Eric S Raymond releases hardened, slimmer NTP beta

Dogged developer and open source champion Eric S Raymond has announced a beta of a refined version of the network time protocol code as open source following financial backing.

Raymond (@esrtweet) has been plugging away at a more secure and cleaner version of NTP part time, as "architecture and protocols guru" on the NTPsec project. He's also tried to gain some crowdfunding to support his efforts to improve the known insecure code.

He says in the last four months he has reduced the size of the NTP from "227KLOC to 98KLOC" or by 57 percent.

NTPsec has been "seriously security-hardened" Raymond says, including the fixing of all public vulnerabilities and holes and the inclusion of preventive measures to shutter whole vulnerability classes.

All function calls that can produce buffer overruns have been replaced with memory-safe equivalents, for example.

Raymond says the project will kill bugs first.

"The (current) NTP Classic codebase had accumulated serious vulnerabilities Raymond says.

"We’ve worked overtime to identify and plug the critical holes; more needs to be done on the lesser ones.

"Our goal is to reach the exceptionally low defect-per-thousand-hour rates of GPSD and RTEMS; we have the people and the skills to do it."

Beta version 0.9.0 has "some rough edges, mostly due to the rather traumatic (but utterly necessary) replacement of the autoconf build system."

The range of ports is also narrow affecting anyone not on Linux or modern FreeBSD.

"However, the core function – syncing your clock via NTP – is solid, and using 0.9.0 for production might be judged a bit adventurous but wouldn’t be crazy," Raymond says.

Subsequent betas will be more polished, notably if readers throw coins into Raymond's Patreon page. ®