the if-up hook script failed to work at all. It did not trigger the time to be synchronized. This was ultimately due to upstream's ntpdate wrapper, which was converting -s (for "log to syslog") to ntpdig -p. This is wrong, as ntpdig -p is for the number of samples and requires a parameter. The ntpdig man page says, "This version does not log to syslog. Pipe standard output and standard error to logger(1) if you want this behavior."

  This was fixed by me implementing the syslog (piping to logger) behavior in the ntpdate wrapper script. I submitted the patch upstream, it was accepted, has made it into an upstream point release, and I have pulled it into this backport update.

It may be controversial that I'm including fixes for bugs in man pages, including some without Debian bug numbers. The fixes below are trivial and only affect two (related) man pages. I likely would not have made a buster update for them alone, but since I'm making an update anyway, it seemed reasonable to me to include those fixes.

* ntpdate.8: Remove -p option (Closes: 926877)

  The ntpdate -p option (not to be confused with the above discussion of ntpdig -p) no longer exists. This bug is not that critical, but the fix is trivial and low risk (as it's just to a man page).

* ntpdate.8: Remove -e option

  No bug was filed for this, but this was discovered while fixing the other issue. The -e option is gone too. I removed it from the man pages. Again, this fix is trivial and low risk (just a man pages change).

* ntpdate.8: Remove duplicated -o option

  This was also discovered while reviewing the ntpdate man page. The -o option was listed twice. This is another trivial (single character removal, in this case) fix to the man pages.

* ntpdate.8: Remove inaccurate BUGS section

  The ntpdate man page has a BUGS section that says its "slew adjustment is actually 50% larger than the measured offset". This is completely wrong, which I verified with upstream. The NTPsec implementation of ntpdate is just a wrapper script around ntpdig, which does not have this behavior. This is fixed by removing the inaccurate information from the man page.

* Update ntpdate-debian.8 to match ntpdate.8

  The Debian packaging of NTPsec has an ntpdate-debian utility that is itself a wrapper around ntpdate. This approach is inherited from the Debian "ntp" package (upstream ntpsec is a fork of upstream ntp). The man pages were inconsistent. This fixes the ntpdate-debian man page by adding the missing -4 and -6 flags, strips some EOL whitespace, and updates the body text to match, including mentioning the server argument(s).

-- 
Richard

diff -Nru ntpsec-1.1.3+dfsg1/debian/changelog ntpsec-1.1.3+dfsg1/debian/changelog --- ntpsec-1.1.3+dfsg1/debian/changelog 2019-02-04 01:38:48.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/changelog 2019-10-04 00:21:09.000000000 -0500 @@ -1,3 +1,15 @@ +ntpsec (1.1.3+dfsg1-2+deb10u1) buster; urgency=medium + + * Backport fix for slow DNS retries (Closes: 924192) + * ntpdate.8: Remove duplicated -o option + * ntpdate.8: Remove -p option (Closes: 926877) + * ntpdate.8: Remove -e option + * ntpdate.8: Remove inaccurate BUGS section + * Update ntpdate-debian.8 to match ntpdate.8 + * Fix ntpdate -s (syslog) to fix the if-up hook (Closes: 931414) + + -- Richard Laager <rlaa...@wiktel.com> Fri, 04 Oct 2019 00:21:09 -0500 + ntpsec (1.1.3+dfsg1-2) unstable; urgency=medium * Suppress lintian warning diff -Nru ntpsec-1.1.3+dfsg1/debian/gbp.conf ntpsec-1.1.3+dfsg1/debian/gbp.conf --- ntpsec-1.1.3+dfsg1/debian/gbp.conf 2019-02-04 01:38:48.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/gbp.conf 2019-10-04 00:19:41.000000000 -0500 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = sid +debian-branch = buster [buildpackage] sign-tags = True diff -Nru ntpsec-1.1.3+dfsg1/debian/man/ntpdate.8 ntpsec-1.1.3+dfsg1/debian/man/ntpdate.8 --- ntpsec-1.1.3+dfsg1/debian/man/ntpdate.8 2019-02-04 01:38:48.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/man/ntpdate.8 2019-09-27 02:12:22.000000000 -0500 @@ -3,17 +3,13 @@ ntpdate \- set the date and time via NTP .SH SYNOPSIS .B ntpdate -.RB [\| \-46bBdoqsuv \|] +.RB [\| \-46bBdqsuv \|] .RB [\| \-a .IR key \|] -.RB [\| \-e -.IR authdelay \|] .RB [\| \-k .IR keyfile \|] .RB [\| \-o .IR version \|] -.RB [\| \-p -.IR samples \|] .RB [\| \-t .IR timeout \|] .I server 
@@ -91,13 +87,6 @@ but not adjust the local clock and using an unprivileged port. Information useful for general debugging will also be printed. .TP -.BI \-e \ authdelay -Specify the processing delay to perform an authentication -function as the value authdelay, in seconds and fraction (see -ntpd for details). This number is usually small enough to be -negligible for most purposes, though specifying a value may -improve timekeeping on very slow CPU's. -.TP .BI \-k \ keyfile Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys. This file should be in @@ -108,11 +97,6 @@ can be 1, 2, 3 or 4. The default is 4. This allows ntpdate to be used with older NTP versions. .TP -.BI \-p \ samples -Specify the number of samples to be acquired from each server -as the integer samples, with values from 1 to 8 inclusive. The -default is 4. -.TP .B \-q Query only \(en don't set the clock. .TP @@ -144,12 +128,6 @@ .TP .I /etc/ntp.keys \- encryption keys used by ntpdate. -.SH BUGS -The slew adjustment is actually 50% larger than the measured offset, -since this (it is argued) will tend to keep a badly drifting clock -more accurate. This is probably not a good idea and may cause a -troubling hunt for some values of the kernel variables tick and -tickadj. .SH AUTHOR David L. Mills (mi...@udel.edu) .br diff -Nru ntpsec-1.1.3+dfsg1/debian/man/ntpdate-debian.8 ntpsec-1.1.3+dfsg1/debian/man/ntpdate-debian.8 --- ntpsec-1.1.3+dfsg1/debian/man/ntpdate-debian.8 2019-02-04 01:38:48.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/man/ntpdate-debian.8 2019-09-27 02:12:22.000000000 -0500 
@@ -3,19 +3,17 @@ ntpdate-debian \- set the date and time via NTP .SH SYNOPSIS .B ntpdate-debian -.RB [\| \-bBdoqsuv \|] -.RB [\| \-a -.IR key \|] -.RB [\| \-e -.IR authdelay \|] -.RB [\| \-k +.RB [\| \-46bBdqsuv \|] +.RB [\| \-a +.IR key \|] +.RB [\| \-k .IR keyfile \|] .RB [\| \-o .IR version \|] -.RB [\| \-p -.IR samples \|] .RB [\| \-t .IR timeout \|] +.I server +.RB [\| ... \|] .SH DESCRIPTION .B ntpdate-debian is identical to @@ -24,5 +22,7 @@ .I /etc/default/ntpsec-ntpdate by default. .B ntpdate -sets the local date and time by polling Network Time -Protocol (NTP) servers. +sets the local date and time by polling the Network Time +Protocol (NTP) server(s) given as the +.I server +argument(s) to determine the correct time. diff -Nru ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-for-577-DNS-retry-sloth.patch ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-for-577-DNS-retry-sloth.patch --- ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-for-577-DNS-retry-sloth.patch 1969-12-31 18:00:00.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-for-577-DNS-retry-sloth.patch 2019-10-04 00:19:41.000000000 -0500 
@@ -0,0 +1,56 @@ +From bf3dfbe30ad16b4d345dfe9d6c6d842d9321355f Mon Sep 17 00:00:00 2001 +From: Hal Murray <mur...@shuksan.example.com> +Date: Sat, 16 Mar 2019 11:07:41 -0700 +Subject: [PATCH] Fix for #577, DNS retry sloth + +There is only one thread for DNS (and NTS-KE) work. If an attempt +was made while the thread was busy, it waited for the retry timer +rather than trying again as soon as the previous DNS work finished. +--- + ntpd/ntp_proto.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/ntpd/ntp_proto.c ++++ b/ntpd/ntp_proto.c +@@ -811,7 +811,11 @@ + if ((peer_associations <= 2 * sys_maxclock) && + (peer_associations < sys_maxclock || + sys_survivors < sys_minclock)) +- if (!dns_probe(peer)) return; ++ if (!dns_probe(peer)) { ++ /* DNS thread busy, try again soon */ ++ peer->nextdate = current_time; ++ return; ++ } + poll_update(peer, hpoll); + return; + } +@@ -819,7 +823,10 @@ + /* Does server need DNS lookup? */ + if (peer->cfg.flags & FLAG_DNS) { + peer->outdate = current_time; +- if (!dns_probe(peer)) return; ++ if (!dns_probe(peer)) { ++ peer->nextdate = current_time; ++ return; ++ } + poll_update(peer, hpoll); + return; + } +@@ -2419,8 +2426,15 @@ + hpoll = 8; + break; + case DNS_temp: ++ /* DNS not working yet. ?? ++ * Want to retry soon, ++ * but also want to avoid log clutter. ++ * Beware, Fedora 29 lies: ++ * What I expect to be temp (no Wifi) ++ * gets EAI_NONAME, Name or service not known ++ */ + txt = "temp"; +- hpoll += 1; ++ hpoll = 3; + break; + case DNS_error: + txt = "error"; diff -Nru ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-ntpdate-s-syslog.patch ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-ntpdate-s-syslog.patch --- ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-ntpdate-s-syslog.patch 1969-12-31 18:00:00.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/patches/0001-Fix-ntpdate-s-syslog.patch 2019-10-04 00:19:41.000000000 -0500 
@@ -0,0 +1,75 @@ +From 59070b9146de693cb36cdeab2a70be73cfb54bff Mon Sep 17 00:00:00 2001 +From: Richard Laager <rlaa...@wiktel.com> +Date: Thu, 8 Aug 2019 02:30:49 +0000 +Subject: [PATCH] Fix ntpdate -s (syslog) + +The ntpdate wrapper script was converting -s (for "log to syslog") to +ntpdig -p. This is wrong, as ntpdig -p is for the number of samples and +requires a parameter. The ntpdig man page says, "This version does not +log to syslog. Pipe standard output and standard error to logger(1) if +you want this behavior. + +Signed-off-by: Richard Laager <rlaa...@wiktel.com> +--- + attic/ntpdate | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/attic/ntpdate b/attic/ntpdate +index 0af352724..dd1137471 100755 +--- a/attic/ntpdate ++++ b/attic/ntpdate +@@ -28,7 +28,7 @@ + # -p N -q How many samples to take + # -q default -q query/report only, don't set clock + # (implies -u for ntpdate) +-# -s -p log to syslog (always enabled in ntpd) ++# -s log to syslog (always enabled in ntpd) + # -t N.N -t N.N request timeout + # -u default unpriv port + # -v verbose (ntpd is always more verbose than ntpdate) +@@ -43,7 +43,8 @@ + PASSTHROUGH="" + TIMEOUT="-t 1" + setclock=yes +-echo="" ++echo=no ++log=no + while getopts 46a:bBe:k:no:p:qst:uv opt + do + case $opt in +@@ -55,11 +56,11 @@ do + d) PASSTHROUGH="$PASSTHROUGH -d";; + e) echo "ntpdate: -e is no longer supported." >&2;; + k) PASSTHROUGH="$PASSTHROUGH -k $OPTARG";; +- n) echo=echo ;; # Echo generated command, don't execute ++ n) echo=yes;; # Echo generated command, don't execute + o) PASSTHROUGH="$PASSTHROUGH -o $OPTARG";; + p) echo "ntpdate: -p is no longer supported." 
>&2;; + q) setclock=no;; +- s) PASSTHROUGH="$PASSTHROUGH -p";; ++ s) log=yes;; + t) PASSTHROUGH="$PASSTHROUGH -t $OPTARG"; TIMEOUT="";; + u) ;; + v) ;; +@@ -72,7 +73,17 @@ then + ADJUST="-s -j" + fi + +-$echo ntpdig $ADJUST $TIMEOUT $PASSTHROUGH $* ++if [ "$echo" = yes ] ++then ++ echo ntpdig $ADJUST $TIMEOUT $PASSTHROUGH $* ++else ++ if [ "$log" = yes ] ++ then ++ ntpdig $ADJUST $TIMEOUT $PASSTHROUGH $* 2>&1 | logger -t ntpdate ++ else ++ ntpdig $ADJUST $TIMEOUT $PASSTHROUGH $* ++ fi ++fi + + #end + +-- +2.17.1 + diff -Nru ntpsec-1.1.3+dfsg1/debian/patches/series ntpsec-1.1.3+dfsg1/debian/patches/series --- ntpsec-1.1.3+dfsg1/debian/patches/series 2019-02-04 01:38:48.000000000 -0600 +++ ntpsec-1.1.3+dfsg1/debian/patches/series 2019-10-04 00:19:41.000000000 -0500 @@ -42,9 +42,10 @@ 0001-Use-.egg-info-for-the-Python-info-file.patch ## Fix a spelling error 0001-Fix-a-typo.2.patch - -# Forwarded +## Fix DNS timeouts +0001-Fix-for-577-DNS-retry-sloth.patch 0001-Add-Documentation-to-ntp-wait.service.patch +0001-Fix-ntpdate-s-syslog.patch # Forwarding not needed systemd-use-wrapper.patch
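
Review bot: In the DNS_temp case of the last ntpd/ntp_proto.c hunk (@@ -2419), `hpoll = 3` replaces `hpoll += 1`, so repeated temporary failures no longer back off at all, even though the new comment says log clutter should be avoided. Consider a bounded backoff (start at 3 and increment up to a small cap), or say in the comment why a fixed value is acceptable. The "??" and the Fedora 29 remark would also read better as a plain statement of the observed behaviour.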
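
Review bot: In the last attic/ntpdate hunk (@@ -72), the `log=yes` branch runs `ntpdig ... 2>&1 | logger -t ntpdate` as the final command, so the script's exit status becomes logger's and an ntpdig failure is no longer visible to whatever called ntpdate -s. Capture ntpdig's status before logging and exit with it. `$*` is also still unquoted in all three invocations, as it was before this change, so arguments containing whitespace are re-split; `"$@"` would avoid that.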
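
Review bot: In the debian/patches/series hunk, the blank line and the `# Forwarded` heading are removed, which leaves 0001-Add-Documentation-to-ntp-wait.service.patch and the new 0001-Fix-ntpdate-s-syslog.patch listed directly under the `## Fix DNS timeouts` comment. Keep the blank line and `# Forwarded` heading between the DNS backport and those two entries so each patch stays under the section that describes it.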