As I understand it, NTPsec, a hostile fork of ntpd, is not a well-regarded project. Look at the "project accomplishments" page and see what they don't claim to have accomplished: the elimination, prior to publication, of any vulnerabilities in a msinstream/default ntpd configuration. They reorganized a bunch of code, swapped strcpy's (and strncpy's) with strlcpy, moved the project out of Bitkeeper (something that has nothing to do with security but is the first listed achievement on the site), and generally removed stuff nobody enables in ntpd.
Before it lost funding, Raymond was openly discussing rewriting the whole thing in Go, which sort of gives the lie to the idea that the project was operating in good faith.
Accusing ESR and the rest of the NTPsec project of fraud is a very serious claim. Could you explain in more detail why contemplating rewriting of most or all of the project in Go as he was learning the language is such a definitive tell?
tptacek|6 years ago
Before it lost funding, Raymond was openly discussing rewriting the whole thing in Go, which sort of gives the lie to the idea that the project was operating in good faith.
dfrage|6 years ago