debcrafters-packages team mailing list archive
Message #00545
[Bug 2111342] Re: Install time-daemon with NTS support by default
The current plan looks like this:
0/ Testing can happen already, by switching to "chrony" manually
=> apt install chrony && apt-mark auto chrony # will remove systemd-timesyncd
1/ Get the seed changes landed in "platform:minimal" and "ubuntu:cloud-minimal"
=> seeding "chrony | time-daemon", to allow for switching of NTP stack, e.g. by installing systemd-timesyncd (also in "main").
=> Give germinate some time to regenerate its outputs and sync to the
mirrors.
2/ update "ubuntu-meta", by running the ./update script and dput to the
archive, deploying the seed changes from (1) to the "ubuntu-minimal"
and "ubuntu-cloud-minimal" meta packages.
3/ Update systemd, to drop "Recommends: systemd-timesyncd", just keeping "time-daemon".
=> We can potentially avoid this delta, as the ubuntu-meta "Depends: chrony | time-daemon" should overrule systemd's "Recommends: systemd-timesyncd | time-daemon".
4/ At this point new installations/images should come pre-installed with chrony (not sd-timesyncd).
=> People can manually switch back by calling "apt install systemd-timesyncd && apt-mark auto systemd-timesyncd"
5/ Implement transition logic in ubuntu-release-upgrader to remove systemd-timesyncd from upgrading system, replacing it with chrony.
=> To make upgraded systems behave the same as new installations.
=> People can still manually switch back to any other "time-daemon" as described in (4).
6/ Update docs and release notes.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2111342
Title:
Install time-daemon with NTS support by default
Status in Ubuntu:
New
Status in chrony package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Status in ubuntu-meta package in Ubuntu:
New
Status in ubuntu-release-upgrader package in Ubuntu:
New
Bug description:
Ubuntu shall be secure by default, therefore utilize Network Time
Security (NTS), as time is the trust anchor for many cryptography
related processes (e.g. certificates).
NTS was previously enabled in chrony (LP: #2084585) and comes pre-
installed in certain Ubuntu cloud images. Still, in Ubuntu
Desktop/Server and other generic Ubuntu images we rely on systemd-
timesyncd (without support for NTS [1]). This leads to a situation
where we have to maintain two time-daemons in "main", while still not
using NTS on most systems.
[1] https://github.com/systemd/systemd/issues/9481
References: spec-FO207, SD-2171, chrony MIR (LP: #1744072)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/2111342/+subscriptions
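A check a tester could run after switching to chrony as in step (0), to confirm that the time sources are actually authenticated with NTS. This is an added example, not part of the original message or of any Ubuntu package. The function name `nts_check`, the constructed sample rows and the assumed field order of `chronyc -c authdata` CSV output are assumptions.

```shell
#!/bin/sh
# Added example: classify time sources from `chronyc -c authdata` CSV output.
# Assumed field order (the columns of the authdata report):
#   name,mode,keyid,type,klen,last,atmp,nak,cook,clen
# Return status:
#   0 = every source uses NTS and holds at least one cookie
#   1 = at least one source is unauthenticated or has no cookies yet
#   2 = no sources found in the input
nts_check() {
    awk -F, '
        NF >= 10 {
            total++
            if ($2 == "NTS" && $9 + 0 > 0) { ok++; state = "ok" }
            else if ($2 == "NTS")          { state = "NTS, no cookies yet" }
            else                           { state = "NOT authenticated" }
            printf "%-20s mode=%-3s cookies=%-2s %s\n", $1, $2, $9, state
        }
        END {
            if (total == 0) exit 2
            exit ((ok + 0 == total) ? 0 : 1)
        }'
}

# Constructed sample rows (not captured from a real system).
SAMPLE_NTS='ntp1.example.net,NTS,1,15,256,33,0,0,8,100
ntp2.example.net,NTS,2,15,256,35,0,0,8,100'

# One NTS source plus one plain, unauthenticated NTP source.
SAMPLE_MIXED='ntp1.example.net,NTS,1,15,256,33,0,0,8,100
ntp3.example.net,-,0,0,0,-,0,0,0,0'

# On a live system: chronyc -c authdata | nts_check
printf '%s\n' "$SAMPLE_MIXED" | nts_check || echo "exit status: $?"
```

A status of 1 right after installation can simply mean that NTS key establishment has not finished yet, so repeat the check after a few minutes before treating it as a failure.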