1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
|
#!/usr/bin/make -f
include /usr/share/dpkg/architecture.mk
include /usr/share/dpkg/default.mk
include /usr/share/dpkg/pkg-info.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow,+pie
export DEB_CFLAGS_MAINT_APPEND = -fno-strict-aliasing
export systemdsystemunitdir = $(shell pkg-config --variable=systemdsystemunitdir systemd)
%:
dh $@ --with apache2,python3
override_dh_auto_configure:
ifeq (hurd, $(DEB_HOST_ARCH_OS))
# hurd does not provided the system calls needed for ntpd to work.
exit 1
endif
# Only build with refclocks NOT slated for removal. See also
# debian/patches/update-refclock-docs.patch. However, if the reason
# for deprecation is only "two digit years", I *am* keeping it.
#
# Upstream references:
# https://www.ntpsec.org/removal-plan.html
# https://www.ntpsec.org/drivers.html
#
# Also drop modem. It "requires a Hayes-compatible 1200bps modem,
# hardware now 20 years obsolete".
#
# gpsd is a tough call. It's not deprecated upstream, and it still can
# work. However, upstream recommends the use of SHM, as does every
# example HOWTO I found with a quick search. Furthermore, it is buggy:
# https://lists.ntpsec.org/pipermail/devel/2016-October/002392.html
# Also, it "makes all sorts of non-standard assumptions about how gpsd
# is configured. A configuration that is contorted and non-obvious":
# https://lists.ntpsec.org/pipermail/devel/2016-October/002422.html
# Most importantly, it is an attractive nuisance. If someone is told
# that the best practice is to use "gpsd", they might logically think
# they should use the gpsd driver. Skipping the gpsd driver also avoids
# using the embedded copy of libjsmn.
#
# We pass LDFLAGS as LINKFLAGS because LINKFLAGS appears first in the
# command line. Debian wants to build with -fPIE for security reasons.
# This is not compatible with building shared libraries like the ntpc
# python extension. If the -fPIE flag comes before -shared (or -fPIC),
# the latter will override, and the build succeeds.
CFLAGS='$(CFLAGS) $(CPPFLAGS)' \
LDFLAGS='' \
LINKFLAGS='$(LDFLAGS)' \
python3 waf configure \
--pythonarchdir=/usr/lib/python3/dist-packages \
--pythondir=/usr/lib/python3/dist-packages \
--pyshebang=/usr/bin/python3 \
--prefix=/usr --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
--enable-debug \
--enable-mssntp --enable-warnings \
--refclock=local,spectracom,generic,arbiter,nmea,pps,hpgps,shm,trimble,jjy,zyfer \
--enable-doc --htmldir=/usr/share/doc/ntpsec/html
override_dh_auto_build:
python3 waf build -v
override_dh_auto_clean:
python3 waf clean || true
rm -rf \
build \
.lock-waf_*_build \
ntpclients/ntp \
ntpd/version.h \
.waf* \
wafhelpers/autorevision.sh
find -name "*.pyc" -delete
override_dh_install:
