Diffstat (limited to 'debian')
-rw-r--r--  debian/.gitlab-ci.yml  7
-rw-r--r--  debian/NEWS  58
-rw-r--r--  debian/README.Debian  29
-rw-r--r--  debian/changelog  1868
-rw-r--r--  debian/chrony-dnssrv@.service  17
-rw-r--r--  debian/chrony-dnssrv@.timer  9
-rwxr-xr-x  debian/chrony-helper  251
-rw-r--r--  debian/chrony.conf  28
-rw-r--r--  debian/chrony.default  6
-rw-r--r--  debian/chrony.dhcp  25
-rw-r--r--  debian/chrony.if-post-down  11
-rw-r--r--  debian/chrony.if-up  11
-rw-r--r--  debian/chrony.keys  10
-rw-r--r--  debian/chrony.lintian-overrides  3
-rw-r--r--  debian/chrony.maintscript  1
-rw-r--r--  debian/chrony.ppp.ip-down  13
-rw-r--r--  debian/chrony.ppp.ip-up  12
-rw-r--r--  debian/chrony.service  20
-rw-r--r--  debian/clean  3
-rw-r--r--  debian/control  51
-rw-r--r--  debian/copyright  182
-rw-r--r--  debian/dirs  8
-rw-r--r--  debian/docs  3
-rw-r--r--  debian/init  73
-rw-r--r--  debian/install  4
-rw-r--r--  debian/links  5
-rw-r--r--  debian/patches/allow-_llseek-in-seccomp-filter.patch  31
-rw-r--r--  debian/patches/allow-further-syscalls-in-seccomp-filter.patch  41
-rw-r--r--  debian/patches/allow-recv-send-in-seccomp-filter.patch  24
-rw-r--r--  debian/patches/allow-waitpid-in-seccomp-filter.patch  22
-rw-r--r--  debian/patches/create-new-file-when-writing-pidfile.patch  187
-rw-r--r--  debian/patches/series  5
-rw-r--r--  debian/postinst  86
-rw-r--r--  debian/postrm  50
-rw-r--r--  debian/preinst  36
-rw-r--r--  debian/prerm  28
-rwxr-xr-x  debian/rules  45
-rw-r--r--  debian/source/format  1
-rw-r--r--  debian/tests/control  7
-rw-r--r--  debian/tests/time-sources-from-dhcp-servers  42
-rw-r--r--  debian/tests/upstream-simulation-test-suite  26
-rw-r--r--  debian/upstream/metadata  9
-rw-r--r--  debian/upstream/signing-key.asc  29
-rw-r--r--  debian/usr.sbin.chronyd  64
-rw-r--r--  debian/watch  3
45 files changed, 3444 insertions, 0 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
new file mode 100644
index 0000000..6eed751
--- /dev/null
+++ b/debian/.gitlab-ci.yml
@@ -0,0 +1,7 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+
+variables:
+ RELEASE: 'buster'
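Review bot: both `include:` entries fetch from `raw/master/` of salsa-ci-team/pipeline, so the CI definition this package runs can change with no commit in this repository; referencing a tag or commit of the pipeline repository instead of the moving `master` branch would keep pipeline runs reproducible and make changes to the build and test steps reviewable here. A short comment next to `RELEASE: 'buster'` saying the value has to follow the suite the branch targets would also help, since nothing else in the file explains it.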
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..c25bd51
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,58 @@
+chrony (3.4-2) unstable; urgency=medium
+
+ To reduce the range of operations available to chronyd, and thereby decrease
+ the kernel attack surface, a system call filter is now active by default
+ wherever¹ possible.
+ Please, take into account that this change prevents the use of the
+ “mailonchange” directive in chrony.conf as the chronyd process will not be
+ allowed to fork and execute the sendmail binary. Therefore, it is fundamental
+ to disable the system call filter to continue using this directive!
+
+ To do so, edit the /etc/default/chrony file and substitute the “-F -1”
+ parameter with “-F 0”. Restart chrony afterward.
+
+ ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64
+ architectures due to lack of support in “libseccomp” and/or the Linux kernel.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 10 Feb 2019 18:44:22 +0100
+
+chrony (2.2.1-1) unstable; urgency=medium
+
+ In chrony versions before 2.2, the 'chrony.keys' file contained a command
+ key used for run-time configuration via the 'chronyc' command-line tool.
+ Starting from this version, support for this authentication method has been
+ dropped in favor of a Unix domain socket accessible only *locally* by root or
+ the _chrony system user. Consequently, if you refuse to use the 'chrony.keys'
+ file template provided by the maintainers when upgrading, please don’t forget
+ to manually remove the obsolete command key (ID 1) in the aforementioned file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 07 Feb 2016 17:02:30 +0100
+
+chrony (2.1.1-1) unstable; urgency=medium
+
+ From this version, 'chronyd' will strictly act as an NTP client by default. If
+ you want it to serve time to other systems, please do so by configuring the
+ 'allow' directive.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 12 Oct 2015 19:12:39 +0200
+
+chrony (1.31.1-1) unstable; urgency=medium
+
+ From now on, we use the "hwclockfile" directive in /etc/chrony/chrony.conf.
+ Basically, it makes the detection of the standard (Local or UTC time) set
+ in /etc/adjtime — and used by the hardware clock — clearer compared to the
+ text processing method we used to use in the post install script to complete
+ the same task. Note that it overrides the "rtconutc" directive.
+
+ Also, we now create the _chrony system user to which chronyd will drop root
+ privileges. For users already allowing chronyd to drop root privileges in
+ favor of the user configured by the "user" directive in
+ /etc/chrony/chrony.conf, your configuration will remain unchanged and will
+ still work as intended.
+ However, some users might use a custom init script to accomplish the same
+ task by invoking chronyd with the '-u' option. We advise you to drop this
+ option from your init script before upgrading, otherwise you’ll have to
+ readjust the owner of the /var/l{ib,og}/chrony directories (recursively) to
+ the user you configured in your init script.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:14:54 +0200
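Review bot: the 3.4-2 entry tells anyone using “mailonchange” to replace “-F -1” with “-F 0” in /etc/default/chrony, but it does not say that this turns the system call filter off for the whole chronyd process rather than only for the mail path, which is the attack-surface reduction the first paragraph just announced. One sentence stating that trade-off would let administrators decide whether the directive is worth keeping. The footnote ("Are currently excluded alpha, ia64, ...") would also read more clearly as "The alpha, ia64, m68k, riscv64, sh4 and sparc64 architectures are currently excluded ...".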
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..2ec089a
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,29 @@
+Chrony for Debian
+-----------------
+
+ Notes about Debian-specific changes:
+
+ - Default chrony’s configuration files are located in the /etc/chrony directory.
+ It is filled by two important files:
+ → chrony.conf (configuration of the chronyd daemon, see man 5 chrony.conf
+ for further information)
+
+ → chrony.keys (lists keys used for NTP packets authentication, see
+ § 4.2.24 in /usr/share/doc/chrony/chrony.txt.gz)
+
+ - We also provide /etc/ppp/ip-up.d/chrony and /etc/ppp/ip-down.d/chrony
+ to put chronyd online/offline depending on the PPP link status.
+
+ - Since version 1.31.1-1, we create the _chrony system user to which chronyd
+ will drop root privileges on initialisation. For users already allowing
+ chronyd to drop root privileges in favor of the user configured by the "user"
+ directive in chrony.conf, your configuration will remain unchanged and will
+ still work as it did. However, if you don’t want to deviate from Debian’s
+ default configuration, delete or comment out the "user" directive in
+ chrony.conf and recursively change the owner of the /var/lib/chrony and
+ /var/log/chrony directories. For example:
+
+ # sed -i 's/^user/#user/' /etc/chrony/chrony.conf
+ # chown -R _chrony:_chrony /var/l{ib,og}/chrony
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 16 Jan 2017 18:44:32 +0100
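Review bot: the example at the end of the last bullet recommends `chown -R _chrony:_chrony /var/l{ib,og}/chrony` as root, while the 3.2-4 changelog entry in this same patch removes recursive chown from postinst because it is vulnerable to hardlink attacks on kernels without fs.protected_hardlinks=1; the README should either drop `-R` in favour of changing the directories and known files explicitly, or state that the command is only safe with that sysctl enabled. The `sed` pattern `^user` also comments out any directive whose line merely starts with "user", so anchoring it on the following whitespace would be safer. Separately, the chrony.keys bullet still points to "§ 4.2.24 in /usr/share/doc/chrony/chrony.txt.gz", which the 2.4-1 and 2.4.1-3 changelog entries say is no longer generated; a man page reference like the one given for chrony.conf would be current.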
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..84ee4cc
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1868 @@
+chrony (3.4-4+deb10u2) buster; urgency=medium
+
+ * debian/usr.sbin.chronyd:
+ - Allow reading the chronyd configuration file that timemaster(8)
+ generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 15 Mar 2022 13:45:14 +0100
+
+chrony (3.4-4+deb10u1) buster; urgency=medium
+
+ * debian/patches/:
+ - Add create-new-file-when-writing-pidfile.patch to prevent symlink race
+ when writing to PID file (CVE-2020-14367).
+
+ * debian/tests/:
+ - Fix a regression when running upstream-simulation-test-suite autopkgtest
+ on Buster.
+
+ [ Matt Corallo ]
+ * debian/usr.sbin.chronyd:
+ - Fix temperature reading. (Closes: #970421)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 16 Sep 2020 13:44:04 +0200
+
+chrony (3.4-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
+ seccomp filter whitelist with those syscalls is a prerequisite, notably for
+ the arm64 architecture.
+
+ [ Leigh Brown ]
+ * debian/patches/*:
+ - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
+ ppc64el. Other architectures might also be affected. (Closes: #924494)
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 18 Mar 2019 19:35:34 +0100
+
+chrony (3.4-3) unstable; urgency=medium
+
+ * debian/.gitlab-ci.yml:
+ - Check for missing hardening flags.
+
+ * debian/patches/*:
+ - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit
+ plateforms to log the {raw}measurements and statistics information when
+ the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute)
+ <invernomuto@paranoici.org> for the report. (Closes: #923137)
+ - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop
+ chronyd on some plateforms when the seccomp filter is enabled.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 04 Mar 2019 23:32:12 +0100
+
+chrony (3.4-2) unstable; urgency=medium
+
+ * debian/.gitlab-ci.yml:
+ - Replace home-made GitLab CI with the standard Salsa pipeline.
+ - Allow autopkgtest job to fail. The time-sources-from-dhcp-servers test
+ currently fails due to a testbed issue on salsa CI.
+
+ * debian/chrony.default:
+ - Enable the system call filter by default.
+
+ * debian/control:
+ - Bump standard-version to 4.3.0 (no changes required).
+ - Use the new debhelper-compat (= 12) notation and drop d/compat.
+ - Add Pre-Depends: ${misc:Pre-Depends}. Debhelper compatibility level 12
+ makes use of the “--skip-systemd-native” flag from “invoke-rc.d”. Adding
+ Pre-Depends: ${misc:Pre-Depends} to d/control ensure that we have a recent
+ enough version of “init-system-helpers”.
+ - Suggest networkd-dispatcher.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2019.
+
+ * debian/links:
+ - Now that “networkd-dispatcher” is in the Debian archive, link
+ NetworkManager dispatcher script to networkd-dispatcher routable and off
+ states. Patch cherry-picked from Ubuntu; thanks to Christian Ehrhardt
+ <christian.ehrhardt@canonical.com> for working on this.
+
+ * debian/NEWS:
+ - Report that a system call filter is now enabled by default and the way
+ to disable it if needed.
+
+ * debian/rules:
+ - Don’t enable the system call filter on some architectures due to missing
+ support in the “libseccomp” and/or the Linux kernel.
+
+ * debian/upstream/:
+ - Strip upstream key from extra signatures. Thanks lintian!
+ - Remove the Miroslav-Lichvar.txt file as it serves no purpose.
+
+ * debian/usr.sbin.chronyd:
+ - Don’t include “tunables/sys”. The etc/apparmor.d/tunables/sys file has
+ been deprecated in AppArmor 2.13.1! The @{sys} variable is now defined in
+ “tunables/kernelvars” which is included in “tunables/global”.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 13 Feb 2019 17:08:17 +0100
+
+chrony (3.4-1) unstable; urgency=medium
+
+ * Import upstream version 3.4:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * Merge branch “experimental” into “master”.
+
+ * debian/chrony.service:
+ - Conflict with ntpsec.service.
+
+ * debian/copyright:
+ - Update copyright years.
+
+ * debian/patches/*:
+ - Remove fix-samplefilt-unit-test-to-work-with-low-precision-clock.patch,
+ fixed upstream.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 21 Sep 2018 14:12:03 +0200
+
+chrony (3.4~pre1-2) experimental; urgency=medium
+
+ * debian/patches/*:
+ - Cherry-pick upstream patch to fix samplefilt unit test to work with
+ low-precision clocks. This should prevent chrony from failing to build
+ from source on HPPA and Alpha.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 10 Sep 2018 18:39:58 +0200
+
+chrony (3.4~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.4-pre1:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * debian/:
+ - Add “.gitlab-ci.yml” file to use GitLab Continuous Integration.
+
+ * debian/chrony.if-{post-down,up}:
+ - Use the new “onoffline” command to tell chronyd to switch all sources to
+ the online or offline status according to the current network configuration.
+
+ * debian/chrony.ppp.ip-{down,up}:
+ - As for ifupdown scripts, use the “onoffline” command.
+
+ * debian/control:
+ - Bump standard-version to 4.2.1 (no changes required).
+
+ * debian/patches/*:
+ - Remove fall-back-to-urandom.patch. Applied in this prerelease.
+
+ * debian/post{inst,rm}:
+ - Use “command -v” instead of “which” to enhance portability.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 02 Sep 2018 19:14:08 +0200
+
+chrony (3.3-3) unstable; urgency=medium
+
+ * debian/:
+ - Normalize packaging with “wrap-and-sort -ab”.
+
+ * debian/control:
+ - Bump standard-version to 4.2.0:
+ ↳ Install upstream release notes as “/usr/share/doc/chrony/NEWS.gz”.
+ Installing these as “/usr/share/doc/package/changelog.gz” is now
+ deprecated.
+
+ * debian/patches/:
+ - Cherry-pick upstream patch to avoid hangs when starting
+ chronyd on newer kernels by falling back to urandom.
+ Thanks to Gustavo Scalet <gustavo.scalet@collabora.com> for the report and
+ the initial patch. (LP: #1787366, Closes: #906276)
+
+ * debian/upstream/metadata:
+ - Add DEP12 upstream metadata file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 18 Aug 2018 16:23:19 +0200
+
+chrony (3.3-2) unstable; urgency=medium
+
+ * debian/chrony.service:
+ - Conflict with ntp.service.
+
+ * debian/control:
+ - Bump standard-version to 4.1.4 (no changes required).
+ - Switch to the Nettle cryptographic library for hash functions.
+
+ [ Helmut Grohne ]
+ * debian/rules:
+ - Pass CC to make and set “--host-system” to fix FTCBFS. (Closes: #895852)
+
+ [ Christian Ehrhardt ]
+ * debian/usr.sbin.chronyd:
+ - Support all paths suggested in the man page.
+ (LP: #1771028, Closes: #898614)
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 14 May 2018 21:37:30 +0200
+
+chrony (3.3-1) unstable; urgency=medium
+
+ * Import upstream version 3.3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * Merge branch “experimental” into “master”.
+
+ * debian/copyright:
+ - Update copyright year.
+
+ * debian/usr.sbin.chronyd:
+ - Allow CAP_NET_ADMIN to support HW timestamping. (LP: #1761327)
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 05 Apr 2018 02:08:31 +0200
+
+chrony (3.3~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.3-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/copyright:
+ - Add “hash_nettle.c” copyright information and update copyright year of
+ test/unit/*
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 15 Mar 2018 13:58:21 +0100
+
+chrony (3.2-5) unstable; urgency=medium
+
+ [ Christian Ehrhardt ]
+ * debian/usr.sbin.chronyd:
+ - Allow write access to RTC, PPS and PTP devices.
+ (Closes: #891201, LP: #1751241)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 28 Feb 2018 17:31:08 +0100
+
+chrony (3.2-4) unstable; urgency=medium
+
+ * debian/changelog:
+ - Remove trailing spaces.
+
+ * debian/chrony-dnssrv@.service:
+ - Use NTP servers obtained from DNS SRV records.
+
+ * debian/chrony-dnssrv@.timer:
+ - Periodic lookup of DNS SRV records.
+
+ * debian/chrony-helper:
+ - New helper script to make use of NTP servers obtained from DHCP and
+ _ntp._udp DNS SRV records.
+
+ * debian/chrony.dhcp:
+ - Add a dhclient-exit-hook script to add/remove NTP servers depending
+ on the operations invoked by the DHCP client. (Closes: #889656)
+
+ * debian/chrony.service:
+ - Run “/usr/lib/chrony/chrony-helper update-daemon” after starting chronyd.
+
+ * debian/control:
+ - Suggest dnsutils. The dig utility is used to update files with NTP
+ servers from DNS SRV records.
+
+ * debian/init:
+ - Run “/usr/lib/chrony/chrony-helper update-daemon” after starting chronyd.
+
+ * debian/install:
+ - Install the chrony-helper script in /usr/lib/chrony.
+ - Install chrony-dnssrv@.* files in /lib/systemd/system.
+
+ * debian/postinst:
+ - Don’t use recursive chown as this is vulnerable to hardlink attacks on
+ mainline, non-Debian kernels that do not have fs.protected_hardlinks=1.
+ Thanks Lintian!
+
+ * debian/postrm:
+ - Remove “/run/chrony” on purge.
+
+ * debian/rules:
+ - Install the dhclient-exit-hook script in /etc/dhcp/dhclient-enter-hooks.
+
+ * debian/tests/:
+ - Use autopkgtest to ensure that chronyd can use NTP servers obtained from
+ DHCP servers.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 20 Feb 2018 18:27:10 +0100
+
+chrony (3.2-3) unstable; urgency=medium
+
+ [ Christian Ehrhardt ]
+ * debian/chrony.default:
+ - Mention systemd service file in the comment.
+
+ * debian/chrony.service:
+ - Support the DAEMON_OPTS variable from “/etc/default/chrony” in systemd
+ environment. (LP: #1746081, Closes: #889012)
+
+ * debian/usr.sbin.chronyd:
+ - Allow the creation of /run/chrony on demand.
+ (LP: #1746444, Closes: #889011)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Feb 2018 21:27:09 +0100
+
+chrony (3.2-2) unstable; urgency=medium
+
+ * Initial AppArmor profile for chronyd. Thanks to Jamie
+ Strandboge <jamie@ubuntu.com>. (Closes: #888038)
+
+ * debian/compat:
+ - Bump to debhelper compat 11.
+
+ * debian/control:
+ - Bump standard-version to 4.1.3 (no changes required).
+ - Build depend on debhelper ≥ 11.
+ - Set “Rules-Requires-Root: no”.
+ - Move Vcs-* to salsa.debian.org.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2018.
+
+ * debian/postinst:
+ - Don’t force removal of cron file since it doesn’t exist anymore.
+
+ * debian/preinst:
+ - Update the chrony version on which to act.
+ - Add the debhelper token.
+
+ * debian/usr.sbin.chronyd:
+ - Improve AppArmor profile to support more chronyd features and ease
+ portability with other distros.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 28 Jan 2018 19:33:46 +0100
+
+chrony (3.2-1) unstable; urgency=medium
+
+ * Import upstream version 3.2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 15 Sep 2017 11:37:10 +0200
+
+chrony (3.2~pre2-1) experimental; urgency=medium
+
+ * Import upstream version 3.2-pre2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/control:
+ - Bump standard-version to 4.1.0 (no changes required).
+
+ * debian/copyright:
+ - Update copyright years.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 30 Aug 2017 15:48:37 +0200
+
+chrony (3.2~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.2-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/patches/*:
+ - Remove allow_getpid_in_seccomp_filter.patch and update the series file
+ accordingly.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Run tests in multiple iterations.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 25 Jul 2017 21:13:22 +0200
+
+chrony (3.1-5) unstable; urgency=medium
+
+ * debian/chrony.if-up:
+ - Do not pass the “burst” command to chronyc as the script could return an
+ error in certain situations. As a consequence, that would prevent ifupdown
+ from writing the current state of the interfaces in /run/network/ifstate.
+ Thanks to John Eikenberry <jae@zhar.net> for reporting that issue.
+ (Closes: #868491)
+
+ * debian/chrony.ppp.ip-up:
+ - Take the same action as for the “chrony.if-up” script as a precautionary
+ measure.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 17 Jul 2017 16:47:56 +0200
+
+chrony (3.1-4) unstable; urgency=medium
+
+ * Now that Stretch has been released (\o/), let’s upload chrony 3.1 to
+ unstable.
+
+ * debian/:
+ - Remove the menu file used to launch “chronyc”. It is a CLI only tool,
+ thus it probably does not make a lot of sense to keep it in the Debian
+ menu.
+
+ * debian/control:
+ - Drop dependency on pre-jessie util-linux version.
+ - Bump standard-version to 4.0.0 (no changes required).
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Fix the leading comment which mentioned “vm” despite the fact that the
+ test runs in a container.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 19 Jun 2017 02:30:10 +0200
+
+chrony (3.1-3) experimental; urgency=medium
+
+ * debian/chrony.if-{post-down,up}:
+ - Remove unnecessary “else” statements.
+
+ * debian/chrony.ppp.ip-down:
+ - Don’t check and delete “/var/run/chrony-ppp-up”, that file doesn’t exist
+ anymore.
+ - Check for pid file existence instead of calling “pidof”.
+
+ * debian/chrony.ppp.ip-up:
+ - Don’t create “/var/run/chrony-ppp-up” file after the ppp link came up.
+ - Check for pid file existence instead of calling “pidof”.
+ - Don’t call “chronyc” using its absolute path.
+ - Check for the presence of a default route before advising “chronyd” that
+ the network connectivity to the sources is ready.
+
+ * debian/init:
+ - Check if “$PIDFILE” exists before taking action.
+ - Do not print informational messages.
+ - Remove the “chronyd” pid file when stopping as it doesn’t do it on
+ its own.
+ - Rework the “restart|force-reload” pattern.
+ - Make use of some init-functions.
+ - Print a message if “chronyd” is already running while attempting to start
+ it.
+ - Do not delete “/var/run/chrony-ppp-up”, that file doesn’t exist anymore.
+
+ * d/rules:
+ - Move the default pid file from “/var/run” to “/run”.
+
+ * d/tests/*:
+ - Use autopkgtest facility to run the upstream simulation test suite.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 14 May 2017 17:26:15 +0200
+
+chrony (3.1-2) experimental; urgency=medium
+
+ * Merge branch 'master' into experimental. (Closes: #861258)
+
+ * debian/patches/*:
+ - Remove the “fix_time_smoothing_in_interleaved_mode.patch” patch. Not
+ needed anymore.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 26 Apr 2017 21:17:43 +0200
+
+chrony (3.1-1) experimental; urgency=medium
+
+ * Import upstream version 3.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.conf:
+ - Remove the “hwclockfile” directive. Unneeded now that the configure
+ script allows us to set the default path to the adjtime file via the
+ “--with-hwclockfile” option.
+
+ * debian/copyright:
+ - Update copyright years.
+
+ * debian/rules:
+ - Specify default path to hwclock adjtime file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 02 Feb 2017 19:24:30 +0100
+
+chrony (3.0-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Backport commit 768bce799bfe to make chrony operable with the syscall
+ filtering feature enabled in level 1. (Closes: #861258)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 26 Apr 2017 17:39:44 +0200
+
+chrony (3.0-3) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Backport an upstream patch to fix time smoothing in interleaved mode.
+ (Closes: #854424)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 07 Feb 2017 00:37:24 +0100
+
+chrony (3.0-2) unstable; urgency=medium
+
+ * debian/chrony.conf:
+ - Disable logging by default, it waste some disk space and users are
+ probably better served by “chronyc sources” and “chronyc sourcestats”
+ commands anyway.
+
+ * debian/chrony.service:
+ - Remove the “Restart=on-failure” option. There are possible security
+ implications for NTP clients.
+
+ * debian/dirs:
+ - Add etc/logrotate.d to avoid build failure.
+
+ * Remove our logrotate configuration file in favour of the upstream’s one.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 Jan 2017 15:26:31 +0100
+
+chrony (3.0-1) unstable; urgency=medium
+
+ * Import upstream version 3.0:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * Merge branch “experimental”:
+ - Enable support for MS-SNTP authentication in Samba.
+ - Rename --chronysockdir to --chronyrundir.
+ - Enable seccomp facility on powerpcspe.
+
+ * debian/chrony.conf:
+ - Make use of the “makestep” directive to step the system clock instead of
+ slewing it when necessary.
+ - Drop the “offline” option as per upstream’s advice to render chrony’s
+ start-up sequence safer.
+
+ * debian/chrony.service:
+ - Reflect init-helper script deletion.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2017.
+ - Adjust copyright holders and update some copyright years. Kudos to Paul
+ Gevers <elbrus@debian.org> for spotting the necessary updates.
+
+ * debian/init:
+ - Reflect init-helper script deletion.
+
+ * debian/install:
+ - Don’t install the init-helper script, it has been deleted.
+
+ * debian/README.Debian:
+ - Remove obsolete information.
+
+ * Remove the init-helper script as it no longer needed.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 17 Jan 2017 22:05:31 +0100
+
+chrony (3.0~pre3-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 06 Jan 2017 14:20:13 +0100
+
+chrony (3.0~pre2-2) experimental; urgency=low
+
+ * Merge branch “master”.
+
+ * Enable seccomp facility on powerpcspe.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 03 Jan 2017 18:17:13 +0100
+
+chrony (3.0~pre2-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 15 Dec 2016 15:23:44 +0100
+
+chrony (3.0~pre1-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/copyright:
+ - Mention new files.
+
+ * debian/rules:
+ - Enable support for MS-SNTP authentication in Samba.
+ - Rename --chronysockdir to --chronyrundir.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 10 Dec 2016 16:30:19 +0100
+
+chrony (2.4.1-3) unstable; urgency=medium
+
+ * debian/apm:
+ - Removing that script as APM as been replaced by ACPI long time ago, thus
+ it’s highly probable that it isn’t useful anymore.
+
+ * debian/chrony.maintscript:
+ - Remove the apm script’s conffile.
+
+ * debian/chrony.service:
+ - Supply a systemd service file.
+ - Update unit section’s description. Add chronyc and chrony.conf man pages
+ information and remove reference to “/usr/share/doc/chrony.txt.gz” which
+ is not generated anymore.
+ - Update unit section’s documentation.
+
+ * debian/dirs:
+ - Don’t create etc/apm/event.d as the apm script isn’t provided anymore.
+
+ * debian/init:
+ - Convert to use the init-helper script.
+
+ * debian/init-helper:
+ - Add a helper script that will be used to maintain feature parity between
+ the SysV script and the systemd service file.
+
+ * debian/install:
+ - Install the init-helper script in “/usr/lib/chrony”.
+
+ * debian/rules:
+ - Don’t install the now removed apm script.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 22 Dec 2016 02:16:54 +0100
+
+chrony (2.4.1-2) unstable; urgency=medium
+
+ * debian/chrony.conf:
+ - Don’t create sample histories by default. Using that feature does not
+ make a lot of sense when using a pool of rapidely rotating time servers.
+ - Remove unused directives.
+ - Improve (well, I hope! ;-) ) the configuration file readability.
+ - Reword the driftfile directive commentary.
+ - Shorten the lead-in comment.
+
+ * debian/control:
+ - Build-depend on pps-tools only on linux.
+ - Remove libnss3-dev from Build-Depends until #846012 is fixed.
+
+ * debian/init:
+ - Don’t pass the “-r” option when restarting chronyd as we have disabled
+ the creation of sample histories by default.
+
+ * debian/rules:
+ - Drop dh_auto_build override. Nowadays, the documentation is built by
+ default.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 9 Dec 2016 16:58:32 +0100
+
+chrony (2.4.1-1) unstable; urgency=medium
+
+ * Import upstream version 2.4.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.default:
+ - New file used to pass options to chronyd. Thanks to nutzteil
+ <nutzteil@web.de> for the suggestion and the initial patch.
+ (Closes: #834240)
+
+ * debian/compat:
+ - Bump to debhelper compat 10.
+
+ * debian/control:
+ - Build depend on debhelper ≥ 10.
+
+ * debian/copyright:
+ - Use HTTPS for all URI.
+
+ * debian/init:
+ - Read and execute options assigned to the “DAEMON_OPTS” variable.
+
+ * debian/rules:
+ - Drop dh “--parallel” option. Enabled by default in debhelper 10.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 21 Nov 2016 12:58:05 +0100
+
+chrony (2.4-1) unstable; urgency=medium
+
+ The “Fix decade-old bug reports” release.
+
+ * Import upstream version 2.4:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.if-{up,post-down}:
+ - New scripts used to put chronyd online/offline depending on the
+ state of the connection. (Closes: #240528,#312092,#389961)
+
+ * debian/chrony.keys:
+ - Highlight “chronyc keygen” command to generate keys.
+
+ * debian/chrony.ppp.ip-down:
+ - Be sure that there is no default route before going offline.
+ (Closes: #252131)
+
+ * debian/control:
+ - Remove install-info dependency.
+ - Remove texinfo build dependency since documentation in Texinfo format
+ has been dropped upstream.
+ - Build depend on asciidoctor ≥ 1.5.3-1~. The version constraint is
+ important since chrony’s man pages are generated from “adoc” files, a
+ functionality that has been added in asciidoctor 1.5.3.
+
+ * debian/dirs:
+ - Add “etc/NetworkManager/dispatcher.d”.
+
+ * debian/doc-base:
+ - Remove the file since we do not generate chrony.{html,txt} anymore.
+
+ * debian/docs:
+ - Remove references to chrony.{html,txt}.
+
+ * debian/patches/*:
+ - Drop fix-ftbfs-on-powerpc-ppc64-ppc64el.diff; applied upstream.
+ - Update the “series” file accordingly.
+
+ * debian/postinst:
+ - Use ucfr to associate chrony with its configuration files. Suggested by
+ Paul Gevers <elbrus@debian.org>
+
+ * debian/postrm:
+ - Remove all vestiges of the association between chrony and its
+ configuration files. Also suggested by Paul Gevers <elbrus@debian.org>
+
+ * debian/rules:
+ - Provide upstream NetworkManager dispatcher script.
+
+ * debian/watch:
+ - Use HTTPS to fetch new upstream releases.
+ - Switch to version 4 format.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 17 Jun 2016 17:20:08 +0200
+
+chrony (2.3-2) unstable; urgency=low
+
+ * Cherry pick upstream patch to fix FTBFS on PowerPC, ppc64 and ppc64el
+ architectures.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 20 May 2016 14:21:14 +0200
+
+chrony (2.3-1) unstable; urgency=low
+
+ * Import upstream version 2.3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+ (Closes: #818235)
+
+ * debian/chrony.conf:
+ - Drop the “logchange” directive. Upstream has enabled “logchange” by
+ default with a threshold of 1 second. We now use that instead of our custom
+ threshold of 0,5 second which tended to spam syslog.
+ - Remove obsolete comment.
+
+ * debian/chrony.lintian-overrides:
+ - Update “chrony.keys” path
+
+ * debian/control:
+ - Bump standard-version to 3.9.8 (no changes required).
+ - Use HTTPS transport protocol for the homepage URL.
+
+ * debian/copyright:
+ - Add some entries about new or untracked files.
+
+ * debian/postinst:
+ - Move /usr/share/chrony/chrony.keys template to /etc/chrony using ucf.
+ - Avoid displaying needless prompt when upgrading to chrony ≥ 2.2.1-1.
+ (Closes: #820087)
+
+ * debian/postrm:
+ - Remove chrony.keys on purge.
+ - Remove all vestiges of chrony.keys from the state hashfile.
+
+ * debian/rules:
+ - Re-enable test suite.
+ - Remove dh_installinit override. The init script is LSB-compliant so
+ passing the “default” option or the two-digit sequence number is unneeded.
+ - Explicitly set the NTP era. With this change, the NTP time will be
+ mapped from 1970-01-01T00:00:00Z to 2106-02-07T06:28:16Z. Thanks to this
+ fixed value, chrony build should be reproducible.
+ - Move the key file template (chrony.keys) in /usr/share/chrony.
+ - Force /usr/share/chrony/chrony.keys to use 0640 modes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 May 2016 23:13:05 +0200
+
+chrony (2.2.1-1) unstable; urgency=medium
+
+ * Import upstream versions 2.2 and 2.2.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+ - The 2.2.1 release version fixes CVE-2016-1567. (Closes: #812923)
+
+ * debian/chrony.conf:
+ - Drop the commandkey directive. It is obsolete since the introduction of a
+ Unix domain command socket in chrony 2.2.
+ - Fix keyfile directive commentary.
+
+ * debian/chrony.keys:
+ - New file template.
+
+ * debian/chrony.lintian-overrides:
+ - New file used to force lintian to stop complaining about the “chrony.keys”
+ file modes (0640).
+
+ * debian/chrony.ppp.ip-down:
+ - Drop obsolete authentication method to the chronyd daemon. This is now
+ handled by the usage of a Unix domain command socket.
+
+ * debian/chrony.ppp.ip-up:
+ - Drop obsolete authentication method to the chronyd daemon. This is now
+ handled by the usage of a Unix domain command socket.
+ - Reinstate the “burst” chronyc command.
+
+ * debian/control:
+ - Build depend on libseccomp-dev ≥ 2.2.3-3~. We need it to provide syscall
+ filtering.
+ - Fix a typo relative to the name of an architecture.
+ - Build depend on pkg-config.
+ - Restrict libcap-dev build dependency on Linux only.
+ - Depend on iproute2 instead of net-tools.
+ - Drop timelimit dependency.
+ - Update Vcs-Git to use HTTPS.
+ - Bump standard-version to 3.9.7 (no changes required).
+
+ * debian/copyright:
+ - Update copyright year for debian/*.
+
+ * debian/init:
+ - Make use of “ip r” instead of “netstat -rn”. (Closes: #818234)
+ - Delete unused “FLAGS” variable.
+ - Do not execute ip and chronyc through timelimit.
+ - Don’t call chronyc using its absolute path.
+ - Check if the value of the DAEMON variable is executable.
+ - Drop the two seconds delay as it should be unnecessary.
+ - Drop obsolete authentication method from the putonline() function.
+ - Fix indentation issue in the putonline() function.
+
+ * debian/logrotate:
+ - Do not pass the “-a” option to chronyc, it’s no longer necessary.
+
+ * debian/NEWS:
+ - Add a comment about the command key suppression from the “chrony.keys”
+ file.
+
+ * debian/patches/:
+ - Drop 01_do-not-install-copying-file.patch, not needed anymore.
+ ↳ Remove reference to that patch from the series file.
+
+ * debian/postinst:
+ - Do not create an ID/key pair for command authentication. Configuration
+ and monitoring via chronyc is now done using Unix domain socket accessible
+ by root or by the system user to which chronyd will drop root privileges,
+ i.e. _chrony.
+
+ * debian/postrm:
+ - Remove /var/lib/chrony content only on purge. (Closes: #568492)
+
+ * debian/README.Debian:
+ - Drop obsolete statement.
+
+ * debian/rules:
+ - Build with --enable-scfilter.
+ - Install the “chrony.keys” file in /etc/chrony/ with 0640 modes.
+ - Override dh_fixperms to prevent it from modifying modes of the
+ “chrony.keys” file. By default, dh_fixperms tries to set the default modes
+ (0644).
+ - Move the “chronyd.sock” file from /var/run/chrony to /run/chrony.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 19 Mar 2016 14:42:23 +0100
+
+chrony (2.1.1-1) unstable; urgency=medium
+
+ * Import upstream version 2.0 and 2.1.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/:
+ - Rename ppp scripts from ip-{up,down} to chrony.ppp.ip-{up,down}.
+ Necessary to let dh_installppp do its magic.
+
+ * debian/chrony.conf:
+ - Use the new 'pool' directive to specify the pool of NTP servers.
+ - Use the iburst option to speed up the initial synchronization.
+ - Drop the minpoll option. There is no point to deviate from upstream here.
+ Consequently, the default minimum polling interval is now 64 seconds
+ instead of 256 seconds.
+ - Enable kernel synchronization of the RTC via the 'rtcsync' directive.
+ - Drop the commented out 'rtcfile' directive in the configuration file.
+ - Stricly act as an NTP client by default. Serving time to other systems
+ should be the decision of the administrator(s). (Closes: #778770)
+ - Clarify some comments.
+ - Improve comment about the 'commandkey' directive.
+
+ * debian/control:
+ - Drop 'Recommends: udev (>= 0.124-1)' since it predates Debian squeeze.
+
+ * debian/copyright:
+ - Update copyright years.
+ - Various cleanups.
+ - Update relative to sys_macosx.{c,h} files.
+ - The test/simulation/test.common file is under the GPL-2+ license.
+ Thanks to Paul Gevers <elbrus@debian.org> for catching it.
+
+ * debian/NEWS:
+ - Comment the deactivation of the NTP server capability by default.
+
+ * debian/patches/:
+ - Refresh 01_do-not-install-copying-file.patch.
+
+ * debian/README.Debian:
+ - Fix misleading information.
+
+ * debian/rules:
+ - No need to install ppp scripts from the 'rules' script. Let dh_installppp
+ handle that.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 Nov 2015 00:11:23 +0100
+
+chrony (1.31.1-2) unstable; urgency=medium
+
+ * Rename the NEWS.Debian file to NEWS. dh_installchangelogs doesn’t seems
+ to be able to deal with the former name.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 17 Sep 2015 21:50:30 +0200
+
+chrony (1.31.1-1) unstable; urgency=medium
+
+ * Import upstream version 1.31 and 1.31.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for release notes.
+
+ * debian/chrony.conf:
+ - Use the 'hwclockfile' directive. Avoid using text processing methods in
+ the post install script to find out if the RTC keeps local time or UTC.
+ (Closes: #778710)
+
+ * debian/clean:
+ - Add getdate.c
+
+ * debian/control:
+ - Move chrony from admin to net section.
+ - Change priority from extra to optional.
+ - Build depends on libcap-dev. (Closes: #768803)
+ - Bump standards-version to 3.9.6 (no changes required).
+ - Set myself as maintainer and Joachim as uploader.
+ - Update Vcs-Browser URL to use cgit and https.
+ - Build depends on pps-tools. Provides PPSAPI (RFC-2783) support.
+ - Improve the synopsis.
+ - Depend on util-linux (>= 2.20.1-5). Ensure that the 'UTC=' setting
+ from the '/etc/default/rcS' file have been migrated to UTC/LOCAL in
+ '/etc/adjtime'.
+ - Depends on adduser. Needed to create "_chrony" system user/group.
+
+ * debian/copyright:
+ - Add myself to copyright holders.
+ - Remove spaces from short name license (fix Lintian warning)
+ - Filled short license field (RSA-MD) (fix Lintian warning)
+ - Move comment to the "Comment:" field
+
+ * debian/logrotate:
+ - Simplify postrotate script. Thanks to Frédéric Brière
+ <fbriere@fbriere.net> for reporting and diagnosing the issue.
+ (Closes: #763542)
+
+ * debian/patches:
+ - Drop patches for issues fixed upstream.
+ - Rename and update patch. Update the series file accordingly.
+
+ * debian/postinst:
+ - Pass the '--three-way' option to ucf.
+ - Remove useless text processing methods as we now use the 'hwclockfile'
+ directive. (Closes: #778711)
+ - Create "_chrony" system user/group.
+ - Update the "new_file" path in the ucf invocation.
+ - Remove the MAILPASSWORD shell variable as we don’t use it.
+
+ * debian/postrm:
+ - Drop removal instruction of /etc/cron.weekly/chrony.
+ - Remove "_chrony" system user/group on purge.
+ - Don’t pass the --group option to deluser.
+
+ * debian/NEWS.Debian:
+ - New file incorporating worthwhile changes in this release.
+
+ * debian/README.Debian:
+ - Fix typo, thanks to Paul Gevers <elbrus@debian.org> for catching it.
+ - Missing word added.
+
+ * debian/rules:
+ - Build with all hardening flags.
+ - Ease the reading of configure options.
+ - Specify "_chrony" as default chronyd user. This is the system user to
+ which chronyd will drop root privileges. You'll find further information
+ in /usr/share/doc/chrony/README.Debian.
+ (Closes: #688971)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:39:22 +0200
+
+chrony (1.30-2) unstable; urgency=medium
+
+ * With the following security bugfixes (Closes: #782160):
+ - Fix CVE-2015-1853: Protect authenticated symmetric NTP
+ associations against DoS attacks.
+ - Fix CVE-2015-1821: Fix access configuration with subnet
+ size indivisible by 4.
+ - Fix CVE-2015-1822: Fix initialization of reply slots for
+ authenticated commands.
+ * debian/control:
+ - Update e-mail address of myself.
+ - Add Vincent Blut as co-maintainer.
+
+ -- Joachim Wiedorn <joodebian@joonet.de> Fri, 10 Apr 2015 11:41:31 +0200
+
+chrony (1.30-1) unstable; urgency=medium
+
+ * New upstream release with following bugfixes:
+ - Fix crash when selecting with multiple preferred sources.
+ - Fix frequency calculation with large frequency offsets.
+ - Fix code writing drift and RTC files to compile correctly.
+ - Fix -4/-6 options in chronyc to not reset hostname set by -h.
+ - Fix refclock sample validation with sub-second polling interval.
+ - Set stratum correctly with non-PPS SOCK refclock and local stratum.
+ - Modify dispersion accounting in refclocks to prevent PPS getting
+ stuck with large dispersion and not accepting new samples.
+ - Move faq.txt (PHP style) to a plain text file FAQ. Closes: #415729
+
+ * Add gpg signature of upstream developer for use with uscan.
+ * Update debian/watch, add check of upstream gpg signature.
+ * Update all patches.
+
+ * Bugfix: Use /etc/adjtime in postinst script to recognize
+ UTC hardware clock. Closes: #680498
+ * Use logrotate instead of cron script. Closes: #323966
+ * debian/rules: disable test simulation.
+
+ * debian/control: remove obsolete build dependency to dpkg-dev.
+ * debian/install, debian/dirs, debian/clean: Update.
+ * debian/copyright: Update and add entries.
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Sun, 10 Aug 2014 19:10:35 +0200
+
+chrony (1.29.1-1) unstable; urgency=high
+
+ * New upstream release with bugfix:
+ - Closes: #737644: Fixing vulnerability:
+ CVE-2014-0021 - traffic amplification in cmdmon protocol
+ (incompatible with previous protocol version, but chronyc
+ supports both).
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Thu, 06 Feb 2014 15:51:47 +0100
+
+chrony (1.29-1) unstable; urgency=medium
+
+ * New upstream release with some bugfixes:
+ - Closes: #719132: new upstream version, fixes security bugs.
+ - Closes: #719203: Fixing vulnerabilities:
+ CVE-2012-4502 - Buffer overflow,
+ CVE-2012-4503 - Uninitialized data.
+
+ * debian/control:
+ - Set myself as new maintainer. Closes: #705768
+ - Bump to Standards-Version 3.9.5.
+ - Move to debhelper >= 9 and compat level 9.
+ - Update package descriptions.
+ - Add Vcs fields to new git repository.
+ - Add dependency to lsb-base (for init script).
+ - Add build dependency to libtomcrypt-dev.
+ * Move to source format 3.0 (quilt).
+ * Add the following patch files: (Closes: #637514)
+ - 01_fix-small-typo-in-manpages
+ - 03_recreate-always-getdate-c
+ - 04_do-not-look-for-ncurses (Closes: #646732)
+ - 05_disable-installation-of-license
+ * debian/rules:
+ - Move to dh-based rules file.
+ - Enable parallel builds.
+
+ * Add debian/watch file.
+ * Full update of debian/copyright file.
+ * Add debian/doc-base file.
+ * Full update of debian/README.Debian file.
+ * Update debian/postinst, debian/postrm, debian/prerm.
+ * Remove obsolete debian/preinst. Reduce mailing within postinst.
+ * Do not use old md5sum file anymore for ucf in postinst script.
+ * Add status action in init script (debian/init). Closes: #652207
+ * Add debian/install file for installing example of chrony.conf.
+ * Reduce debian/dirs file for use with debhelper 9.
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Fri, 20 Dec 2013 23:35:25 +0100
+
+chrony (1.26-4) unstable; urgency=low
+
+ * QA upload.
+ * Depend on net-tools, for netstat (closes: #707260).
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 08 Jul 2013 18:00:45 +0100
+
+chrony (1.26-3) unstable; urgency=low
+
+ * Orphaned.
+
+ -- John G. Hasler <jhasler@debian.org> Fri, 19 Apr 2013 13:08:31 -0500
+
+chrony (1.26-2) unstable; urgency=low
+
+ * Fixed Makefile.in so that getdate.c gets made (and removed
+ in "clean"). This will go upstream. Moved faq stuff in rules
+ from binary-indep to binary-arch.
+ * Restored accidently deleted nmu changelog entry.
+
+ * Applied patch from Moritz Muehlenhoff <jmm@debian.org>
+ Closes: #655123 Please enabled hardened build flags
+
+ * Fixed upstream.
+ Closes: #518385 Chrony segfaults on startup (narrowed down to
+ chronyc and "burst")
+
+ * Added DEB_BUILD_OPTIONS=noopt to rules.
+ Added build-arch and build-indep to rules.
+ Prefix is now 'usr'.
+ Changed to dh_installman.
+ Fixed "clean:" target.
+ Closes: #479389 Improvements for debian/rules
+
+ * Fixed upstream.
+ Closes: #195620 Strange "System time : xxx seconds slow of NTP time"
+ output
+
+ * Upstream changes should have fixed this.
+ Closes:#294030 chronyd makes the whole system briefly (< 1 second)
+ freeze
+
+ * Fixed by upstream changes and new LSB headers.
+ Closes: #407466 Chrony won't access hardware clock but prevents
+ hwclock from doing so either
+
+ -- John G. Hasler <jhasler@debian.org> Sun, 01 Jul 2012 22:05:56 -0500
+
+chrony (1.26-1) unstable; urgency=low
+
+ * New upstream release
+ Closes: #348554: chrony and hwclock packages not coordinated.
+ Closes: #572964: RTC support is missing.
+ Closes: #642209: add RTC support for linux 3.0.
+ Closes: #644241: new upstream version 1.26 available.
+
+ * Applied patches from Joachim Wiedorn <ad_debian@joonet.de>:
+ Fixed several typos in man pages and README.
+ Added version.h.
+ Moved default chrony.conf to debian/ .
+ Renamed cron and init files.
+ Removed debian/NEWS.Debian, debian/info.
+ Added debian/clean.
+ Updated debian/copyright. COPYING stays. Upstream requires it.
+ Fixed debian/menu, debian/control, updated debian/compat.
+ Added "--without-readline" to debian/rules: rewrite later.
+ Minor fixes to initscript: rewrite later.
+
+ Closes: #646732 Move from readline support to editline support.
+ Closes: #598253 Fix typo in LSB init headers ($hwclock to $time).
+ Closes: #600403 Fix init check with PPP connection.
+
+ -- John G. Hasler <jhasler@debian.org> Sun, 17 Jun 2012 21:55:47 -0500
+
+chrony (1.24-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add patch (directly over the source...), to work with kernels > 3.0.0,
+ by Paul Martin at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628919#15.
+ (Closes: #628919)
+ * Fix readline build-depends from "libreadline5-dev | libreadline-dev" to
+ libreadline-gplv2-dev because chrony is GPLv2 only. (Closes: #634447)
+ * Update copyright file to say that chrony is GPLv2 only. (Closes: #637526)
+
+ -- Ana Beatriz Guerrero Lopez <ana@debian.org> Fri, 12 Aug 2011 12:32:26 +0200
+
+chrony (1.24-3) unstable; urgency=high
+
+ * Applied (modifed) patch from Gregor Herrmann.
+
+ Closes: #593145: fails to configure on installation
+ Closes: #552162: chrony incorrectly thinks that it has failed to
+ (re)start
+ Closes: #592930: invoke-rc.d: initscript chrony, action "start" failed.
+
+ -- John G. Hasler <jhasler@debian.org> Tue, 14 Sep 2010 10:06:47 -0500
+
+chrony (1.24-2) unstable; urgency=low
+
+ * Fixed regression that caused default CHRONY_IOC_ lines to
+ vanish from io_linux.h thereby breaking hppa and ia64.
+
+ Closes: #588930: FTBFS [ia64,hppa]: "I don't know the values of the
+ _IOC_* constants on your architecture"
+
+ * $remote_fs was added in 1.24-1. Depending on networking is neither
+ necessary nor desireable.
+
+ Closes: #590888: Dependencies on init.d script insuficcient
+
+ * Still need to rewrite scripts.
+
+ -- John G. Hasler <jhasler@newsguy.com> Fri, 30 Jul 2010 20:32:55 -0500
+
+chrony (1.24-1) unstable; urgency=low
+
+ * New upstream release. The scripts will be rewritten and many more bugs
+ taken care of in -2. Right now I want to get 1.24 out there.
+
+ * Applied patch from Petter Reinholdtsen to init.d
+
+ Closes: #541806: misses syslog dependency in LSB headers
+
+ * Chrony cannot be linked to libreadline6 because it is GPLv2 only.
+
+ Closes: #553739 replacing libreadline5-dev build dependency with
+ libreadline-dev
+
+ * "configure" rewritten upstream, eliminating "+=".
+
+ Closes: #573036: RTC support disabled (due to Bashism in configure line 293)
+
+ * Removed "install-info" from scripts.
+
+ Closes: #568703: dpkg warnings
+
+ * client.c has been rewritten upstream.
+
+ Closes: #573032
+
+ * Fixed typos.
+
+ Closes: #434629: 'man chrony', 'cronyc', 'cronyd' typos: "parateters" x 2,
+ "priviliges"
+
+ * Added debian/source/format containing "1.0".
+
+ -- John G. Hasler <jhasler@newsguy.com> Tue, 22 Jun 2010 16:01:29 -0500
+
+chrony (1.23-7) unstable; urgency=high
+
+ * Applied patches from upstream to fix remote DOS:
+
+ CVE-2010-0292 Don't reply to invalid cmdmon packets
+
+ CVE-2010-0293 Limit client log memory size
+
+ CVE-2010-0294 Limit rate of syslog messages
+
+ -- John G. Hasler <jhasler@newsguy.com> Tue, 02 Feb 2010 19:37:50 -0600
+
+chrony (1.23-6) unstable; urgency=low
+
+ * Commented out rtcfile directive in chrony.conf because it can cause
+ lockups with certain combinations of motherboard and kernel (this is
+ a known kernel bug).
+
+ Closes: #508298: chronyd unreachable and does not work (clock drifts)
+
+ * Chrony no longer uses the ppp/ip-up.d and ppp/ip-up.d files and the new
+ init.d file won't hang if chronyc hangs.
+
+ Closes: #448481: /etc/ppp/ip-up.d/chrony doesn't work when bindaddress is set.
+
+ * Cannot reproduce on current version on amd64.
+
+ Closes: #412961: error in tracking report (on amd64?)
+
+ -- John Hasler <jhasler@debian.org> Wed, 10 Dec 2008 14:16:37 -0600
+
+chrony (1.23-5) unstable; urgency=low
+
+ * Replaced background kill with 'timelimit' in initscript.
+
+ Closes: #505094: chrony: kills random netstat processes
+
+ * Added 'Recommends: udev (>= 0.124-1)'
+
+ Closes: #497113: /dev/rtc renamed to /dev/rtc0 with linux-image-2.6-*/2.6.26+15
+
+ * Had previously applied patch from Nathanael Nerode to fix configure
+ bug but forgot to close the bug.
+
+ Closes: #392273: Recursive dependency disease: chrony shouldn't depend on ncurses
+
+ -- John Hasler <jhasler@debian.org> Sun, 09 Nov 2008 20:19:22 -0600
+
+chrony (1.23-4) unstable; urgency=low
+
+ * Fixed dependency of init script on Pppconfig ip-up.d script by moving
+ those lines into the init script.
+
+ * Added checks to try to make sure that Chronyd is really, really running.
+ Changed Netstat call to use -n, added code to kill it if it hangs.
+ Added code to kill Chronyc if it can't contact Chronyd.
+ Discussed the HPET/rtc problem in NEWS.Debian.
+
+ Closes: #504000: init script hangs for a while might break upgrade
+
+ * Added missing initialization to create_instance() in ntp_core.c.
+ This was why UTI_NormaliseTimeval() was being called with huge
+ values at times.
+
+ * See comment on #195620 in 1.21z-6 below. If you know of more LP64
+ bugs reopen #348412 with a patch.
+
+ Closes: #348412: chronyc not LP64 compliant
+
+ * Added comment about sources being discarded to chrony.conf as suggested
+ by Andreas Hübner in #268289.
+
+ * This is normal behavior.
+
+ Closes: #287060: trimrtc takes 40 seconds to take effect
+
+ -- John Hasler <jhasler@debian.org> Thu, 06 Nov 2008 10:38:58 -0600
+
+chrony (1.23-3) unstable; urgency=high
+
+ * Rewrote UTI_NormaliseTimeval()in util.c to use divide/remainder
+ instead of loops at the suggestion of Gabor Gombas. This prevents the
+ problem of the loop running until the sun goes out when the function
+ is called with a very large value for tv_usec on 64-bit architectures.
+ Also fixed some other spots where the same loop was being used.
+
+ Closes: #474294 Goes into endless loop
+ Closes: #447011 chronyd stalls with 100% CPU usage
+
+ I still don't know why the function is being called with such a
+ large value, however.
+
+ * Changed default servers in chrony,conf to Debian servers.
+
+ Closes: #434483: chrony: Should use NTP servers in Debian pool
+
+ -- John Hasler <jhasler@debian.org> Sat, 26 Apr 2008 11:47:44 -0500
+
+chrony (1.23-2) experimental; urgency=low
+
+ * Added default IOC's to io_linux.h.
+ Closes: #477043: chrony_1.23-1(ia64/experimental): FTBFS: IOC
+ constants unknown on ia64
+ Closes: #476963: chrony_1.23-1(hppa/experimental): FTBFS: "I don't
+ know the values of the _IOC_* constants for your architecture"
+
+ -- John Hasler <jhasler@debian.org> Sun, 20 Apr 2008 13:29:29 -0500
+
+chrony (1.23-1) experimental; urgency=low
+
+ * New upstream release
+ This is 1.23 with Debian patches applied (including some for LP64).
+ I'm uploading this to Experimental to get it tested on x86_64 to see
+ if #474294 is fixed.
+
+ -- John Hasler <jhasler@debian.org> Sat, 19 Apr 2008 14:49:15 -0500
+
+chrony (1.21z-6) unstable; urgency=low
+
+ * Applied patches from Eric Lammerts <eric@lammerts.org> and Goswin von
+ Brederlow <brederlo@informatik.uni-tuebingen.de> to cast the value
+ returned by ntohl to int32_t and so cause correct sign-extension near
+ line 1655 in client.c. Also fixed similar bugs in the same area. I'm
+ not sure this entirely fixes the chronyc number display problem,
+ though. I've not closed #348412 here because chrony is still not
+ fully LP64 compliant.
+ Closes: #195620: Strange "System time : xxx seconds slow of
+ NTP time" output
+
+ * Replaced addrfilt.c with addrfilt.c from upstream git repository.
+ This fixes the recursive structure definition problems.
+
+ * Replaced 'route' with 'netstat -r' in the initscript.
+
+ * Applied patch for configure script from Nathanael Nerode
+ <neroden@gcc.gnu.org> to delete the superfluous "lncurses" at line
+ 327.
+ Closes: #392273: Recursive dependency disease: chrony shouldn't depend
+ on ncurses
+
+ * Added test to reject servers claiming stratum less than 1 in
+ ntp_core.c "Test 7". Bill Unruh <unruh@physics.ubc.ca> has run across
+ a server that sometimes claims to be stratum 0, which causes
+ considerable confusion.
+
+ -- John Hasler <jhasler@debian.org> Fri, 16 Feb 2007 17:47:40 -0600
+
+chrony (1.21z-5) unstable; urgency=high
+
+ * Applied postinst patch from Lionel Elie Mamane to test for the
+ existence of old .keys and .conf files before renaming them.
+ Closes: #397759: fails to configure: mv: cannot stat `/etc/chrony/chrony.keys.1.21-2':
+ No such file or directory
+
+ * Added burst command to /etc/ppp/ip-up.d/chrony to give chronyd a kick in the butt.
+ Shouldn't need that, though.
+ Initscript now calls /etc/ppp/ip-up.d/chrony if a default route exists.
+ Closes: #397739: Not connecting to sources after reboot - dialup
+
+ -- John Hasler <jhasler@debian.org> Sun, 26 Nov 2006 08:07:20 -0600
+
+chrony (1.21z-4) unstable; urgency=low
+
+ * Added test for /usr/bin/mail to postinst.
+ Closes: #386651: chrony: Requires /usr/bin/mail but doesn't depend on it
+ Closes: #390280: chrony: missing dependency on mail
+
+ * Added LSB headers to initscript
+
+ * Corrected erroneous use of 'dpkg --compare-version' in preinst and postinst.
+ Closes: #386733: fails to configure (bad upgrade check)
+
+ * Added rm to postinst to remove keyfile possibly left by a failed install.
+ Closes: #390278: usage of tempfile /etc/chrony/chrony.keys is doubtful
+
+ -- John Hasler <jhasler@debian.org> Sat, 7 Oct 2006 13:39:49 -0500
+
+chrony (1.21z-3) unstable; urgency=low
+
+ * Changed upstream version number from 1.21 to 1.21z to satisfy Debian
+ archive software.
+
+ * Replaced impure chrony_1.21.orig.tar.gz.
+ Closes: #340030: chrony: Tarball is impure
+
+ * Now Provides, Conflicts, Replaces time-daemon
+ Closes: #330839: time-daemon pseudopackage
+
+ * Corrected typos.
+ Closes: #321121: chrony: typo in 'Conflicts:' field: s/ntpsimple/ntp-simple/ and s/ntprefclock/ntp-refclock/
+
+ * Rewrote postinst and postrm to use ucf. Wrote preinst to protect chrony.conf from dpkg.
+ Closes: #351332: chrony: conffile change prompt prevents smooth upgrade from sarge to etch
+
+ * Deleted last few lines of chrony.conf as they no longer apply.
+
+ * Deleted .arch-ids from contrib and examples.
+
+ * Fixed typo in chronyc.1
+ Closes: #349871: chrony: typo in chrnoyc.1 results in missing word
+
+ * Corrected references in man pages.
+ Closes: #345034: chrony: man pages refer to wrong sections
+
+ * Added "allow 172.16/12" to chrony.conf.
+ Closes: #252952: chrony: default allow should also have 172.16/12
+
+ * Channged server lines in chrony.conf to follow ntp.org current recommendation.
+ Closes: #243534: chrony: new pool.ntp.org setup doesn't work well
+
+ * Fixed FSF address in debian/copyright.
+
+ -- John Hasler <jhasler@debian.org> Fri, 1 Sep 2006 10:52:52 -0500
+
+chrony (1.21-2) unstable; urgency=high
+
+ * Patched io_linux.h to add missing architectures.
+ Closes: #339764: chrony - FTBFS: #error "I don't know the values of the
+ _IOC_* constants for your architecture"
+
+ * Fixed brown-bag error in rules.
+ Closes: #339853: /usr/sbin/chronyd is missing
+
+ -- John Hasler <jhasler@debian.org> Sat, 19 Nov 2005 10:12:49 -0600
+
+chrony (1.21-1) unstable; urgency=low
+
+ * New upstream release
+ Closes: #328292: New version of chrony avalaible
+ Closes: #301592: Fails to read RTC and floods logfiles
+
+ * Enabled RTC as upstream has installed a work-around for the HPET bug.
+
+ * Switched to libreadline5.
+ Closes: #326379: please rebuild with libreadline5-dev as build dependency
+
+ * Patched addrfilt.c to fix gcc 4.0 build problem.
+ Closes: #298709: chrony: FTBFS (amd64/gcc-4.0): array type has incomplete element type
+
+ * There are lots more minor things to fix but I'm uploading now to close
+ the serious bugs. I'll upload another version with some improvements
+ in a few weeks.
+
+ -- John Hasler <jhasler@debian.org> Tue, 15 Nov 2005 18:39:49 -0600
+
+chrony (1.20-8) unstable; urgency=high
+
+ * Added test for /usr/bin/mail in postinst.
+ Closes: #307061: Install failure: Cannot configure on system without mailx
+ I consider this bug serious because it can cause installation to fail
+ and so I want to get the fix into Sarge.
+
+ * Fixed typo in chrony.conf, replaced '/etc/init.d/chrony restart'
+ with 'invoke-rc.d chrony restart'.
+ Closes: #305090: Typo in chrony.conf, should mention invoke-rc.d
+
+ * Added README.Debian explaining that rtc is off by default.
+
+ -- John Hasler <jhasler@debian.org> Sat, 30 Apr 2005 18:47:30 -0500
+
+chrony (1.20-7) unstable; urgency=low
+
+ * Added info-4 to debian/rules.
+ Closes: #287142: chrony: Can't find chrony.info-4
+
+ * Corrected "See Also" section in chrony man page. Now mentions
+ chronyc(1), chronyd(8), and chrony.conf(5).
+ Closes: #287444: chrony.1.gz: SEE ALSO on man page has wrong section.
+
+ * Edited chrony.conf to disable rtc by default and explain why:
+ on some systems that use genrtc or the HPET real-time clock it
+ fails and causes chronyd to fill up the log. The failure is
+ probably due to a kernel bug, bug the logging should be
+ throttled.
+
+ * Added more explanatory comments at the servers directive in
+ chrony.conf.
+
+ * The postinst script now sends a message to root saying where the
+ password is, whether Chrony is assuming UTC or local time,
+ that rtc updating is disabled, why, and how to change it.
+
+ * Added missing '#' to
+ "Can't tell how your clock is set: assuming local time."
+ in postinst.
+
+ -- John Hasler <jhasler@debian.org> Tue, 12 Apr 2005 17:59:13 -0500
+
+chrony (1.20-6) unstable; urgency=low
+
+ * Fixed error in chrony.conf where the non-existent 'online' directive
+ was mentioned.
+ Closes: #257235 misleading instructions in chrony.conf
+
+ * Patched Makefile.in to generate faq.html.
+ Closes: #265936 /usr/share/doc/chrony/faq.txt.gz: how to read?
+
+ -- John Hasler <jhasler@debian.org> Sat, 4 Dec 2004 17:47:31 -0600
+
+chrony (1.20-5) unstable; urgency=low
+
+ * Put pool.ntp.org servers in chrony.conf as defaults.
+
+ * Fixed erroneous references to chronyd(1) in some man pages.
+ Closes: #241746 SEE ALSO chronyd(1) should be (8)
+
+ * I got a new motherboard and can no longer reproduce this.
+ If you can please reopen the bug.
+ Closes: #223518 Rtc stuff is broken
+
+ * Edited chrony.conf(5).
+ Closes: #241745 many more features have been added
+
+ * Edited chrony.conf to add logchange and mailonchange and to
+ enable rtc by default.
+ Closes: #226644 /etc/chrony/chrony.conf: rtc; not all options are noted in conf file
+
+ * Fixed upstream: see NEWS.
+ Closes: #124089 mistake in the chrony manual
+ Closes: #177366: trailing blank on log lines
+ Closes: #195618 failure to use /dev/misc/rtc floods logfiles
+ Closes: #53066 "acquisitionport" directive and doc fixes [patch]
+ Closes: #100880 RFE: don't use /proc when uname(2) will do
+ Closes: #163470: different bindaddresses for ntp port and control port
+ Closes: #200174: Chrony breaks under Kernel 2.5 (two bugs)
+
+ -- John Hasler <jhasler@debian.org> Sat, 10 Apr 2004 22:00:00 -0500
+
+chrony (1.20-4) unstable; urgency=low
+
+ * Added '#include <asm/types>' to rtc_linux.c to fix Alpha build problem.
+ Also removed spinlock stuff from configure.
+
+ -- John Hasler <jhasler@debian.org> Fri, 26 Dec 2003 21:00:00 -0600
+
+chrony (1.20-3) unstable; urgency=low
+
+ * Removed all inclusions of kernel headers.
+ Hopefully Chrony will now build on m68k.
+
+ -- John Hasler <jhasler@debian.org> Tue, 23 Dec 2003 19:00:00 -0600
+
+chrony (1.20-2) unstable; urgency=low
+
+ * Removed spinlock.h and mc146818.h from rtc_linux.c. linux/rtc.h and
+ RTC_UIE=0x10 provide everything needed now.
+ Closes: #223134 FTBFS: Errors in kernel headers
+
+ * However, rtc is now broken (and appears to have been broken for some time)
+ on 440BX chipsets with 2.4 kernels.
+
+ -- John Hasler <jhasler@debian.org> Fri, 12 Dec 2003 13:00:00 -0600
+
+chrony (1.20-1) unstable; urgency=low
+
+ * New upstream release.
+
+ * Frank Otto's patch to sys_linux.c, function guess_hz_and_shift_hz now
+ incorporated upstream.
+ Closes: #198557 Fatal error: chronyd can't determine hz for kernel with HZ=200
+
+ * Security and 64 bit patches are now incorporated upstream
+ along with most non-i386 architecture patches.
+
+ * Put correct links in /usr/share/doc/chrony/timeservers.
+ Closes: #189686 /usr/share/doc/timeservers links are broken
+
+ * Put correct links in chrony.conf.
+ Closes: #210886 bad link in chrony.conf
+
+ * Put missing newlines in apm and chrony.keys.
+ Closes: #211604 Build-warning: some files misses final newline
+
+ * Removed conflict with ntpdate.
+
+ -- John Hasler <jhasler@debian.org> Tue, 7 Oct 2003 22:00:00 -0500
+
+chrony (1.19-10) unstable; urgency=low
+
+ * Put linux/linkage.h ahead of linux/spinlock.h as I meant to in
+ the first place.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 13 Jul 2003 7:00:00 -0500
+
+chrony (1.19-9) unstable; urgency=low
+
+ * Added "#include <linux/linkage.h>" to rtc_linux.c to fix mips
+ build failure.
+ Closes: #200165 chrony doesn't build on mips and mipsel
+
+ -- John Hasler <john@dhh.gt.org> Sat, 12 Jul 2003 10:00:00 -0500
+
+chrony (1.19-8) unstable; urgency=low
+
+ * Added bison to build-depends because of addition of getdate.y
+
+ -- John Hasler <john@dhh.gt.org> Tue, 3 Jun 2003 10:00:00 -0500
+
+chrony (1.19-7) unstable; urgency=high
+
+ * Closes: #186498 chronyc hangs if no chronyd is running
+ Added test for running daemon to ip-{up|down} scripts.
+ Disabled trimrtc for ALPHA
+ Closes: #195615 GPL violation - generated file without source
+ * Added a copy of getdate.y to source.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 1 Jun 2003 7:00:00 -0500
+
+chrony (1.19-6) unstable; urgency=low
+
+ * Closes: #179842 "CROAK" redefined
+ Added '#undef CROAK' before CROAK redefiniton in pktlength.h,
+ added '-DALPHA' to 'alpha' condition in configure, added
+ 'ifdef ALPHA' around CROAK redefinition.
+ * Replaced many signed and unsigned longs as well as some ints,
+ shorts, and chars with stdint.h types in candm.h, md5.h, ntp.h,
+ clientlog.h, and ntp_io.c. This should fix all 64-bit problems.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 14 Mar 2003 19:00:00 -0600
+
+chrony (1.19-5) unstable; urgency=high
+
+ * Closes: #184065 Assertion `sizeof(NTP_int32) == 4' failed on alpha
+ Fixed several spots where the author assumed that a long is 32 bits.
+ There are many more misuses of long as well as several of short and
+ char but I think I got the only ones likely to cause trouble.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 14 Mar 2003 11:00:00 -0600
+
+chrony (1.19-4) unstable; urgency=low
+
+ * Closes: #179538 FTBFS: missing build-depends on makeinfo
+ Added texinfo to build-depends.
+ * CLoses: #179508: chrony(c|d) show wrong version numbers
+ Removed spurious version.h.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 2 Feb 2003 19:00:00 -0600
+
+chrony (1.19-3) unstable; urgency=low
+
+ * Updated author's address in copyright file.
+ * Closes: #163446 patch, that scripts can handle all commandkeys
+ Applied debugged patch.
+ * Closes: #107863 doesn't know about APM
+ Put apm script in debian/ and added rules to copy it to
+ etc/apm/event.d as instructed by the apmd maintainer.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 31 Jan 2003 18:00:00 -0600
+
+chrony (1.19-2) unstable; urgency=low
+
+ * Closes: #100879 unnecessary dependency on libm
+ Applied patch from Zack Weinberg <zack@codesourcery.com>
+ * Closes: #124091 the force-reload command of /etc/init.d/chrony should
+ use the -r option.
+ Added -r option.
+
+ -- John Hasler <john@dhh.gt.org> Wed, 29 Jan 2003 10:00:00 -0600
+
+chrony (1.19-1) unstable; urgency=low
+
+ * New upstream release.
+ * Closes: #178338 New upstream version fixes crashes caused by adjtimex
+ failure
+ * Closes: #178101 /etc/ppp/ip-{up,down}.d/chrony installed with
+ incorrect permissions
+ This bug was previously reported and fixed in 18-1
+ * Closes: #176130 got an error when I use ppp_on_boot
+ Changed 'update-rc.d chrony defaults 83' to
+ 'update-rc.d chrony defaults 14' in init.d so that chrony
+ will come up before ppp.
+ * Added code to postinst to read /etc/default/rcS and
+ set rtconutc appropriately in chrony.conf.
+ * Rewrote password generator in postinst.
+ * Closes: #100879 unnecessary dependency on libm
+ I don't know why this wasn't closed months ago.
+ * Closes: #103447 typo in "/etc/init.d/chrony"
+ * Closes: #124087 problems with /etc/init.d/chrony
+ Fixed script.
+ * Closes: #161350 /etc/ppp/ip-down.d/chrony cat unnecessary
+ Fixed scripts.
+ * Closes: #113840 ntp has been split - add conflicts?
+ Added ntp-simple and ntp-refclock to conflicts.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 26 Jan 2003 15:00:00 -0600
+
+chrony (1.18-2) unstable; urgency=low
+
+ * Corrects error in changelog which resulted
+ in uploads being erroneously classified as NMUs.
+ * Closes: #138142, #104774, #142670, #105344, #101039
+ * Closes: #162427, #56756, #98951, #99799, #139633
+ * Closes: #163469, #163408, #167416
+
+ -- John Hasler <john@dhh.gt.org> Sun, 3 Nov 2002 20:00:00 -0600
+
+chrony (1.18-1) unstable; urgency=low
+
+ * New upstream release.
+ * Closes: #138142 new upstream release
+ * Added Mark Brown's Alpha and PowerPC patch.
+ * Closes: #104774 hppa build failure
+ Applied patch.
+ * Closes: #142670 compilation errors on sparc
+ Applied patch.
+ * Closes: #105344 ip-{up, down}.d/chrony not executable
+ Fixed debian/rules.
+ * Closes: #101039 does not run on Alpha
+ Fixed by above mentioned Mark Brown patch.
+ * Closes: #162427 description should mention NTP
+ Fixed description.
+ * Closes: #56756 README.debian should caution about hwclock
+ Fixed README.debian.
+ * Closes: #98951 no chrony.keys file installed
+ Not reproducible, probable user error.
+ * Closes: #99799 logs world readable
+ Added umask 022 to log script.
+ * Closes: #139633 documentation error
+ Added rtconutc to chrony.conf.
+ * Closes: #163469 no default case in init.d script
+ Corrected typo.
+ * Closes: #163408 PIDFILE wrongly defined in ip-{up,down}
+ No chrony script uses any such variable.
+ * Closes: #167416 needs Build-Depends: libreadline4-dev
+
+ -- <john@dhh.gt.org> Sun, 3 Nov 2002 10:00:00 -0600
+
+chrony (1.14-7) unstable; urgency=medium
+
+ * Changed rtc_linux.c to not include linux/mc146818rtc.h
+ when building for sparc, because Moshe Zadka says this
+ will allow chrony to build there.
+ * Closes: #142670
+
+ -- <jhasler@debian.org> Wed, 17 Apr 2002 17:00:00 -0500
+
+chrony (1.14-6) unstable; urgency=low
+
+ * Changed architecture back to 'any'.
+ * Applied portability patch from LaMont Jones.
+ * Closes: #104774
+
+ -- <jhasler@debian.org> Mon, 1 Apr 2002 21:00:00 -0600
+
+chrony (1.14-5) unstable; urgency=low
+
+ * Changed architecture from 'any' to 'i386 sparc'.
+ Neither I nor the author can test on anything but i386. If
+ you want chrony on anything else send me a tested patch.
+ * Closes: #101039
+ * Closes: #104774
+
+ -- <john@dhh.gt.org> Fri, 28 Dec 2001 20:10:00 -0600
+
+chrony (1.14-4) unstable; urgency=low
+
+ * Fixed bug in man pages.
+ * Closes: #95134
+
+ -- <john@dhh.gt.org> Tue, 24 Apr 2001 20:10:00 -0500
+
+chrony (1.14-3) unstable; urgency=low
+
+ * Replaced <linux/spinlock.h> in rtc_linux.c with
+ typedef int spinlock_t as suggested by Paul Slootman.
+ * Put #define CROAK(message) assert(0) in pktlength.h
+ to fix Alpha build problem.
+ * Closes: #86991
+
+ -- <john@dhh.gt.org> Sat, 24 Feb 2001 22:45:00 -0600
+
+chrony (1.14-2) unstable; urgency=low
+
+ * Closes: #84597
+
+ -- <john@dhh.gt.org> Sat, 3 Feb 2001 21:25:00 -0600
+
+chrony (1.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed more sprintfs.
+ * Closes: #50793, #52570, #48216, #65209, #62924, #70377, #61485, #76661
+
+ -- <john@dhh.gt.org> Mon, 20 Nov 2000 20:25:00 -0600
+
+chrony (1.10-3) unstable; urgency=low
+
+ * Patched cron,weekly script with (corrected) patch
+ from Rene H. Larsen <renehl@post1.tele.dk>.
+ * Updated author address in copyright file.
+ * Compiled with egcs.
+ * Closes: #41885, #41551
+
+ -- <john@dhh.gt.org> Sun, 25 July 1999 12:14:00 -0500
+
+chrony (1.10-2) unstable; urgency=low
+
+ * Patched rtc_linux.c with patch for SPARC from
+ bmc@visi.net.
+
+ -- <john@dhh.gt.org> Mon, 17 May 1999 22:30:00 -0500
+
+chrony (1.10-1) unstable; urgency=low
+
+ * New upstream release.
+ * Upstream version number is 1.1. Debian version
+ number is 1.10 because previous upstream number
+ was 1.02.
+
+ -- <john@dhh.gt.org> Wed, 12 May 1999 20:30:00 -0500
+
+chrony (1.02-7) unstable; urgency=low
+
+ * Changed configure to permit building on non-Intel.
+
+ -- <john@dhh.gt.org> Wed, 5 May 1999 18:00:00 -0500
+
+chrony (1.02-6) unstable; urgency=low
+
+ * Fixed postrm bug.
+
+ -- <john@dhh.gt.org> Thur, 29 Apr 1999 18:00:00 -0500
+
+chrony (1.02-5) unstable; urgency=low
+
+ * Fixed bugs 34954 and 36921.
+ * Moved to priority extra.
+ * Added README.debian text about rtc.
+
+ -- <john@dhh.gt.org> Thur, 15 Apr 1999 21:30:00 -0500
+
+chrony (1.02-4) unstable; urgency=low
+
+ * Replaced sprintf's with snprintf's.
+
+ -- <john@dhh.gt.org> Sun, 28 Feb 1999 16:53:00 -0600
+
+chrony (1.02-3) unstable; urgency=low
+
+ * Fixed bugs in cron.weekly, ip-up.d, and ip-down.d.
+ * Bug 29981 is also fixed.
+
+ -- <john@dhh.gt.org> Sun, 6 Dec 1998 9:53:00 -0600
+
+chrony (1.02-2) unstable; urgency=low
+
+ * Added cron.weekly.
+ * Changed ip-up.d, ip-down.d, and cron.weekly to read the
+ password from chrony.keys.
+ * Added code to postinst to generate a random password and
+ put it in chrony.keys.
+
+ -- <john@dhh.gt.org> Thur, 3 Dec 1998 19:00:08 -0600
+
+chrony (1.02-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- <john@dhh.gt.org> Fri, 6 Nov 1998 23:00:08 -0600
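Review bot: In the 1.18-1 entry, the fix recorded for "Closes: #99799 logs world readable" is "Added umask 022 to log script", but a umask of 022 only clears the write bits for group and other, so files created under it are still world-readable (0644). Check what the log script actually sets and correct either the script or the entry; a umask of 027 would remove read access for others. Separately, several of the oldest trailers have no maintainer name ("-- <john@dhh.gt.org>") or use non-standard date tokens ("Thur,", "25 July 1999"), which changelog parsers may reject.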
diff --git a/debian/chrony-dnssrv@.service b/debian/chrony-dnssrv@.service
new file mode 100644
index 0000000..a565fa2
--- /dev/null
+++ b/debian/chrony-dnssrv@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=DNS SRV lookup of %I for chrony
+After=chrony.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/chrony/chrony-helper update-dnssrv-servers %I
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectHome=yes
+ReadWritePaths=/run
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
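Review bot: PrivateDevices=yes is set twice in [Service], once after ProtectSystem=strict and again after PrivateTmp=yes. Drop one of them; the duplicate is harmless but suggests that a different directive was intended on the second line, so confirm nothing is missing from the sandboxing set.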
diff --git a/debian/chrony-dnssrv@.timer b/debian/chrony-dnssrv@.timer
new file mode 100644
index 0000000..8495e01
--- /dev/null
+++ b/debian/chrony-dnssrv@.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Periodic DNS SRV lookup of %I for chrony
+
+[Timer]
+OnActiveSec=0
+OnUnitInactiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/debian/chrony-helper b/debian/chrony-helper
new file mode 100755
index 0000000..0f95bd8
--- /dev/null
+++ b/debian/chrony-helper
@@ -0,0 +1,251 @@
+#!/bin/bash
+# This script configures running chronyd to use NTP servers obtained from
+# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
+# externally (e.g. by a dhclient script). Files with servers from DNS SRV
+# records are updated here using the dig utility. The script can also list
+# and set static sources in the chronyd configuration file.
+#
+# Modified for Debian by Vincent Blut <vincent.debian@free.fr>.
+
+chronyc=/usr/bin/chronyc
+chrony_conf=/etc/chrony/chrony.conf
+chrony_service=chrony.service
+helper_dir=/run/chrony-helper
+added_servers_file=$helper_dir/added_servers
+
+dhclient_servers_files=/var/lib/dhcp/chrony.servers.*
+dnssrv_servers_files=$helper_dir/dnssrv@*
+dnssrv_timer_prefix=chrony-dnssrv@
+
+chrony_command() {
+ $chronyc -n -m "$1"
+}
+
+is_running() {
+ chrony_command "tracking" &> /dev/null
+}
+
+get_servers_files() {
+ echo "$dhclient_servers_files"
+ echo "$dnssrv_servers_files"
+}
+
+is_update_needed() {
+ for file in $(get_servers_files) $added_servers_file; do
+ [ -e "$file" ] && return 0
+ done
+ return 1
+}
+
+update_daemon() {
+ local all_servers_with_args all_servers added_servers
+
+ if ! is_running; then
+ rm -f $added_servers_file
+ return 0
+ fi
+
+ all_servers_with_args=$(cat $(get_servers_files) 2> /dev/null)
+
+ all_servers=$(
+ echo "$all_servers_with_args" |
+ while read server serverargs; do
+ echo "$server"
+ done | sort -u)
+ added_servers=$( (
+ cat $added_servers_file 2> /dev/null
+ echo "$all_servers_with_args" |
+ while read server serverargs; do
+ [ -z "$server" ] && continue
+ chrony_command "add server $server $serverargs" &> /dev/null &&
+ echo "$server"
+ done) | sort -u)
+
+ comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
+ while read server; do
+ chrony_command "delete $server" &> /dev/null
+ done
+
+ added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
+
+ [ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file ||
+ rm -f $added_servers_file
+}
+
+get_dnssrv_servers() {
+ local name=$1 output
+
+ if ! command -v dig &> /dev/null; then
+ echo "Missing dig (DNS lookup utility)" >&2
+ return 1
+ fi
+
+ output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null)
+ [ $? -ne 0 ] && return 0
+
+ echo "$output" | while read prio weight port target; do
+ server=${target%.}
+ [ -z "$server" ] && continue
+ echo "$server port $port iburst"
+ done
+}
+
+check_dnssrv_name() {
+ local name=$1
+
+ if [ -z "$name" ]; then
+ echo "No DNS SRV name specified" >&2
+ return 1
+ fi
+
+ if [ "${name:0:9}" != _ntp._udp ]; then
+ echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
+ return 1
+ fi
+}
+
+update_dnssrv_servers() {
+ local name=$1
+ local srv_file=$helper_dir/dnssrv@$name servers
+
+ check_dnssrv_name "$name" || return 1
+
+ servers=$(get_dnssrv_servers "$name")
+ [ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file"
+}
+
+set_dnssrv_timer() {
+ local state=$1 name=$2
+ local srv_file=$helper_dir/dnssrv@$name servers
+ local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer
+
+ check_dnssrv_name "$name" || return 1
+
+ if [ "$state" = enable ]; then
+ systemctl enable "$timer"
+ systemctl start "$timer"
+ elif [ "$state" = disable ]; then
+ systemctl stop "$timer"
+ systemctl disable "$timer"
+ rm -f "$srv_file"
+ fi
+}
+
+list_dnssrv_timers() {
+ systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
+ sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
+ while read -r name; do
+ systemd-escape --unescape "$name"
+ done
+}
+
+prepare_helper_dir() {
+ mkdir -p $helper_dir
+ exec 100> $helper_dir/lock
+ if ! flock -w 20 100; then
+ echo "Failed to lock $helper_dir" >&2
+ return 1
+ fi
+}
+
+is_source_line() {
+ local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
+ [[ "$1" =~ $pattern ]]
+}
+
+list_static_sources() {
+ while read line; do
+ is_source_line "$line" && echo "$line" || :
+ done < $chrony_conf
+}
+
+set_static_sources() {
+ local new_config tmp_conf
+
+ new_config=$(
+ sources=$(
+ while read line; do
+ is_source_line "$line" && echo "$line"
+ done)
+
+ while read line; do
+ if ! is_source_line "$line"; then
+ echo "$line"
+ continue
+ fi
+
+ tmp_sources=$(
+ local removed=0
+
+ echo "$sources" | while read line2; do
+ [ "$removed" -ne 0 -o "$line" != "$line2" ] && \
+ echo "$line2" || removed=1
+ done)
+
+ [ "$sources" == "$tmp_sources" ] && continue
+ sources=$tmp_sources
+ echo "$line"
+ done < $chrony_conf
+
+ echo "$sources"
+ )
+
+ tmp_conf=${chrony_conf}.tmp
+
+ cp -a $chrony_conf $tmp_conf &&
+ echo "$new_config" > $tmp_conf &&
+ mv $tmp_conf $chrony_conf || return 1
+
+ systemctl try-restart $chrony_service
+}
+
+print_help() {
+ echo "Usage: $0 COMMAND"
+ echo
+ echo "Commands:"
+ echo " update-daemon"
+ echo " update-dnssrv-servers NAME"
+ echo " enable-dnssrv NAME"
+ echo " disable-dnssrv NAME"
+ echo " list-dnssrv"
+ echo " list-static-sources"
+ echo " set-static-sources < sources.list"
+ echo " is-running"
+ echo " command CHRONYC-COMMAND"
+}
+
+case "$1" in
+ update-daemon|add-dhclient-servers|remove-dhclient-servers)
+ is_update_needed || exit 0
+ prepare_helper_dir && update_daemon
+ ;;
+ update-dnssrv-servers)
+ prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
+ ;;
+ enable-dnssrv)
+ set_dnssrv_timer enable "$2"
+ ;;
+ disable-dnssrv)
+ set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
+ ;;
+ list-dnssrv)
+ list_dnssrv_timers
+ ;;
+ list-static-sources)
+ list_static_sources
+ ;;
+ set-static-sources)
+ set_static_sources
+ ;;
+ is-running)
+ is_running
+ ;;
+ command|forced-command)
+ chrony_command "$2"
+ ;;
+ *)
+ print_help
+ exit 2
+esac
+
+exit $?
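Review bot: check_dnssrv_name only tests that the name begins with _ntp._udp, yet update_dnssrv_servers and set_dnssrv_timer build srv_file=$helper_dir/dnssrv@$name from it and then write to that path or rm -f it. A name containing "/" would resolve outside $helper_dir, so reject anything that is not a plain DNS name (for instance, fail when the name contains "/" or whitespace) before the path is built. The same validation gap applies to the server strings read from the DHCP and SRV files, which are passed unchecked into chrony_command "add server $server $serverargs". Minor: set_dnssrv_timer declares the local "servers" but never uses it, and $added_servers_file, $helper_dir and $chrony_conf are expanded unquoted throughout.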
diff --git a/debian/chrony.conf b/debian/chrony.conf
new file mode 100644
index 0000000..6c19767
--- /dev/null
+++ b/debian/chrony.conf
@@ -0,0 +1,28 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usuable directives.
+pool 2.debian.pool.ntp.org iburst
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
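Review bot: Comment typos in the shipped default configuration: "usuable" in the second line should be "usable", and "This directive specify" in the keyfile and driftfile comments should be "This directive specifies". Since this file is installed for administrators to read and edit, it is worth fixing before upload.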
diff --git a/debian/chrony.default b/debian/chrony.default
new file mode 100644
index 0000000..eead3e6
--- /dev/null
+++ b/debian/chrony.default
@@ -0,0 +1,6 @@
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-F -1"
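Review bot: DAEMON_OPTS="-F -1" is shipped as the default with no explanation beyond "Options to pass to chrony." Add a comment line stating what -F -1 selects and what an administrator loses by removing it, since this file exists precisely so that people edit the value, and the seccomp patches under debian/patches in this same commit show the setting matters for the packaged build.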
diff --git a/debian/chrony.dhcp b/debian/chrony.dhcp
new file mode 100644
index 0000000..690f3ab
--- /dev/null
+++ b/debian/chrony.dhcp
@@ -0,0 +1,25 @@
+SERVERFILE=/var/lib/dhcp/chrony.servers.$interface
+
+chrony_config() {
+ rm -f $SERVERFILE
+ for server in $new_ntp_servers; do
+ echo "$server iburst" >> $SERVERFILE
+ done
+ /usr/lib/chrony/chrony-helper update-daemon || :
+}
+
+chrony_restore() {
+ if [ -f $SERVERFILE ]; then
+ rm -f $SERVERFILE
+ /usr/lib/chrony/chrony-helper update-daemon || :
+ fi
+}
+
+case $reason in
+ BOUND|RENEW|REBIND|REBOOT)
+ chrony_config
+ ;;
+ EXPIRE|FAIL|RELEASE|STOP)
+ chrony_restore
+ ;;
+esac
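Review bot: $SERVERFILE is expanded unquoted in rm -f $SERVERFILE, in the >> redirection and in [ -f $SERVERFILE ], and its value embeds $interface, so quote it as "$SERVERFILE" everywhere. Also, each entry of $new_ntp_servers is written verbatim as "$server iburst" and later consumed by chrony-helper update-daemon; since these values arrive from the DHCP server, validate that each one looks like a hostname or IP address before appending it.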
diff --git a/debian/chrony.if-post-down b/debian/chrony.if-post-down
new file mode 100644
index 0000000..2505e5a
--- /dev/null
+++ b/debian/chrony.if-post-down
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+[ -x /usr/sbin/chronyd ] || exit 0
+
+if [ -e /run/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
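Review bot: With set -e in effect, a non-zero exit from chronyc onoffline inside the if body aborts the script with that status, so the final exit 0 is never reached and ifupdown sees the hook fail (for example when /run/chronyd.pid is stale and the daemon is not answering). Append "|| :" to the chronyc line, or drop set -e, if the intent is that this hook never blocks interface changes. The same applies to debian/chrony.if-up, which carries the identical blob (2505e5a).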
diff --git a/debian/chrony.if-up b/debian/chrony.if-up
new file mode 100644
index 0000000..2505e5a
--- /dev/null
+++ b/debian/chrony.if-up
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+[ -x /usr/sbin/chronyd ] || exit 0
+
+if [ -e /run/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.keys b/debian/chrony.keys
new file mode 100644
index 0000000..cee70b3
--- /dev/null
+++ b/debian/chrony.keys
@@ -0,0 +1,10 @@
+# This file is solely used for NTP authentication with symmetric keys
+# as defined by RFC 1305 and RFC 5905.
+#
+# It can contain ID/key pairs which can be generated using the “keygen” option
+# from “chronyc”; for example:
+# chronyc keygen 1 SHA256 256 >> /etc/chrony/chrony.keys
+# would generate a 256-bit SHA-256 key using ID 1.
+#
+# A list of supported hash functions and output encoding can be found in
+# the "keyfile" section from the "/usr/share/doc/chrony/chrony.txt.gz" file.
diff --git a/debian/chrony.lintian-overrides b/debian/chrony.lintian-overrides
new file mode 100644
index 0000000..d2577ef
--- /dev/null
+++ b/debian/chrony.lintian-overrides
@@ -0,0 +1,3 @@
+# The “chrony.keys” file must not be world readable as it could contain
+# symmetric keys used for NTP authentication.
+chrony: non-standard-file-perm usr/share/chrony/chrony.keys 0640 != 0644
diff --git a/debian/chrony.maintscript b/debian/chrony.maintscript
new file mode 100644
index 0000000..6ec1068
--- /dev/null
+++ b/debian/chrony.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/apm/event.d/01chrony 2.4.1-3~ chrony
diff --git a/debian/chrony.ppp.ip-down b/debian/chrony.ppp.ip-down
new file mode 100644
index 0000000..da15be4
--- /dev/null
+++ b/debian/chrony.ppp.ip-down
@@ -0,0 +1,13 @@
+#!/bin/sh
+# This script tells chronyd that the connection is down
+# so that it won't try to contact the server.
+# John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+# Modified by Vincent Blut <vincent.debian@free.fr>
+
+if [ -e /run/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.ppp.ip-up b/debian/chrony.ppp.ip-up
new file mode 100644
index 0000000..7bc92de
--- /dev/null
+++ b/debian/chrony.ppp.ip-up
@@ -0,0 +1,12 @@
+#!/bin/sh
+# This script tells chronyd that the connection is up so that it can
+# contact the server. John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+# Modified by Vincent Blut <vincent.debian@free.fr>
+
+if [ -e /run/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.service b/debian/chrony.service
new file mode 100644
index 0000000..3e4451a
--- /dev/null
+++ b/debian/chrony.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=chrony, an NTP client/server
+Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
+Conflicts=systemd-timesyncd.service openntpd.service ntp.service ntpsec.service
+After=network.target
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chronyd.pid
+EnvironmentFile=-/etc/default/chrony
+ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
+ExecStartPost=-/usr/lib/chrony/chrony-helper update-daemon
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+
+[Install]
+Alias=chronyd.service
+WantedBy=multi-user.target
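Review bot: The [Service] section sandboxes the long-running, network-facing daemon with only PrivateTmp, ProtectHome and ProtectSystem=full, while chrony-dnssrv@.service in this same commit also sets ProtectKernelTunables, ProtectKernelModules and ProtectControlGroups for a short-lived helper. Consider adding those three here as well, after testing them against chronyd with the configured sources, and note in a comment why any of them cannot be used.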
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..e97d7de
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,3 @@
+config.h
+config.log
+getdate.c
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..54c4ccc
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,51 @@
+Source: chrony
+Section: net
+Priority: optional
+Maintainer: Vincent Blut <vincent.debian@free.fr>
+Uploaders: Joachim Wiedorn <joodebian@joonet.de>
+Standards-Version: 4.3.0
+Build-Depends: asciidoctor (>= 1.5.3-1~),
+ bison,
+ debhelper-compat (= 12),
+ dh-apparmor,
+ libcap-dev [linux-any],
+ libedit-dev,
+ libseccomp-dev (>= 2.2.3-3~) [amd64 arm64 armel armhf hppa i386 mips mipsel mips64el powerpc powerpcspe ppc64 ppc64el s390x x32],
+ nettle-dev,
+ pkg-config,
+ pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any]
+Homepage: https://chrony.tuxfamily.org
+Vcs-Git: https://salsa.debian.org/debian/chrony.git
+Vcs-Browser: https://salsa.debian.org/debian/chrony
+Rules-Requires-Root: no
+
+Package: chrony
+Architecture: linux-any
+Pre-Depends: ${misc:Pre-Depends}
+Depends: adduser,
+ iproute2 [linux-any],
+ lsb-base,
+ ucf,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests: dnsutils,
+ networkd-dispatcher
+Conflicts: ntp,
+ time-daemon
+Provides: time-daemon
+Replaces: time-daemon
+Description: Versatile implementation of the Network Time Protocol
+ It consists of a pair of programs:
+ .
+ chronyd: This is a daemon which runs in background on the system.
+ It obtains measurements (e.g. via the network) of the system's offset
+ relative to other systems and adjusts the system time accordingly. For
+ isolated systems, the user can periodically enter the correct time by
+ hand (using 'chronyc'). In either case 'chronyd' determines the rate
+ at which the computer gains or loses time, and compensates for this.
+ Chronyd implements the NTP protocol and can act as either a client or
+ a server.
+ .
+ chronyc: This is a command-line driven control and monitoring program.
+ An administrator can use this to fine-tune various parameters within
+ the daemon, add or delete servers etc whilst the daemon is running.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..0898fdf
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,182 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: chrony
+Upstream-Contact: Miroslav Lichvar <mlichvar@redhat.com>
+Source: https://download.tuxfamily.org/chrony/
+
+Files: *
+Copyright: 2009-2018, Miroslav Lichvar
+ 1997-2007, Richard P. Curnow
+License: GPL-2
+
+Files: main.c
+ sys_linux.c
+Copyright: 2009-2018, Miroslav Lichvar
+ 2009, John G. Hasler
+ 1997-2003, Richard P. Curnow
+License: GPL-2
+
+Files: ntp_io.c
+Copyright: 2009, 2013-2016, 2018, Miroslav Lichvar
+ 2009, Timo Teras
+ 1997-2003, Richard P. Curnow
+License: GPL-2
+
+Files: sys_macosx.?
+Copyright: 2015, 2017, Bryan Christianson
+ 2001, J. Hannken-Illjes
+ 1997-2001, Richard P. Curnow
+License: GPL-2
+
+Files: sys_netbsd.?
+Copyright: 2001, J. Hannken-Illjes
+ 1997-2001, Richard P. Curnow
+License: GPL-2
+
+Files: debian/*
+Copyright: 2015-2019, Vincent Blut
+ 2012-2014, Joachim Wiedorn
+ 2000-2012, John Hasler
+License: GPL-2
+
+Files: test/simulation/test.common
+Copyright: 2013-2014, Miroslav Lichvar
+License: GPL-2+
+
+Files: privops.c
+Copyright: 2015, Bryan Christianson
+ 2017, Miroslav Lichvar
+License: GPL-2
+
+Files: privops.h
+Copyright: 2015, Bryan Christianson
+License: GPL-2
+
+Files: contrib/bryan_christianson_1/chronylogrotate.sh
+Copyright: 2015, Bryan Christianson
+License: GPL-2
+
+Files: test/unit/*
+Copyright: 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: hwclock.?
+Copyright: 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: ntp_io_linux.?
+Copyright: 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: ntp_signd.?
+Copyright: 2016, Miroslav Lichvar
+License: GPL-2
+
+Files: client.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Lonnie Abelbeck
+ 2009-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: configure
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Bryan Christianson
+ 2009, 2012-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: doc/chrony.conf.adoc
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Stephen Wadeley
+ 2009-2017, Miroslav Lichvar
+ 2017, Bryan Christianson
+License: GPL-2
+
+Files: doc/chronyc.adoc
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Stephen Wadeley
+ 2009-2017, Miroslav Lichvar
+License: GPL-2
+
+Files: refclock.c
+Copyright: 2009-2011, 2013-2014, 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: refclock_phc.c
+Copyright: 2013, 2017, Miroslav Lichvar
+License: GPL-2
+
+Files: regress.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011, 2016-2017, Miroslav Lichvar
+License: GPL-2
+
+Files: sched.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011, 2013-2016, Miroslav Lichvar
+License: GPL-2
+
+Files: sourcestats.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011-2014, 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: stubs.c
+Copyright: 2014-2016, Miroslav Lichvar
+License: GPL-2
+
+Files: hash_nettle.c
+Copyright: 2018, Miroslav Lichvar
+License: GPL-2
+
+Files: md5.*
+Copyright: 1990, RSA Data Security, Inc. All rights reserved.
+License: RSA-MD
+ License to copy and use this software is granted provided that
+ it is identified as the "RSA Data Security, Inc. MD5 Message-
+ Digest Algorithm" in all material mentioning or referencing this
+ software or this function.
+ .
+ License is also granted to make and use derivative works
+ provided that such works are identified as "derived from the RSA
+ Data Security, Inc. MD5 Message-Digest Algorithm" in all
+ material mentioning or referencing the derived work.
+ .
+ RSA Data Security, Inc. makes no representations concerning
+ either the merchantability of this software or the suitability
+ of this software for any particular purpose. It is provided "as
+ is" without express or implied warranty of any kind.
+ .
+ These notices must be retained in any copies of any part of this
+ documentation and/or software.
+
+License: GPL-2
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 2 can be found in the file `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..477f42d
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,8 @@
+etc/NetworkManager/dispatcher.d
+etc/apparmor.d/force-complain
+etc/chrony
+etc/logrotate.d
+etc/ppp/ip-down.d
+etc/ppp/ip-up.d
+var/lib/chrony
+var/log/chrony
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e12f653
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+FAQ
+NEWS
+README
diff --git a/debian/init b/debian/init
new file mode 100644
index 0000000..bc376b5
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,73 @@
+#! /bin/sh
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for Debian by Christoph Lameter <clameter@debian.org>
+# Modified for chrony by John Hasler <jhasler@debian.org> 1998-2012
+# Modified for Debian by Vincent Blut <vincent.debian@free.fr>
+
+### BEGIN INIT INFO
+# Provides: chrony
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $syslog $network $named $time
+# Should-Stop: $syslog $network $named $time
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Controls chronyd NTP time daemon
+# Description: Chronyd is the NTP time daemon in the Chrony package
+### END INIT INFO
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/chronyd
+NAME="chronyd"
+DESC="time daemon"
+PIDFILE=/run/chronyd.pid
+CHRONY_HELPER=/usr/lib/chrony/chrony-helper
+
+[ -x "$DAEMON" ] || exit 0
+
+. /lib/lsb/init-functions
+
+# Override this variable by editing /etc/default/chrony.
+DAEMON_OPTS=""
+if [ -f /etc/default/chrony ]; then
+ . /etc/default/chrony
+fi
+
+case "$1" in
+ start)
+ if $0 status > /dev/null ; then
+ log_success_msg "$NAME is already running"
+ else
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
+ if [ -x $CHRONY_HELPER ]; then
+ $CHRONY_HELPER update-daemon
+ fi
+ log_end_msg $?
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --remove-pidfile --exec $DAEMON
+ log_end_msg $?
+ ;;
+
+ restart|force-reload)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/chrony {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
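Review bot: In the start branch, log_end_msg $? runs after the "if [ -x $CHRONY_HELPER ]; then ... fi" block, so it reports the status of the helper (or 0 when the helper is absent), not of start-stop-daemon; a failed daemon start can be logged as success. Capture the status right after start-stop-daemon (for example "ret=$?"), run the helper only when it is 0, and pass the saved value to log_end_msg. The script also always ends with exit 0, so callers never see a start or stop failure.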
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..db2e305
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,4 @@
+debian/chrony-dnssrv@.* lib/systemd/system
+debian/chrony-helper usr/lib/chrony
+debian/chrony.conf usr/share/chrony
+debian/usr.sbin.chronyd etc/apparmor.d
diff --git a/debian/links b/debian/links
new file mode 100644
index 0000000..71e2c52
--- /dev/null
+++ b/debian/links
@@ -0,0 +1,5 @@
+# Update sources in response to systemd-networkd events (LP: #1718227).
+# This is reusing the NetworkManager dispatch script which has no hard
+# dependency to NetworkManager (not using any of its arguments)
+etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/routable.d/chrony
+etc/NetworkManager/dispatcher.d/20-chrony usr/lib/networkd-dispatcher/off.d/chrony
diff --git a/debian/patches/allow-_llseek-in-seccomp-filter.patch b/debian/patches/allow-_llseek-in-seccomp-filter.patch
new file mode 100644
index 0000000..c0745ea
--- /dev/null
+++ b/debian/patches/allow-_llseek-in-seccomp-filter.patch
@@ -0,0 +1,31 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Thu, 28 Feb 2019 14:39:13 +0100
+Subject: sys_linux: allow _llseek in seccomp filter
+
+This is needed on various 32-bit platforms to reposition read/write file
+offset on {raw}measurements and statistics log files.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923137
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00003.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=e392d1fde94db26b88a0a017850415f1d34266d7
+---
+ sys_linux.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -498,10 +498,10 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+ /* Filesystem */
+- SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown), SCMP_SYS(chown32),
+- SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
+- SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat), SCMP_SYS(stat64),
+- SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++ SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
++ SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
++ SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
++ SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+ /* Socket */
+ SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+ SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
diff --git a/debian/patches/allow-further-syscalls-in-seccomp-filter.patch b/debian/patches/allow-further-syscalls-in-seccomp-filter.patch
new file mode 100644
index 0000000..4cea484
--- /dev/null
+++ b/debian/patches/allow-further-syscalls-in-seccomp-filter.patch
@@ -0,0 +1,41 @@
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Fri, 15 Mar 2019 00:03:24 +0100
+Subject: sys_linux: allow further syscalls in seccomp filter
+
+Adding these syscalls in the seccomp filter whitelist is a prerequisite for
+the arm64 architecture.
+
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00001.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ddd0ae23181f529bf0e8abaecfc9c726d672568
+---
+ sys_linux.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -499,9 +499,11 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
+ /* Filesystem */
+ SCMP_SYS(_llseek), SCMP_SYS(access), SCMP_SYS(chmod), SCMP_SYS(chown),
+- SCMP_SYS(chown32), SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents),
+- SCMP_SYS(getdents64), SCMP_SYS(lseek), SCMP_SYS(rename), SCMP_SYS(stat),
+- SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
++ SCMP_SYS(chown32), SCMP_SYS(faccessat), SCMP_SYS(fchmodat), SCMP_SYS(fchownat),
++ SCMP_SYS(fstat), SCMP_SYS(fstat64), SCMP_SYS(getdents), SCMP_SYS(getdents64),
++ SCMP_SYS(lseek), SCMP_SYS(newfstatat), SCMP_SYS(rename), SCMP_SYS(renameat),
++ SCMP_SYS(stat), SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64),
++ SCMP_SYS(unlink), SCMP_SYS(unlinkat),
+ /* Socket */
+ SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+ SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+@@ -510,8 +512,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(socketcall),
+ /* General I/O */
+ SCMP_SYS(_newselect), SCMP_SYS(close), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(pipe),
+- SCMP_SYS(poll), SCMP_SYS(read), SCMP_SYS(futex), SCMP_SYS(select),
+- SCMP_SYS(set_robust_list), SCMP_SYS(write),
++ SCMP_SYS(pipe2), SCMP_SYS(poll), SCMP_SYS(ppoll), SCMP_SYS(pselect6), SCMP_SYS(read),
++ SCMP_SYS(futex), SCMP_SYS(select), SCMP_SYS(set_robust_list), SCMP_SYS(write),
+ /* Miscellaneous */
+ SCMP_SYS(getrandom), SCMP_SYS(sysinfo), SCMP_SYS(uname),
+ };
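Review bot: the description says only that these syscalls are a prerequisite for arm64, but the nine entries added to the Filesystem and General I/O lists (faccessat, fchmodat, fchownat, newfstatat, renameat, unlinkat, pipe2, ppoll, pselect6) are allowed on every architecture. State in the message that each one is the counterpart of a call already on the list (access, chmod, chown, stat, rename, unlink, pipe, poll, select), so that a later audit of the allowlist can see why it is there. A Bug-Debian reference like the one in the _llseek and recv/send patches would also help.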
diff --git a/debian/patches/allow-recv-send-in-seccomp-filter.patch b/debian/patches/allow-recv-send-in-seccomp-filter.patch
new file mode 100644
index 0000000..67b8696
--- /dev/null
+++ b/debian/patches/allow-recv-send-in-seccomp-filter.patch
@@ -0,0 +1,24 @@
+From: Leigh Brown <leigh@solinno.co.uk>
+Date: Wed, 13 Mar 2019 17:56:08 +0100
+Subject: [PATCH] sys_linux: allow recv and send in seccomp filter
+
+The lack of these two system calls has been problematic for the armv5tel
+architecture. Other architectures might also be affected.
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924494
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/03/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=79db0b7eca3ffff1b6c6a86cf1a342a40cc76d2f
+---
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -504,8 +504,8 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(stat64), SCMP_SYS(statfs), SCMP_SYS(statfs64), SCMP_SYS(unlink),
+ /* Socket */
+ SCMP_SYS(bind), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(getsockopt),
+- SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
+- SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
++ SCMP_SYS(recv), SCMP_SYS(recvfrom), SCMP_SYS(recvmmsg), SCMP_SYS(recvmsg),
++ SCMP_SYS(send), SCMP_SYS(sendmmsg), SCMP_SYS(sendmsg), SCMP_SYS(sendto),
+ /* TODO: check socketcall arguments */
+ SCMP_SYS(socketcall),
+ /* General I/O */
diff --git a/debian/patches/allow-waitpid-in-seccomp-filter.patch b/debian/patches/allow-waitpid-in-seccomp-filter.patch
new file mode 100644
index 0000000..a4a01b6
--- /dev/null
+++ b/debian/patches/allow-waitpid-in-seccomp-filter.patch
@@ -0,0 +1,22 @@
+From 2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a Mon Sep 17 00:00:00 2001
+From: Vincent Blut <vincent.debian@free.fr>
+Date: Thu, 28 Feb 2019 16:43:56 +0100
+Subject: sys_linux: allow waitpid in seccomp filter
+
+Forwarded: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2019/02/msg00001.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a
+---
+ sys_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -493,7 +493,7 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ SCMP_SYS(clone), SCMP_SYS(exit), SCMP_SYS(exit_group), SCMP_SYS(getpid),
+ SCMP_SYS(getrlimit), SCMP_SYS(rt_sigaction), SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask), SCMP_SYS(set_tid_address), SCMP_SYS(sigreturn),
+- SCMP_SYS(wait4),
++ SCMP_SYS(wait4), SCMP_SYS(waitpid),
+ /* Memory */
+ SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mmap), SCMP_SYS(mmap2),
+ SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), SCMP_SYS(shmdt),
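Review bot: the message has no body, so nothing records which architecture or code path needs waitpid beside the existing wait4 entry. Add one sentence and, if a report exists, a Bug-Debian reference as in the _llseek patch. The leading "From 2ebba7fbaaf7c86d1840cacb7aa78b62d0166d5a Mon Sep 17 00:00:00 2001" mbox line can be dropped to match the other patches by the same author in the series.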
diff --git a/debian/patches/create-new-file-when-writing-pidfile.patch b/debian/patches/create-new-file-when-writing-pidfile.patch
new file mode 100644
index 0000000..96defbf
--- /dev/null
+++ b/debian/patches/create-new-file-when-writing-pidfile.patch
@@ -0,0 +1,187 @@
+From f00fed20092b6a42283f29c6ee1f58244d74b545 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 6 Aug 2020 09:31:11 +0200
+Subject: main: create new file when writing pidfile
+
+When writing the pidfile, open the file with the O_CREAT|O_EXCL flags
+to avoid following a symlink and writing the PID to an unexpected file,
+when chronyd still has the root privileges.
+
+The Linux open(2) man page warns about O_EXCL not working as expected on
+NFS versions before 3 and Linux versions before 2.6. Saving pidfiles on
+a distributed filesystem like NFS is not generally expected, but if
+there is a reason to do that, these old kernel and NFS versions are not
+considered to be supported for saving files by chronyd.
+
+This is a minimal backport specific to this issue of the following
+commits:
+- commit 2fc8edacb810 ("use PATH_MAX")
+- commit f4c6a00b2a11 ("logging: call exit() in LOG_Message()")
+- commit 7a4c396bba8f ("util: add functions for common file operations")
+- commit e18903a6b563 ("switch to new util file functions")
+
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+
+--- a/logging.c
++++ b/logging.c
+@@ -171,6 +171,7 @@ void LOG_Message(LOG_Severity severity,
+ system_log = 0;
+ log_message(1, severity, buf);
+ }
++ exit(1);
+ break;
+ default:
+ assert(0);
+--- a/main.c
++++ b/main.c
+@@ -281,13 +281,9 @@ write_pidfile(void)
+ if (!pidfile[0])
+ return;
+
+- out = fopen(pidfile, "w");
+- if (!out) {
+- LOG_FATAL("Could not open %s : %s", pidfile, strerror(errno));
+- } else {
+- fprintf(out, "%d\n", (int)getpid());
+- fclose(out);
+- }
++ out = UTI_OpenFile(NULL, pidfile, NULL, 'W', 0644);
++ fprintf(out, "%d\n", (int)getpid());
++ fclose(out);
+ }
+
+ /* ================================================== */
+--- a/sysincl.h
++++ b/sysincl.h
+@@ -37,6 +37,7 @@
+ #include <glob.h>
+ #include <grp.h>
+ #include <inttypes.h>
++#include <limits.h>
+ #include <math.h>
+ #include <netdb.h>
+ #include <netinet/in.h>
+--- a/util.c
++++ b/util.c
+@@ -1179,6 +1179,101 @@ UTI_CheckDirPermissions(const char *path
+
+ /* ================================================== */
+
++static int
++join_path(const char *basedir, const char *name, const char *suffix,
++ char *buffer, size_t length, LOG_Severity severity)
++{
++ const char *sep;
++
++ if (!basedir) {
++ basedir = "";
++ sep = "";
++ } else {
++ sep = "/";
++ }
++
++ if (!suffix)
++ suffix = "";
++
++ if (snprintf(buffer, length, "%s%s%s%s", basedir, sep, name, suffix) >= length) {
++ LOG(severity, "File path %s%s%s%s too long", basedir, sep, name, suffix);
++ return 0;
++ }
++
++ return 1;
++}
++
++/* ================================================== */
++
++FILE *
++UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm)
++{
++ const char *file_mode;
++ char path[PATH_MAX];
++ LOG_Severity severity;
++ int fd, flags;
++ FILE *file;
++
++ severity = mode >= 'A' && mode <= 'Z' ? LOGS_FATAL : LOGS_ERR;
++
++ if (!join_path(basedir, name, suffix, path, sizeof (path), severity))
++ return NULL;
++
++ switch (mode) {
++ case 'r':
++ case 'R':
++ flags = O_RDONLY;
++ file_mode = "r";
++ if (severity != LOGS_FATAL)
++ severity = LOGS_DEBUG;
++ break;
++ case 'w':
++ case 'W':
++ flags = O_WRONLY | O_CREAT | O_EXCL;
++ file_mode = "w";
++ break;
++ case 'a':
++ case 'A':
++ flags = O_WRONLY | O_CREAT | O_APPEND;
++ file_mode = "a";
++ break;
++ default:
++ assert(0);
++ return NULL;
++ }
++
++try_again:
++ fd = open(path, flags, perm);
++ if (fd < 0) {
++ if (errno == EEXIST) {
++ if (unlink(path) < 0) {
++ LOG(severity, "Could not remove %s : %s", path, strerror(errno));
++ return NULL;
++ }
++ DEBUG_LOG("Removed %s", path);
++ goto try_again;
++ }
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ return NULL;
++ }
++
++ UTI_FdSetCloexec(fd);
++
++ file = fdopen(fd, file_mode);
++ if (!file) {
++ LOG(severity, "Could not open %s : %s", path, strerror(errno));
++ close(fd);
++ return NULL;
++ }
++
++ DEBUG_LOG("Opened %s fd=%d mode=%c", path, fd, mode);
++
++ return file;
++}
++
++/* ================================================== */
++
+ void
+ UTI_DropRoot(uid_t uid, gid_t gid)
+ {
+--- a/util.h
++++ b/util.h
+@@ -176,6 +176,17 @@ extern int UTI_CreateDirAndParents(const
+ permissions and its uid/gid must match the specified values. */
+ extern int UTI_CheckDirPermissions(const char *path, mode_t perm, uid_t uid, gid_t gid);
+
++/* Open a file. The full path of the file is constructed from the basedir
++ (may be NULL), '/' (if basedir is not NULL), name, and suffix (may be NULL).
++ Created files have specified permissions (umasked). Returns NULL on error.
++ The following modes are supported (if the mode is an uppercase character,
++ errors are fatal):
++ r/R - open an existing file for reading
++ w/W - open a new file for writing (remove existing file)
++ a/A - open an existing file for appending (create if does not exist) */
++extern FILE *UTI_OpenFile(const char *basedir, const char *name, const char *suffix,
++ char mode, mode_t perm);
++
+ /* Set process user/group IDs and drop supplementary groups */
+ extern void UTI_DropRoot(uid_t uid, gid_t gid);
+
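Review bot: write_pidfile() in main.c now passes the result of UTI_OpenFile() straight to fprintf() with no NULL check, which is safe only because mode 'W' selects LOGS_FATAL and the logging.c hunk adds exit(1) to LOG_Message(). A short comment or an assert at the call site would keep a later switch to mode 'w' from turning this into a NULL dereference. In UTI_OpenFile() the try_again loop unlinks and reopens on EEXIST with no retry limit; consider bounding it. The O_EXCL protection described in the commit message covers 'w'/'W' only: 'a'/'A' opens with O_WRONLY | O_CREAT | O_APPEND and still follows symlinks, which the util.h comment should say. The patch also lacks the Forwarded and Applied-Upstream headers that the other patches in the series carry.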
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ada08f7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+allow-_llseek-in-seccomp-filter.patch
+allow-waitpid-in-seccomp-filter.patch
+allow-recv-send-in-seccomp-filter.patch
+allow-further-syscalls-in-seccomp-filter.patch
+create-new-file-when-writing-pidfile.patch
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..adc86b8
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,86 @@
+#!/bin/sh
+# postinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+# targets: configure|abort-upgrade|abort-remove|abort-deconfigure
+
+case "$1" in
+ configure)
+
+ if ! getent passwd _chrony > /dev/null 2>&1
+ then
+ echo "Creating '_chrony' system user/group for the chronyd daemon…"
+ adduser --force-badname \
+ --system \
+ --group \
+ --quiet \
+ --gecos "Chrony daemon" \
+ --home /var/lib/chrony \
+ --no-create-home _chrony
+ fi
+
+ # Change the owner of "/var/l{ib,og}/chrony" directories and their
+ # subfiles to "_chrony" only if the user has not set the "user"
+ # directive in chrony.conf
+ if ! grep "^user" /etc/chrony/chrony.conf > /dev/null 2>&1; then
+ chown _chrony:_chrony /var/lib/chrony
+ if [ -d /var/log/chrony ]; then
+ chown _chrony:_chrony /var/log/chrony
+ fi
+ fi
+
+ # Before version 2.2.1-1, we used to create the chrony.keys file from
+ # the post-installation script and fed it with a random command password.
+ # Since that command password isn’t needed anymore, a simple key file
+ # template has been created which is then copied to its destination by ucf.
+ # The consequence of this move was a prompt presented to the user on
+ # upgrade even if the key file has been unmodified; this is a violation
+ # of Debian policy § 10.7.3! The script below workaround that issue by
+ # deleting the key file when upgrading from chrony < 2.2.1-1 iff a single
+ # key if found in the file and that the key ID correspond to the ID
+ # specified by the commandkey ID found in “chrony.conf” and that the
+ # original key file has the same modes and owners than the new template
+ # key file.
+ # Reference: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820087
+ if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.2.1-1"; then
+ commandkey_id=$(awk '$1 ~ /^commandkey$/ { print $2; exit }' /etc/chrony/chrony.conf)
+ key_id=$(awk '{ print $1; exit }' /etc/chrony/chrony.keys)
+ orig_keyfile_perm=$(stat -c "%a%u%g" /etc/chrony/chrony.keys 2> /dev/null)
+ keyfile_tml_perm=$(stat -c "%a%u%g" /usr/share/chrony/chrony.keys 2> /dev/null)
+ if [ "$(grep -c "^[0-9]" /etc/chrony/chrony.keys)" -eq 1 ] &&
+ [ "$commandkey_id" -eq "$key_id" ] 2>/dev/null &&
+ [ "$orig_keyfile_perm" = "$keyfile_tml_perm" ]; then
+ rm -f /etc/chrony/chrony.keys
+ fi
+ fi
+
+ if command -v ucf >/dev/null
+ then
+ ucf --three-way /usr/share/chrony/chrony.conf /etc/chrony/chrony.conf
+ ucf --three-way /usr/share/chrony/chrony.keys /etc/chrony/chrony.keys
+ if [ -x "$(command -v ucfr)" ]; then
+ ucfr chrony /etc/chrony/chrony.conf
+ ucfr chrony /etc/chrony/chrony.keys
+ fi
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
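Review bot: in the branch for upgrades from before 2.2.1-1, the plain assignments commandkey_id=$(awk ... /etc/chrony/chrony.conf) and key_id=$(awk ... /etc/chrony/chrony.keys) run under set -e, so a missing or unreadable file makes the command substitution fail and aborts the whole postinst. The two stat calls hide stderr but have the same problem. Guard the block with [ -f /etc/chrony/chrony.keys ] or append || true to the assignments. Separately, the comment above the chown says the directories "and their subfiles" change owner, but chown is called without -R, and grep "^user" also matches any other directive that starts with those letters; a pattern such as "^[[:space:]]*user[[:space:]]" would be tighter.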
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..ed3bac1
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,50 @@
+#!/bin/sh
+# postrm script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear
+
+case "$1" in
+ purge)
+ rm -f /var/lib/chrony/*
+ rm -f /etc/chrony/chrony.conf
+ rm -f /etc/chrony/chrony.keys
+ if command -v ucf >/dev/null
+ then
+ ucf --purge /etc/chrony/chrony.conf
+ ucf --purge /etc/chrony/chrony.keys
+ if [ -x "$(command -v ucfr)" ]; then
+ ucfr --purge chrony /etc/chrony/chrony.conf
+ ucfr --purge chrony /etc/chrony/chrony.keys
+ fi
+ fi
+ rm -rf /etc/chrony
+ rm -rf /run/chrony || true
+ rm -rf /var/lib/chrony
+ rm -rf /var/log/chrony
+ # Remove "_chrony" system user/group
+ if [ -x "$(command -v deluser)" ]
+ then
+ deluser --quiet --system _chrony > /dev/null 2>&1 || true
+ fi
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
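Review bot: the purge branch runs deluser --quiet --system _chrony unconditionally, while postinst creates the account only when getent does not find it, so an account that existed before installation is removed as well, and files owned by that UID outside the directories deleted here can end up belonging to whichever account is given the UID next. Consider leaving the system user in place on purge. The initial rm -f /var/lib/chrony/* is redundant with the later rm -rf /var/lib/chrony.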
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 0000000..7536816
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,36 @@
+#!/bin/sh
+# preinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: install|upgrade|abort-upgrade
+
+case "$1" in
+ upgrade)
+ APP_PROFILE="usr.sbin.chronyd"
+ APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+ APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+ # force-complain on upgrade from pre-shipped profile
+ if dpkg --compare-versions "$2" lt "3.2-2" ; then
+ mkdir -p `dirname "$APP_COMPLAIN"` 2>/dev/null || true
+ ln -sf "$APP_CONFFILE" "$APP_COMPLAIN"
+ fi
+ ;;
+
+ install|abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
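Review bot: the force-complain symlink created for upgrades from before 3.2-2 is not removed by the postinst, postrm or prerm in this commit, so on those systems the usr.sbin.chronyd profile stays in complain mode until an administrator deletes /etc/apparmor.d/force-complain/usr.sbin.chronyd by hand. Say so in NEWS or README.Debian. The mkdir line uses unquoted backticks around dirname; mkdir -p "$(dirname "$APP_COMPLAIN")" is the safer form.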
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000..ec12057
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,28 @@
+#!/bin/sh
+# prerm script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: remove|upgrade|deconfigure|failed-upgrade
+
+case "$1" in
+ remove|upgrade|deconfigure)
+ ;;
+
+ failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..64aa275
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,45 @@
+#!/usr/bin/make -f
+
+-include /usr/share/dpkg/buildtools.mk
+export CC
+
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+BASE=debian/chrony
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ dh_auto_configure -- --mandir=/usr/share/man \
+ --sysconfdir=/etc/chrony \
+ --without-readline \
+ --with-user=_chrony \
+ --enable-scfilter \
+ --chronyrundir=/run/chrony \
+ --with-ntp-era=$(shell date -d '1970-01-01 00:00:00+00:00' +'%s') \
+ --enable-ntp-signd \
+ --with-hwclockfile=/etc/adjtime \
+ --with-pidfile=/run/chronyd.pid \
+ --host-system=Linux
+
+override_dh_install:
+ dh_install
+ install -m 0640 -t $(BASE)/usr/share/chrony/ debian/chrony.keys
+ install -m 0755 -T examples/chrony.nm-dispatcher $(BASE)/etc/NetworkManager/dispatcher.d/20-chrony
+ install -m 0644 -T examples/chrony.logrotate $(BASE)/etc/logrotate.d/chrony
+ dh_apparmor --profile-name=usr.sbin.chronyd -pchrony
+ install -D -p -m 0644 debian/chrony.dhcp $(BASE)/etc/dhcp/dhclient-exit-hooks.d/chrony
+
+override_dh_fixperms:
+ dh_fixperms -X usr/share/chrony/chrony.keys
+
+override_dh_installinit:
+ dh_installinit
+# Disable the system call filter on architectures mentioned below
+# due to missing support in libseccomp and/or in the Linux kernel.
+ifneq (,$(filter $(DEB_HOST_ARCH), alpha ia64 m68k riscv64 sh4 sparc64))
+ sed -i '/DAEMON_OPTS=/s/"-F -1"/""/' $(BASE)/etc/default/chrony
+endif
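Review bot: in override_dh_installinit, the sed that disables the system call filter on alpha, ia64, m68k, riscv64, sh4 and sparc64 matches the literal string "-F -1" and succeeds silently when nothing matches, so a later edit to DAEMON_OPTS in debian/chrony.default would ship those architectures with the filter still requested. Follow the sed with a check such as ! grep -q -- '-F' $(BASE)/etc/default/chrony so the build fails instead. The --with-ntp-era argument always evaluates to 0 and deserves a one-line comment saying why a fixed era is set.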
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..fb124dc
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,7 @@
+Tests: upstream-simulation-test-suite
+Depends: @, git, build-essential, ca-certificates
+Restrictions: isolation-container, needs-root, allow-stderr, rw-build-tree, build-needed
+
+Tests: time-sources-from-dhcp-servers
+Depends: @, isc-dhcp-server, isc-dhcp-client, iproute2, kmod
+Restrictions: isolation-machine, needs-root
diff --git a/debian/tests/time-sources-from-dhcp-servers b/debian/tests/time-sources-from-dhcp-servers
new file mode 100644
index 0000000..d5d21c2
--- /dev/null
+++ b/debian/tests/time-sources-from-dhcp-servers
@@ -0,0 +1,42 @@
+#!/bin/sh
+# Ensure that NTP servers obtained from DHCP are made available to chronyd and
+# that they are removed when releasing the DHCP lease.
+
+set -e
+
+added_servers="/run/chrony-helper/added_servers"
+
+prepare_iface() {
+ modprobe dummy
+ ip link add name dummy0 type dummy
+ ip address add 192.168.1.1/24 dev dummy0
+ ip link set dev dummy0 up
+}
+
+dhcpd_config() {
+cat <<EOF > /etc/dhcp/dhcpd.conf
+default-lease-time 600;
+max-lease-time 7200;
+authorative;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ option subnet-mask 255.255.255.0;
+ option broadcast-address 192.168.1.255;
+ option ntp-servers 192.168.1.50;
+ range 192.168.1.42 192.168.1.100;
+}
+EOF
+
+sed -i 's/INTERFACESv4=""/INTERFACESv4="dummy0"/' /etc/default/isc-dhcp-server
+}
+
+printf "Preparing the dummy network interface and dhcpd configuration…\n"
+if prepare_iface && dhcpd_config; then
+ systemctl restart isc-dhcp-server && dhclient dummy0 && printf "Done!\n\n"
+fi
+
+printf "Check if the NTP server is made available to chronyd…\n"
+grep -q 192.168.1.50 $added_servers && printf "SUCCESS!\n\n"
+
+printf "Release the current lease and check if the NTP server has been correctly removed…\n"
+dhclient -r dummy0 > /dev/null 2>&1 && [ ! -d "$added_servers" ] && printf "SUCCESS!\n\n"
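Review bot: the availability check, grep -q 192.168.1.50 $added_servers && printf "SUCCESS!\n\n", cannot fail the test, because set -e ignores a failing command that is not the last one in an && list; the same applies to the systemctl/dhclient chain inside the if. Write each check as a plain command (grep -q 192.168.1.50 "$added_servers", then the printf on its own line) so that a missing server aborts the script. In the last line, [ ! -d "$added_servers" ] tests for a directory although the path was just read as a file, so it is true whether or not the entry was removed; use ! -e or a negated grep. The dhcpd.conf heredoc also spells the authoritative statement as authorative.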
diff --git a/debian/tests/upstream-simulation-test-suite b/debian/tests/upstream-simulation-test-suite
new file mode 100644
index 0000000..037ca36
--- /dev/null
+++ b/debian/tests/upstream-simulation-test-suite
@@ -0,0 +1,26 @@
+#!/bin/sh
+#Upstream makes use of “clknetsim” to test how well “chronyd” controls the
+#system clocks in various conditions. Due to “clknetsim” not being available
+#in Debian, let’s use autopkgtest facility to build it in a container and
+#test “chronyd” from there.
+
+set -e
+
+if ! dpkg-architecture -ilinux-any; then
+ echo "Simulation tests supported only on Linux…"
+ exit 0
+fi
+
+cd test/simulation
+
+if [ ! -d clknetsim ]; then
+ if git clone https://github.com/mlichvar/clknetsim; then
+ cd clknetsim && git checkout 58c5e8b
+ fi
+fi
+
+if [ ! -x "clknetsim" ] && [ ! -e "clknetsim.so" ]; then
+ make
+fi
+
+cd - && ./run -i 20 -m 2
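Review bot: when git clone fails, the if swallows the error (set -e does not apply to an if condition) and the script carries on to run make in test/simulation; when a clknetsim directory already exists, nothing changes into it either, so make and the following cd - run from the wrong place. Do the clone as a plain command and cd clknetsim unconditionally before building. The checkout pins the abbreviated id 58c5e8b for code that is fetched over the network and built in a test that debian/tests/control marks needs-root; pin the full commit hash so the reference cannot become ambiguous.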
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..1f6799e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,9 @@
+Name: chrony
+Documentation: https://chrony.tuxfamily.org/documentation.html
+Changelog: https://chrony.tuxfamily.org/news.html
+FAQ: https://chrony.tuxfamily.org/faq.html
+Contact: chrony-users@chrony.tuxfamily.org
+Security-Contact: Miroslav Lichvar <mlichvar@redhat.com>
+Bug-Submit: chrony-users@chrony.tuxfamily.org
+Repository: https://git.tuxfamily.org/chrony/chrony.git
+Repository-Browse: https://git.tuxfamily.org/chrony/chrony.git/
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..ce59e23
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=4XBU
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/usr.sbin.chronyd b/debian/usr.sbin.chronyd
new file mode 100644
index 0000000..dac4e76
--- /dev/null
+++ b/debian/usr.sbin.chronyd
@@ -0,0 +1,64 @@
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>
+
+/usr/sbin/chronyd (attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability sys_time,
+ capability net_bind_service,
+ capability setuid,
+ capability setgid,
+ capability sys_nice,
+ capability sys_resource,
+ # for /run/chrony to be created
+ capability chown,
+ # Needed to support HW timestamping
+ capability net_admin,
+
+ /usr/sbin/chronyd mr,
+
+ /etc/chrony/{,**} r,
+ /{,var/}run/chronyd.pid w,
+ /{,var/}run/chrony/{,*} rw,
+ /var/lib/chrony/{,*} r,
+ /var/lib/chrony/* w,
+ /var/log/chrony/{,*} r,
+ /var/log/chrony/* w,
+
+ # Using the “tempcomp” directive gives chronyd the ability to improve
+ # the stability and accuracy of the clock by compensating the temperature
+ # changes measured by a sensor close to the oscillator.
+ @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,
+
+ # Support all paths suggested in the man page (LP: #1771028). Assume these
+ # are common use cases; others should be set as local include (see below).
+ # Configs using a 'chrony.' prefix like the tempcomp config file example
+ /etc/chrony.* r,
+ # Example gpsd socket is outside /{,var/}run/chrony/
+ /{,var/}run/chrony.tty{,*}.sock rw,
+ # To sign replies to MS-SNTP clients by the smbd daemon
+ /var/lib/samba/ntp_signd r,
+ /var/lib/samba/ntp_signd/{,*} rw,
+
+ # rtc
+ /etc/adjtime r,
+ /dev/rtc{,[0-9]*} rw,
+
+ # gps devices
+ /dev/pps[0-9]* rw,
+ /dev/ptp[0-9]* rw,
+
+ # Allow reading the chronyd configuration file that timemaster(8) generates
+ /{,var/}run/timemaster/chrony.conf r,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.chronyd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.chronyd>
+}
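Review bot: the comment above the commented-out capability ipc_owner line talks about giving ntpd access to shared memory; in this profile it should name chronyd. The attach_disconnected flag on the profile line has no explanation, unlike the capabilities below it, so add a comment saying why it is needed. capability net_admin is granted to every installation for hardware timestamping; the comment could note that sites not using it can deny it in local/usr.sbin.chronyd.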
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..a13ee59
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts=pgpsigurlmangle=s/\.tar\.gz$/-tar-gz-asc.txt/ \
+https://download.tuxfamily.org/chrony/chrony-([\d\.]*)\.tar\.gz