Diffstat (limited to 'debian')
-rw-r--r--debian/.gitlab-ci.yml14
-rw-r--r--debian/NEWS58
-rw-r--r--debian/README.Debian29
-rw-r--r--debian/changelog2418
-rw-r--r--debian/chrony-dnssrv@.service17
-rw-r--r--debian/chrony-dnssrv@.timer9
-rwxr-xr-xdebian/chrony-helper264
-rw-r--r--debian/chrony.conf47
-rw-r--r--debian/chrony.default6
-rw-r--r--debian/chrony.dhcp27
-rw-r--r--debian/chrony.examples1
-rw-r--r--debian/chrony.if-post-down11
-rw-r--r--debian/chrony.if-up11
-rw-r--r--debian/chrony.keys10
-rw-r--r--debian/chrony.lintian-overrides11
-rw-r--r--debian/chrony.maintscript2
-rw-r--r--debian/chrony.ppp.ip-down13
-rw-r--r--debian/chrony.ppp.ip-up12
-rw-r--r--debian/chrony.service24
-rw-r--r--debian/clean1
-rw-r--r--debian/conf.d/README7
-rw-r--r--debian/control54
-rw-r--r--debian/copyright187
-rw-r--r--debian/dirs6
-rw-r--r--debian/docs3
-rw-r--r--debian/init69
-rw-r--r--debian/install7
-rw-r--r--debian/links5
-rw-r--r--debian/ntp-units.d/50-chrony.list1
-rw-r--r--debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch23
-rw-r--r--debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch33
-rw-r--r--debian/patches/allow-getuid32-in-seccomp-filter.patch24
-rw-r--r--debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch33
-rw-r--r--debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch17
-rw-r--r--debian/patches/series5
-rw-r--r--debian/postinst73
-rw-r--r--debian/postrm56
-rw-r--r--debian/preinst28
-rw-r--r--debian/prerm28
-rwxr-xr-xdebian/rules50
-rw-r--r--debian/source/format1
-rw-r--r--debian/sources.d/README11
-rw-r--r--debian/tests/control28
-rw-r--r--debian/tests/dynamically-add-source27
-rw-r--r--debian/tests/fragmented-configuration17
-rw-r--r--debian/tests/helper-functions50
-rw-r--r--debian/tests/ntp-server-and-nts-auth58
-rw-r--r--debian/tests/time-sources-from-dhcp-servers44
-rw-r--r--debian/tests/upstream-simulation-test-suite41
-rwxr-xr-xdebian/tests/upstream-system-tests24
-rw-r--r--debian/upstream/metadata8
-rw-r--r--debian/upstream/signing-key.asc29
-rw-r--r--debian/usr.sbin.chronyd81
-rw-r--r--debian/watch3
54 files changed, 4116 insertions, 0 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
new file mode 100644
index 0000000..9de3969
--- /dev/null
+++ b/debian/.gitlab-ci.yml
@@ -0,0 +1,14 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+# Skip the reprotest job as long as it is run as root due to problems with
+# chrony system tests.
+reprotest:
+ extends: .test-reprotest
+ only:
+ variables:
+ - $SEE_YOU_SOON_REPROTEST
+
+variables:
+ RELEASE: 'bullseye'
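Review bot: Both `include:` entries pull the pipeline definition from the `master` branch of salsa-ci-team/pipeline, which is a mutable ref, so the jobs run against this package can change without any commit in this repository. If a fixed, auditable CI definition matters more than tracking the team's latest pipeline, point the two URLs at a tag or commit instead, e.g. `.../pipeline/raw/<PINNED_REF>/salsa-ci.yml`, and bump it deliberately. The reprotest comment could also say that `$SEE_YOU_SOON_REPROTEST` appears to be a variable that is never set and serves only to keep the job from being scheduled, since the `only: variables:` idiom is not obvious to a reader.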
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..c25bd51
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,58 @@
+chrony (3.4-2) unstable; urgency=medium
+
+ To reduce the range of operations available to chronyd, and thereby decrease
+ the kernel attack surface, a system call filter is now active by default
+ wherever¹ possible.
+ Please, take into account that this change prevents the use of the
+ “mailonchange” directive in chrony.conf as the chronyd process will not be
+ allowed to fork and execute the sendmail binary. Therefore, it is fundamental
+ to disable the system call filter to continue using this directive!
+
+ To do so, edit the /etc/default/chrony file and substitute the “-F -1”
+ parameter with “-F 0”. Restart chrony afterward.
+
+ ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64
+ architectures due to lack of support in “libseccomp” and/or the Linux kernel.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 10 Feb 2019 18:44:22 +0100
+
+chrony (2.2.1-1) unstable; urgency=medium
+
+ In chrony versions before 2.2, the 'chrony.keys' file contained a command
+ key used for run-time configuration via the 'chronyc' command-line tool.
+ Starting from this version, support for this authentication method has been
+ dropped in favor of a Unix domain socket accessible only *locally* by root or
+ the _chrony system user. Consequently, if you refuse to use the 'chrony.keys'
+ file template provided by the maintainers when upgrading, please don’t forget
+ to manually remove the obsolete command key (ID 1) in the aforementioned file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 07 Feb 2016 17:02:30 +0100
+
+chrony (2.1.1-1) unstable; urgency=medium
+
+ From this version, 'chronyd' will strictly act as an NTP client by default. If
+ you want it to serve time to other systems, please do so by configuring the
+ 'allow' directive.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 12 Oct 2015 19:12:39 +0200
+
+chrony (1.31.1-1) unstable; urgency=medium
+
+ From now on, we use the "hwclockfile" directive in /etc/chrony/chrony.conf.
+ Basically, it makes the detection of the standard (Local or UTC time) set
+ in /etc/adjtime — and used by the hardware clock — clearer compared to the
+ text processing method we used to use in the post install script to complete
+ the same task. Note that it overrides the "rtconutc" directive.
+
+ Also, we now create the _chrony system user to which chronyd will drop root
+ privileges. For users already allowing chronyd to drop root privileges in
+ favor of the user configured by the "user" directive in
+ /etc/chrony/chrony.conf, your configuration will remain unchanged and will
+ still work as intended.
+ However, some users might use a custom init script to accomplish the same
+ task by invoking chronyd with the '-u' option. We advise you to drop this
+ option from your init script before upgrading, otherwise you’ll have to
+ readjust the owner of the /var/l{ib,og}/chrony directories (recursively) to
+ the user you configured in your init script.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:14:54 +0200
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..2188ed9
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,29 @@
+Chrony for Debian
+-----------------
+
+ Notes about Debian-specific changes:
+
+ - Default chrony’s configuration files are located in the /etc/chrony directory.
+ It is filled by two important files:
+ → chrony.conf (configuration of the chronyd daemon, see man 5 chrony.conf
+ for further information)
+
+ → chrony.keys (lists keys used for NTP packets authentication, see
+ the “keyfile” directive in the chrony.conf(5) man page)
+
+ - We also provide /etc/ppp/ip-up.d/chrony and /etc/ppp/ip-down.d/chrony
+ to put chronyd online/offline depending on the PPP link status.
+
+ - Since version 1.31.1-1, we create the _chrony system user to which chronyd
+ will drop root privileges on initialisation. For users already allowing
+ chronyd to drop root privileges in favor of the user configured by the "user"
+ directive in chrony.conf, your configuration will remain unchanged and will
+ still work as it did. However, if you don’t want to deviate from Debian’s
+ default configuration, delete or comment out the "user" directive in
+ chrony.conf and recursively change the owner of the /var/lib/chrony and
+ /var/log/chrony directories. For example:
+
+ # sed -i 's/^user/#user/' /etc/chrony/chrony.conf
+ # chown -R _chrony:_chrony /var/l{ib,og}/chrony
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 01 Mar 2019 19:02:12 +0100
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..6b9c518
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,2418 @@
+chrony (4.0-8+deb11u2) bullseye; urgency=medium
+
+ * debian/usr.sbin.chronyd:
+ - Allow reading the chronyd configuration file that timemaster(8)
+ generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745)
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 14 Mar 2022 22:17:25 +0100
+
+chrony (4.0-8+deb11u1) bullseye; urgency=medium
+
+ * debian/patches/:
+ - Add fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch to be able
+ to bind a socket to a network device with a name longer than 3 characters
+ when the system call filter is enabled. (Closes: #995207)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 19 Oct 2021 22:02:40 +0200
+
+chrony (4.0-8) unstable; urgency=medium
+
+ * debian/patches/:
+ - Add allow-BINDTODEVICE-option-in-seccomp-filter.patch to enable support
+ for binding sockets to a device without having to disable the seccomp
+ filter.
+ - Add allow-getuid32-in-seccomp-filter.patch. Upstream found out that
+ getuid32() needed to be allowed in the seccomp filter to enable some NTS
+ operations on i686. This may affect other 32-bits architectures.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 13 May 2021 16:51:41 +0200
+
+chrony (4.0-7) unstable; urgency=medium
+
+ * debian/patches/:
+ - Add allow-IP_TOS-socket-option-in-seccomp-filter.patch to enable the use
+ of the 'dscp' directive.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 08 Apr 2021 16:21:16 +0200
+
+chrony (4.0-6) unstable; urgency=medium
+
+ * debian/tests/helper-functions:
+ - Instead of running 'systemctl restart chrony.service', use
+ __restart_chronyd() in the __no_system_clock_control() function.
+ - Run 'sleep 3' only if chronyd has successfully restarted.
+
+ [ Christian Ehrhardt ]
+ * debian/tests/{dynamically-add-source,ntp-server-and-nts-auth}:
+ - Reduce default Ubuntu config to make space for testcase config.
+
+ * debian/tests/helper-functions:
+ - Add more common functions and update some tests to use them.
+ - Wait after restarting chronyd. Without this, some tests break on Ubuntu by
+ checking state too early.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 21 Feb 2021 21:59:22 +0100
+
+chrony (4.0-5) unstable; urgency=medium
+
+ * Follow DEP-14 branch naming conventions:
+ master -> debian/latest
+ upstream -> upstream/latest
+
+ * debian/chrony.service:
+ - Enable some hardening settings.
+
+ * debian/control:
+ - Remove Joachim Wiedorn from the Uploaders field. This decision was taken
+ in agreement with him. Thanks a lot, Joachim, for your work on chrony and
+ for your benevolence when you handed me its maintenance.
+ - Point Vcs-Git to the debian/latest branch.
+
+ * debian/dirs:
+ - Do not create the /etc/apparmor.d/force-complain directory. Not needed
+ anymore.
+
+ * debian/postrm:
+ - Remove /run/chrony-dhcp on purge.
+
+ * debian/preinst:
+ - Drop old migration code snippet. It was used to put the newly provided
+ AppArmor profile in complain mode when upgrading chrony to prevent
+ regressions this profile could have caused. (Closes: #905485)
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 04 Feb 2021 19:49:22 +0100
+
+chrony (4.0-4) unstable; urgency=medium
+
+ * debian/chrony.examples:
+ - Provide example configuration files.
+
+ * debian/postinst:
+ - Run adduser unconditionally.
+ - Use 'chronyd -p' to check the whole configuration.
+
+ * debian/tests/:
+ - Prevent dynamically-add-source and ntp-server-and-nts-auth tests from
+ failing on chronyd's preparation step.
+ - Don't pass 'set -u' to dynamically-add-source and
+ ntp-server-and-nts-auth scripts.
+
+ * debian/tests/control:
+ - Mark dynamically-add-source as skippable.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 21 Jan 2021 20:02:39 +0100
+
+chrony (4.0-3) unstable; urgency=medium
+
+ * debian/:
+ - chronyd's configuration can now be fragmented. Please see
+ /etc/chrony/conf.d/README for more information.
+ - NTP sources can be specified in /etc/chrony/sources.d. Please see
+ /etc/chrony/sources.d/README for more information.
+
+ * debian/chrony.conf:
+ - Include configuration files found in /etc/chrony/conf.d.
+ - Use NTP sources found in /etc/chrony/sources.d.
+ - Get TAI-UTC offset and leap seconds from the system tz database by using
+ the "leapsectz right/UTC" directive. This directive must be commented out
+ when using time sources serving leap-smeared time. (Closes: #974845)
+ - Add missing comment.
+
+ * debian/chrony.default:
+ - Switch the seccomp filter to level 1.
+
+ * debian/chrony.lintian-overrides:
+ - Override breakout-link.
+
+ * debian/control:
+ - Add tzdata to the dependencies.
+ - Bump Standards-Version to 4.5.1 (no changes required).
+
+ * debian/copyright:
+ - Update copyright year for debian/*.
+
+ * debian/postinst:
+ - Use dpkg-statoverride to manage mode bits and ownership of
+ /var/l{ib,og}/chrony.
+
+ * debian/postrm:
+ - Remove overrides for /var/l{ib,og}/chrony on purge.
+
+ * debian/rules:
+ - Drop '--without-readline' option. GNU readline support has been dropped
+ upstream due to license incompatibility.
+ - Replace -F -1 by -F 1 in the sed invocation.
+
+ * debian/tests/:
+ - Add fragmented-configuration autopkgtest.
+ - Add dynamically-add-source autopkgtest.
+ - Add ntp-server-and-nts-auth autopkgtest.
+
+ * debian/tests/control:
+ - Mark ntp-server-and-nts-auth as skippable.
+
+ * debian/tests/fragmented-configuration:
+ - Use another directive for the test since "leapsectz right/UTC" is now
+ used by default.
+
+ * debian/tests/helper-functions:
+ - Add __no_system_clock_control() function.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Always use the same seed to get deterministic results.
+
+ * debian/upstream/metadata:
+ - Remove obsolete field Name. Thanks to Debian Janitor <janitor@jelmer.uk>.
+
+ * debian/usr.sbin.chronyd:
+ - Make use of the @{run} variable.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 18 Jan 2021 21:58:52 +0100
+
+chrony (4.0-2) unstable; urgency=medium
+
+ * Merge branch 'experimental' into 'master'.
+
+ * Upload to unstable.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 13 Oct 2020 15:59:33 +0200
+
+chrony (4.0-1) experimental; urgency=medium
+
+ * Import upstream version 4.0:
+ - This release adds support for the Network Time Security (NTS)
+ authentication mechanism (RFC 8915).
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Oct 2020 19:14:51 +0200
+
+chrony (4.0~pre4-2) experimental; urgency=medium
+
+ * debian/postinst:
+ - Fix user and group ownership of "/var/lib/chrony" to allow chronyd
+ to write in it. This will also fix a regression in the 104-systemdirs
+ test.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 03 Oct 2020 11:20:02 +0200
+
+chrony (4.0~pre4-1) experimental; urgency=medium
+
+ * Import upstream version 4.0-pre4:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * Merge branch 'master' into experimental. (Closes: #970421)
+
+ * debian/chrony.conf:
+ - Use NTP sources from /run/chrony-dhcp.
+ - Save NTS keys and cookies in /var/lib/chrony/.
+
+ * debian/chrony-dnssrv@.service:
+ - Update "chrony-helper" path.
+
+ * debian/chrony.dhcp:
+ - Save NTP servers from DHCP to /run/chrony-dhcp/$interface.sources.
+
+ * debian/chrony.lintian-overrides:
+ - Override executable-in-usr-lib for NetworkManager dispatcher scripts.
+ - Update NetworkManager dispatcher script name.
+
+ * debian/chrony.ppp.ip-{down,up}:
+ - Update PID file path.
+
+ * debian/chrony.service:
+ - Update PID file path.
+ - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
+ needed anymore.
+
+ * debian/control:
+ - Build-depend on libgnutls28-dev to support NTS.
+ - Build-depend on gnutls-bin for the test suite.
+ - Bump debhelper-compat to 13.
+
+ * debian/copyright:
+ - Update copyright years.
+
+ * debian/dirs:
+ - Remove var/log/chrony as it will be created automatically if it doesn’t
+ exist.
+
+ * debian/if-{post-down,up}:
+ - Update PID file path.
+
+ * debian/init:
+ - Update PID file path.
+ - Drop the unnecessary '--remove pidfile' option from the stop target.
+ - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
+ needed anymore.
+
+ * debian/install:
+ - Move "chrony-helper" to "/usr/libexec/chrony".
+
+ * debian/links:
+ - Update source and destination filenames.
+
+ * debian/patches/:
+ - Drop patches applied upstream.
+ - Add nm-dispatcher-dhcp_Move-server_dir-to-run.patch.
+
+ * debian/postinst:
+ - Drop migration code from pre-Stretch.
+ - Migrate NTP sources obtained from DHCP to /run/chrony-dhcp on upgrade
+ from chrony < 4.0~pre4-1.
+ - Remove staled PID file when upgrading from chrony < 4.0~pre4-1.
+
+ * debian/rules:
+ - Change the default PID file location from /run to /run/chrony.
+ - Drop dh_missing --fail-missing. This is the default in debhelper 13.
+ - Enable seccomp support by default on riscv64.
+ - Update NetworkManager dispatcher script name from 20-chrony to
+ 20-chrony-onoffline.
+ - Add DHCP NetworkManager dispatcher script to allow chronyd to use
+ NTP sources obtained from NM's internal DHCP client.
+
+ * debian/tests/:
+ - Add some helper functions. Some tests will be updated thereafter
+ to use them.
+
+ * debian/tests/time-sources-from-dhcp-servers:
+ - Adapt to the new way of using time sources from DHCP.
+ - Improve sed invocation.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Update clknetsim version.
+ - Cosmetic changes.
+
+ * debian/tests/upstream-system-tests:
+ - No need to stop systemd-timesyncd anymore since it is no more
+ co-installable with chrony anymore.
+
+ * debian/usr.sbin.chronyd:
+ - Update PID file path.
+ - Add dac_override and dac_read_search capabilities to give "root" the
+ ability to write the PID file in /run/chrony/.
+ - Prefix flag definition by "flags=".
+ - Sort the capabilities.
+ - Grant CAP_NET_RAW capability to allow an NTP socket to be bound to a
+ device using the SO_BINDTODEVICE socket option on kernels before 5.7.
+ - Add comments regarding capabilities.
+ - Let chronyd create /var/l{ib,og}/chrony.
+ - Remove a superfluous rule.
+ - Allow reading of NTP sources in /run/chrony-dhcp/.
+
+ * debian/watch:
+ - Make use of special strings.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 02 Oct 2020 21:21:08 +0200
+
+chrony (3.5.1-1) unstable; urgency=medium
+
+ * Import upstream version 3.5.1:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+ - CVE-2020-14367: create new file when writing pidfile.
+
+ * debian/chrony.lintian-overrides:
+ - Remove unused override.
+
+ [ Ville Skyttä ]
+ * debian/chrony.conf:
+ - Comment spelling fix. (MR: !5)
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 20 Aug 2020 14:07:22 +0200
+
+chrony (3.5-9) unstable; urgency=medium
+
+ * debian/patches/:
+ - Add allow-some-*time64-syscalls-in-seccomp-filter.patch. Needed for
+ 32-bit architectures with new system calls using 64-bit time_t.
+ (LP: #1878005)
+
+ * debian/tests/control:
+ - Add needs-internet restriction to the upstream-simulation-test-suite
+ test.
+
+ [ Christian Ehrhardt ]
+ * debian/tests/upstream-simulation-test-suite:
+ - Skip if preparation steps fail.
+ - Make preparation steps more verbose.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 19 May 2020 16:42:18 +0200
+
+chrony (3.5-8) unstable; urgency=medium
+
+ * debian/postrm:
+ - Stop starting systemd-timesyncd in postrm. This is no longer relevant
+ since systemd-timesyncd is a standalone package declaring
+ Conflicts/Replaces/Provides: time-daemon. (Closes: #955773)
+
+ [ Christian Ehrhardt ]
+ * debian/tests/upstream-system-tests:
+ - Stop chrony/systemd-timesynd before running these tests. (LP: #1870144)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 05 Apr 2020 17:44:31 +0200
+
+chrony (3.5-7) unstable; urgency=medium
+
+ * debian/chrony.maintscript:
+ - Remove the /etc/NetworkManager/dispatcher.d/20-chrony conffile.
+
+ * debian/control:
+ - Support seccomp facility on riscv64. It should be noted that the system
+ call filter will stay disabled by default on this architecture until
+ Linux >= 5.5 hits unstable.
+ - Bump libseccomp-dev build-dep to 2.4.3-1~ to provide seccomp facility on
+ riscv64.
+ - Break network-manager (<< 1.20.0-1~). Prior to this version,
+ NetworkManager would not look for dispatcher scripts into
+ /usr/lib/NetworkManager/dispatcher.d/.
+
+ * debian/dirs:
+ - Create the usr/lib/NetworkManager/dispatcher.d subdirectories.
+
+ * debian/links:
+ - Change the location of the NetworkManager dispatcher script.
+
+ * debian/patches/:
+ - Add allow-renameat2-in-seccomp-filter.patch. Required as the riscv64
+ architecture does not support the rename() and renameat() system calls.
+
+ * debian/rules:
+ - Move the NetworkManager dispatcher script in
+ /usr/lib/NetworkManager/dispatcher.d/.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 17 Mar 2020 15:21:53 +0100
+
+chrony (3.5-6) unstable; urgency=medium
+
+ * debian/chrony.service:
+ - Don’t conflict with systemd-timesyncd.service.
+ A few users complain that chronyd does not start at boot. The way the
+ Conflict= directive works internally might cause both systemd-timesyncd
+ and chronyd to be inactive at boot. So by relying solely on the
+ disable-with-time-daemon.conf drop-in file provided by systemd, we should
+ get rid of this malfunction while still preventing these two time daemons
+ from being active at the same time. Kudos notably go to Santiago Vila for
+ the report and providing SSH access to a GCE instance where the issue was
+ reproducible and Michael Biebl for debugging. (Closes: #947936)
+
+ * debian/control:
+ - Bump Standards-Version to 4.5.0 (no changes required).
+ - No need to explicitly conflict with ntp as it now provides time-daemon.
+
+ * debian/copyright:
+ - Update copyright year for debian/*.
+
+ * debian/patches/:
+ - Add allow-clock_adjtime-in-seccomp-filter.patch.
+ glibc 2.31 switched the adjtimex() function to the clock_adjtime
+ system call.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Update clknetsim version. This new version supports glibc >= 2.31 headers.
+ (LP: #1866753)
+
+ * debian/tests/control:
+ - Run the upstream-simulation-test-suite as root.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 10 Mar 2020 19:17:16 +0100
+
+chrony (3.5-5) unstable; urgency=medium
+
+ * debian/control:
+ - Bump standard-version to 4.4.1 (no change required).
+
+ * debian/install:
+ - Install 50-chrony.list in /usr/lib/systemd/ntp-units.d.
+
+ * debian/ntp-units.d/50-chrony.list:
+ - Allow timedated to interact with chronyd.
+
+ * debian/patches/*:
+ - Cherry-pick upstream commits to better manage RTCs that don't support
+ interrupts. This fixes an issue exhibited when a specific upstream system
+ test is run on the Ubuntu CI. Thank to Christian Ehrhardt for working
+ with Miroslav Lichvar to address this problem.
+
+ * debian/tests/control:
+ - Use @builddeps@ as a test dependency for upstream_system_tests.
+
+ [ Christian Ehrhardt ]
+ * debian/tests/upstream-simulation-test-suite:
+ - Redirect stderr on make call to stdout. On some architectures (e.g. armhf)
+ the clksim tests compile but throw some warnings. (MR: !2)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 22 Dec 2019 17:30:40 +0100
+
+chrony (3.5-4) unstable; urgency=medium
+
+ * debian/tests/control:
+ - Add @builddeps@ to the list of dependencies needed by the
+ upstream-simulation-test-suite test.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 30 Aug 2019 00:49:20 +0200
+
+chrony (3.5-3) unstable; urgency=medium
+
+ * debian/chrony.lintian-overrides:
+ - Override package-supports-alternative-init-but-no-init.d-script. This
+ is a false positive. chrony-dnssrv@.service isn’t a daemon but a oneshot
+ service, not started at boot, whose role is to lookup for _ntp._udp DNS SRV
+ records.
+
+ * debian/chrony.service:
+ - Pull in time-sync.target and order chrony before it as recommended in
+ systemd.special(7).
+
+ * debian/control:
+ - Bump standard-version to 4.4.0 (no changes required).
+
+ * debian/.gitlab-ci.yml:
+ - Switch to standard Salsa Pipeline.
+ - Skip the reprotest job for as long as it is run as root due to problems
+ with chrony system tests.
+
+ * debian/tests/*:
+ - Revamp the upstream-simulation-test-suite test.
+ - Adjust dpkg dependencies for upstream-simulation-test-suite.
+ - Adjust restrictions for upstream-simulation-test-suite.
+ - Introduce upstream-system-tests. Add a new set of tests for testing
+ basic chronyd functionality. Destructive tests are run in a virtual
+ machine.
+ - Add ethtool to the list of dependencies needed by
+ run_destructive_system_tests.
+ - exit 77 if upstream-simulation-test-suite is run on non-Linux and mark
+ the test as skippable. Thanks to Paul Gevers <elbrus@debian.org> for the
+ suggestion.
+ - Make artifacts() exit 1. Again, thanks to Paul Gevers.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 13 Aug 2019 17:57:47 +0200
+
+chrony (3.5-2) unstable; urgency=medium
+
+ * Merge branch “experimental” into “master”.
+
+ * debian/chrony.dhcp:
+ - Fix shellcheck warnings. Patch imported from Fedora.
+
+ * debian/chrony-helper:
+ - Fix shellcheck warnings. Patch imported from Fedora.
+
+ * debian/clean:
+ - Drop obsolete entries.
+
+ * debian/copyright:
+ - Update copyright years.
+ - Update copyright holder for the configure script.
+
+ * debian/patches/*:
+ - Add update_processing_of_packet_log.patch. This fixes a regression in
+ the simulation tests exhibited by the recent clknetsim changes.
+ (Closes: #931181)
+
+ * debian/rules:
+ - Use dh_missing --fail-missing.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Use a known good clknetsim commit. This should prevent regressions from
+ on-going “clknetsim” development.
+
+ * debian/usr.sbin.chronyd:
+ - Grant access rights only to the ntp_signd socket. (Closes: #928170)
+
+ [ Christian Ehrhardt ]
+ * debian/postrm:
+ - Re-establish systemd-timesyncd on removal. (MR: !1)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 06 Jul 2019 20:33:41 +0200
+
+chrony (3.5-1) experimental; urgency=medium
+
+ * Import upstream version 3.5:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * debian/control:
+ - Ignore net-tools and procps build-dependencies if the profile nocheck is
+ active.
+
+ * debian/rules:
+ - No test suite should be run if nocheck is passed to DEB_BUILD_OPTIONS.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 15 May 2019 18:44:12 +0200
+
+chrony (3.5~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.5-pre1:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * debian/.gitlab-ci.yml:
+ - Use .build-package template job instead of .build-unstable. The latter
+ is deprecated.
+
+ * debian/chrony.keys:
+ - Fix the comment about the location of the list of supported hash
+ functions and output encoding. These information are now available by
+ consulting the “keyfile” directive in the chrony.conf(5) man page.
+
+ * debian/control:
+ - Drop dependency on lsb-base. Is is required when booting with sysvinit
+ and initscripts, however initscripts already Depends on lsb-base.
+ - Build-depend on net-tools and procps. kill, netstat and ps are needed
+ for the new system tests executed at build time (iff building as root).
+
+ * debian/copyright:
+ - Add an entry for test/system/* files.
+
+ * debian/patches/*:
+ - Drop all patches, they have been applied upstream.
+
+ * debian/postinst:
+ - Drop migration code from pre-stretch.
+
+ * debian/README.Debian:
+ - Fix information related to the chrony.keys file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 12 May 2019 22:16:14 +0200
+
+chrony (3.4-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Add allow-further-syscalls-in-seccomp-filter.patch. Supplementing the
+ seccomp filter whitelist with those syscalls is a prerequisite, notably for
+ the arm64 architecture.
+
+ [ Leigh Brown ]
+ * debian/patches/*:
+ - Add allow-recv-send-in-seccomp-filter.patch. Necessary on armel and
+ ppc64el. Other architectures might also be affected. (Closes: #924494)
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 18 Mar 2019 19:35:34 +0100
+
+chrony (3.4-3) unstable; urgency=medium
+
+ * debian/.gitlab-ci.yml:
+ - Check for missing hardening flags.
+
+ * debian/patches/*:
+ - Add allow-_llseek-in-seccomp-filter.patch. Needed on various 32-bit
+ plateforms to log the {raw}measurements and statistics information when
+ the seccomp filter is enabled. Thanks a lot to Francesco Poli (wintermute)
+ <invernomuto@paranoici.org> for the report. (Closes: #923137)
+ - Add allow-waitpid-in-seccomp-filter.patch. Needed to correctly stop
+ chronyd on some plateforms when the seccomp filter is enabled.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 04 Mar 2019 23:32:12 +0100
+
+chrony (3.4-2) unstable; urgency=medium
+
+ * debian/.gitlab-ci.yml:
+ - Replace home-made GitLab CI with the standard Salsa pipeline.
+ - Allow autopkgtest job to fail. The time-sources-from-dhcp-servers test
+ currently fails due to a testbed issue on salsa CI.
+
+ * debian/chrony.default:
+ - Enable the system call filter by default.
+
+ * debian/control:
+ - Bump standard-version to 4.3.0 (no changes required).
+ - Use the new debhelper-compat (= 12) notation and drop d/compat.
+ - Add Pre-Depends: ${misc:Pre-Depends}. Debhelper compatibility level 12
+ makes use of the “--skip-systemd-native” flag from “invoke-rc.d”. Adding
+ Pre-Depends: ${misc:Pre-Depends} to d/control ensure that we have a recent
+ enough version of “init-system-helpers”.
+ - Suggest networkd-dispatcher.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2019.
+
+ * debian/links:
+ - Now that “networkd-dispatcher” is in the Debian archive, link
+ NetworkManager dispatcher script to networkd-dispatcher routable and off
+ states. Patch cherry-picked from Ubuntu; thanks to Christian Ehrhardt
+ <christian.ehrhardt@canonical.com> for working on this.
+
+ * debian/NEWS:
+ - Report that a system call filter is now enabled by default and the way
+ to disable it if needed.
+
+ * debian/rules:
+ - Don’t enable the system call filter on some architectures due to missing
+ support in the “libseccomp” and/or the Linux kernel.
+
+ * debian/upstream/:
+ - Strip upstream key from extra signatures. Thanks lintian!
+ - Remove the Miroslav-Lichvar.txt file as it serves no purpose.
+
+ * debian/usr.sbin.chronyd:
+ - Don’t include “tunables/sys”. The etc/apparmor.d/tunables/sys file has
+ been deprecated in AppArmor 2.13.1! The @{sys} variable is now defined in
+ “tunables/kernelvars” which is included in “tunables/global”.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 13 Feb 2019 17:08:17 +0100
+
+chrony (3.4-1) unstable; urgency=medium
+
+ * Import upstream version 3.4:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * Merge branch “experimental” into “master”.
+
+ * debian/chrony.service:
+ - Conflict with ntpsec.service.
+
+ * debian/copyright:
+ - Update copyright years.
+
+ * debian/patches/*:
+ - Remove fix-samplefilt-unit-test-to-work-with-low-precision-clock.patch,
+ fixed upstream.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 21 Sep 2018 14:12:03 +0200
+
+chrony (3.4~pre1-2) experimental; urgency=medium
+
+ * debian/patches/*:
+ - Cherry-pick upstream patch to fix samplefilt unit test to work with
+ low-precision clocks. This should prevent chrony from failing to build
+ from source on HPPA and Alpha.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 10 Sep 2018 18:39:58 +0200
+
+chrony (3.4~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.4-pre1:
+ - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
+
+ * debian/:
+ - Add “.gitlab-ci.yml” file to use GitLab Continuous Integration.
+
+ * debian/chrony.if-{post-down,up}:
+ - Use the new “onoffline” command to tell chronyd to switch all sources to
+ the online or offline status according to the current network configuration.
+
+ * debian/chrony.ppp.ip-{down,up}:
+ - As for ifupdown scripts, use the “onoffline” command.
+
+ * debian/control:
+ - Bump standard-version to 4.2.1 (no changes required).
+
+ * debian/patches/*:
+ - Remove fall-back-to-urandom.patch. Applied in this prerelease.
+
+ * debian/post{inst,rm}:
+ - Use “command -v” instead of “which” to enhance portability.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 02 Sep 2018 19:14:08 +0200
+
+chrony (3.3-3) unstable; urgency=medium
+
+ * debian/:
+ - Normalize packaging with “wrap-and-sort -ab”.
+
+ * debian/control:
+ - Bump standard-version to 4.2.0:
+ ↳ Install upstream release notes as “/usr/share/doc/chrony/NEWS.gz”.
+ Installing these as “/usr/share/doc/package/changelog.gz” is now
+ deprecated.
+
+ * debian/patches/:
+ - Cherry-pick upstream patch to avoid hangs when starting
+ chronyd on newer kernels by falling back to urandom.
+ Thanks to Gustavo Scalet <gustavo.scalet@collabora.com> for the report and
+ the initial patch. (LP: #1787366, Closes: #906276)
+
+ * debian/upstream/metadata:
+ - Add DEP12 upstream metadata file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 18 Aug 2018 16:23:19 +0200
+
+chrony (3.3-2) unstable; urgency=medium
+
+ * debian/chrony.service:
+ - Conflict with ntp.service.
+
+ * debian/control:
+ - Bump standard-version to 4.1.4 (no changes required).
+ - Switch to the Nettle cryptographic library for hash functions.
+
+ [ Helmut Grohne ]
+ * debian/rules:
+ - Pass CC to make and set “--host-system” to fix FTCBFS. (Closes: #895852)
+
+ [ Christian Ehrhardt ]
+ * debian/usr.sbin.chronyd:
+ - Support all paths suggested in the man page.
+ (LP: #1771028, Closes: #898614)
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 14 May 2018 21:37:30 +0200
+
+chrony (3.3-1) unstable; urgency=medium
+
+ * Import upstream version 3.3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * Merge branch “experimental” into “master”.
+
+ * debian/copyright:
+ - Update copyright year.
+
+ * debian/usr.sbin.chronyd:
+ - Allow CAP_NET_ADMIN to support HW timestamping. (LP: #1761327)
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 05 Apr 2018 02:08:31 +0200
+
+chrony (3.3~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.3-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/copyright:
+ - Add “hash_nettle.c” copyright information and update copyright year of
+ test/unit/*
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 15 Mar 2018 13:58:21 +0100
+
+chrony (3.2-5) unstable; urgency=medium
+
+ [ Christian Ehrhardt ]
+ * debian/usr.sbin.chronyd:
+ - Allow write access to RTC, PPS and PTP devices.
+ (Closes: #891201, LP: #1751241)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 28 Feb 2018 17:31:08 +0100
+
+chrony (3.2-4) unstable; urgency=medium
+
+ * debian/changelog:
+ - Remove trailing spaces.
+
+ * debian/chrony-dnssrv@.service:
+ - Use NTP servers obtained from DNS SRV records.
+
+ * debian/chrony-dnssrv@.timer:
+ - Periodic lookup of DNS SRV records.
+
+ * debian/chrony-helper:
+ - New helper script to make use of NTP servers obtained from DHCP and
+ _ntp._udp DNS SRV records.
+
+ * debian/chrony.dhcp:
+ - Add a dhclient-exit-hook script to add/remove NTP servers depending
+ on the operations invoked by the DHCP client. (Closes: #889656)
+
+ * debian/chrony.service:
+ - Run “/usr/lib/chrony/chrony-helper update-daemon” after starting chronyd.
+
+ * debian/control:
+ - Suggest dnsutils. The dig utility is used to update files with NTP
+ servers from DNS SRV records.
+
+ * debian/init:
+ - Run “/usr/lib/chrony/chrony-helper update-daemon” after starting chronyd.
+
+ * debian/install:
+ - Install the chrony-helper script in /usr/lib/chrony.
+ - Install chrony-dnssrv@.* files in /lib/systemd/system.
+
+ * debian/postinst:
+ - Don’t use recursive chown as this is vulnerable to hardlink attacks on
+ mainline, non-Debian kernels that do not have fs.protected_hardlinks=1.
+ Thanks Lintian!
+
+ * debian/postrm:
+ - Remove “/run/chrony” on purge.
+
+ * debian/rules:
+ - Install the dhclient-exit-hook script in /etc/dhcp/dhclient-enter-hooks.
+
+ * debian/tests/:
+ - Use autopkgtest to ensure that chronyd can use NTP servers obtained from
+ DHCP servers.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 20 Feb 2018 18:27:10 +0100
+
+chrony (3.2-3) unstable; urgency=medium
+
+ [ Christian Ehrhardt ]
+ * debian/chrony.default:
+ - Mention systemd service file in the comment.
+
+ * debian/chrony.service:
+ - Support the DAEMON_OPTS variable from “/etc/default/chrony” in systemd
+ environment. (LP: #1746081, Closes: #889012)
+
+ * debian/usr.sbin.chronyd:
+ - Allow the creation of /run/chrony on demand.
+ (LP: #1746444, Closes: #889011)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 07 Feb 2018 21:27:09 +0100
+
+chrony (3.2-2) unstable; urgency=medium
+
+ * Initial AppArmor profile for chronyd. Thanks to Jamie
+ Strandboge <jamie@ubuntu.com>. (Closes: #888038)
+
+ * debian/compat:
+ - Bump to debhelper compat 11.
+
+ * debian/control:
+ - Bump standard-version to 4.1.3 (no changes required).
+ - Build depend on debhelper ≥ 11.
+ - Set “Rules-Requires-Root: no”.
+ - Move Vcs-* to salsa.debian.org.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2018.
+
+ * debian/postinst:
+ - Don’t force removal of cron file since it doesn’t exist anymore.
+
+ * debian/preinst:
+ - Update the chrony version on which to act.
+ - Add the debhelper token.
+
+ * debian/usr.sbin.chronyd:
+ - Improve AppArmor profile to support more chronyd features and ease
+ portability with other distros.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 28 Jan 2018 19:33:46 +0100
+
+chrony (3.2-1) unstable; urgency=medium
+
+ * Import upstream version 3.2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 15 Sep 2017 11:37:10 +0200
+
+chrony (3.2~pre2-1) experimental; urgency=medium
+
+ * Import upstream version 3.2-pre2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/control:
+ - Bump standard-version to 4.1.0 (no changes required).
+
+ * debian/copyright:
+ - Update copyright years.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 30 Aug 2017 15:48:37 +0200
+
+chrony (3.2~pre1-1) experimental; urgency=medium
+
+ * Import upstream version 3.2-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/patches/*:
+ - Remove allow_getpid_in_seccomp_filter.patch and update the series file
+ accordingly.
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Run tests in multiple iterations.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 25 Jul 2017 21:13:22 +0200
+
+chrony (3.1-5) unstable; urgency=medium
+
+ * debian/chrony.if-up:
+ - Do not pass the “burst” command to chronyc as the script could return an
+ error in certain situations. As a consequence, that would prevent ifupdown
+ from writing the current state of the interfaces in /run/network/ifstate.
+ Thanks to John Eikenberry <jae@zhar.net> for reporting that issue.
+ (Closes: #868491)
+
+ * debian/chrony.ppp.ip-up:
+ - Take the same action as for the “chrony.if-up” script as a precautionary
+ measure.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 17 Jul 2017 16:47:56 +0200
+
+chrony (3.1-4) unstable; urgency=medium
+
+ * Now that Stretch has been released (\o/), let’s upload chrony 3.1 to
+ unstable.
+
+ * debian/:
+ - Remove the menu file used to launch “chronyc”. It is a CLI only tool,
+ thus it probably does not make a lot of sense to keep it in the Debian
+ menu.
+
+ * debian/control:
+ - Drop dependency on pre-jessie util-linux version.
+ - Bump standard-version to 4.0.0 (no changes required).
+
+ * debian/tests/upstream-simulation-test-suite:
+ - Fix the leading comment which mentioned “vm” despite the fact that the
+ test runs in a container.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 19 Jun 2017 02:30:10 +0200
+
+chrony (3.1-3) experimental; urgency=medium
+
+ * debian/chrony.if-{post-down,up}:
+ - Remove unnecessary “else” statements.
+
+ * debian/chrony.ppp.ip-down:
+ - Don’t check and delete “/var/run/chrony-ppp-up”, that file doesn’t exist
+ anymore.
+ - Check for pid file existence instead of calling “pidof”.
+
+ * debian/chrony.ppp.ip-up:
+ - Don’t create “/var/run/chrony-ppp-up” file after the ppp link came up.
+ - Check for pid file existence instead of calling “pidof”.
+ - Don’t call “chronyc” using its absolute path.
+ - Check for the presence of a default route before advising “chronyd” that
+ the network connectivity to the sources is ready.
+
+ * debian/init:
+ - Check if “$PIDFILE” exists before taking action.
+ - Do not print informational messages.
+ - Remove the “chronyd” pid file when stopping as it doesn’t do it on
+ its own.
+ - Rework the “restart|force-reload” pattern.
+ - Make use of some init-functions.
+ - Print a message if “chronyd” is already running while attempting to start
+ it.
+ - Do not delete “/var/run/chrony-ppp-up”, that file doesn’t exist anymore.
+
+ * d/rules:
+ - Move the default pid file from “/var/run” to “/run”.
+
+ * d/tests/*:
+ - Use autopkgtest facility to run the upstream simulation test suite.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 14 May 2017 17:26:15 +0200
+
+chrony (3.1-2) experimental; urgency=medium
+
+ * Merge branch 'master' into experimental. (Closes: #861258)
+
+ * debian/patches/*:
+ - Remove the “fix_time_smoothing_in_interleaved_mode.patch” patch. Not
+ needed anymore.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 26 Apr 2017 21:17:43 +0200
+
+chrony (3.1-1) experimental; urgency=medium
+
+ * Import upstream version 3.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.conf:
+ - Remove the “hwclockfile” directive. Unneeded now that the configure
+ script allows us to set the default path to the adjtime file via the
+ “--with-hwclockfile” option.
+
+ * debian/copyright:
+ - Update copyright years.
+
+ * debian/rules:
+ - Specify default path to hwclock adjtime file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 02 Feb 2017 19:24:30 +0100
+
+chrony (3.0-4) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Backport commit 768bce799bfe to make chrony operable with the syscall
+ filtering feature enabled in level 1. (Closes: #861258)
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 26 Apr 2017 17:39:44 +0200
+
+chrony (3.0-3) unstable; urgency=medium
+
+ * debian/patches/*:
+ - Backport an upstream patch to fix time smoothing in interleaved mode.
+ (Closes: #854424)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 07 Feb 2017 00:37:24 +0100
+
+chrony (3.0-2) unstable; urgency=medium
+
+ * debian/chrony.conf:
+ - Disable logging by default, it waste some disk space and users are
+ probably better served by “chronyc sources” and “chronyc sourcestats”
+ commands anyway.
+
+ * debian/chrony.service:
+ - Remove the “Restart=on-failure” option. There are possible security
+ implications for NTP clients.
+
+ * debian/dirs:
+ - Add etc/logrotate.d to avoid build failure.
+
+ * Remove our logrotate configuration file in favour of the upstream’s one.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 Jan 2017 15:26:31 +0100
+
+chrony (3.0-1) unstable; urgency=medium
+
+ * Import upstream version 3.0:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * Merge branch “experimental”:
+ - Enable support for MS-SNTP authentication in Samba.
+ - Rename --chronysockdir to --chronyrundir.
+ - Enable seccomp facility on powerpcspe.
+
+ * debian/chrony.conf:
+ - Make use of the “makestep” directive to step the system clock instead of
+ slewing it when necessary.
+ - Drop the “offline” option as per upstream’s advice to render chrony’s
+ start-up sequence safer.
+
+ * debian/chrony.service:
+ - Reflect init-helper script deletion.
+
+ * debian/copyright:
+ - Add myself as a copyright holder for 2017.
+ - Adjust copyright holders and update some copyright years. Kudos to Paul
+ Gevers <elbrus@debian.org> for spotting the necessary updates.
+
+ * debian/init:
+ - Reflect init-helper script deletion.
+
+ * debian/install:
+ - Don’t install the init-helper script, it has been deleted.
+
+ * debian/README.Debian:
+ - Remove obsolete information.
+
+ * Remove the init-helper script as it no longer needed.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 17 Jan 2017 22:05:31 +0100
+
+chrony (3.0~pre3-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 06 Jan 2017 14:20:13 +0100
+
+chrony (3.0~pre2-2) experimental; urgency=low
+
+ * Merge branch “master”.
+
+ * Enable seccomp facility on powerpcspe.
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 03 Jan 2017 18:17:13 +0100
+
+chrony (3.0~pre2-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre2:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 15 Dec 2016 15:23:44 +0100
+
+chrony (3.0~pre1-1) experimental; urgency=low
+
+ * Import upstream version 3.0-pre1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/copyright:
+ - Mention new files.
+
+ * debian/rules:
+ - Enable support for MS-SNTP authentication in Samba.
+ - Rename --chronysockdir to --chronyrundir.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 10 Dec 2016 16:30:19 +0100
+
+chrony (2.4.1-3) unstable; urgency=medium
+
+ * debian/apm:
+ - Removing that script as APM as been replaced by ACPI long time ago, thus
+ it’s highly probable that it isn’t useful anymore.
+
+ * debian/chrony.maintscript:
+ - Remove the apm script’s conffile.
+
+ * debian/chrony.service:
+ - Supply a systemd service file.
+ - Update unit section’s description. Add chronyc and chrony.conf man pages
+ information and remove reference to “/usr/share/doc/chrony.txt.gz” which
+ is not generated anymore.
+ - Update unit section’s documentation.
+
+ * debian/dirs:
+ - Don’t create etc/apm/event.d as the apm script isn’t provided anymore.
+
+ * debian/init:
+ - Convert to use the init-helper script.
+
+ * debian/init-helper:
+ - Add a helper script that will be used to maintain feature parity between
+ the SysV script and the systemd service file.
+
+ * debian/install:
+ - Install the init-helper script in “/usr/lib/chrony”.
+
+ * debian/rules:
+ - Don’t install the now removed apm script.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 22 Dec 2016 02:16:54 +0100
+
+chrony (2.4.1-2) unstable; urgency=medium
+
+ * debian/chrony.conf:
+ - Don’t create sample histories by default. Using that feature does not
+ make a lot of sense when using a pool of rapidely rotating time servers.
+ - Remove unused directives.
+ - Improve (well, I hope! ;-) ) the configuration file readability.
+ - Reword the driftfile directive commentary.
+ - Shorten the lead-in comment.
+
+ * debian/control:
+ - Build-depend on pps-tools only on linux.
+ - Remove libnss3-dev from Build-Depends until #846012 is fixed.
+
+ * debian/init:
+ - Don’t pass the “-r” option when restarting chronyd as we have disabled
+ the creation of sample histories by default.
+
+ * debian/rules:
+ - Drop dh_auto_build override. Nowadays, the documentation is built by
+ default.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 9 Dec 2016 16:58:32 +0100
+
+chrony (2.4.1-1) unstable; urgency=medium
+
+ * Import upstream version 2.4.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.default:
+ - New file used to pass options to chronyd. Thanks to nutzteil
+ <nutzteil@web.de> for the suggestion and the initial patch.
+ (Closes: #834240)
+
+ * debian/compat:
+ - Bump to debhelper compat 10.
+
+ * debian/control:
+ - Build depend on debhelper ≥ 10.
+
+ * debian/copyright:
+ - Use HTTPS for all URI.
+
+ * debian/init:
+ - Read and execute options assigned to the “DAEMON_OPTS” variable.
+
+ * debian/rules:
+ - Drop dh “--parallel” option. Enabled by default in debhelper 10.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 21 Nov 2016 12:58:05 +0100
+
+chrony (2.4-1) unstable; urgency=medium
+
+ The “Fix decade-old bug reports” release.
+
+ * Import upstream version 2.4:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/chrony.if-{up,post-down}:
+ - New scripts used to put chronyd online/offline depending on the
+ state of the connection. (Closes: #240528,#312092,#389961)
+
+ * debian/chrony.keys:
+ - Highlight “chronyc keygen” command to generate keys.
+
+ * debian/chrony.ppp.ip-down:
+ - Be sure that there is no default route before going offline.
+ (Closes: #252131)
+
+ * debian/control:
+ - Remove install-info dependency.
+ - Remove texinfo build dependency since documentation in Texinfo format
+ has been dropped upstream.
+ - Build depend on asciidoctor ≥ 1.5.3-1~. The version constraint is
+ important since chrony’s man pages are generated from “adoc” files, a
+ functionality that has been added in asciidoctor 1.5.3.
+
+ * debian/dirs:
+ - Add “etc/NetworkManager/dispatcher.d”.
+
+ * debian/doc-base:
+ - Remove the file since we do not generate chrony.{html,txt} anymore.
+
+ * debian/docs:
+ - Remove references to chrony.{html,txt}.
+
+ * debian/patches/*:
+ - Drop fix-ftbfs-on-powerpc-ppc64-ppc64el.diff; applied upstream.
+ - Update the “series” file accordingly.
+
+ * debian/postinst:
+ - Use ucfr to associate chrony with its configuration files. Suggested by
+ Paul Gevers <elbrus@debian.org>
+
+ * debian/postrm:
+ - Remove all vestiges of the association between chrony and its
+ configuration files. Also suggested by Paul Gevers <elbrus@debian.org>
+
+ * debian/rules:
+ - Provide upstream NetworkManager dispatcher script.
+
+ * debian/watch:
+ - Use HTTPS to fetch new upstream releases.
+ - Switch to version 4 format.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 17 Jun 2016 17:20:08 +0200
+
+chrony (2.3-2) unstable; urgency=low
+
+ * Cherry pick upstream patch to fix FTBFS on PowerPC, ppc64 and ppc64el
+ architectures.
+
+ -- Vincent Blut <vincent.debian@free.fr> Fri, 20 May 2016 14:21:14 +0200
+
+chrony (2.3-1) unstable; urgency=low
+
+ * Import upstream version 2.3:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+ (Closes: #818235)
+
+ * debian/chrony.conf:
+ - Drop the “logchange” directive. Upstream has enabled “logchange” by
+ default with a threshold of 1 second. We now use that instead of our custom
+ threshold of 0,5 second which tended to spam syslog.
+ - Remove obsolete comment.
+
+ * debian/chrony.lintian-overrides:
+ - Update “chrony.keys” path
+
+ * debian/control:
+ - Bump standard-version to 3.9.8 (no changes required).
+ - Use HTTPS transport protocol for the homepage URL.
+
+ * debian/copyright:
+ - Add some entries about new or untracked files.
+
+ * debian/postinst:
+ - Move /usr/share/chrony/chrony.keys template to /etc/chrony using ucf.
+ - Avoid displaying needless prompt when upgrading to chrony ≥ 2.2.1-1.
+ (Closes: #820087)
+
+ * debian/postrm:
+ - Remove chrony.keys on purge.
+ - Remove all vestiges of chrony.keys from the state hashfile.
+
+ * debian/rules:
+ - Re-enable test suite.
+ - Remove dh_installinit override. The init script is LSB-compliant so
+ passing the “default” option or the two-digit sequence number is unneeded.
+ - Explicitly set the NTP era. With this change, the NTP time will be
+ mapped from 1970-01-01T00:00:00Z to 2106-02-07T06:28:16Z. Thanks to this
+ fixed value, chrony build should be reproducible.
+ - Move the key file template (chrony.keys) in /usr/share/chrony.
+ - Force /usr/share/chrony/chrony.keys to use 0640 modes.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 May 2016 23:13:05 +0200
+
+chrony (2.2.1-1) unstable; urgency=medium
+
+ * Import upstream versions 2.2 and 2.2.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+ - The 2.2.1 release version fixes CVE-2016-1567. (Closes: #812923)
+
+ * debian/chrony.conf:
+ - Drop the commandkey directive. It is obsolete since the introduction of a
+ Unix domain command socket in chrony 2.2.
+ - Fix keyfile directive commentary.
+
+ * debian/chrony.keys:
+ - New file template.
+
+ * debian/chrony.lintian-overrides:
+ - New file used to force lintian to stop complaining about the “chrony.keys”
+ file modes (0640).
+
+ * debian/chrony.ppp.ip-down:
+ - Drop obsolete authentication method to the chronyd daemon. This is now
+ handled by the usage of a Unix domain command socket.
+
+ * debian/chrony.ppp.ip-up:
+ - Drop obsolete authentication method to the chronyd daemon. This is now
+ handled by the usage of a Unix domain command socket.
+ - Reinstate the “burst” chronyc command.
+
+ * debian/control:
+ - Build depend on libseccomp-dev ≥ 2.2.3-3~. We need it to provide syscall
+ filtering.
+ - Fix a typo relative to the name of an architecture.
+ - Build depend on pkg-config.
+ - Restrict libcap-dev build dependency on Linux only.
+ - Depend on iproute2 instead of net-tools.
+ - Drop timelimit dependency.
+ - Update Vcs-Git to use HTTPS.
+ - Bump standard-version to 3.9.7 (no changes required).
+
+ * debian/copyright:
+ - Update copyright year for debian/*.
+
+ * debian/init:
+ - Make use of “ip r” instead of “netstat -rn”. (Closes: #818234)
+ - Delete unused “FLAGS” variable.
+ - Do not execute ip and chronyc through timelimit.
+ - Don’t call chronyc using its absolute path.
+ - Check if the value of the DAEMON variable is executable.
+ - Drop the two seconds delay as it should be unnecessary.
+ - Drop obsolete authentication method from the putonline() function.
+ - Fix indentation issue in the putonline() function.
+
+ * debian/logrotate:
+ - Do not pass the “-a” option to chronyc, it’s no longer necessary.
+
+ * debian/NEWS:
+ - Add a comment about the command key suppression from the “chrony.keys”
+ file.
+
+ * debian/patches/:
+ - Drop 01_do-not-install-copying-file.patch, not needed anymore.
+ ↳ Remove reference to that patch from the series file.
+
+ * debian/postinst:
+ - Do not create an ID/key pair for command authentication. Configuration
+ and monitoring via chronyc is now done using Unix domain socket accessible
+ by root or by the system user to which chronyd will drop root privileges,
+ i.e. _chrony.
+
+ * debian/postrm:
+ - Remove /var/lib/chrony content only on purge. (Closes: #568492)
+
+ * debian/README.Debian:
+ - Drop obsolete statement.
+
+ * debian/rules:
+ - Build with --enable-scfilter.
+ - Install the “chrony.keys” file in /etc/chrony/ with 0640 modes.
+ - Override dh_fixperms to prevent it from modifying modes of the
+ “chrony.keys” file. By default, dh_fixperms tries to set the default modes
+ (0644).
+ - Move the “chronyd.sock” file from /var/run/chrony to /run/chrony.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sat, 19 Mar 2016 14:42:23 +0100
+
+chrony (2.1.1-1) unstable; urgency=medium
+
+ * Import upstream version 2.0 and 2.1.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for the release notes.
+
+ * debian/:
+ - Rename ppp scripts from ip-{up,down} to chrony.ppp.ip-{up,down}.
+ Necessary to let dh_installppp do its magic.
+
+ * debian/chrony.conf:
+ - Use the new 'pool' directive to specify the pool of NTP servers.
+ - Use the iburst option to speed up the initial synchronization.
+ - Drop the minpoll option. There is no point to deviate from upstream here.
+ Consequently, the default minimum polling interval is now 64 seconds
+ instead of 256 seconds.
+ - Enable kernel synchronization of the RTC via the 'rtcsync' directive.
+ - Drop the commented out 'rtcfile' directive in the configuration file.
+ - Stricly act as an NTP client by default. Serving time to other systems
+ should be the decision of the administrator(s). (Closes: #778770)
+ - Clarify some comments.
+ - Improve comment about the 'commandkey' directive.
+
+ * debian/control:
+ - Drop 'Recommends: udev (>= 0.124-1)' since it predates Debian squeeze.
+
+ * debian/copyright:
+ - Update copyright years.
+ - Various cleanups.
+ - Update relative to sys_macosx.{c,h} files.
+ - The test/simulation/test.common file is under the GPL-2+ license.
+ Thanks to Paul Gevers <elbrus@debian.org> for catching it.
+
+ * debian/NEWS:
+ - Comment the deactivation of the NTP server capability by default.
+
+ * debian/patches/:
+ - Refresh 01_do-not-install-copying-file.patch.
+
+ * debian/README.Debian:
+ - Fix misleading information.
+
+ * debian/rules:
+ - No need to install ppp scripts from the 'rules' script. Let dh_installppp
+ handle that.
+
+ -- Vincent Blut <vincent.debian@free.fr> Wed, 18 Nov 2015 00:11:23 +0100
+
+chrony (1.31.1-2) unstable; urgency=medium
+
+ * Rename the NEWS.Debian file to NEWS. dh_installchangelogs doesn’t seems
+ to be able to deal with the former name.
+
+ -- Vincent Blut <vincent.debian@free.fr> Thu, 17 Sep 2015 21:50:30 +0200
+
+chrony (1.31.1-1) unstable; urgency=medium
+
+ * Import upstream version 1.31 and 1.31.1:
+ - Please see /usr/share/doc/chrony/changelog.gz for release notes.
+
+ * debian/chrony.conf:
+ - Use the 'hwclockfile' directive. Avoid using text processing methods in
+ the post install script to find out if the RTC keeps local time or UTC.
+ (Closes: #778710)
+
+ * debian/clean:
+ - Add getdate.c
+
+ * debian/control:
+ - Move chrony from admin to net section.
+ - Change priority from extra to optional.
+ - Build depends on libcap-dev. (Closes: #768803)
+ - Bump standards-version to 3.9.6 (no changes required).
+ - Set myself as maintainer and Joachim as uploader.
+ - Update Vcs-Browser URL to use cgit and https.
+ - Build depends on pps-tools. Provides PPSAPI (RFC-2783) support.
+ - Improve the synopsis.
+ - Depend on util-linux (>= 2.20.1-5). Ensure that the 'UTC=' setting
+ from the '/etc/default/rcS' file have been migrated to UTC/LOCAL in
+ '/etc/adjtime'.
+ - Depends on adduser. Needed to create "_chrony" system user/group.
+
+ * debian/copyright:
+ - Add myself to copyright holders.
+ - Remove spaces from short name license (fix Lintian warning)
+ - Filled short license field (RSA-MD) (fix Lintian warning)
+ - Move comment to the "Comment:" field
+
+ * debian/logrotate:
+ - Simplify postrotate script. Thanks to Frédéric Brière
+ <fbriere@fbriere.net> for reporting and diagnosing the issue.
+ (Closes: #763542)
+
+ * debian/patches:
+ - Drop patches for issues fixed upstream.
+ - Rename and update patch. Update the series file accordingly.
+
+ * debian/postinst:
+ - Pass the '--three-way' option to ucf.
+ - Remove useless text processing methods as we now use the 'hwclockfile'
+ directive. (Closes: #778711)
+ - Create "_chrony" system user/group.
+ - Update the "new_file" path in the ucf invocation.
+ - Remove the MAILPASSWORD shell variable as we don’t use it.
+
+ * debian/postrm:
+ - Drop removal instruction of /etc/cron.weekly/chrony.
+ - Remove "_chrony" system user/group on purge.
+ - Don’t pass the --group option to deluser.
+
+ * debian/NEWS.Debian:
+ - New file incorporating worthwhile changes in this release.
+
+ * debian/README.Debian:
+ - Fix typo, thanks to Paul Gevers <elbrus@debian.org> for catching it.
+ - Missing word added.
+
+ * debian/rules:
+ - Build with all hardening flags.
+ - Ease the reading of configure options.
+ - Specify "_chrony" as default chronyd user. This is the system user to
+ which chronyd will drop root privileges. You'll find further information
+ in /usr/share/doc/chrony/README.Debian.
+ (Closes: #688971)
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:39:22 +0200
+
+chrony (1.30-2) unstable; urgency=medium
+
+ * With the following security bugfixes (Closes: #782160):
+ - Fix CVE-2015-1853: Protect authenticated symmetric NTP
+ associations against DoS attacks.
+ - Fix CVE-2015-1821: Fix access configuration with subnet
+ size indivisible by 4.
+ - Fix CVE-2015-1822: Fix initialization of reply slots for
+ authenticated commands.
+ * debian/control:
+ - Update e-mail address of myself.
+ - Add Vincent Blut as co-maintainer.
+
+ -- Joachim Wiedorn <joodebian@joonet.de> Fri, 10 Apr 2015 11:41:31 +0200
+
+chrony (1.30-1) unstable; urgency=medium
+
+ * New upstream release with following bugfixes:
+ - Fix crash when selecting with multiple preferred sources.
+ - Fix frequency calculation with large frequency offsets.
+ - Fix code writing drift and RTC files to compile correctly.
+ - Fix -4/-6 options in chronyc to not reset hostname set by -h.
+ - Fix refclock sample validation with sub-second polling interval.
+ - Set stratum correctly with non-PPS SOCK refclock and local stratum.
+ - Modify dispersion accounting in refclocks to prevent PPS getting
+ stuck with large dispersion and not accepting new samples.
+ - Move faq.txt (PHP style) to a plain text file FAQ. Closes: #415729
+
+ * Add gpg signature of upstream developer for use with uscan.
+ * Update debian/watch, add check of upstream gpg signature.
+ * Update all patches.
+
+ * Bugfix: Use /etc/adjtime in postinst script to recognize
+ UTC hardware clock. Closes: #680498
+ * Use logrotate instead of cron script. Closes: #323966
+ * debian/rules: disable test simulation.
+
+ * debian/control: remove obsolete build dependency to dpkg-dev.
+ * debian/install, debian/dirs, debian/clean: Update.
+ * debian/copyright: Update and add entries.
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Sun, 10 Aug 2014 19:10:35 +0200
+
+chrony (1.29.1-1) unstable; urgency=high
+
+ * New upstream release with bugfix:
+ - Closes: #737644: Fixing vulnerability:
+ CVE-2014-0021 - traffic amplification in cmdmon protocol
+ (incompatible with previous protocol version, but chronyc
+ supports both).
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Thu, 06 Feb 2014 15:51:47 +0100
+
+chrony (1.29-1) unstable; urgency=medium
+
+ * New upstream release with some bugfixes:
+ - Closes: #719132: new upstream version, fixes security bugs.
+ - Closes: #719203: Fixing vulnerabilities:
+ CVE-2012-4502 - Buffer overflow,
+ CVE-2012-4503 - Uninitialized data.
+
+ * debian/control:
+ - Set myself as new maintainer. Closes: #705768
+ - Bump to Standards-Version 3.9.5.
+ - Move to debhelper >= 9 and compat level 9.
+ - Update package descriptions.
+ - Add Vcs fields to new git repository.
+ - Add dependency to lsb-base (for init script).
+ - Add build dependency to libtomcrypt-dev.
+ * Move to source format 3.0 (quilt).
+ * Add the following patch files: (Closes: #637514)
+ - 01_fix-small-typo-in-manpages
+ - 03_recreate-always-getdate-c
+ - 04_do-not-look-for-ncurses (Closes: #646732)
+ - 05_disable-installation-of-license
+ * debian/rules:
+ - Move to dh-based rules file.
+ - Enable parallel builds.
+
+ * Add debian/watch file.
+ * Full update of debian/copyright file.
+ * Add debian/doc-base file.
+ * Full update of debian/README.Debian file.
+ * Update debian/postinst, debian/postrm, debian/prerm.
+ * Remove obsolete debian/preinst. Reduce mailing within postinst.
+ * Do not use old md5sum file anymore for ucf in postinst script.
+ * Add status action in init script (debian/init). Closes: #652207
+ * Add debian/install file for installing example of chrony.conf.
+ * Reduce debian/dirs file for use with debhelper 9.
+
+ -- Joachim Wiedorn <ad_debian@joonet.de> Fri, 20 Dec 2013 23:35:25 +0100
+
+chrony (1.26-4) unstable; urgency=low
+
+ * QA upload.
+ * Depend on net-tools, for netstat (closes: #707260).
+
+ -- Colin Watson <cjwatson@debian.org> Mon, 08 Jul 2013 18:00:45 +0100
+
+chrony (1.26-3) unstable; urgency=low
+
+ * Orphaned.
+
+ -- John G. Hasler <jhasler@debian.org> Fri, 19 Apr 2013 13:08:31 -0500
+
+chrony (1.26-2) unstable; urgency=low
+
+ * Fixed Makefile.in so that getdate.c gets made (and removed
+ in "clean"). This will go upstream. Moved faq stuff in rules
+ from binary-indep to binary-arch.
+ * Restored accidently deleted nmu changelog entry.
+
+ * Applied patch from Moritz Muehlenhoff <jmm@debian.org>
+ Closes: #655123 Please enabled hardened build flags
+
+ * Fixed upstream.
+ Closes: #518385 Chrony segfaults on startup (narrowed down to
+ chronyc and "burst")
+
+ * Added DEB_BUILD_OPTIONS=noopt to rules.
+ Added build-arch and build-indep to rules.
+ Prefix is now 'usr'.
+ Changed to dh_installman.
+ Fixed "clean:" target.
+ Closes: #479389 Improvements for debian/rules
+
+ * Fixed upstream.
+ Closes: #195620 Strange "System time : xxx seconds slow of NTP time"
+ output
+
+ * Upstream changes should have fixed this.
+ Closes:#294030 chronyd makes the whole system briefly (< 1 second)
+ freeze
+
+ * Fixed by upstream changes and new LSB headers.
+ Closes: #407466 Chrony won't access hardware clock but prevents
+ hwclock from doing so either
+
+ -- John G. Hasler <jhasler@debian.org> Sun, 01 Jul 2012 22:05:56 -0500
+
+chrony (1.26-1) unstable; urgency=low
+
+ * New upstream release
+ Closes: #348554: chrony and hwclock packages not coordinated.
+ Closes: #572964: RTC support is missing.
+ Closes: #642209: add RTC support for linux 3.0.
+ Closes: #644241: new upstream version 1.26 available.
+
+ * Applied patches from Joachim Wiedorn <ad_debian@joonet.de>:
+ Fixed several typos in man pages and README.
+ Added version.h.
+ Moved default chrony.conf to debian/ .
+ Renamed cron and init files.
+ Removed debian/NEWS.Debian, debian/info.
+ Added debian/clean.
+ Updated debian/copyright. COPYING stays. Upstream requires it.
+ Fixed debian/menu, debian/control, updated debian/compat.
+ Added "--without-readline" to debian/rules: rewrite later.
+ Minor fixes to initscript: rewrite later.
+
+ Closes: #646732 Move from readline support to editline support.
+ Closes: #598253 Fix typo in LSB init headers ($hwclock to $time).
+ Closes: #600403 Fix init check with PPP connection.
+
+ -- John G. Hasler <jhasler@debian.org> Sun, 17 Jun 2012 21:55:47 -0500
+
+chrony (1.24-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add patch (directly over the source...), to work with kernels > 3.0.0,
+ by Paul Martin at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628919#15.
+ (Closes: #628919)
+ * Fix readline build-depends from "libreadline5-dev | libreadline-dev" to
+ libreadline-gplv2-dev because chrony is GPLv2 only. (Closes: #634447)
+ * Update copyright file to say that chrony is GPLv2 only. (Closes: #637526)
+
+ -- Ana Beatriz Guerrero Lopez <ana@debian.org> Fri, 12 Aug 2011 12:32:26 +0200
+
+chrony (1.24-3) unstable; urgency=high
+
+ * Applied (modifed) patch from Gregor Herrmann.
+
+ Closes: #593145: fails to configure on installation
+ Closes: #552162: chrony incorrectly thinks that it has failed to
+ (re)start
+ Closes: #592930: invoke-rc.d: initscript chrony, action "start" failed.
+
+ -- John G. Hasler <jhasler@debian.org> Tue, 14 Sep 2010 10:06:47 -0500
+
+chrony (1.24-2) unstable; urgency=low
+
+ * Fixed regression that caused default CHRONY_IOC_ lines to
+ vanish from io_linux.h thereby breaking hppa and ia64.
+
+ Closes: #588930: FTBFS [ia64,hppa]: "I don't know the values of the
+ _IOC_* constants on your architecture"
+
+ * $remote_fs was added in 1.24-1. Depending on networking is neither
+ necessary nor desireable.
+
+ Closes: #590888: Dependencies on init.d script insuficcient
+
+ * Still need to rewrite scripts.
+
+ -- John G. Hasler <jhasler@newsguy.com> Fri, 30 Jul 2010 20:32:55 -0500
+
+chrony (1.24-1) unstable; urgency=low
+
+ * New upstream release. The scripts will be rewritten and many more bugs
+ taken care of in -2. Right now I want to get 1.24 out there.
+
+ * Applied patch from Petter Reinholdtsen to init.d
+
+ Closes: #541806: misses syslog dependency in LSB headers
+
+ * Chrony cannot be linked to libreadline6 because it is GPLv2 only.
+
+ Closes: #553739 replacing libreadline5-dev build dependency with
+ libreadline-dev
+
+ * "configure" rewritten upstream, eliminating "+=".
+
+ Closes: #573036: RTC support disabled (due to Bashism in configure line 293)
+
+ * Removed "install-info" from scripts.
+
+ Closes: #568703: dpkg warnings
+
+ * client.c has been rewritten upstream.
+
+ Closes: #573032
+
+ * Fixed typos.
+
+ Closes: #434629: 'man chrony', 'cronyc', 'cronyd' typos: "parateters" x 2,
+ "priviliges"
+
+ * Added debian/source/format containing "1.0".
+
+ -- John G. Hasler <jhasler@newsguy.com> Tue, 22 Jun 2010 16:01:29 -0500
+
+chrony (1.23-7) unstable; urgency=high
+
+ * Applied patches from upstream to fix remote DOS:
+
+ CVE-2010-0292 Don't reply to invalid cmdmon packets
+
+ CVE-2010-0293 Limit client log memory size
+
+ CVE-2010-0294 Limit rate of syslog messages
+
+ -- John G. Hasler <jhasler@newsguy.com> Tue, 02 Feb 2010 19:37:50 -0600
+
+chrony (1.23-6) unstable; urgency=low
+
+ * Commented out rtcfile directive in chrony.conf because it can cause
+ lockups with certain combinations of motherboard and kernel (this is
+ a known kernel bug).
+
+ Closes: #508298: chronyd unreachable and does not work (clock drifts)
+
+ * Chrony no longer uses the ppp/ip-up.d and ppp/ip-up.d files and the new
+ init.d file won't hang if chronyc hangs.
+
+ Closes: #448481: /etc/ppp/ip-up.d/chrony doesn't work when bindaddress is set.
+
+ * Cannot reproduce on current version on amd64.
+
+ Closes: #412961: error in tracking report (on amd64?)
+
+ -- John Hasler <jhasler@debian.org> Wed, 10 Dec 2008 14:16:37 -0600
+
+chrony (1.23-5) unstable; urgency=low
+
+ * Replaced background kill with 'timelimit' in initscript.
+
+ Closes: #505094: chrony: kills random netstat processes
+
+ * Added 'Recommends: udev (>= 0.124-1)'
+
+ Closes: #497113: /dev/rtc renamed to /dev/rtc0 with linux-image-2.6-*/2.6.26+15
+
+ * Had previously applied patch from Nathanael Nerode to fix configure
+ bug but forgot to close the bug.
+
+ Closes: #392273: Recursive dependency disease: chrony shouldn't depend on ncurses
+
+ -- John Hasler <jhasler@debian.org> Sun, 09 Nov 2008 20:19:22 -0600
+
+chrony (1.23-4) unstable; urgency=low
+
+ * Fixed dependency of init script on Pppconfig ip-up.d script by moving
+ those lines into the init script.
+
+ * Added checks to try to make sure that Chronyd is really, really running.
+ Changed Netstat call to use -n, added code to kill it if it hangs.
+ Added code to kill Chronyc if it can't contact Chronyd.
+ Discussed the HPET/rtc problem in NEWS.Debian.
+
+ Closes: #504000: init script hangs for a while might break upgrade
+
+ * Added missing initialization to create_instance() in ntp_core.c.
+ This was why UTI_NormaliseTimeval() was being called with huge
+ values at times.
+
+ * See comment on #195620 in 1.21z-6 below. If you know of more LP64
+ bugs reopen #348412 with a patch.
+
+ Closes: #348412: chronyc not LP64 compliant
+
+ * Added comment about sources being discarded to chrony.conf as suggested
+ by Andreas Hübner in #268289.
+
+ * This is normal behavior.
+
+ Closes: #287060: trimrtc takes 40 seconds to take effect
+
+ -- John Hasler <jhasler@debian.org> Thu, 06 Nov 2008 10:38:58 -0600
+
+chrony (1.23-3) unstable; urgency=high
+
+ * Rewrote UTI_NormaliseTimeval()in util.c to use divide/remainder
+ instead of loops at the suggestion of Gabor Gombas. This prevents the
+ problem of the loop running until the sun goes out when the function
+ is called with a very large value for tv_usec on 64-bit architectures.
+ Also fixed some other spots where the same loop was being used.
+
+ Closes: #474294 Goes into endless loop
+ Closes: #447011 chronyd stalls with 100% CPU usage
+
+ I still don't know why the function is being called with such a
+ large value, however.
+
+ * Changed default servers in chrony,conf to Debian servers.
+
+ Closes: #434483: chrony: Should use NTP servers in Debian pool
+
+ -- John Hasler <jhasler@debian.org> Sat, 26 Apr 2008 11:47:44 -0500
+
+chrony (1.23-2) experimental; urgency=low
+
+ * Added default IOC's to io_linux.h.
+ Closes: #477043: chrony_1.23-1(ia64/experimental): FTBFS: IOC
+ constants unknown on ia64
+ Closes: #476963: chrony_1.23-1(hppa/experimental): FTBFS: "I don't
+ know the values of the _IOC_* constants for your architecture"
+
+ -- John Hasler <jhasler@debian.org> Sun, 20 Apr 2008 13:29:29 -0500
+
+chrony (1.23-1) experimental; urgency=low
+
+ * New upstream release
+ This is 1.23 with Debian patches applied (including some for LP64).
+ I'm uploading this to Experimental to get it tested on x86_64 to see
+ if #474294 is fixed.
+
+ -- John Hasler <jhasler@debian.org> Sat, 19 Apr 2008 14:49:15 -0500
+
+chrony (1.21z-6) unstable; urgency=low
+
+ * Applied patches from Eric Lammerts <eric@lammerts.org> and Goswin von
+ Brederlow <brederlo@informatik.uni-tuebingen.de> to cast the value
+ returned by ntohl to int32_t and so cause correct sign-extension near
+ line 1655 in client.c. Also fixed similar bugs in the same area. I'm
+ not sure this entirely fixes the chronyc number display problem,
+ though. I've not closed #348412 here because chrony is still not
+ fully LP64 compliant.
+ Closes: #195620: Strange "System time : xxx seconds slow of
+ NTP time" output
+
+ * Replaced addrfilt.c with addrfilt.c from upstream git repository.
+ This fixes the recursive structure definition problems.
+
+ * Replaced 'route' with 'netstat -r' in the initscript.
+
+ * Applied patch for configure script from Nathanael Nerode
+ <neroden@gcc.gnu.org> to delete the superfluous "lncurses" at line
+ 327.
+ Closes: #392273: Recursive dependency disease: chrony shouldn't depend
+ on ncurses
+
+ * Added test to reject servers claiming stratum less than 1 in
+ ntp_core.c "Test 7". Bill Unruh <unruh@physics.ubc.ca> has run across
+ a server that sometimes claims to be stratum 0, which causes
+ considerable confusion.
+
+ -- John Hasler <jhasler@debian.org> Fri, 16 Feb 2007 17:47:40 -0600
+
+chrony (1.21z-5) unstable; urgency=high
+
+ * Applied postinst patch from Lionel Elie Mamane to test for the
+ existence of old .keys and .conf files before renaming them.
+ Closes: #397759: fails to configure: mv: cannot stat `/etc/chrony/chrony.keys.1.21-2':
+ No such file or directory
+
+ * Added burst command to /etc/ppp/ip-up.d/chrony to give chronyd a kick in the butt.
+ Shouldn't need that, though.
+ Initscript now calls /etc/ppp/ip-up.d/chrony if a default route exists.
+ Closes: #397739: Not connecting to sources after reboot - dialup
+
+ -- John Hasler <jhasler@debian.org> Sun, 26 Nov 2006 08:07:20 -0600
+
+chrony (1.21z-4) unstable; urgency=low
+
+ * Added test for /usr/bin/mail to postinst.
+ Closes: #386651: chrony: Requires /usr/bin/mail but doesn't depend on it
+ Closes: #390280: chrony: missing dependency on mail
+
+ * Added LSB headers to initscript
+
+ * Corrected erroneous use of 'dpkg --compare-version' in preinst and postinst.
+ Closes: #386733: fails to configure (bad upgrade check)
+
+ * Added rm to postinst to remove keyfile possibly left by a failed install.
+ Closes: #390278: usage of tempfile /etc/chrony/chrony.keys is doubtful
+
+ -- John Hasler <jhasler@debian.org> Sat, 7 Oct 2006 13:39:49 -0500
+
+chrony (1.21z-3) unstable; urgency=low
+
+ * Changed upstream version number from 1.21 to 1.21z to satisfy Debian
+ archive software.
+
+ * Replaced impure chrony_1.21.orig.tar.gz.
+ Closes: #340030: chrony: Tarball is impure
+
+ * Now Provides, Conflicts, Replaces time-daemon
+ Closes: #330839: time-daemon pseudopackage
+
+ * Corrected typos.
+ Closes: #321121: chrony: typo in 'Conflicts:' field: s/ntpsimple/ntp-simple/ and s/ntprefclock/ntp-refclock/
+
+ * Rewrote postinst and postrm to use ucf. Wrote preinst to protect chrony.conf from dpkg.
+ Closes: #351332: chrony: conffile change prompt prevents smooth upgrade from sarge to etch
+
+ * Deleted last few lines of chrony.conf as they no longer apply.
+
+ * Deleted .arch-ids from contrib and examples.
+
+ * Fixed typo in chronyc.1
+ Closes: #349871: chrony: typo in chrnoyc.1 results in missing word
+
+ * Corrected references in man pages.
+ Closes: #345034: chrony: man pages refer to wrong sections
+
+ * Added "allow 172.16/12" to chrony.conf.
+ Closes: #252952: chrony: default allow should also have 172.16/12
+
+ * Channged server lines in chrony.conf to follow ntp.org current recommendation.
+ Closes: #243534: chrony: new pool.ntp.org setup doesn't work well
+
+ * Fixed FSF address in debian/copyright.
+
+ -- John Hasler <jhasler@debian.org> Fri, 1 Sep 2006 10:52:52 -0500
+
+chrony (1.21-2) unstable; urgency=high
+
+ * Patched io_linux.h to add missing architectures.
+ Closes: #339764: chrony - FTBFS: #error "I don't know the values of the
+ _IOC_* constants for your architecture"
+
+ * Fixed brown-bag error in rules.
+ Closes: #339853: /usr/sbin/chronyd is missing
+
+ -- John Hasler <jhasler@debian.org> Sat, 19 Nov 2005 10:12:49 -0600
+
+chrony (1.21-1) unstable; urgency=low
+
+ * New upstream release
+ Closes: #328292: New version of chrony avalaible
+ Closes: #301592: Fails to read RTC and floods logfiles
+
+ * Enabled RTC as upstream has installed a work-around for the HPET bug.
+
+ * Switched to libreadline5.
+ Closes: #326379: please rebuild with libreadline5-dev as build dependency
+
+ * Patched addrfilt.c to fix gcc 4.0 build problem.
+ Closes: #298709: chrony: FTBFS (amd64/gcc-4.0): array type has incomplete element type
+
+ * There are lots more minor things to fix but I'm uploading now to close
+ the serious bugs. I'll upload another version with some improvements
+ in a few weeks.
+
+ -- John Hasler <jhasler@debian.org> Tue, 15 Nov 2005 18:39:49 -0600
+
+chrony (1.20-8) unstable; urgency=high
+
+ * Added test for /usr/bin/mail in postinst.
+ Closes: #307061: Install failure: Cannot configure on system without mailx
+ I consider this bug serious because it can cause installation to fail
+ and so I want to get the fix into Sarge.
+
+ * Fixed typo in chrony.conf, replaced '/etc/init.d/chrony restart'
+ with 'invoke-rc.d chrony restart'.
+ Closes: #305090: Typo in chrony.conf, should mention invoke-rc.d
+
+ * Added README.Debian explaining that rtc is off by default.
+
+ -- John Hasler <jhasler@debian.org> Sat, 30 Apr 2005 18:47:30 -0500
+
+chrony (1.20-7) unstable; urgency=low
+
+ * Added info-4 to debian/rules.
+ Closes: #287142: chrony: Can't find chrony.info-4
+
+ * Corrected "See Also" section in chrony man page. Now mentions
+ chronyc(1), chronyd(8), and chrony.conf(5).
+ Closes: #287444: chrony.1.gz: SEE ALSO on man page has wrong section.
+
+ * Edited chrony.conf to disable rtc by default and explain why:
+ on some systems that use genrtc or the HPET real-time clock it
+ fails and causes chronyd to fill up the log. The failure is
+ probably due to a kernel bug, bug the logging should be
+ throttled.
+
+ * Added more explanatory comments at the servers directive in
+ chrony.conf.
+
+ * The postinst script now sends a message to root saying where the
+ password is, whether Chrony is assuming UTC or local time,
+ that rtc updating is disabled, why, and how to change it.
+
+ * Added missing '#' to
+ "Can't tell how your clock is set: assuming local time."
+ in postinst.
+
+ -- John Hasler <jhasler@debian.org> Tue, 12 Apr 2005 17:59:13 -0500
+
+chrony (1.20-6) unstable; urgency=low
+
+ * Fixed error in chrony.conf where the non-existent 'online' directive
+ was mentioned.
+ Closes: #257235 misleading instructions in chrony.conf
+
+ * Patched Makefile.in to generate faq.html.
+ Closes: #265936 /usr/share/doc/chrony/faq.txt.gz: how to read?
+
+ -- John Hasler <jhasler@debian.org> Sat, 4 Dec 2004 17:47:31 -0600
+
+chrony (1.20-5) unstable; urgency=low
+
+ * Put pool.ntp.org servers in chrony.conf as defaults.
+
+ * Fixed erroneous references to chronyd(1) in some man pages.
+ Closes: #241746 SEE ALSO chronyd(1) should be (8)
+
+ * I got a new motherboard and can no longer reproduce this.
+ If you can please reopen the bug.
+ Closes: #223518 Rtc stuff is broken
+
+ * Edited chrony.conf(5).
+ Closes: #241745 many more features have been added
+
+ * Edited chrony.conf to add logchange and mailonchange and to
+ enable rtc by default.
+ Closes: #226644 /etc/chrony/chrony.conf: rtc; not all options are noted in conf file
+
+ * Fixed upstream: see NEWS.
+ Closes: #124089 mistake in the chrony manual
+ Closes: #177366: trailing blank on log lines
+ Closes: #195618 failure to use /dev/misc/rtc floods logfiles
+ Closes: #53066 "acquisitionport" directive and doc fixes [patch]
+ Closes: #100880 RFE: don't use /proc when uname(2) will do
+ Closes: #163470: different bindaddresses for ntp port and control port
+ Closes: #200174: Chrony breaks under Kernel 2.5 (two bugs)
+
+ -- John Hasler <jhasler@debian.org> Sat, 10 Apr 2004 22:00:00 -0500
+
+chrony (1.20-4) unstable; urgency=low
+
+ * Added '#include <asm/types>' to rtc_linux.c to fix Alpha build problem.
+ Also removed spinlock stuff from configure.
+
+ -- John Hasler <jhasler@debian.org> Fri, 26 Dec 2003 21:00:00 -0600
+
+chrony (1.20-3) unstable; urgency=low
+
+ * Removed all inclusions of kernel headers.
+ Hopefully Chrony will now build on m68k.
+
+ -- John Hasler <jhasler@debian.org> Tue, 23 Dec 2003 19:00:00 -0600
+
+chrony (1.20-2) unstable; urgency=low
+
+ * Removed spinlock.h and mc146818.h from rtc_linux.c. linux/rtc.h and
+ RTC_UIE=0x10 provide everything needed now.
+ Closes: #223134 FTBFS: Errors in kernel headers
+
+ * However, rtc is now broken (and appears to have been broken for some time)
+ on 440BX chipsets with 2.4 kernels.
+
+ -- John Hasler <jhasler@debian.org> Fri, 12 Dec 2003 13:00:00 -0600
+
+chrony (1.20-1) unstable; urgency=low
+
+ * New upstream release.
+
+ * Frank Otto's patch to sys_linux.c, function guess_hz_and_shift_hz now
+ incorporated upstream.
+ Closes: #198557 Fatal error: chronyd can't determine hz for kernel with HZ=200
+
+ * Security and 64 bit patches are now incorporated upstream
+ along with most non-i386 architecture patches.
+
+ * Put correct links in /usr/share/doc/chrony/timeservers.
+ Closes: #189686 /usr/share/doc/timeservers links are broken
+
+ * Put correct links in chrony.conf.
+ Closes: #210886 bad link in chrony.conf
+
+ * Put missing newlines in apm and chrony.keys.
+ Closes: #211604 Build-warning: some files misses final newline
+
+ * Removed conflict with ntpdate.
+
+ -- John Hasler <jhasler@debian.org> Tue, 7 Oct 2003 22:00:00 -0500
+
+chrony (1.19-10) unstable; urgency=low
+
+ * Put linux/linkage.h ahead of linux/spinlock.h as I meant to in
+ the first place.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 13 Jul 2003 7:00:00 -0500
+
+chrony (1.19-9) unstable; urgency=low
+
+ * Added "#include <linux/linkage.h>" to rtc_linux.c to fix mips
+ build failure.
+ Closes: #200165 chrony doesn't build on mips and mipsel
+
+ -- John Hasler <john@dhh.gt.org> Sat, 12 Jul 2003 10:00:00 -0500
+
+chrony (1.19-8) unstable; urgency=low
+
+ * Added bison to build-depends because of addition of getdate.y
+
+ -- John Hasler <john@dhh.gt.org> Tue, 3 Jun 2003 10:00:00 -0500
+
+chrony (1.19-7) unstable; urgency=high
+
+ * Closes: #186498 chronyc hangs if no chronyd is running
+ Added test for running daemon to ip-{up|down} scripts.
+ Disabled trimrtc for ALPHA
+ Closes: #195615 GPL violation - generated file without source
+ * Added a copy of getdate.y to source.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 1 Jun 2003 7:00:00 -0500
+
+chrony (1.19-6) unstable; urgency=low
+
+ * Closes: #179842 "CROAK" redefined
+ Added '#undef CROAK' before CROAK redefiniton in pktlength.h,
+ added '-DALPHA' to 'alpha' condition in configure, added
+ 'ifdef ALPHA' around CROAK redefinition.
+ * Replaced many signed and unsigned longs as well as some ints,
+ shorts, and chars with stdint.h types in candm.h, md5.h, ntp.h,
+ clientlog.h, and ntp_io.c. This should fix all 64-bit problems.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 14 Mar 2003 19:00:00 -0600
+
+chrony (1.19-5) unstable; urgency=high
+
+ * Closes: #184065 Assertion `sizeof(NTP_int32) == 4' failed on alpha
+ Fixed several spots where the author assumed that a long is 32 bits.
+ There are many more misuses of long as well as several of short and
+ char but I think I got the only ones likely to cause trouble.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 14 Mar 2003 11:00:00 -0600
+
+chrony (1.19-4) unstable; urgency=low
+
+ * Closes: #179538 FTBFS: missing build-depends on makeinfo
+ Added texinfo to build-depends.
+ * CLoses: #179508: chrony(c|d) show wrong version numbers
+ Removed spurious version.h.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 2 Feb 2003 19:00:00 -0600
+
+chrony (1.19-3) unstable; urgency=low
+
+ * Updated author's address in copyright file.
+ * Closes: #163446 patch, that scripts can handle all commandkeys
+ Applied debugged patch.
+ * Closes: #107863 doesn't know about APM
+ Put apm script in debian/ and added rules to copy it to
+ etc/apm/event.d as instructed by the apmd maintainer.
+
+ -- John Hasler <john@dhh.gt.org> Fri, 31 Jan 2003 18:00:00 -0600
+
+chrony (1.19-2) unstable; urgency=low
+
+ * Closes: #100879 unnecessary dependency on libm
+ Applied patch from Zack Weinberg <zack@codesourcery.com>
+ * Closes: #124091 the force-reload command of /etc/init.d/chrony should
+ use the -r option.
+ Added -r option.
+
+ -- John Hasler <john@dhh.gt.org> Wed, 29 Jan 2003 10:00:00 -0600
+
+chrony (1.19-1) unstable; urgency=low
+
+ * New upstream release.
+ * Closes: #178338 New upstream version fixes crashes caused by adjtimex
+ failure
+ * Closes: #178101 /etc/ppp/ip-{up,down}.d/chrony installed with
+ incorrect permissions
+ This bug was previously reported and fixed in 18-1
+ * Closes: #176130 got an error when I use ppp_on_boot
+ Changed 'update-rc.d chrony defaults 83' to
+ 'update-rc.d chrony defaults 14' in init.d so that chrony
+ will come up before ppp.
+ * Added code to postinst to read /etc/default/rcS and
+ set rtconutc appropriately in chrony.conf.
+ * Rewrote password generator in postinst.
+ * Closes: #100879 unnecessary dependency on libm
+ I don't know why this wasn't closed months ago.
+ * Closes: #103447 typo in "/etc/init.d/chrony"
+ * Closes: #124087 problems with /etc/init.d/chrony
+ Fixed script.
+ * Closes: #161350 /etc/ppp/ip-down.d/chrony cat unnecessary
+ Fixed scripts.
+ * Closes: #113840 ntp has been split - add conflicts?
+ Added ntp-simple and ntp-refclock to conflicts.
+
+ -- John Hasler <john@dhh.gt.org> Sun, 26 Jan 2003 15:00:00 -0600
+
+chrony (1.18-2) unstable; urgency=low
+
+ * Corrects error in changelog which resulted
+ in uploads being erroneously classified as NMUs.
+ * Closes: #138142, #104774, #142670, #105344, #101039
+ * Closes: #162427, #56756, #98951, #99799, #139633
+ * Closes: #163469, #163408, #167416
+
+ -- John Hasler <john@dhh.gt.org> Sun, 3 Nov 2002 20:00:00 -0600
+
+chrony (1.18-1) unstable; urgency=low
+
+ * New upstream release.
+ * Closes: #138142 new upstream release
+ * Added Mark Brown's Alpha and PowerPC patch.
+ * Closes: #104774 hppa build failure
+ Applied patch.
+ * Closes: #142670 compilation errors on sparc
+ Applied patch.
+ * Closes: #105344 ip-{up, down}.d/chrony not executable
+ Fixed debian/rules.
+ * Closes: #101039 does not run on Alpha
+ Fixed by above mentioned Mark Brown patch.
+ * Closes: #162427 description should mention NTP
+ Fixed description.
+ * Closes: #56756 README.debian should caution about hwclock
+ Fixed README.debian.
+ * Closes: #98951 no chrony.keys file installed
+ Not reproducible, probable user error.
+ * Closes: #99799 logs world readable
+ Added umask 022 to log script.
+ * Closes: #139633 documentation error
+ Added rtconutc to chrony.conf.
+ * Closes: #163469 no default case in init.d script
+ Corrected typo.
+ * Closes: #163408 PIDFILE wrongly defined in ip-{up,down}
+ No chrony script uses any such variable.
+ * Closes: #167416 needs Build-Depends: libreadline4-dev
+
+ -- <john@dhh.gt.org> Sun, 3 Nov 2002 10:00:00 -0600
+
+chrony (1.14-7) unstable; urgency=medium
+
+ * Changed rtc_linux.c to not include linux/mc146818rtc.h
+ when building for sparc, because Moshe Zadka says this
+ will allow chrony to build there.
+ * Closes: #142670
+
+ -- <jhasler@debian.org> Wed, 17 Apr 2002 17:00:00 -0500
+
+chrony (1.14-6) unstable; urgency=low
+
+ * Changed architecture back to 'any'.
+ * Applied portability patch from LaMont Jones.
+ * Closes: #104774
+
+ -- <jhasler@debian.org> Mon, 1 Apr 2002 21:00:00 -0600
+
+chrony (1.14-5) unstable; urgency=low
+
+ * Changed architecture from 'any' to 'i386 sparc'.
+ Neither I nor the author can test on anything but i386. If
+ you want chrony on anything else send me a tested patch.
+ * Closes: #101039
+ * Closes: #104774
+
+ -- <john@dhh.gt.org> Fri, 28 Dec 2001 20:10:00 -0600
+
+chrony (1.14-4) unstable; urgency=low
+
+ * Fixed bug in man pages.
+ * Closes: #95134
+
+ -- <john@dhh.gt.org> Tue, 24 Apr 2001 20:10:00 -0500
+
+chrony (1.14-3) unstable; urgency=low
+
+ * Replaced <linux/spinlock.h> in rtc_linux.c with
+ typedef int spinlock_t as suggested by Paul Slootman.
+ * Put #define CROAK(message) assert(0) in pktlength.h
+ to fix Alpha build problem.
+ * Closes: #86991
+
+ -- <john@dhh.gt.org> Sat, 24 Feb 2001 22:45:00 -0600
+
+chrony (1.14-2) unstable; urgency=low
+
+ * Closes: #84597
+
+ -- <john@dhh.gt.org> Sat, 3 Feb 2001 21:25:00 -0600
+
+chrony (1.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed more sprintfs.
+ * Closes: #50793, #52570, #48216, #65209, #62924, #70377, #61485, #76661
+
+ -- <john@dhh.gt.org> Mon, 20 Nov 2000 20:25:00 -0600
+
+chrony (1.10-3) unstable; urgency=low
+
+ * Patched cron,weekly script with (corrected) patch
+ from Rene H. Larsen <renehl@post1.tele.dk>.
+ * Updated author address in copyright file.
+ * Compiled with egcs.
+ * Closes: #41885, #41551
+
+ -- <john@dhh.gt.org> Sun, 25 July 1999 12:14:00 -0500
+
+chrony (1.10-2) unstable; urgency=low
+
+ * Patched rtc_linux.c with patch for SPARC from
+ bmc@visi.net.
+
+ -- <john@dhh.gt.org> Mon, 17 May 1999 22:30:00 -0500
+
+chrony (1.10-1) unstable; urgency=low
+
+ * New upstream release.
+ * Upstream version number is 1.1. Debian version
+ number is 1.10 because previous upstream number
+ was 1.02.
+
+ -- <john@dhh.gt.org> Wed, 12 May 1999 20:30:00 -0500
+
+chrony (1.02-7) unstable; urgency=low
+
+ * Changed configure to permit building on non-Intel.
+
+ -- <john@dhh.gt.org> Wed, 5 May 1999 18:00:00 -0500
+
+chrony (1.02-6) unstable; urgency=low
+
+ * Fixed postrm bug.
+
+ -- <john@dhh.gt.org> Thur, 29 Apr 1999 18:00:00 -0500
+
+chrony (1.02-5) unstable; urgency=low
+
+ * Fixed bugs 34954 and 36921.
+ * Moved to priority extra.
+ * Added README.debian text about rtc.
+
+ -- <john@dhh.gt.org> Thur, 15 Apr 1999 21:30:00 -0500
+
+chrony (1.02-4) unstable; urgency=low
+
+ * Replaced sprintf's with snprintf's.
+
+ -- <john@dhh.gt.org> Sun, 28 Feb 1999 16:53:00 -0600
+
+chrony (1.02-3) unstable; urgency=low
+
+ * Fixed bugs in cron.weekly, ip-up.d, and ip-down.d.
+ * Bug 29981 is also fixed.
+
+ -- <john@dhh.gt.org> Sun, 6 Dec 1998 9:53:00 -0600
+
+chrony (1.02-2) unstable; urgency=low
+
+ * Added cron.weekly.
+ * Changed ip-up.d, ip-down.d, and cron.weekly to read the
+ password from chrony.keys.
+ * Added code to postinst to generate a random password and
+ put it in chrony.keys.
+
+ -- <john@dhh.gt.org> Thur, 3 Dec 1998 19:00:08 -0600
+
+chrony (1.02-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- <john@dhh.gt.org> Fri, 6 Nov 1998 23:00:08 -0600
diff --git a/debian/chrony-dnssrv@.service b/debian/chrony-dnssrv@.service
new file mode 100644
index 0000000..86d374f
--- /dev/null
+++ b/debian/chrony-dnssrv@.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=DNS SRV lookup of %I for chrony
+After=chrony.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/chrony/chrony-helper update-dnssrv-servers %I
+ProtectSystem=strict
+PrivateDevices=yes
+ProtectHome=yes
+ReadWritePaths=/run
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
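Review bot: `PrivateDevices=yes` is listed twice in [Service], once after `ProtectSystem=strict` and again after `PrivateTmp=yes`; the second line is redundant and can be dropped. `ReadWritePaths=/run` also makes all of /run writable, although the helper added in this commit keeps its state under /run/chrony-helper, so most of what `ProtectSystem=strict` would protect there is given back. Narrowing it to the directories the helper and chronyc really need would be tighter, but chronyc presumably needs its socket directory too, so confirm the list before changing it. The unit sets no `User=` and no `NoNewPrivileges=yes`; the latter looks compatible with a oneshot that only runs the helper, dig and chronyc.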
diff --git a/debian/chrony-dnssrv@.timer b/debian/chrony-dnssrv@.timer
new file mode 100644
index 0000000..8495e01
--- /dev/null
+++ b/debian/chrony-dnssrv@.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Periodic DNS SRV lookup of %I for chrony
+
+[Timer]
+OnActiveSec=0
+OnUnitInactiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff --git a/debian/chrony-helper b/debian/chrony-helper
new file mode 100755
index 0000000..5099161
--- /dev/null
+++ b/debian/chrony-helper
@@ -0,0 +1,264 @@
+#!/bin/bash
+# This script configures running chronyd to use NTP servers obtained from
+# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
+# externally (e.g. by a dhclient script). Files with servers from DNS SRV
+# records are updated here using the dig utility. The script can also list
+# and set static sources in the chronyd configuration file.
+#
+# Modified for Debian by Vincent Blut <vincent.debian@free.fr>.
+
+chronyc=/usr/bin/chronyc
+chrony_conf=/etc/chrony/chrony.conf
+chrony_service=chrony.service
+helper_dir=/run/chrony-helper
+added_servers_file=$helper_dir/added_servers
+
+dhclient_servers_files="/var/lib/dhcp/chrony.servers.*"
+dnssrv_servers_files="$helper_dir/dnssrv@*"
+dnssrv_timer_prefix=chrony-dnssrv@
+
+chrony_command() {
+ $chronyc -n -m "$1"
+}
+
+is_running() {
+ chrony_command "tracking" &> /dev/null
+}
+
+get_servers_files() {
+ echo "$dhclient_servers_files"
+ echo "$dnssrv_servers_files"
+}
+
+is_update_needed() {
+ for file in $(get_servers_files) $added_servers_file; do
+ [ -e "$file" ] && return 0
+ done
+ return 1
+}
+
+update_daemon() {
+ local all_servers_with_args all_servers added_servers
+
+ if ! is_running; then
+ rm -f $added_servers_file
+ return 0
+ fi
+
+ all_servers_with_args=$(cat $(get_servers_files) 2> /dev/null)
+
+ all_servers=$(
+ echo "$all_servers_with_args" |
+ while read -r server serverargs; do
+ echo "$server"
+ done | sort -u)
+ added_servers=$( (
+ cat $added_servers_file 2> /dev/null
+ echo "$all_servers_with_args" |
+ while read -r server serverargs; do
+ [ -z "$server" ] && continue
+ chrony_command "add server $server $serverargs" &> /dev/null &&
+ echo "$server"
+ done) | sort -u)
+
+ comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
+ while read -r server; do
+ chrony_command "delete $server" &> /dev/null
+ done
+
+ added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
+
+ if [ -n "$added_servers" ]; then
+ echo "$added_servers" > $added_servers_file
+ else
+ rm -f $added_servers_file
+ fi
+}
+
+get_dnssrv_servers() {
+ local name=$1 output
+
+ if ! command -v dig &> /dev/null; then
+ echo "Missing dig (DNS lookup utility)" >&2
+ return 1
+ fi
+
+ output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null) || return 0
+
+ echo "$output" | while read -r _ _ port target; do
+ server=${target%.}
+ [ -z "$server" ] && continue
+ echo "$server port $port iburst"
+ done
+}
+
+check_dnssrv_name() {
+ local name=$1
+
+ if [ -z "$name" ]; then
+ echo "No DNS SRV name specified" >&2
+ return 1
+ fi
+
+ if [ "${name:0:9}" != _ntp._udp ]; then
+ echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
+ return 1
+ fi
+}
+
+update_dnssrv_servers() {
+ local name=$1
+ local srv_file=$helper_dir/dnssrv@$name servers
+
+ check_dnssrv_name "$name" || return 1
+
+ servers=$(get_dnssrv_servers "$name")
+ if [ -n "$servers" ]; then
+ echo "$servers" > "$srv_file"
+ else
+ rm -f "$srv_file"
+ fi
+}
+
+set_dnssrv_timer() {
+ local state=$1 name=$2
+ local srv_file=$helper_dir/dnssrv@$name servers
+ local timer
+
+ timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer || return 1
+
+ check_dnssrv_name "$name" || return 1
+
+ if [ "$state" = enable ]; then
+ systemctl enable "$timer"
+ systemctl start "$timer"
+ elif [ "$state" = disable ]; then
+ systemctl stop "$timer"
+ systemctl disable "$timer"
+ rm -f "$srv_file"
+ fi
+}
+
+list_dnssrv_timers() {
+ systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
+ sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
+ while read -r name; do
+ systemd-escape --unescape "$name"
+ done
+}
+
+prepare_helper_dir() {
+ mkdir -p $helper_dir
+ exec 100> $helper_dir/lock
+ if ! flock -w 20 100; then
+ echo "Failed to lock $helper_dir" >&2
+ return 1
+ fi
+}
+
+is_source_line() {
+ local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
+ [[ "$1" =~ $pattern ]]
+}
+
+list_static_sources() {
+ while read -r line; do
+ if is_source_line "$line"; then
+ echo "$line"
+ fi
+ done < $chrony_conf
+}
+
+set_static_sources() {
+ local new_config tmp_conf
+
+ new_config=$(
+ sources=$(
+ while read -r line; do
+ is_source_line "$line" && echo "$line"
+ done)
+
+ while read -r line; do
+ if ! is_source_line "$line"; then
+ echo "$line"
+ continue
+ fi
+
+ tmp_sources=$(
+ local removed=0
+
+ echo "$sources" | while read -r line2; do
+ if [ "$removed" -ne 0 ] || [ "$line" != "$line2" ]; then
+ echo "$line2"
+ else
+ removed=1
+ fi
+ done)
+
+ [ "$sources" == "$tmp_sources" ] && continue
+ sources=$tmp_sources
+ echo "$line"
+ done < $chrony_conf
+
+ echo "$sources"
+ )
+
+ tmp_conf=${chrony_conf}.tmp
+
+ cp -a $chrony_conf $tmp_conf &&
+ echo "$new_config" > $tmp_conf &&
+ mv $tmp_conf $chrony_conf || return 1
+
+ systemctl try-restart $chrony_service
+}
+
+print_help() {
+ echo "Usage: $0 COMMAND"
+ echo
+ echo "Commands:"
+ echo " update-daemon"
+ echo " update-dnssrv-servers NAME"
+ echo " enable-dnssrv NAME"
+ echo " disable-dnssrv NAME"
+ echo " list-dnssrv"
+ echo " list-static-sources"
+ echo " set-static-sources < sources.list"
+ echo " is-running"
+ echo " command CHRONYC-COMMAND"
+}
+
+case "$1" in
+ update-daemon|add-dhclient-servers|remove-dhclient-servers)
+ is_update_needed || exit 0
+ prepare_helper_dir && update_daemon
+ ;;
+ update-dnssrv-servers)
+ prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
+ ;;
+ enable-dnssrv)
+ set_dnssrv_timer enable "$2"
+ ;;
+ disable-dnssrv)
+ set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
+ ;;
+ list-dnssrv)
+ list_dnssrv_timers
+ ;;
+ list-static-sources)
+ list_static_sources
+ ;;
+ set-static-sources)
+ set_static_sources
+ ;;
+ is-running)
+ is_running
+ ;;
+ command|forced-command)
+ chrony_command "$2"
+ ;;
+ *)
+ print_help
+ exit 2
+esac
+
+exit $?
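Review bot: `check_dnssrv_name` only tests that the name starts with `_ntp._udp`, yet `update_dnssrv_servers` and `set_dnssrv_timer` build `srv_file=$helper_dir/dnssrv@$name` from that name and then write to it or `rm -f` it, presumably as root. A name containing `/` makes that path leave `$helper_dir`, so the check should accept only DNS label characters, for example `local re='^_ntp\._udp(\.[A-Za-z0-9_-]+)*\.?$'` followed by `[[ "$name" =~ $re ]] || return 1`. In the same hunk `update_daemon` passes every line of the servers files into `chrony_command "add server $server $serverargs"` without validation. A comment there such as `# servers files are trusted input: they must be writable by root only` would record that assumption.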
diff --git a/debian/chrony.conf b/debian/chrony.conf
new file mode 100644
index 0000000..b3a9510
--- /dev/null
+++ b/debian/chrony.conf
@@ -0,0 +1,47 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usable directives.
+
+# Include configuration files found in /etc/chrony/conf.d.
+confdir /etc/chrony/conf.d
+
+# Use Debian vendor zone.
+pool 2.debian.pool.ntp.org iburst
+
+# Use time sources from DHCP.
+sourcedir /run/chrony-dhcp
+
+# Use NTP sources found in /etc/chrony/sources.d.
+sourcedir /etc/chrony/sources.d
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Save NTS keys and cookies.
+ntsdumpdir /var/lib/chrony
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+# This directive must be commented out when using time sources serving
+# leap-smeared time.
+leapsectz right/UTC
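Review bot: The `sourcedir /run/chrony-dhcp` line carries only the comment "Use time sources from DHCP", which does not say that these servers are accepted from whichever DHCP server answers on the link and are used without authentication. An administrator on an untrusted network should be able to see that from the file. I would extend the comment, for example `# Use time sources from DHCP. These are unauthenticated; comment this out on untrusted networks.`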
diff --git a/debian/chrony.default b/debian/chrony.default
new file mode 100644
index 0000000..028f63d
--- /dev/null
+++ b/debian/chrony.default
@@ -0,0 +1,6 @@
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-F 1"
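Review bot: `DAEMON_OPTS="-F 1"` is set with no comment on what the flag does, so someone editing this file to add an option may drop it without noticing that it turns off the seccomp system call filter. A one-line comment above the assignment would help, e.g. `# -F 1 enables chronyd's seccomp system call filter; keep it unless the filter blocks a feature you need.`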
diff --git a/debian/chrony.dhcp b/debian/chrony.dhcp
new file mode 100644
index 0000000..f3dacd7
--- /dev/null
+++ b/debian/chrony.dhcp
@@ -0,0 +1,27 @@
+CHRONY_SOURCEDIR=/run/chrony-dhcp
+SERVERFILE=$CHRONY_SOURCEDIR/$interface.sources
+
+chrony_config() {
+ rm -f "$SERVERFILE"
+ mkdir -p "$CHRONY_SOURCEDIR"
+ for server in $new_ntp_servers; do
+ echo "server $server iburst" >> "$SERVERFILE"
+ done
+ /usr/bin/chronyc reload sources > /dev/null 2>&1 || :
+}
+
+chrony_restore() {
+ if [ -f "$SERVERFILE" ]; then
+ rm -f "$SERVERFILE"
+ /usr/bin/chronyc reload sources > /dev/null 2>&1 || :
+ fi
+}
+
+case $reason in
+ BOUND|RENEW|REBIND|REBOOT)
+ chrony_config
+ ;;
+ EXPIRE|FAIL|RELEASE|STOP)
+ chrony_restore
+ ;;
+esac
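Review bot: In `chrony_config`, each word of `$new_ntp_servers` is written straight into a `server` line of a file that chronyd loads, with no check on what the word contains. The value comes from the DHCP lease; dhclient presumably formats this option as a list of addresses, but the hook itself would pass anything through, and the unquoted expansion is also subject to pathname expansion. I would skip entries containing characters that cannot occur in an address, e.g. `case $server in *[!0-9A-Fa-f.:]*) continue ;; esac` as the first line of the loop body (widen the pattern if host names are expected).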
diff --git a/debian/chrony.examples b/debian/chrony.examples
new file mode 100644
index 0000000..1a0e8e2
--- /dev/null
+++ b/debian/chrony.examples
@@ -0,0 +1 @@
+examples/chrony.conf*
diff --git a/debian/chrony.if-post-down b/debian/chrony.if-post-down
new file mode 100644
index 0000000..4cc0796
--- /dev/null
+++ b/debian/chrony.if-post-down
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+[ -x /usr/sbin/chronyd ] || exit 0
+
+if [ -e /run/chrony/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
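Review bot: Under `set -e`, a failing `chronyc onoffline` makes this hook exit non-zero before it reaches `exit 0`, so a chronyd that is shutting down or not answering would surface as an interface hook failure. The ppp ip-up and ip-down scripts in this commit run the same command without `set -e` and always exit 0. Writing the call as `chronyc onoffline > /dev/null 2>&1 || true` keeps that behaviour. The same applies to debian/chrony.if-up, which is identical.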
diff --git a/debian/chrony.if-up b/debian/chrony.if-up
new file mode 100644
index 0000000..4cc0796
--- /dev/null
+++ b/debian/chrony.if-up
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+[ -x /usr/sbin/chronyd ] || exit 0
+
+if [ -e /run/chrony/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.keys b/debian/chrony.keys
new file mode 100644
index 0000000..a2d655d
--- /dev/null
+++ b/debian/chrony.keys
@@ -0,0 +1,10 @@
+# This file is solely used for NTP authentication with symmetric keys
+# as defined by RFC 1305 and RFC 5905.
+#
+# It can contain ID/key pairs which can be generated using the “keygen” option
+# from “chronyc”; for example:
+# chronyc keygen 1 SHA256 256 >> /etc/chrony/chrony.keys
+# would generate a 256-bit SHA-256 key using ID 1.
+#
+# A list of supported hash functions and output encoding is available by
+# consulting the "keyfile" directive in the chrony.conf(5) man page.
diff --git a/debian/chrony.lintian-overrides b/debian/chrony.lintian-overrides
new file mode 100644
index 0000000..a8c3d27
--- /dev/null
+++ b/debian/chrony.lintian-overrides
@@ -0,0 +1,11 @@
+# The “chrony.keys” file must not be world readable as it could contain
+# symmetric keys used for NTP authentication.
+chrony: non-standard-file-perm usr/share/chrony/chrony.keys 0640 != 0644
+
+# NetworkManager does not execute dispatcher scripts in /usr/libexec.
+chrony: executable-in-usr-lib usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
+chrony: executable-in-usr-lib usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
+
+# Being architecture-independent, these symlinks should be harmless.
+chrony: breakout-link usr/lib/networkd-dispatcher/off.d/chrony-onoffline -> usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
+chrony: breakout-link usr/lib/networkd-dispatcher/routable.d/chrony-onoffline -> usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
diff --git a/debian/chrony.maintscript b/debian/chrony.maintscript
new file mode 100644
index 0000000..bb74681
--- /dev/null
+++ b/debian/chrony.maintscript
@@ -0,0 +1,2 @@
+rm_conffile /etc/apm/event.d/01chrony 2.4.1-3~ chrony
+rm_conffile /etc/NetworkManager/dispatcher.d/20-chrony 3.5-7~ chrony
diff --git a/debian/chrony.ppp.ip-down b/debian/chrony.ppp.ip-down
new file mode 100644
index 0000000..c077551
--- /dev/null
+++ b/debian/chrony.ppp.ip-down
@@ -0,0 +1,13 @@
+#!/bin/sh
+# This script tells chronyd that the connection is down
+# so that it won't try to contact the server.
+# John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+# Modified by Vincent Blut <vincent.debian@free.fr>
+
+if [ -e /run/chrony/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.ppp.ip-up b/debian/chrony.ppp.ip-up
new file mode 100644
index 0000000..9c8d089
--- /dev/null
+++ b/debian/chrony.ppp.ip-up
@@ -0,0 +1,12 @@
+#!/bin/sh
+# This script tells chronyd that the connection is up so that it can
+# contact the server. John Hasler <jhasler@debian.org> 1998-2003
+# Any possessor of a copy of this program may treat it as if it
+# were in the public domain. I waive all rights.
+# Modified by Vincent Blut <vincent.debian@free.fr>
+
+if [ -e /run/chrony/chronyd.pid ]; then
+ chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0
diff --git a/debian/chrony.service b/debian/chrony.service
new file mode 100644
index 0000000..29e6382
--- /dev/null
+++ b/debian/chrony.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=chrony, an NTP client/server
+Documentation=man:chronyd(8) man:chronyc(1) man:chrony.conf(5)
+Conflicts=openntpd.service ntp.service ntpsec.service
+Wants=time-sync.target
+Before=time-sync.target
+After=network.target
+ConditionCapability=CAP_SYS_TIME
+
+[Service]
+Type=forking
+PIDFile=/run/chrony/chronyd.pid
+EnvironmentFile=-/etc/default/chrony
+ExecStart=/usr/sbin/chronyd $DAEMON_OPTS
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+
+[Install]
+Alias=chronyd.service
+WantedBy=multi-user.target
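Review bot: The `[Service]` section does not stop the daemon from gaining new privileges and does not bound its capabilities, although the `Protect*` lines show the unit is meant to be sandboxed. Consider adding `NoNewPrivileges=yes` and a `CapabilityBoundingSet=` limited to what chronyd actually needs. Both need testing against the features in use (running an external mail command from chronyd, for instance, may stop working), so this is a change to evaluate rather than a drop-in.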
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..70f5857
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+getdate.c
diff --git a/debian/conf.d/README b/debian/conf.d/README
new file mode 100644
index 0000000..de1fa8e
--- /dev/null
+++ b/debian/conf.d/README
@@ -0,0 +1,7 @@
+Files found under the /etc/chrony/conf.d directory with the .conf suffix are
+parsed in the lexicographical order of the file names when chronyd starts up.
+This enables a fragmented configuration of chronyd.
+
+Although those files can contain any directives listed in chrony.conf(5),
+it would be wiser to add NTP sources in the /etc/chrony/sources.d
+directory. Please read /etc/chrony/sources.d/README for more information.
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ca53b93
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,54 @@
+Source: chrony
+Section: net
+Priority: optional
+Maintainer: Vincent Blut <vincent.debian@free.fr>
+Standards-Version: 4.5.1
+Build-Depends: asciidoctor (>= 1.5.3-1~),
+ bison,
+ debhelper-compat (= 13),
+ dh-apparmor,
+ gnutls-bin <!nocheck>,
+ libcap-dev [linux-any],
+ libedit-dev,
+ libgnutls28-dev,
+ libseccomp-dev (>= 2.4.3-1~) [amd64 arm64 armel armhf hppa i386 mips mipsel mips64el powerpc powerpcspe ppc64 ppc64el riscv64 s390x x32],
+ net-tools <!nocheck>,
+ nettle-dev,
+ pkg-config,
+ pps-tools (>= 0.20120406+g0deb9c7e-2) [linux-any],
+ procps <!nocheck>
+Homepage: https://chrony.tuxfamily.org
+Vcs-Git: https://salsa.debian.org/debian/chrony.git -b debian/bullseye
+Vcs-Browser: https://salsa.debian.org/debian/chrony
+Rules-Requires-Root: no
+
+Package: chrony
+Architecture: linux-any
+Pre-Depends: ${misc:Pre-Depends}
+Depends: adduser,
+ iproute2 [linux-any],
+ tzdata,
+ ucf,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests: dnsutils,
+ networkd-dispatcher
+Breaks: network-manager (<< 1.20.0-1~)
+Conflicts: time-daemon
+Provides: time-daemon
+Replaces: time-daemon
+Description: Versatile implementation of the Network Time Protocol
+ It consists of a pair of programs:
+ .
+ chronyd: This is a daemon which runs in background on the system.
+ It obtains measurements (e.g. via the network) of the system's offset
+ relative to other systems and adjusts the system time accordingly. For
+ isolated systems, the user can periodically enter the correct time by
+ hand (using 'chronyc'). In either case 'chronyd' determines the rate
+ at which the computer gains or loses time, and compensates for this.
+ Chronyd implements the NTP protocol and can act as either a client or
+ a server.
+ .
+ chronyc: This is a command-line driven control and monitoring program.
+ An administrator can use this to fine-tune various parameters within
+ the daemon, add or delete servers etc whilst the daemon is running.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..a9e0040
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,187 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: chrony
+Upstream-Contact: Miroslav Lichvar <mlichvar@redhat.com>
+Source: https://download.tuxfamily.org/chrony/
+
+Files: *
+Copyright: 2009-2020, Miroslav Lichvar
+ 1997-2007, Richard P. Curnow
+License: GPL-2
+
+Files: main.c
+ sys_linux.c
+Copyright: 2012-2020, Miroslav Lichvar
+ 2009, John G. Hasler
+ 1997-2003, Richard P. Curnow
+License: GPL-2
+
+Files: ntp_io.c
+Copyright: 2009, 2013-2016, 2018-2020, Miroslav Lichvar
+ 2009, Timo Teras
+ 1997-2003, Richard P. Curnow
+License: GPL-2
+
+Files: sys_macosx.?
+Copyright: 2015, 2017, 2020, Bryan Christianson
+ 2001, J. Hannken-Illjes
+ 1997-2001, Richard P. Curnow
+License: GPL-2
+
+Files: sys_netbsd.?
+Copyright: 2001, J. Hannken-Illjes
+ 1997-2001, Richard P. Curnow
+License: GPL-2
+
+Files: debian/*
+Copyright: 2015-2021, Vincent Blut
+ 2012-2014, Joachim Wiedorn
+ 2000-2012, John Hasler
+License: GPL-2
+
+Files: test/simulation/test.common
+Copyright: 2013-2014, Miroslav Lichvar
+License: GPL-2+
+
+Files: privops.c
+Copyright: 2015, Bryan Christianson
+ 2017, Miroslav Lichvar
+License: GPL-2
+
+Files: privops.h
+Copyright: 2015, Bryan Christianson
+License: GPL-2
+
+Files: contrib/bryan_christianson_1/chronylogrotate.sh
+Copyright: 2015, Bryan Christianson
+License: GPL-2
+
+Files: test/unit/*
+Copyright: 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: hwclock.?
+Copyright: 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: ntp_io_linux.?
+Copyright: 2016-2019, Miroslav Lichvar
+License: GPL-2
+
+Files: ntp_signd.?
+Copyright: 2016, Miroslav Lichvar
+License: GPL-2
+
+Files: client.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Lonnie Abelbeck
+ 2009-2020, Miroslav Lichvar
+License: GPL-2
+
+Files: configure
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Bryan Christianson
+ 2009, 2012-2020, Miroslav Lichvar
+ 2019, Stefan R. Filipek
+License: GPL-2
+
+Files: doc/chrony.conf.adoc
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Stephen Wadeley
+ 2009-2020, Miroslav Lichvar
+ 2017, Bryan Christianson
+License: GPL-2
+
+Files: doc/chronyc.adoc
+Copyright: 1997-2003, Richard P. Curnow
+ 2016, Stephen Wadeley
+ 2009-2020, Miroslav Lichvar
+License: GPL-2
+
+Files: refclock.c
+Copyright: 2009-2011, 2013-2014, 2016-2019, Miroslav Lichvar
+License: GPL-2
+
+Files: refclock_phc.c
+Copyright: 2013, 2017, Miroslav Lichvar
+License: GPL-2
+
+Files: regress.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011, 2016-2017, Miroslav Lichvar
+License: GPL-2
+
+Files: sched.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011, 2013-2016, Miroslav Lichvar
+License: GPL-2
+
+Files: sourcestats.c
+Copyright: 1997-2003, Richard P. Curnow
+ 2011-2014, 2016-2018, Miroslav Lichvar
+License: GPL-2
+
+Files: stubs.c
+Copyright: 2014-2016, Miroslav Lichvar
+License: GPL-2
+
+Files: hash_nettle.c
+Copyright: 2018, Miroslav Lichvar
+License: GPL-2
+
+Files: test/system/*
+Copyright: 2019, Miroslav Lichvar
+License: GPL-2
+
+Files: md5.*
+Copyright: 1990, RSA Data Security, Inc. All rights reserved.
+License: RSA-MD
+ License to copy and use this software is granted provided that
+ it is identified as the "RSA Data Security, Inc. MD5 Message-
+ Digest Algorithm" in all material mentioning or referencing this
+ software or this function.
+ .
+ License is also granted to make and use derivative works
+ provided that such works are identified as "derived from the RSA
+ Data Security, Inc. MD5 Message-Digest Algorithm" in all
+ material mentioning or referencing the derived work.
+ .
+ RSA Data Security, Inc. makes no representations concerning
+ either the merchantability of this software or the suitability
+ of this software for any particular purpose. It is provided "as
+ is" without express or implied warranty of any kind.
+ .
+ These notices must be retained in any copies of any part of this
+ documentation and/or software.
+
+License: GPL-2
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 2 can be found in the file `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General Public License
+ version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/dirs b/debian/dirs
new file mode 100644
index 0000000..152a039
--- /dev/null
+++ b/debian/dirs
@@ -0,0 +1,6 @@
+etc/chrony
+etc/logrotate.d
+etc/ppp/ip-down.d
+etc/ppp/ip-up.d
+usr/lib/NetworkManager/dispatcher.d
+var/lib/chrony
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e12f653
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+FAQ
+NEWS
+README
diff --git a/debian/init b/debian/init
new file mode 100644
index 0000000..ce121d7
--- /dev/null
+++ b/debian/init
@@ -0,0 +1,69 @@
+#! /bin/sh
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for Debian by Christoph Lameter <clameter@debian.org>
+# Modified for chrony by John Hasler <jhasler@debian.org> 1998-2012
+# Modified for Debian by Vincent Blut <vincent.debian@free.fr>
+
+### BEGIN INIT INFO
+# Provides: chrony
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Should-Start: $syslog $network $named $time
+# Should-Stop: $syslog $network $named $time
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Controls chronyd NTP time daemon
+# Description: Chronyd is the NTP time daemon in the Chrony package
+### END INIT INFO
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/sbin/chronyd
+NAME="chronyd"
+DESC="time daemon"
+PIDFILE=/run/chrony/chronyd.pid
+
+[ -x "$DAEMON" ] || exit 0
+
+. /lib/lsb/init-functions
+
+# Override this variable by editing /etc/default/chrony.
+DAEMON_OPTS=""
+if [ -f /etc/default/chrony ]; then
+ . /etc/default/chrony
+fi
+
+case "$1" in
+ start)
+ if $0 status > /dev/null ; then
+ log_success_msg "$NAME is already running"
+ else
+ log_daemon_msg "Starting $DESC" "$NAME"
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_OPTS
+ log_end_msg $?
+ fi
+ ;;
+
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --exec $DAEMON
+ log_end_msg $?
+ ;;
+
+ restart|force-reload)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+
+ *)
+ log_action_msg "Usage: /etc/init.d/chrony {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
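Review bot: `restart|force-reload` runs `$0 stop` and then `$0 start` immediately, but the `stop` branch calls `start-stop-daemon --stop` without `--retry`, so it returns as soon as the signal is sent. If chronyd has not exited yet, the `$0 status` check in the `start` branch can still see it, print "already running", and leave the daemon stopped once the old process goes away. Adding a retry schedule makes stop wait for the process to exit, e.g. `start-stop-daemon --stop --quiet --oknodo --retry 5 --pidfile $PIDFILE --exec $DAEMON`.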
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..e7dc12a
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,7 @@
+debian/chrony-dnssrv@.* lib/systemd/system
+debian/chrony-helper usr/libexec/chrony
+debian/chrony.conf usr/share/chrony
+debian/conf.d etc/chrony
+debian/ntp-units.d/50-chrony.list usr/lib/systemd/ntp-units.d
+debian/sources.d etc/chrony
+debian/usr.sbin.chronyd etc/apparmor.d
diff --git a/debian/links b/debian/links
new file mode 100644
index 0000000..31cfb4a
--- /dev/null
+++ b/debian/links
@@ -0,0 +1,5 @@
+# Update sources in response to systemd-networkd events (LP: #1718227).
+# This is reusing the NetworkManager dispatch script which has no hard
+# dependency to NetworkManager (not using any of its arguments)
+usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline usr/lib/networkd-dispatcher/routable.d/chrony-onoffline
+usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline usr/lib/networkd-dispatcher/off.d/chrony-onoffline
diff --git a/debian/ntp-units.d/50-chrony.list b/debian/ntp-units.d/50-chrony.list
new file mode 100644
index 0000000..6b9cca0
--- /dev/null
+++ b/debian/ntp-units.d/50-chrony.list
@@ -0,0 +1 @@
+chrony.service
diff --git a/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..6841494
--- /dev/null
+++ b/debian/patches/allow-BINDTODEVICE-option-in-seccomp-filter.patch
@@ -0,0 +1,23 @@
+From b9f5ce83b02e765ad5a65a264e88352528d6b2b3 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 12:35:49 +0200
+Subject: sys_linux: allow BINDTODEVICE option in seccomp filter
+
+Fixes: 4ef944b73436 ("socket: add support for binding sockets to device")
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=b9f5ce83b02e765ad5a65a264e88352528d6b2b3
+Last-Update: 2021-05-13
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -619,6 +619,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
++#ifdef SO_BINDTODEVICE
++ { SOL_SOCKET, SO_BINDTODEVICE },
++#endif
+ { SOL_SOCKET, SO_BROADCAST }, { SOL_SOCKET, SO_REUSEADDR },
+ #ifdef SO_REUSEPORT
+ { SOL_SOCKET, SO_REUSEPORT },
diff --git a/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch b/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch
new file mode 100644
index 0000000..3793048
--- /dev/null
+++ b/debian/patches/allow-IP_TOS-socket-option-in-seccomp-filter.patch
@@ -0,0 +1,33 @@
+From 966e6fd939df724235a93e7a89dd7cf67178f99d Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@forstwoof.ru>
+Date: Sun, 4 Apr 2021 15:12:17 +0200
+Subject: sys_linux: allow setsockopt(SOL_IP, IP_TOS) in seccomp
+
+This system call is required by the DSCP marking feature introduced in commit
+6a5665ca5877 ("conf: add dscp directive").
+
+Before this change, enabling seccomp filtering (chronyd -F 1) and specifying a
+custom DSCP value in the configuration (for example "dscp 46") caused the
+process to be killed by seccomp due to IP_TOS not being allowed by the filter.
+
+Tested before and after the change on Ubuntu 21.04, kernel 5.11.0-13-generic.
+IP_TOS is available since Linux 1.0, so I didn't add any ifdefs for it.
+
+Signed-off-by: Foster Snowhill <forst@forstwoof.ru>
+
+Bug: https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-dev/2021/04/msg00000.html
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=966e6fd939df724235a93e7a89dd7cf67178f99d
+Last-Update: 2021-04-08
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -615,7 +615,7 @@ SYS_Linux_EnableSystemCallFilter(int lev
+ };
+
+ const static int socket_options[][2] = {
+- { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND },
++ { SOL_IP, IP_PKTINFO }, { SOL_IP, IP_FREEBIND }, { SOL_IP, IP_TOS },
+ #ifdef FEAT_IPV6
+ { SOL_IPV6, IPV6_V6ONLY }, { SOL_IPV6, IPV6_RECVPKTINFO },
+ #endif
diff --git a/debian/patches/allow-getuid32-in-seccomp-filter.patch b/debian/patches/allow-getuid32-in-seccomp-filter.patch
new file mode 100644
index 0000000..626713e
--- /dev/null
+++ b/debian/patches/allow-getuid32-in-seccomp-filter.patch
@@ -0,0 +1,24 @@
+From 9cdfc15e310887d86c74beb0d6b748572624201c Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Thu, 29 Apr 2021 16:53:40 +0200
+Subject: sys_linux: allow getuid32 in seccomp filter
+
+This was triggered on x86 in an NTS test.
+
+Applied-Upstream: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=9cdfc15e310887d86c74beb0d6b748572624201c
+Last-Update: 2021-05-13
+diff --git a/sys_linux.c b/sys_linux.c
+index be5d44d..57b4e0f 100644
+--- a/sys_linux.c
++++ b/sys_linux.c
+@@ -508,6 +508,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
+ SCMP_SYS(getpid),
+ SCMP_SYS(getrlimit),
+ SCMP_SYS(getuid),
++ SCMP_SYS(getuid32),
+ SCMP_SYS(rt_sigaction),
+ SCMP_SYS(rt_sigreturn),
+ SCMP_SYS(rt_sigprocmask),
+--
+cgit v0.10.2
+
diff --git a/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch b/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
new file mode 100644
index 0000000..3bd9acd
--- /dev/null
+++ b/debian/patches/fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
@@ -0,0 +1,33 @@
+From 29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387 Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar <mlichvar@redhat.com>
+Date: Wed, 6 Oct 2021 10:02:34 +0200
+Subject: sys_linux: fix seccomp filter for BINDTODEVICE option
+
+The BINDTODEVICE socket option is the first option in the seccomp filter
+setting a string instead of int. Remove the length check from the
+setsockopt rules to allow a device name longer than 3 characters.
+
+This was reported in Debian bug #995207.
+
+Fixes: b9f5ce83b02e ("sys_linux: allow BINDTODEVICE option in seccomp filter")
+
+Origin: upstream, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=29d7d3176d9d1b208039a9d2ca3f26bc3cc5a387
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995207
+
+Index: chrony/sys_linux.c
+===================================================================
+--- chrony.orig/sys_linux.c
++++ chrony/sys_linux.c
+@@ -694,10 +694,9 @@ SYS_Linux_EnableSystemCallFilter(int lev
+
+ /* Allow selected socket options */
+ for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
+- if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
++ if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
+- SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
+- SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
++ SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])))
+ goto add_failed;
+ }
+
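Review bot: Dropping the `SCMP_A4(SCMP_CMP_LE, sizeof (int))` condition relaxes the length bound for every entry in `socket_options`, not only for `SO_BINDTODEVICE`, which is the one option the description says needs a longer value. The bound is defence in depth on top of the kernel's own checks, but keeping it for the integer options would leave the filter as tight as before for them. The new condition also loses the `< 0` comparison; the result is presumably the same because the call returns 0 on success, but keeping it matches the removed line. The enclosing function starts and ends outside this hunk; a sketch of the loop with the bound kept for the other options follows.

```c
  /* Allow selected socket options */
  for (i = 0; i < sizeof (socket_options) / sizeof (*socket_options); i++) {
#ifdef SO_BINDTODEVICE
    /* The device name is a string, so only this option skips the length bound */
    if (socket_options[i][0] == SOL_SOCKET &&
        socket_options[i][1] == SO_BINDTODEVICE) {
      if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
                           SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
                           SCMP_A2(SCMP_CMP_EQ, socket_options[i][1])) < 0)
        goto add_failed;
      continue;
    }
#endif
    if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 3,
                         SCMP_A1(SCMP_CMP_EQ, socket_options[i][0]),
                         SCMP_A2(SCMP_CMP_EQ, socket_options[i][1]),
                         SCMP_A4(SCMP_CMP_LE, sizeof (int))) < 0)
      goto add_failed;
  }
```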
diff --git a/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch b/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch
new file mode 100644
index 0000000..29b37c5
--- /dev/null
+++ b/debian/patches/nm-dispatcher-dhcp_Move-server_dir-to-run.patch
@@ -0,0 +1,17 @@
+Description: Move server_dir path to /run
+Author: Vincent Blut <vincent.debian@free.fr>
+Forwarded: no
+Last-Update: 2020-09-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/examples/chrony.nm-dispatcher.dhcp
++++ b/examples/chrony.nm-dispatcher.dhcp
+@@ -11,7 +11,7 @@ action=$2
+
+ chronyc=/usr/bin/chronyc
+ default_server_options=iburst
+-server_dir=/var/run/chrony-dhcp
++server_dir=/run/chrony-dhcp
+
+ dhcp_server_file=$server_dir/$interface.sources
+ # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4037174
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+allow-IP_TOS-socket-option-in-seccomp-filter.patch
+nm-dispatcher-dhcp_Move-server_dir-to-run.patch
+allow-BINDTODEVICE-option-in-seccomp-filter.patch
+allow-getuid32-in-seccomp-filter.patch
+fix-seccomp-filter-for-BINDTODEVICE-socket-option.patch
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..903add9
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,73 @@
+#!/bin/sh
+# postinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+# targets: configure|abort-upgrade|abort-remove|abort-deconfigure
+
+case "$1" in
+ configure)
+
+ adduser --force-badname \
+ --system \
+ --group \
+ --quiet \
+ --gecos "Chrony daemon" \
+ --home /var/lib/chrony \
+ --no-create-home _chrony
+
+ if command -v ucf >/dev/null
+ then
+ ucf --three-way /usr/share/chrony/chrony.conf /etc/chrony/chrony.conf
+ ucf --three-way /usr/share/chrony/chrony.keys /etc/chrony/chrony.keys
+ if [ -x "$(command -v ucfr)" ]; then
+ ucfr chrony /etc/chrony/chrony.conf
+ ucfr chrony /etc/chrony/chrony.keys
+ fi
+ fi
+
+ # Change the user and group ownership of "/var/l{ib,og}/chrony" iif
+ # the chronyd's configuration does not contain the "user" directive.
+ # Also, update these directories' mode bits to 0750 to follow upstream.
+ if ! chronyd -p 2>/dev/null | grep -q "^user"; then
+ for d in /var/lib/chrony /var/log/chrony; do
+ if ! dpkg-statoverride --list "$d" >/dev/null; then
+ dpkg-statoverride --update --add _chrony _chrony 0750 "$d"
+ fi
+ done
+ fi
+
+ if [ -n "$2" ] && dpkg --compare-versions "$2" lt 4.0~pre4-1; then
+ # Migrate NTP sources obtained from DHCP to /run/chrony-dhcp
+ mkdir -p /run/chrony-dhcp
+ for file in $(find /var/lib/dhcp/ -type f -name "chrony.servers.*"); do
+ sed 's/.*/server &/' < "$file" > /run/chrony-dhcp/"${file##*servers.}.sources"
+ done
+
+ # Remove the staled PID file resulting from migrating its path from
+ # /run to /run/chrony/. Overriding dh_installinit and
+ # dh_systemd_start to use the --no-restart-after-upgrade option
+ # was a possibility but chronyd would have been down even longer
+ # during the upgrade.
+ rm -f /run/chronyd.pid
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
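Review bot: The ownership block in the `configure` branch treats any failure of `chronyd -p` as "no `user` directive", because stderr is discarded and an empty pipe makes `grep -q "^user"` fail, so the negated condition is true. If the installed configuration cannot be parsed at that point, /var/lib/chrony and /var/log/chrony would be handed to `_chrony` even when the administrator configured a different user. I would capture the output first and skip the block when the command fails, e.g. `if conf=$(chronyd -p 2>/dev/null) && ! printf '%s\n' "$conf" | grep -q "^user"; then`.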
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..b864a94
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,56 @@
+#!/bin/sh
+# postrm script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear
+
+case "$1" in
+ purge)
+ rm -f /var/lib/chrony/*
+ rm -f /etc/chrony/chrony.conf
+ rm -f /etc/chrony/chrony.keys
+ if command -v ucf >/dev/null
+ then
+ ucf --purge /etc/chrony/chrony.conf
+ ucf --purge /etc/chrony/chrony.keys
+ if [ -x "$(command -v ucfr)" ]; then
+ ucfr --purge chrony /etc/chrony/chrony.conf
+ ucfr --purge chrony /etc/chrony/chrony.keys
+ fi
+ fi
+ rm -rf /etc/chrony
+ rm -rf /run/chrony || true
+ rm -rf /run/chrony-dhcp || true
+ rm -rf /var/lib/chrony
+ rm -rf /var/log/chrony
+ # Remove "_chrony" system user/group
+ if [ -x "$(command -v deluser)" ]
+ then
+ deluser --quiet --system _chrony > /dev/null 2>&1 || true
+ fi
+
+ for d in /var/lib/chrony /var/log/chrony; do
+ if dpkg-statoverride --list "$d" >/dev/null; then
+ dpkg-statoverride --remove "$d"
+ fi
+ done
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
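Review bot: In the `purge` branch the `_chrony` user is deleted before the `dpkg-statoverride --remove` loop runs. postinst registers overrides owned by `_chrony`, and dpkg tools can refuse to read a statoverride database that names a user which no longer exists. In that case `dpkg-statoverride --list` fails, the `if` body is skipped, and the stale entries stay behind (this depends on the dpkg version, so it is worth verifying). Moving the `for d in /var/lib/chrony /var/log/chrony` loop above the `deluser` call avoids the ordering problem.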
diff --git a/debian/preinst b/debian/preinst
new file mode 100644
index 0000000..08be098
--- /dev/null
+++ b/debian/preinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+# preinst script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: install|upgrade|abort-upgrade
+
+case "$1" in
+ upgrade)
+ ;;
+
+ install|abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000..ec12057
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,28 @@
+#!/bin/sh
+# prerm script for chrony
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# targets: remove|upgrade|deconfigure|failed-upgrade
+
+case "$1" in
+ remove|upgrade|deconfigure)
+ ;;
+
+ failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..33a2809
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,50 @@
+#!/usr/bin/make -f
+
+-include /usr/share/dpkg/buildtools.mk
+export CC
+
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=+all
+
+BASE=debian/chrony
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ dh_auto_configure -- --mandir=/usr/share/man \
+ --sysconfdir=/etc/chrony \
+ --with-user=_chrony \
+ --enable-scfilter \
+ --chronyrundir=/run/chrony \
+ --with-ntp-era=$(shell date -d '1970-01-01 00:00:00+00:00' +'%s') \
+ --enable-ntp-signd \
+ --with-hwclockfile=/etc/adjtime \
+ --with-pidfile=/run/chrony/chronyd.pid \
+ --host-system=Linux
+
+override_dh_install:
+ dh_install
+ install -m 0640 -t $(BASE)/usr/share/chrony/ debian/chrony.keys
+ install -m 0755 -T examples/chrony.nm-dispatcher.dhcp ${BASE}/usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
+ install -m 0755 -T examples/chrony.nm-dispatcher.onoffline $(BASE)/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
+ install -m 0644 -T examples/chrony.logrotate $(BASE)/etc/logrotate.d/chrony
+ dh_apparmor --profile-name=usr.sbin.chronyd -pchrony
+ install -D -p -m 0644 debian/chrony.dhcp $(BASE)/etc/dhcp/dhclient-exit-hooks.d/chrony
+
+override_dh_fixperms:
+ dh_fixperms -X usr/share/chrony/chrony.keys
+
+override_dh_installinit:
+ dh_installinit
+# Disable the system call filter on architectures mentioned below
+# due to missing support in libseccomp and/or in the Linux kernel.
+ifneq (,$(filter $(DEB_HOST_ARCH), alpha ia64 m68k sh4 sparc64))
+ sed -i '/DAEMON_OPTS=/s/"-F 1"/""/' $(BASE)/etc/default/chrony
+endif
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ dh_auto_test
+endif
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/sources.d/README b/debian/sources.d/README
new file mode 100644
index 0000000..268544d
--- /dev/null
+++ b/debian/sources.d/README
@@ -0,0 +1,11 @@
+Only NTP sources can be specified in the /etc/chrony/sources.d directory.
+Files in this directory must end with the ".sources" suffix, and can only
+contain the "peer", "pool" and "server" directives.
+
+There is no need to restart chronyd for these time sources to be usable,
+running 'chronyc reload sources' is sufficient.
+
+Example:
+
+# echo 'server 192.0.2.1 iburst' > /etc/chrony/sources.d/local-ntp-server.sources
+# chronyc reload sources
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..5586711
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,28 @@
+Tests: upstream-simulation-test-suite
+Depends: @builddeps@, build-essential, ca-certificates, wget
+Restrictions: isolation-container, build-needed, skippable, needs-root, needs-internet
+
+Tests: time-sources-from-dhcp-servers
+Depends: @, isc-dhcp-server, isc-dhcp-client, iproute2, kmod
+Restrictions: isolation-machine, needs-root
+
+Features: test-name=run_system_tests
+Test-Command: debian/tests/upstream-system-tests
+Depends: @builddeps@
+Restrictions: build-needed, isolation-container, needs-root
+
+Features: test-name=run_destructive_system_tests
+Test-Command: debian/tests/upstream-system-tests -d 1[0-9][0-9]-*
+Depends: @, @builddeps@, ethtool
+Restrictions: build-needed, isolation-machine, needs-root
+
+Tests: fragmented-configuration
+Restrictions: isolation-container, needs-root
+
+Tests: dynamically-add-source
+Depends: @, dpkg-dev
+Restrictions: isolation-container, needs-root, skippable
+
+Tests: ntp-server-and-nts-auth
+Depends: @, dpkg-dev, gnutls-bin
+Restrictions: isolation-container, needs-root, skippable
diff --git a/debian/tests/dynamically-add-source b/debian/tests/dynamically-add-source
new file mode 100644
index 0000000..62eac75
--- /dev/null
+++ b/debian/tests/dynamically-add-source
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Make sure that NTP sources from /etc/chrony/sources.d are usable.
+
+set -e
+
+. debian/tests/helper-functions
+
+server_addr="192.0.2.1"
+
+printf "Preparing chronyd configuration: "
+__no_system_clock_control && __test_ok || __test_skip
+
+printf "Adding a dummy server to the list of NTP sources: "
+printf "server $server_addr" > /etc/chrony/sources.d/dummy-server.sources && __test_ok || __test_fail
+
+printf "Reloading NTP sources: "
+__reload_sources
+
+printf "Checking for dummy server availability: "
+__check_sources "$server_addr"
+
+printf "Checking for dummy server availability after restarting chronyd: "
+__restart_chronyd
+sleep 2
+__check_sources "$server_addr"
+
+exit 0
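Review bot: The sources file is written with `printf "server $server_addr"`, which places the variable inside the format string and leaves the file without a trailing newline. `printf 'server %s\n' "$server_addr" > /etc/chrony/sources.d/dummy-server.sources` avoids both. The `cmd && __test_ok || __test_fail` lines would also run `__test_fail` if `__test_ok` itself returned non-zero; that cannot happen with the current helper, which only prints, but an explicit `if`/`else` states the intent more directly.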
diff --git a/debian/tests/fragmented-configuration b/debian/tests/fragmented-configuration
new file mode 100644
index 0000000..cda1c41
--- /dev/null
+++ b/debian/tests/fragmented-configuration
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Make sure that fragmented configuration works as expected.
+
+set -e
+
+. debian/tests/helper-functions
+
+printf 'Setting "authselectmode prefer" as authentication policy: '
+echo "authselectmode prefer" > /etc/chrony/conf.d/authentication-policy.conf && __test_ok || __test_fail
+
+printf "Restart chronyd: "
+systemctl --quiet restart chrony.service && __test_ok || __test_fail
+
+printf "Checking that chronyd uses the defined authentication policy: "
+chronyd -p 2> /dev/null | grep -q "authselectmode prefer" && __test_ok || __test_fail
+
+exit 0
diff --git a/debian/tests/helper-functions b/debian/tests/helper-functions
new file mode 100644
index 0000000..6c340d0
--- /dev/null
+++ b/debian/tests/helper-functions
@@ -0,0 +1,50 @@
+__no_system_clock_control() {
+ if ! dpkg-vendor --derives-from Ubuntu; then
+ sed -i '/^DAEMON_OPTS=/s/"\(.*\)"/"\1 -x"/' /etc/default/chrony
+ mkdir -p /etc/systemd/system/chrony.service.d
+ cat <<EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+ systemctl daemon-reload && __restart_chronyd && sleep 3
+ fi
+}
+
+__test_fail() {
+ printf 'FAIL\n' >&2
+ return 1
+}
+
+__test_ok() {
+ printf 'OK\n'
+ return 0
+}
+
+__test_skip() {
+ [ -n "$1" ] && printf 'SKIP: (%s)\n' "$1" || printf 'SKIP\n'
+ exit 77
+}
+
+__reload_sources() {
+ chronyc reload sources > /dev/null 2>&1 && __test_ok || __test_fail
+}
+
+__restart_chronyd() {
+ systemctl --quiet restart chrony.service
+}
+
+__check_sources() {
+ chronyc sources | grep -q "$1" && __test_ok || __test_fail
+}
+
+__check_auth() {
+ chronyc -c authdata | grep -q "$1" && __test_ok || __test_fail
+}
+
+# Ubuntu's default config is fully populated causing issues with the test
+# If any of those tests run on Ubuntu, clear some and restart the daemon
+# to pick this up before entering the tests.
+if grep -q "^pool.*ubuntu.pool.ntp.org" /etc/chrony/chrony.conf; then
+ sudo sed -i -e '/^pool.*ubuntu.pool.ntp.org/d' /etc/chrony/chrony.conf
+ __restart_chronyd
+fi
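Review bot: The Ubuntu clean-up at the end of the file calls `sudo sed -i`, yet no stanza in debian/tests/control lists sudo in `Depends`, and every test that sources this file carries `needs-root`. The line should simply be `sed -i -e '/^pool.*ubuntu.pool.ntp.org/d' /etc/chrony/chrony.conf`, matching the plain `sed -i` already used in `__no_system_clock_control`. Separately, `__check_sources` and `__check_auth` pass an address to `grep -q "$1"`, where each `.` matches any character; `grep -qF -- "$1"` would make the match literal.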
diff --git a/debian/tests/ntp-server-and-nts-auth b/debian/tests/ntp-server-and-nts-auth
new file mode 100644
index 0000000..93c44f8
--- /dev/null
+++ b/debian/tests/ntp-server-and-nts-auth
@@ -0,0 +1,58 @@
+#!/bin/sh
+# Check that chronyd is able to authenticate NTP packets when NTS is enabled
+# on the server.
+
+set -e
+
+. debian/tests/helper-functions
+
+cert_dir="/var/lib/chrony"
+cert_template="$cert_dir/cert.cfg"
+cert_file="$cert_dir/server.crt"
+priv_key="$cert_dir/server.key"
+server_addr="127.0.1.1"
+server_name="chrony-nts-test"
+
+create_cert_template() {
+ printf "Creating certificate template: "
+ cat <<EOF > "$cert_template"
+cn = "$server_name"
+serial = 001
+activation_date = "$(date -d '1 year ago' +'%Y-%m-%d') 00:00:00 UTC"
+expiration_date = "$(date -d '1 year' +'%Y-%m-%d') 00:00:00 UTC"
+signing_key
+encryption_key
+EOF
+}
+
+generate_cert() {
+ printf "Generating self-signed certificate: "
+ certtool --generate-privkey --key-type=ed25519 --outfile "$priv_key" > /dev/null 2>&1
+ certtool --generate-self-signed --load-privkey "$priv_key" --template "$cert_template" \
+ --outfile "$cert_file" > /dev/null 2>&1
+}
+
+server_config() {
+ printf "Preparing chronyd configuration: "
+ cat <<EOF > /etc/chrony/conf.d/local-server-config.conf
+server $server_name nts minpoll -6 maxpoll -6
+ntsserverkey $priv_key
+ntsservercert $cert_file
+ntstrustedcerts $cert_file
+EOF
+
+ __no_system_clock_control
+}
+
+echo "$server_addr $server_name" >> /etc/hosts
+
+create_cert_template && __test_ok || __test_skip "unable to create certificate template"
+
+generate_cert && __test_ok || __test_skip "unable to generate self-signed certificate"
+
+server_config && __test_ok || __test_skip
+
+printf "Checking if server authenticates NTP packets: "
+__check_auth "$server_addr,NTS"
+
+exit 0
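Review bot: In `generate_cert` the exit status of the first `certtool` call (private-key generation) is never checked. The function is invoked as `generate_cert && __test_ok || __test_skip …`, and `set -e` is ignored inside a function called on the left of `&&`, so only the last command's status counts. The same applies to the `cat` heredoc in `server_config`, whose result is replaced by that of `__no_system_clock_control`. Appending `|| return 1` to each intermediate command, e.g. `certtool --generate-privkey --key-type=ed25519 --outfile "$priv_key" > /dev/null 2>&1 || return 1`, makes a failed step reach the skip path with the right message. Both `certtool` calls also discard stderr, so the log will not show why a skip happened; letting stderr through would help triage.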
diff --git a/debian/tests/time-sources-from-dhcp-servers b/debian/tests/time-sources-from-dhcp-servers
new file mode 100644
index 0000000..f5e7899
--- /dev/null
+++ b/debian/tests/time-sources-from-dhcp-servers
@@ -0,0 +1,44 @@
+#!/bin/sh
+# Ensure that NTP servers obtained from DHCP are made available to chronyd and
+# that they are removed when releasing the DHCP lease.
+
+set -e
+
+prepare_iface() {
+ modprobe dummy
+ ip link add name dummy0 type dummy
+ ip address add 192.168.1.1/24 dev dummy0
+ ip link set dev dummy0 up
+}
+
+dhcpd_config() {
+cat <<EOF > /etc/dhcp/dhcpd.conf
+default-lease-time 600;
+max-lease-time 7200;
+authorative;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+ option subnet-mask 255.255.255.0;
+ option broadcast-address 192.168.1.255;
+ option ntp-servers 192.168.1.50;
+ range 192.168.1.42 192.168.1.100;
+}
+EOF
+
+sed -i '/INTERFACESv4=/s/".*"/"dummy0"/' /etc/default/isc-dhcp-server
+}
+
+chk_time_src() {
+ chronyc -n sources | grep -q -F '192.168.1.50'
+}
+
+printf "Preparing the dummy network interface and dhcpd configuration…\n"
+if prepare_iface && dhcpd_config; then
+ systemctl restart isc-dhcp-server && dhclient dummy0 && printf "Done!\n\n"
+fi
+
+printf "Check if the NTP server is made available to chronyd…\n"
+chk_time_src && printf "SUCCESS!\n\n"
+
+printf "Release the current lease and check if the NTP server has been correctly removed…\n"
+dhclient -r dummy0 > /dev/null 2>&1 && ! chk_time_src && printf "SUCCESS!\n\n"
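Review bot: The first check, `chk_time_src && printf "SUCCESS!\n\n"`, cannot fail the test: under `set -e` a failing command on the left of `&&` does not abort the script, so when the DHCP-provided server never appears in `chronyc -n sources` the script carries on and the final `! chk_time_src` then succeeds. The `if prepare_iface && dhcpd_config` block has the same weakness, since a failed set-up or a failed `systemctl restart isc-dhcp-server` is simply stepped over. Making the checks explicit, e.g. `chk_time_src || { printf 'FAIL\n' >&2; exit 1; }`, closes that gap. The generated dhcpd.conf also spells the keyword `authorative;` where ISC dhcpd's statement is `authoritative;`. The misspelling is likely to be rejected when the server parses the file, which the current control flow would not surface.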
diff --git a/debian/tests/upstream-simulation-test-suite b/debian/tests/upstream-simulation-test-suite
new file mode 100644
index 0000000..cee406d
--- /dev/null
+++ b/debian/tests/upstream-simulation-test-suite
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Upstream makes use of “clknetsim” to test how well “chronyd” controls the
+# system clocks in various conditions. Due to “clknetsim” not being available
+# in Debian, let’s use autopkgtest facility to build it in a container and
+# test “chronyd” from there.
+
+set -e
+
+testdir="$PWD/test/simulation"
+clknetsim_ver=c4ccc2d
+clknetsim_src=https://github.com/mlichvar/clknetsim/archive/"$clknetsim_ver"/clknetsim-"$clknetsim_ver".tar.gz
+clknetsim_archive=$(basename "$clknetsim_src")
+
+export CLKNETSIM_PATH="$AUTOPKGTEST_TMP"
+
+# Always use the same seed to get deterministic results
+export CLKNETSIM_RANDOM_SEED=24505
+
+DEB_HOST_MULTIARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+# The simulation tests are only supported on Linux.
+dpkg-architecture -ilinux-any || exit 77
+
+prepare_clknetsim() {
+ # This symbolic link is necessary to prevent clknetsim from FTBFS.
+ ln -s /usr/include/"$DEB_HOST_MULTIARCH"/sys/time.h /usr/include/sys/
+
+ wget -P "$CLKNETSIM_PATH" "$clknetsim_src" 2>&1 || exit 77
+ tar -xvzf "$CLKNETSIM_PATH"/"$clknetsim_archive" \
+ -C "$CLKNETSIM_PATH" --strip-components=1 2>&1 || exit 77
+
+ if [ ! -x "$CLKNETSIM_PATH/clknetsim" ] && [ ! -e "$CLKNETSIM_PATH/clknetsim.so" ]; then
+ make -C "$CLKNETSIM_PATH" 2>&1
+ fi
+}
+
+run_test() {
+ cd "$testdir" && ./run -i 20 -m 2
+}
+
+prepare_clknetsim && run_test
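Review bot: `prepare_clknetsim` downloads the clknetsim tarball, then unpacks, builds and runs it inside a `needs-root` test without verifying the archive; the only pin is the abbreviated commit id `c4ccc2d` in the URL. Recording the expected digest next to `clknetsim_ver` (`clknetsim_sha256=<sha256 of the archive>`, filled in by the maintainer) and checking it after `wget` with `echo "$clknetsim_sha256  $CLKNETSIM_PATH/$clknetsim_archive" | sha256sum -c - || exit 1` would make a changed archive fail the test instead of being executed. A mismatch should exit 1 rather than 77 so that it is not reported as a skip. Using the full 40-character commit id in `clknetsim_ver` also removes the ambiguity of a short prefix. Forge-generated archives are not guaranteed to stay byte-identical forever, so the digest may occasionally need refreshing.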
diff --git a/debian/tests/upstream-system-tests b/debian/tests/upstream-system-tests
new file mode 100755
index 0000000..bd28a0c
--- /dev/null
+++ b/debian/tests/upstream-system-tests
@@ -0,0 +1,24 @@
+#!/bin/sh
+# Run the upstream system tests in a container. Destructive tests will be run in
+# a VM as they may adjust/step the system clock, block the RTC, etc.
+# In case of failure, test’s logs will be put into the directory specified by
+# the $AUTOPKGTEST_ARTIFACTS environment variable.
+
+set -e
+
+testdir=$PWD/test/system
+logdir="$testdir/tmp/*"
+
+# some tests need chrony installed, but make sure to avoid the test daemon is
+# fighting with the systems chrony service over the clock
+systemctl stop chrony.service 2>/dev/null || true
+
+run_test() {
+ cd "$testdir" && ./run "$@"
+}
+
+artifacts() {
+ cp $logdir "$AUTOPKGTEST_ARTIFACTS" && exit 1
+}
+
+run_test "$@" || artifacts
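Review bot: `artifacts` relies on the unquoted `$logdir` to expand the `*` stored inside the variable, which also word-splits the path if `$PWD` contains whitespace. In addition, `cp` without `-r` will not copy any directories found under `test/system/tmp`. Writing the glob at the point of use, `cp -r "$testdir"/tmp/* "$AUTOPKGTEST_ARTIFACTS"`, keeps the path quoted and lets the `logdir` variable be dropped.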
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..937fa97
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,8 @@
+Documentation: https://chrony.tuxfamily.org/documentation.html
+Changelog: https://chrony.tuxfamily.org/news.html
+FAQ: https://chrony.tuxfamily.org/faq.html
+Contact: chrony-users@chrony.tuxfamily.org
+Security-Contact: Miroslav Lichvar <mlichvar@redhat.com>
+Bug-Submit: chrony-users@chrony.tuxfamily.org
+Repository: https://git.tuxfamily.org/chrony/chrony.git
+Repository-Browse: https://git.tuxfamily.org/chrony/chrony.git/
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..ce59e23
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=4XBU
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/usr.sbin.chronyd b/debian/usr.sbin.chronyd
new file mode 100644
index 0000000..fc23892
--- /dev/null
+++ b/debian/usr.sbin.chronyd
@@ -0,0 +1,81 @@
+# Last Modified: Sat Jan 20 10:45:05 2018
+#include <tunables/global>
+
+/usr/sbin/chronyd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ # For /run/chrony to be created
+ capability chown,
+
+ # Give “root” the ability to read and write the PID file
+ capability dac_override,
+ capability dac_read_search,
+
+ # Needed to support HW timestamping
+ capability net_admin,
+
+ # Needed to allow NTP server sockets to be bound to a privileged port
+ capability net_bind_service,
+
+ # Needed to allow an NTP socket to be bound to a device using the
+ # SO_BINDTODEVICE socket option on kernels before 5.7
+ capability net_raw,
+
+ # Needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # Needed to set the SCHED_FIFO real-time scheduler at the specified priority
+ # using the '-P' option
+ capability sys_nice,
+
+ # Needed to lock chronyd into RAM
+ capability sys_resource,
+
+ # Needed to set the system/real-time clock
+ capability sys_time,
+
+ /usr/sbin/chronyd mr,
+
+ /etc/chrony/{,**} r,
+ /var/lib/chrony/{,*} rw,
+ /var/log/chrony/{,*} rw,
+ @{run}/chrony/{,*} rw,
+ @{run}/chrony-dhcp/{,*} r,
+
+ # Using the “tempcomp” directive gives chronyd the ability to improve
+ # the stability and accuracy of the clock by compensating the temperature
+ # changes measured by a sensor close to the oscillator.
+ @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,
+
+ # Support all paths suggested in the man page (LP: #1771028). Assume these
+ # are common use cases; others should be set as local include (see below).
+ # Configs using a 'chrony.' prefix like the tempcomp config file example
+ /etc/chrony.* r,
+ # Example gpsd socket is outside @{run}/chrony/
+ @{run}/chrony.tty{,*}.sock rw,
+ # To sign replies to MS-SNTP clients by the smbd daemon
+ /var/lib/samba/ntp_signd/socket rw,
+
+ # rtc
+ /etc/adjtime r,
+ /dev/rtc{,[0-9]*} rw,
+
+ # gps devices
+ /dev/pps[0-9]* rw,
+ /dev/ptp[0-9]* rw,
+
+ # Allow reading the chronyd configuration file that timemaster(8) generates
+ @{run}/timemaster/chrony.conf r,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.chronyd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.chronyd>
+}
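Review bot: The comment above the commented-out `capability ipc_owner,` rule says "you may need to give ntpd access to all of shared memory", which names the wrong daemon for this profile; it should read `chronyd`. The `dac_override` and `dac_read_search` capabilities are justified only by the PID-file comment. Since they bypass file permission checks on every path the profile allows, the comment should say which files are owned by the unprivileged user and why root must bypass DAC for them, so that a later reviewer can judge whether they are still needed. The `# Last Modified: Sat Jan 20 10:45:05 2018` header appears stale, given that the profile mentions kernel 5.7, and could be dropped.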
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..09e7386
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts=pgpsigurlmangle=s/\.tar\.gz$/-tar-gz-asc.txt/ \
+https://download.tuxfamily.org/@PACKAGE@/@PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@