Discussion:
"debian.pool.ntp.org" for Debian derivatives?
Philipp Hahn
2018-10-18 09:22:35 UTC
Permalink
Hello,

our business model is to we sell support for our own Debian based
distribution "Univention Corporate Server":
<https://wiki.debian.org/Derivatives/Census/UniventionCorporateServer>

I recently had a discussion about NTP and their pool concept per vendor:
<http://www.pool.ntp.org/en/vendors.html>, but one question remains:

Are we (as a Debian derivate) allowed to hard-code and use the
"debian.pool.ntp.org" or must we apply for our own pool?

This might be interesting for other derivatives as well.

Thanks for any answer
Philipp (AKA ***@debian.org)

PS: Paying that extra money to ntp.org would certainly not kill use, but
adding that money instead to our currently already existing support of
Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
Debian (downstream) users and developers.
--
Philipp Hahn
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str. 1
D-28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
***@univention.de

http://www.univention.de/
Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
Ian Jackson
2018-10-18 10:40:46 UTC
Permalink
Post by Philipp Hahn
Are we (as a Debian derivate) allowed to hard-code and use the
"debian.pool.ntp.org" or must we apply for our own pool?
The NTP pool folks would like you to use your own pool. So would
Debian, I'm pretty sure.
Post by Philipp Hahn
PS: Paying that extra money to ntp.org would certainly not kill use, but
adding that money instead to our currently already existing support of
Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
Debian (downstream) users and developers.
I wasn't aware that they charged commercial entities in this kind of
situation but that seems reasonable to me. IDK how much the charge
is. You are getting a service from pool.ntp.org, and as a commercial
entity you should pay your suppliers.

If the charge is too much, you could always run your own ntp server.

If you continue to use the Debian pool to avoid paying them, then you
are using their facilities without permission. I don't know what
German law is like but in the UK that would be the crime of
unauthorised access to a computer system. Also they could probably
sue you for the money.

TBH I doubt they would get you prosecuted or sue you - because they're
not that kind of people and wouldn't want to harm the free software
community = but I hope you will agree that you should act legally!

Regards,
Ian.
--
Ian Jackson <***@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Philipp Hahn
2018-10-18 11:57:22 UTC
Permalink
Hello Ian et al.,
Post by Ian Jackson
Post by Philipp Hahn
Are we (as a Debian derivate) allowed to hard-code and use the
"debian.pool.ntp.org" or must we apply for our own pool?
The NTP pool folks would like you to use your own pool. So would
Debian, I'm pretty sure.
Q: So must all Debian derivatives patch NTP and re-compile¹ it as
Post by Ian Jackson
$ apt download ntp
$ ar p ntp_1%3a4.2.8p10+dfsg-3+deb9u2_amd64.deb | tar xfO data.tar.xz ./etc/ntp.conf | grep ^pool
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
or only the commercial derivatives?
Post by Ian Jackson
Post by Philipp Hahn
PS: Paying that extra money to ntp.org would certainly not kill use, but
adding that money instead to our currently already existing support of
Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
Debian (downstream) users and developers.
First of all: We don't what to cheat them or Debian, but the question is
interesting enough as it can have legal questions for all derivatives.
Post by Ian Jackson
I wasn't aware that they charged commercial entities in this kind of
situation but that seems reasonable to me. IDK how much the charge
is. You are getting a service from pool.ntp.org, and as a commercial
entity you should pay your suppliers.
The question remains, if "Debian" can be our supplier and allow us (and
any other derivatives) to use their pool?
Post by Ian Jackson
If the charge is too much, you could always run your own ntp server.
Any sane setup needs at least 4 servers. That is why there is that pool
project so not everyone has to run their own farm of NTP servers around
the world themselves.
Post by Ian Jackson
If you continue to use the Debian pool to avoid paying them, then you
are using their facilities without permission.
...
Post by Ian Jackson
TBH I doubt they would get you prosecuted or sue you - because they're
not that kind of people and wouldn't want to harm the free software
community = but I hope you will agree that you should act legally!
Normally I tell our customers to ask their Internet providers for their
preferred NTP servers, as they usually run their own farm, which are
then close to their customers (network wise). Many routers have a
built-in NTP server anyway. This normally improves the accuracy and
reduces network traffic as with the pool you can get servers from the
other end of the world. Lucky you if you get that information from your
provider via DHCP (option nntp-server).

Even if your provider does not run its own farm, you can still
re-configure your servers to use at least the pool for your continent or
country, which hopefully are closer by network vise, too.

As an end-user you are not bound by that pool.ntp.org rule and can
configure whatever server you like.

But not as a software or Operating System vendors: I MUST NOT use
'pool.ntp.org'.

So my question is more like "is it okay to not change Debians default
NTP server selection", so the initial setup and those lazy enough to not
change the default get a sane time?

Philipp


¹: not a big deal for us, but we try to stay as closely to Debian as we can.
Florian Weimer
2018-10-21 16:26:55 UTC
Permalink
Post by Ian Jackson
Post by Philipp Hahn
PS: Paying that extra money to ntp.org would certainly not kill use, but
adding that money instead to our currently already existing support of
Debian-LTS / DebConf sponsoring / ... would probably benefit a lot more
Debian (downstream) users and developers.
I wasn't aware that they charged commercial entities in this kind of
situation but that seems reasonable to me. IDK how much the charge
is. You are getting a service from pool.ntp.org, and as a commercial
entity you should pay your suppliers.
Just to be clear: the fee goes to the pool operator, not the server
operators. The actual service is donated without an expectation of
compensation, or the compensation is kind, say for enabling network
mapping and port scanning of IPv6 hosts.

Daniel Baumann
2018-10-18 10:25:29 UTC
Permalink
Post by Philipp Hahn
Are we (as a Debian derivate) allowed to hard-code and use the
"debian.pool.ntp.org" or must we apply for our own pool?
the idea between the different pool CNAMEs is that when one vendor does
something bad/wrong, the queries of devices running that version of ntp
can be easier diverted to /dev/null.

hence, as long as you don't "modify" the ntp package from debian in your
derivative, there is no need/gain of applying for an own ntp pool.

(re "modify": use your best judgement. fictional example: if you would
recompile the unmodified source package from debian with some weird
toolchain/settings in your derivative which would be likely to break
stuff, I would err on the side of causion and apply for a pool.)

Regards,
Daniel
Loading...