[Devel] Proposal: switch from ntp to ntpsec in Apertis

Andrej Shadura andrew.shadura at collabora.co.uk
Thu Jan 20 13:15:06 CET 2022

Hi all,

In short, Debian is considering removing ntp package and switching to 
ntpsec which is a drop-in replacement. In Apertis, we already use 
systemd-timesyncd as a default ntp client, and ntp is as far as I can 
see only a dependency of some packages. Namely, fake-hwclock has ntp as 
a hard dependency, but not because it requires strictly ntp, but because 
at the time the dependency was added, there was no other viable 
alternative. However, it remains to be seen how much fake-hwclock itself 
is necessary, as it seems systemd-timesyncd already provides a replacement:


> systemd-timesyncd is a system service that may be used to synchronize
> the local system clock with a remote Network Time Protocol (NTP)
> server. It also saves the local time to disk every time the clock has
> been synchronized and uses this to possibly advance the system realtime
> clock on subsequent reboots to ensure it (roughly) monotonically advances
> even if the system lacks a battery-buffered RTC chip.

-------- Forwarded Message --------
Subject: Re: The future of src:ntp
Resent-Date: Wed, 19 Jan 2022 03:20:23 +0000 (UTC)
Resent-From: debian-devel at lists.debian.org
Date: Tue, 18 Jan 2022 21:19:27 -0600
From: Richard Laager <rlaager at debian.org>
To: debian-devel at lists.debian.org

[I'm the Debian ntpsec maintainer.]

On 1/18/22 11:21 AM, Paride Legovini wrote:
  > I'd prefer making ntp a dummy package depending on ntpsec rather than
  > having src:ntpsec takeover bin:ntp.

If I understand correctly, you're suggesting src:ntp builds bin:ntp that 
is a dummy package which depends on ntpsec?

Another option would be to have src:ntpsec build the bin:ntp dummy 
package and remove src:ntp entirely.

Either seems fine to me. I don't have a strong preference. I can 
implement whatever is necessary on the ntpsec side.

And for either option, probably likewise ntp-doc -> ntpsec-doc, ntpdate 
-> ntpsec-ntpdate, and if I broke out ntpdig as suggested in bug 
#1003966, sntp -> ntpsec-ntpdig.

There are some differences. For example, ntp stores its configuration 
file at /etc/ntp.conf while ntpsec uses /etc/ntpsec/ntp.conf. [1] But 
bin:ntpsec's postinst already handles that transition.

On 1/18/22 5:03 PM, Paride Legovini wrote:
  > bin:ntp has always been a specific NTP implementation, I think
  > it's OK if it's replaced by an almost compatible fork, less OK if a
  > completely different implementation is brought in instead.

I'm biased here, but I agree. I think it makes the most sense to 
transition existing ntp installs to ntpsec, not chrony, as ntpsec is a 
drop-in replacement with a shared code history. This is my position even 
if we think that chrony should be the default for new installs. On that 
topic, I think the current default of systemd-timesyncd is fine.

[1] When I was first packaging ntpsec, I was going to have it share as 
many paths, service names, etc. with ntp (as upstream NTPsec does). But 
this lead to issues with certain tooling (e.g. around init scripts) and 
ultimately I decided it was better to use a different namespace. This 
does mean that Debian ntpsec is patched and diverges a bit from upstream 


More information about the devel mailing list