Paul Eggert wrote:
On 2/8/24 06:21, Martin Burnicki via tz wrote:
https://kb.meinbergglobal.com/kb/time_sync/ntp/configuration/ntp_leap_second...
Thanks, I installed the attached patch to refer to that page.
Thanks!
A few comments about its contents:
For higher security the file should be signed using a public key certificate which can also be checked after the file has already been downloaded. However, this is currently not implemented
As per Internet RFC 6557 (2012) section 3, TZDB distributions are signed via a PGP signature. This signature is published in each distribution's announcement, so effectively you can obtain a signed leap-seconds.list from a TZDB distribution. This practice started in 2012e, in response to the RFC.
Also, TZDB releases have signed tags in the Github development repository; this is another way to verify leap-seconds.list.
Admittedly neither of these techniques is the same as having the IERS sign the file, which would be preferable.
I've now made a few changes to my page:

- All occurrences of "TZ DB" have been replaced with "TZDB".
- The section about the TAI Offset Table
  https://wiki.py.meinberg.de/kb:time_sync:ntp:configuration:ntp_leap_second_f...
  now contains a note that the leap second table can use space or tabs as field separators, depending on the origin of the file.
- The section about the SHA1 hash now mentions the signature of the TZDB version
  https://wiki.py.meinberg.de/kb:time_sync:ntp:configuration:ntp_leap_second_f...
- The section about the TZDB/IANA version now mentions the signatures.

[...]
One other link you might want to mention is:
https://raw.githubusercontent.com/eggert/tz/main/leap-seconds.list
This is the latest version of leap-seconds.list in the TZDB development repository. It is more up-to-date than <https://data.iana.org/time-zones/tzdb/leap-seconds.list>, though less up-to-date than the IERS primary copy. Github likely resists DDoS attacks better than the other sites; see <https://github.blog/2018-03-01-ddos-incident-report/>.
@Paul: I've added the URL to my page. Please let me know if I should keep the other links to the Github repo and your homepage, or whether I should remove them.

Concerning the PGP signatures of the download archives: IMO checking the signatures would be much easier for potential users of the .gz or .lz archives if the signatures were available for download as files at https://www.iana.org/time-zones, e.g. tzdb-2024a.tar.lz.asc for an ASCII signature, or tzdb-2024a.tar.lz.sig for a binary signature.

Doing so would make this very much easier for folks who just come across the download page, but are not on (one of) the mailing list(s). I have to admit that I didn't even notice that the signatures are part of the announcement emails because I usually just read the subject if it just tells that a new TZDB version has been released. I also find it much harder to copy a signature text block from an email to verify the integrity of a downloaded file.

At Meinberg, I provide this information as a file, see e.g. https://www.meinbergglobal.com/english/sw/#linux so it's very easy to download the .gz file and the signature file and run a simple command line program to verify the integrity.

Just my 2 ct. ;-)

Martin

-- 
Martin Burnicki
Senior Software Engineer
MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/
Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Natalie Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de https://www.meinbergglobal.com
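The thread above touches two checks a consumer of leap-seconds.list should do locally, whichever mirror the file came from: accept both space- and tab-separated fields, and recompute the SHA1 given on the file's "#h" line. The following is an added example, not code from the tz project, ntpd, or Meinberg's page. It assumes the hash rule described in the file's own header (SHA1 over the "#$" value, the "#@" value and the two numeric fields of every data line, concatenated with no whitespace, printed as five 32-bit hex words whose leading zeros may be dropped); the sample file text is constructed, so its "#h" line is generated by the same code rather than taken from a published file.

```python
import hashlib
import time

# Constructed sample in leap-seconds.list format (not a real IERS/TZDB file).
# The first data line is tab-separated, the second space-separated, to show
# that a parser must accept both, as noted in the thread.
SAMPLE = """\
#\tConstructed example; the real file carries a long explanatory header.
#$\t3929093563
#@\t4108579200
2272060800\t10\t# 1 Jan 1972
2287785600     11  # 1 Jul 1972
"""

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def parse_leap_list(text):
    """Return (updated, expires, leaps, hash_words).

    `leaps` is a list of (ntp_timestamp, tai_offset) tuples. Fields may be
    separated by spaces or tabs; text after '#' on a data line is a comment.
    """
    updated = expires = hash_words = None
    leaps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$"):
            updated = int(line[2:].split()[0])
        elif line.startswith("#@"):
            expires = int(line[2:].split()[0])
        elif line.startswith("#h"):
            hash_words = line[2:].split()
        elif line.startswith("#"):
            continue                      # ordinary comment line
        else:
            fields = line.split("#", 1)[0].split()
            if len(fields) < 2:
                raise ValueError("malformed data line: %r" % raw)
            leaps.append((int(fields[0]), int(fields[1])))
    if updated is None or expires is None:
        raise ValueError("missing #$ or #@ line")
    return updated, expires, leaps, hash_words


def leap_list_sha1(updated, expires, leaps):
    """SHA1 over the numeric content only, with no separators (assumed rule)."""
    data = str(updated) + str(expires) + "".join(
        "%d%d" % (ts, off) for ts, off in leaps)
    return hashlib.sha1(data.encode("ascii")).hexdigest()


def format_hash_line(hexdigest):
    """Render a hex digest as a '#h' line of five 32-bit words."""
    return "#h\t" + " ".join(hexdigest[i:i + 8] for i in range(0, 40, 8))


def hash_matches(hexdigest, hash_words):
    """Compare numerically so a '#h' word with dropped leading zeros still matches."""
    if hash_words is None or len(hash_words) != 5:
        return False
    expected = [int(hexdigest[i:i + 8], 16) for i in range(0, 40, 8)]
    try:
        got = [int(w, 16) for w in hash_words]
    except ValueError:
        return False
    return got == expected


def check_leap_list(text, now_unix=None):
    """Return (ok, reason): ok only if the #h hash matches and #@ has not passed."""
    updated, expires, leaps, hash_words = parse_leap_list(text)
    if not hash_matches(leap_list_sha1(updated, expires, leaps), hash_words):
        return False, "hash mismatch"
    now = time.time() if now_unix is None else now_unix
    if now + NTP_EPOCH_OFFSET >= expires:
        return False, "file expired"
    return True, "ok"


def sample_with_hash():
    """The constructed sample completed with a #h line computed here
    (a published file ships its #h line from the publisher)."""
    updated, expires, leaps, _ = parse_leap_list(SAMPLE)
    return SAMPLE + format_hash_line(leap_list_sha1(updated, expires, leaps)) + "\n"


if __name__ == "__main__":
    good = sample_with_hash()
    print(check_leap_list(good, now_unix=1700000000))
    # A single-digit change to a data line is caught by the recomputed hash.
    print(check_leap_list(good.replace("2287785600", "2287785601"), now_unix=1700000000))
```

Note that this only detects accidental corruption or a mismatch between the table and its own "#h" line; an attacker who can rewrite the file can also rewrite the hash, which is why the thread's point about a PGP signature from the publisher (IERS, or the TZDB release signature) matters for authenticity.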