Bug 223647 - net/chrony: remove dubious security warning
Summary: net/chrony: remove dubious security warning
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Mark Felder
Depends on:
Reported: 2017-11-13 11:57 UTC by Bernhard Froehlich
Modified: 2017-11-16 19:13 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (yonas)


Note You need to log in before you can comment on or make changes to this bug.
Description Bernhard Froehlich freebsd_committer 2017-11-13 11:57:26 UTC
The chrony port has since it's appearance in the ports tree in r350635 (April 2014) the following security warning after installation:

"Unfortunately, this software has shameful history of several vulnerabilities
previously discovered.  FreeBSD Project cannot guarantee that this spree had
come to an end.  It is further complicated, as chronyd(8) requires superuser
permissions to operate; please type ``make deinstall'' to deinstall the port
if tight security is a concern."

The "requires superuser" part has become invalid in 2017 with r434012 when the maintainer decided to use the privilege dropping feature in the port. In the chrony code it seems this code was available for a very long time already.

What remains is a dubious security warning for the chrony port without any technical arguments. In the FreeBSD portstree it's not our job to tell our "feelings" about probable future security risks. We should provide CVE and CPE information (already exists in the port) and warn people about EXISTING and KNOWN vulnerabilities.

In addition to that a recent security audit exists which came to a completely different conclusion about the chrony security situation:

"The overwhelmingly positive result of this security assignment performed by three Cure53 testers can be clearly inferred from a marginal number and low-risk nature of the findings amassed in this report. Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. The software boasts sound design and is secure across all tested areas. It is quite safe to assume that untested software in the Chrony family is of a similarly exceptional quality. In general, the software proved to be well-structured and marked by the right abstractions at the appropriate locations. While the functional scope of the software is quite wide, the actual implementation is surprisingly elegant and of a minimal and just necessary complexity. In sum, the Chrony NTP software stands solid and can be seen as trustworthy."



The longterm CVE history also seems quite reasonable in comparison to other NTP implementations:


I will add a few parties to the loop to make sure all opinions are heard and will keep this bug open for at least a month to make sure people have a chance to respond.
Comment 1 Yonas Yanfa 2017-11-13 17:04:03 UTC
(In reply to Bernhard Froehlich from comment #0)

Sounds good Bernhard, thanks!
Comment 2 Mark Felder freebsd_committer 2017-11-16 19:12:01 UTC
The verbiage of that warning was not very representative of the FreeBSD project in the first place.

Comment 3 commit-hook freebsd_committer 2017-11-16 19:12:07 UTC
A commit references this bug:

Author: feld
Date: Thu Nov 16 19:11:43 UTC 2017
New revision: 454328
URL: https://svnweb.freebsd.org/changeset/ports/454328

  net/chrony: Remove dubious security warnings in pkg-message

  PR:		223647
  MFH:		2017Q4

Comment 4 commit-hook freebsd_committer 2017-11-16 19:13:10 UTC
A commit references this bug:

Author: feld
Date: Thu Nov 16 19:12:10 UTC 2017
New revision: 454329
URL: https://svnweb.freebsd.org/changeset/ports/454329

  MFH: r454328

  net/chrony: Remove dubious security warnings in pkg-message

  PR:		223647

_U  branches/2017Q4/