python3 waf install --destdir=$(CURDIR)/debian/tmp
mv \
debian/tmp/$(systemdsystemunitdir)/ntpd.service \
debian/tmp/$(systemdsystemunitdir)/ntpsec.service
mv \
debian/tmp/$(systemdsystemunitdir)/ntp-wait.service \
debian/tmp/$(systemdsystemunitdir)/ntpsec-wait.service
rm -rf debian/tmp/usr/lib/python3/dist-packages/ntp/__pycache__
# ntpfrob probes internal, mostly undocumented settings. It is
# extremely unlikely that anyone needs this.
#
# ntpsnmpd is experimental. If support for it is desired, then
# it can be installed, but it will require some patching of file
# paths to be compliant with Debian best practices. It also needs
# more documentation on how to integrate with snmpd.
#
# From ntpsweep.1, "ntpsweep relies on ntpq and Mode 6 queries to
# probe servers. This depends on the remote host's restrict
# configuration allowing queries. Nowadays effectively all public
# hosts set noquery, so this script is unlikely to be useful unless
# you have multiple specially-configured timeservers on a LAN." The
# default ntp.conf from this package also sets "noquery" (with an
# exception for localhost).
rm \
debian/tmp/usr/bin/ntpfrob \
debian/tmp/usr/bin/ntpsnmpd \
debian/tmp/usr/bin/ntpsweep \
debian/tmp/usr/share/man/man1/ntpsweep.1 \
debian/tmp/usr/share/man/man8/ntpfrob.8 \
debian/tmp/usr/share/man/man8/ntpsnmpd.8
mv \
debian/tmp/usr/bin/ntptime \
debian/tmp/usr/bin/ntpkeygen \
debian/tmp/usr/bin/ntploggps \
debian/tmp/usr/bin/ntplogtemp \
debian/tmp/usr/bin/ntpwait \
debian/tmp/usr/sbin/
install -m 755 \
attic/ntpdate \
debian/tmp/usr/sbin
# Sometimes we get the timestamp from the tarball and sometimes we get
# a more recent timestamp (probably build time?). The latter gets
# clamped to the debian/changelog timestamp when the .deb is built,
# but the tarball timestamp does not (as it is older). This forces
# all the timestamps to be newer so they all get clamped.
find $(CURDIR)/debian/tmp/usr/share/doc/ntpsec/html -type f \
-exec touch {} \+
install -d debian/ntpsec/etc/letsencrypt/renewal-hooks/deploy
install -m 755 \
debian/ntpsec.certbot \
debian/ntpsec/etc/letsencrypt/renewal-hooks/deploy/ntpsec
install -d debian/ntpsec/$(systemdsystemunitdir)
install -m 644 \
debian/ntpsec.ntpsec-rotate-stats.service \
debian/ntpsec/$(systemdsystemunitdir)/ntpsec-rotate-stats.service
install -m 644 \
debian/ntpsec.ntpsec-rotate-stats.timer \
debian/ntpsec/$(systemdsystemunitdir)/ntpsec-rotate-stats.timer
install -d debian/ntpsec-ntpviz/$(systemdsystemunitdir)
install -m 644 \
etc/ntploggps.service \
etc/ntploggps.timer \
debian/ntpsec-ntpviz/$(systemdsystemunitdir)
install -d debian/ntpsec-ntpviz/etc/ntpviz/day
install -m 644 www/day/footer \
debian/ntpsec-ntpviz/etc/ntpviz/day/footer.html
install -m 644 www/day/header \
debian/ntpsec-ntpviz/etc/ntpviz/day/header.html
install -m 644 www/index.html \
debian/ntpsec-ntpviz/etc/ntpviz/index.html
install -m 644 debian/ntpviz.options \
debian/ntpsec-ntpviz/etc/ntpviz/options
install -d debian/ntpsec-ntpviz/etc/ntpviz/week
install -m 644 www/week/footer \
debian/ntpsec-ntpviz/etc/ntpviz/week/footer.html
install -m 644 www/week/header \
debian/ntpsec-ntpviz/etc/ntpviz/week/header.html
install -d debian/ntpsec-ntpviz/usr/share/ntpsec-ntpviz/ntpviz
install -m 644 \
www/favicon.ico \
www/ntpsec-logo.png \
debian/ntpsec-ntpviz/usr/share/ntpsec-ntpviz/ntpviz
install -D -m 0755 debian/ntpdate-debian \
debian/ntpsec-ntpdate/usr/sbin/ntpdate-debian
install -D -m 0644 debian/ntpsec.dhcp \
debian/ntpsec/etc/dhcp/dhclient-exit-hooks.d/ntpsec
install -D -m 0755 debian/ntpsec.networkmanager \
debian/ntpsec/usr/lib/NetworkManager/dispatcher.d/ntpsec
install -D -m 0644 debian/ntpsec-ntpdate.dhcp \
debian/ntpsec-ntpdate/etc/dhcp/dhclient-exit-hooks.d/ntpsec-ntpdate
install -D -m 0755 debian/ntpsec-ntpdate.networkmanager \
debian/ntpsec-ntpdate/usr/lib/NetworkManager/dispatcher.d/ntpsec-ntpdate
install -D -m 0644 debian/ntpsec-systemd-netif.path \
debian/ntpsec/$(systemdsystemunitdir)/ntpsec-systemd-netif.path
install -D -m 0644 debian/ntpsec-systemd-netif.service \
debian/ntpsec/$(systemdsystemunitdir)/ntpsec-systemd-netif.service
ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
install -D -m 0644 debian/ntp.conf.ubuntu debian/ntpsec/etc/ntpsec/ntp.conf
else
install -D -m 0644 debian/ntp.conf debian/ntpsec/etc/ntpsec/ntp.conf
endif
install -D -m 0644 debian/ntpviz.conf \
debian/ntpsec-ntpviz/etc/ntpsec/ntp.d/ntpviz.conf
# install apparmor profile
install -D -m 0644 debian/apparmor-profile \
debian/ntpsec/etc/apparmor.d/usr.sbin.ntpd
install -D -m 0644 debian/apparmor-profile.tunable \
debian/ntpsec/etc/apparmor.d/tunables/ntpd
dh_link -pntpsec etc/apparmor.d/usr.sbin.ntpd \
etc/apparmor/init/network-interface-security/usr.sbin.ntpd
# install apport hook
install -D -m 644 debian/source_ntpsec.py \
debian/ntpsec/usr/share/apport/package-hooks/source_ntpsec.py
dh_link
dh_install
override_dh_installinit-arch:
dh_installinit -pntpsec --error-handler=installinit_error
dh_installinit -pntpsec-ntpviz --name=ntpviz
dh_installinit -pntpsec-ntpdate
ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
install -m 644 debian/ntpsec-ntpdate.default.ubuntu \
debian/ntpsec-ntpdate/etc/default/ntpsec-ntpdate
endif
dh_apparmor --profile-name=usr.sbin.ntpd -pntpsec
override_dh_installsystemd:
dh_installsystemd -pntpsec \
ntpsec.service \
ntpsec-systemd-netif.path \
ntpsec-rotate-stats.timer
dh_installsystemd -pntpsec-ntpviz \
ntploggps.timer \
ntplogtemp.timer \
ntpviz-daily.timer \
ntpviz-weekly.timer
override_dh_makeshlibs:
# This avoids an unnecessary trigger of ldconfig. libntpc.so is not
# installed in a system library path.
dh_makeshlibs -n
|
