
NTP.conf pool vs server


ray

Jun 7, 2017, 9:20:04 AM
I would like to know the correct syntax for entering a server entry for stretch.

All the documentation I find says to list the ntp servers in the file as:
server 0.XX.pool.ntp.org
server 1.XX.pool.ntp.org

An example source from 2017 is https://wiki.debian.org/DateTime

When I open /etc/ntp.conf on my new stretch installation, I find this format:
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst

The latest Debian doc says to start the line with 'server'.
The latest Debian implementation starts the line with 'pool'.

Are these interchangeable?

Additionally, there is a parameter 'iburst' which I did not find in the Debian docs but found at http://doc.ntp.org/4.1.1/confopt.htm


Thanks,
Ray

Greg Wooledge

Jun 7, 2017, 9:30:05 AM
On Wed, Jun 07, 2017 at 05:56:59AM -0700, ray wrote:
> The latest Debian doc says to start the line with 'server'.
> The latest Debian implementation starts the line with 'pool'.
>
> Are these interchangeable?
>
> Additionally, there is a parameter 'iburst' which I did not find in the Debian docs but found at http://doc.ntp.org/4.1.1/confopt.htm

For whatever it's worth, "iburst" is in ntp.conf(5) but "pool" is not.

Gene Heskett

Jun 7, 2017, 10:40:04 AM
Begin rant:

From someone who is currently battling a fresh jessie install that didn't
even come with ntpdate installed, and which using the above format
in /etc/ntp.conf is still about 12 hours off on an rpi-3.

Installing ntpdate and attempting to start it gets me a no servers found
message, yet they are defined as discussed above, and the network is
fully accessible to all other forms of communication.

That doc on www.ntp.org is nice, but worthless to someone who just wants
it to work. I have quite a zoo of machines here, and I see little
advantage to each one banging on a network server, when it needs an
update. But does it give even a hint of how to make this machine, or
heaven forbid, my router, which keeps time via ntp, and which I believe
has the time broadcast enabled, (its dd-wrt in a buffalo box) into a
server that the rest of my machines can listen to to get the correct
time. If I could achieve that, it would reduce the loading on the time
servers at debian or pool.ntp.org by a factor of 5 or 6 just from my
home network.

But a manpage that actually tells us how to do that must be a sick bird,
because it's not been written yet. Man page writers please get real, and
tell us how to do something like getting our home networks all
synchronized to our routers which can then broadcast it to the rest of
our network.

Such a scheme can easily keep us on time with any errors within a few
milliseconds, more than adequate enough for the girls I go with. While
reducing the load on the servers by at least 80%.

So how about a manpage that tells us how to do that? If it's not illegal
according to some rfc that is.

Rant off.

Thanks for reading.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Gene Heskett

Jun 7, 2017, 10:50:05 AM
pool is normally a round robin server setup where any machine in
the "pool" of machines can answer the query. It's part of the net
address, not a keyword to ntp(date). If you ping -c1 pool.ntp.org,
you'll see the machines address that answered that ping, but you may not
get a reply from that same machine the next time you ping it.

Greg Wooledge

Jun 7, 2017, 11:00:06 AM
On Wed, Jun 07, 2017 at 10:35:23AM -0400, Gene Heskett wrote:
> Begin rant:
>
> From someone who is currently battling a fresh jessie install that didn't
> even come with ntpdate installed, and which using the above format
> in /etc/ntp.conf is still about 12 hours off on an rpi-3.

The ntpdate package has been deprecated for some time now, in Debian.
You don't need it. Simply install the ntp package, and configure the
/etc/ntp.conf file (which admittedly is not clearly documented).

Current versions of Debian have folded the ntpdate functionality into
ntp. The /etc/default/ntp file has (or should have!) this:

NTPD_OPTS='-g'

This starts ntpd with the -g option, which tells it that it's allowed
to slam the clock forward or backward exactly once when it starts up,
mimicking what ntpdate used to do.

> Installing ntpdate and attempting to start it gets me a no servers found
> message, yet they are defined as discussed above, and the network is
> fully accessible to all other forms of communication.

Sounds like something is misconfigured, though we can't tell what it is
without additional info.

> But a manpage that actually tells us how to do that must be sick bird,
> because its not been written yet. Man page writers please get real, and
> tell us how to do something like getting our home networks all
> synchronized to our routers which can then broadcast it to the rest of
> our network.

On the machine that you want to act as your local network's time server:

server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

And make sure you didn't change the lines under the comment that says
"By default, exchange time with everybody, but don't allow configuration."

On your other machines:

server your.time.server

That's basically it. Make sure the hostname is resolvable. If you have
issues with name resolution not being available sometimes, then you might
want to add your.time.server to /etc/hosts.

To verify that things are running, use ntpq -p:

svr5:~$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-104.245.32.240  162.213.2.253    2 u  776 1024  377   80.415   -8.341   0.239
*clocka.ntpjs.or 18.26.4.105      2 u  250 1024  377    9.780    0.361   0.556
+up2.com         195.219.14.21    2 u  490 1024  377   31.761   -1.224   0.474
+jarvis.arlen.io 17.253.2.253     2 u  477 1024  377   36.764   -2.368   4.547

And that's why you use multiple public time servers -- they aren't very
accurate, so you need lots of them. The daemon can decide which ones
to ignore, and so on.

The output of this -p thing is not documented, so you have to guess what
it means. I think the "-" in column 1 means "this server sucks, so I'm
not really paying attention to it", and "+" means "pretty good", and "*"
means "this is my favorite". But that's just a guess. There's nothing
in the ntpq man page about it at all.
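As an added example (not code from the thread or from the ntp project), the following Python parses the ntpq -p output quoted in the post above and decodes the two columns the post guesses at. The first character of each row is the tally code from ntpq's select-field table (space = reject, x = falsetick, . = excess, - = outlier, + = candidate, # = backup, * = sys.peer, o = pps.peer), and "reach" is an 8-bit shift register printed in octal: 377 means all of the last eight polls were answered, 0 means none. Rows 1-4 of the sample are the output quoted above; row 5 (203.0.113.7, refid .INIT., stratum 16) is constructed to show an unreachable source. The function names are mine.

```python
"""Decode `ntpq -p`: the tally code in column 1 and the octal reach register.

Added example, not code from the thread. Rows 1-4 of SAMPLE are the ntpq -p
output quoted in the post above; row 5 (203.0.113.7, .INIT.) is constructed
to show an unreachable source. Tally meanings follow ntpq's select-field table.
"""

TALLY = {
    " ": "reject: discarded as not valid (unreachable, bad stratum, or a sync loop)",
    "x": "falsetick: discarded by the intersection algorithm",
    ".": "excess: discarded by table overflow",
    "-": "outlier: discarded by the clustering algorithm",
    "+": "candidate: survivor, included in the combine algorithm",
    "#": "backup: survivor beyond tos maxclock, kept as a backup",
    "*": "sys.peer: the source ntpd is disciplining the clock from",
    "o": "pps.peer: PPS source disciplining the clock",
}
SURVIVORS = "+#*o"

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-104.245.32.240  162.213.2.253    2 u  776 1024  377   80.415   -8.341   0.239
*clocka.ntpjs.or 18.26.4.105      2 u  250 1024  377    9.780    0.361   0.556
+up2.com         195.219.14.21    2 u  490 1024  377   31.761   -1.224   0.474
+jarvis.arlen.io 17.253.2.253     2 u  477 1024  377   36.764   -2.368   4.547
 203.0.113.7     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_peer_line(line):
    """One ntpq -p row -> dict. The first character is the tally code, which
    may be a space, so it is taken before splitting on whitespace."""
    tally = line[0]
    fields = line[1:].split()
    if len(fields) != 10:
        raise ValueError("unexpected ntpq -p row: %r" % line)
    remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
    reach_bits = int(reach, 8)  # 8-bit shift register in octal; bit 0 = latest poll
    return {
        "tally": tally,
        "status": TALLY.get(tally, "unknown tally code %r" % tally),
        "remote": remote,
        "refid": refid,
        "stratum": int(st),  # 16 = source is not synchronised
        "type": t,           # u = unicast, b = broadcast client, l = local clock
        "when": None if when == "-" else when,
        "poll": int(poll),
        "reach": reach_bits,
        "polls_answered": bin(reach_bits).count("1"),  # out of the last 8
        "delay_ms": float(delay),
        "offset_ms": float(offset),
        "jitter_ms": float(jitter),
    }


def parse_ntpq(text):
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        peers.append(parse_peer_line(line))
    return peers


def system_peer(peers):
    for p in peers:
        if p["tally"] in "*o":
            return p
    return None


def survivors(peers):
    return [p for p in peers if p["tally"] in SURVIVORS]


def healthy(peers, min_survivors=3):
    """Sane client: a system peer exists and enough sources survived selection
    that ntpd had a majority to vote a single falseticker down."""
    return system_peer(peers) is not None and len(survivors(peers)) >= min_survivors


def report(text):
    """Human-readable line per source, e.g. for a monitoring check."""
    return ["%-16s reach=%03o (%d/8) st=%-2d offset=%+.3fms  %s" % (
                p["remote"], p["reach"], p["polls_answered"], p["stratum"],
                p["offset_ms"], p["status"]) for p in parse_ntpq(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("healthy:", healthy(parse_ntpq(SAMPLE)))
```

Feed it the real thing with `ntpq -pn | python3 thisfile.py`-style plumbing if you like; the two things worth alerting on are a missing "*" row (nothing is disciplining the clock) and a reach well below 377 on the sources you expect to be close.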

Darac Marjal

Jun 7, 2017, 11:00:07 AM
On Wed, Jun 07, 2017 at 10:35:23AM -0400, Gene Heskett wrote:
>On Wednesday 07 June 2017 08:56:59 ray wrote:
>
>> I would like to know the correct syntax for entering a server entry
>> for stretch.
>>
>> All the documentation I find says to list the ntp servers in the file
>> as: server 0.XX.pool.ntp.org
>> server 1.XX.pool.ntp.org
>>
>> An example source from 2017 is https://wiki.debian.org/DateTime
>>
>> When I open /etc/ntp.conf on my new stretch installation, I find this
>> format: pool 0.debian.pool.ntp.org iburst
>> pool 1.debian.pool.ntp.org iburst
>>
>> The latest Debian doc says to start the line with 'server'.
>> The latest Debian implementation starts the line with 'pool'.
>>
>> Are these interchangeable?

As I understand it "server" will do name resolution once and pick an IP
from the result. "pool" will periodically refresh the name and cycle to
a different member of the pool.

>>
>> Additionally, there is a parameter 'iburst' which I did not find in
>> the Debian docs but found at http://doc.ntp.org/4.1.1/confopt.htm

Did you install ntp-doc? Did you check there?

>>
>>
>> Thanks,
>> Ray
>
>Begin rant:
>
>From someone who is currently battling a fresh jessie install that didn't
>even come with ntpdate installed, and which using the above format
>in /etc/ntp.conf is still about 12 hours off on an rpi-3.
>
>Installing ntpdate and attempting to start it gets me a no servers found
>message, yet they are defined as discussed above, and the network is
>fully accessible to all other forms of communication.
>
>That doc on www.ntp.org is nice, but worthless to someone who just wants
>it to work. I have quite a zoo of machines here, and I see little
>advantage to each one banging on a network server, when it needs an
>update. But does it give even a hint of how to make this machine, or
>heaven forbid, my router, which keeps time via ntp, and which I believe
>has the time broadcast enabled, (its dd-wrt in a buffalo box) into a
>server that the rest of my machines can listen to to get the correct
>time. If I could achieve that, it would reduce the loading on the time
>servers at debian or pool.ntp.org by a factor of 5 or 6 just from my
>home network.

By a factor of 5 or 6? You think you own 5 or 6 times more servers than
everyone else combined? (I think you just mean "reduce [...] by 5 or
6").

Does your router inform other devices on the network that it should be
used as a time server? In the DHCP specification there is an option
called "time-servers". The idea is that a network administrator sets
this to be the approved time servers for the network and clients
synchronise to that. In debian, this is facilitated by
/etc/dhcp/dhclient-exit-hooks.d/ntp (at least, if you use the ISC DHCP
client). That script will read the "time-servers" option from the DHCP
packet, write /var/lib/ntp/ntp.conf.dhcp and ensure that file is
included from your main ntp.conf. As far as I'm aware, this is default
behaviour.

>
>But a manpage that actually tells us how to do that must be sick bird,
>because its not been written yet. Man page writers please get real, and
>tell us how to do something like getting our home networks all
>synchronized to our routers which can then broadcast it to the rest of
>our network.

There's an XY problem here. You probably shouldn't put this information
into the NTP man pages, as it's not NTP that's doing the work. The
information about the "time-servers" option *is* in the DHCP manpage,
but probably there's no information about the specific hook being
included.

If the NTP hook is Debian-specific, then... I don't know where that
should be documented. If it's upstream, then... Well, if every project
documented every decision for creating every file, then there'd be a lot
to wade through.

>
>Such a scheme can easily keep us on time with any errors within a few
>milliseconds, more than adequate enough for the girls I go with. While
>reducing the load on the servers by at least 80%.
>
>So how about a manpage that tells us how to do that? If its not illegal
>according to some rfc that is.
>
>Rant off.
>
>Thanks for reading.
>
>Cheers, Gene Heskett
>--
>"There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
>-Ed Howdershelt (Author)
>Genes Web page <http://geneslinuxbox.net:6309/gene>
>

--
For more information, please reread.

Kushal Kumaran

Jun 7, 2017, 11:00:07 AM
ray <r...@aarden.us> writes:

> I would like to know the correct syntax for entering a server entry for stretch.
>
> All the documentation I find says to list the ntp servers in the file as:
> server 0.XX.pool.ntp.org
> server 1.XX.pool.ntp.org
>
> An example source from 2017 is https://wiki.debian.org/DateTime
>
> When I open /etc/ntp.conf on my new stretch installation, I find this format:
> pool 0.debian.pool.ntp.org iburst
> pool 1.debian.pool.ntp.org iburst
>
> The latest Debian doc says to start the line with 'server'.
> The latest Debian implementation starts the line with 'pool'.
>
> Are these interchangeable?
>

No. A server entry will setup a single NTP server. A pool entry can
setup several. You can experiment by configuring a single pool and then
looking at how many peers are reported by ntpq -c peers. I don't know
the details of how it works, but I'm guessing "server" looks up IPs for
hostname and uses only one of those (like typical uses of hostname),
while "pool" looks up IPs and uses all of them.

> Additionally, there is a parameter 'iburst' which I did not find in the Debian docs but found at http://doc.ntp.org/4.1.1/confopt.htm
>
>
> Thanks,
> Ray

--
regards,
kushal

Greg Wooledge

Jun 7, 2017, 11:10:06 AM
On Wed, Jun 07, 2017 at 03:54:26PM +0100, Darac Marjal wrote:
> As I understand it "server" will do name resolution once and pick an IP
> from the result. "pool" will periodically refresh the name and cycle to
> a different member of the pool.

Really? Why isn't this documented? Is it simply urban legend passed
from user to user?

I largely agree with Gene. The man pages are incredibly silly. They
don't tell you how to do the Most Basic Common Thing. Instead they
talk about "type s and r addresses" and "a preemptable association
is mobilized" and "mobilizes a persistent symmetric-active mode
association" and "type b and m addresses" and other such gibberish.

I guess I'll try changing one of my intranet time servers from "server"
to "pool" and see what happens.

Darac Marjal

Jun 7, 2017, 11:20:04 AM
On Wed, Jun 07, 2017 at 03:54:26PM +0100, Darac Marjal wrote:
>On Wed, Jun 07, 2017 at 10:35:23AM -0400, Gene Heskett wrote:
>>On Wednesday 07 June 2017 08:56:59 ray wrote:
>>
>>>I would like to know the correct syntax for entering a server entry
>>>for stretch.
>>>
>>>All the documentation I find says to list the ntp servers in the file
>>>as: server 0.XX.pool.ntp.org
>>>server 1.XX.pool.ntp.org
>>>
>>>An example source from 2017 is https://wiki.debian.org/DateTime
>>>
>>>When I open /etc/ntp.conf on my new stretch installation, I find this
>>>format: pool 0.debian.pool.ntp.org iburst
>>>pool 1.debian.pool.ntp.org iburst
>>>
>>>The latest Debian doc says to start the line with 'server'.
>>>The latest Debian implementation starts the line with 'pool'.
>>>
>>>Are these interchangeable?
>
>As I understand it "server" will do name resolution once and pick an IP
>from the result. "pool" will periodically refresh the name and cycle to
>a different member of the pool.

See also https://www.eecis.udel.edu/~mills/ntp/html/confopt.html#pool
My mistake, the correct option is "ntp-servers".

https://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.12.

Joshua Schaeffer

Jun 7, 2017, 11:30:04 AM
On Wed, Jun 7, 2017 at 9:06 AM, Greg Wooledge <woo...@eeg.ccf.org> wrote:
> I largely agree with Gene.  The man pages are incredibly silly.  They
> don't tell you how to do the Most Basic Common Thing.  Instead they
> talk about "type s and r addresses" and "a preemptable association
> is mobilized" and "mobilizes a persistent  symmetric-active  mode
> association" and "type b and m addresses" and other such gibberish.

That is one of the ideas behind the info pages. Man pages have always been technically oriented and are generally very focused. They don't really offer context. Now, I'm not saying that info pages accomplish this (some do, some don't), but that was one of the original ideas behind info pages, is to be more real world and comprehensive. There are trade offs to both approaches.

You typically get a dichotomy of groups about man pages and documentation in general. Some people prefer the more technical nature of the man pages, while others find it frustrating. Can be further exacerbated by the fact that people tell other people to RTFM, but even reading a man page top to bottom doesn't help when it actually comes to setting up a piece of software (as you probably experienced yourself).

In general man pages are more helpful when you already understand the software in question and are looking for specific information.

Thanks,
Joshua Schaeffer

Greg Wooledge

Jun 7, 2017, 11:50:05 AM
Hey look, there's already a bug open:

<https://bugs.debian.org/803709> "ntp: Please document 'pool' in ntp.conf"

Filed November 1, 2015.

Except... it's not open. It's been closed. They sat on it for two
years until the stretch freeze, and then "fixed" it in experimental.
So we won't even get it in stretch.

Henrique de Moraes Holschuh

Jun 7, 2017, 12:10:04 PM
On Wed, 07 Jun 2017, Greg Wooledge wrote:
> On Wed, Jun 07, 2017 at 03:54:26PM +0100, Darac Marjal wrote:
> > As I understand it "server" will do name resolution once and pick an IP
> > from the result. "pool" will periodically refresh the name and cycle to
> > a different member of the pool.
>
> Really? Why isn't this documented? Is it simply urban legend passed

It is. In the full documentation, package ntp-doc.

--
Henrique Holschuh

John Hasler

Jun 7, 2017, 12:10:06 PM
Remove Ntp and install Chrony.
--
John Hasler
jha...@newsguy.com
Elmwood, WI USA

Brian

Jun 7, 2017, 12:30:06 PM
On Wed 07 Jun 2017 at 10:30:54 -0500, John Hasler wrote:

> Remove Ntp and install Chrony.

Too easy. There would be nothing to rant about. :)

https://chrony.tuxfamily.org/comparison.html

--
Brian.

Jim Ohlstein

Jun 7, 2017, 12:40:05 PM
Hello,
$ sudo ntpdate -s pool.ntp.org
--
Jim Ohlstein
Professional Mailman Hosting
https://mailman-hosting.com/

Gene Heskett

Jun 7, 2017, 7:10:08 PM
On Wednesday 07 June 2017 10:54:26 Darac Marjal wrote:

> On Wed, Jun 07, 2017 at 10:35:23AM -0400, Gene Heskett wrote:
> >On Wednesday 07 June 2017 08:56:59 ray wrote:
> >> I would like to know the correct syntax for entering a server entry
> >> for stretch.
> >>
> >> All the documentation I find says to list the ntp servers in the
> >> file as: server 0.XX.pool.ntp.org
> >> server 1.XX.pool.ntp.org
> >>
> >> An example source from 2017 is https://wiki.debian.org/DateTime
> >>
> >> When I open /etc/ntp.conf on my new stretch installation, I find
> >> this format: pool 0.debian.pool.ntp.org iburst
> >> pool 1.debian.pool.ntp.org iburst
> >>
> >> The latest Debian doc says to start the line with 'server'.
> >> The latest Debian implementation starts the line with 'pool'.
> >>
> >> Are these interchangeable?
>
> As I understand it "server" will do name resolution once and pick an
> IP from the result. "pool" will periodically refresh the name and
> cycle to a different member of the pool.
>
> >> Additionally, there is a parameter 'iburst' which I did not find in
> >> the Debian docs but found at http://doc.ntp.org/4.1.1/confopt.htm
>
> Did you install ntp-doc? Did you check there?

I haven't gotten around to checking that, it's on a raspberry pi3b, which
has a fan on its heat sinks, but isn't terribly stable, I've locked it
up tight at least a dozen times so far today with my horsing around.

But I did appear to get ntp to do its job, by adding "server " in front
of the fqdn's in /etc/ntp.conf.

[...]

Now, if I could just make it use the routers broadcasts. Or could at
least prove it is broadcasting. Yes it is, I caught a broadcast at
xx.xx.xx.255:

14:16:14.760909 IP coyote.coyote.den.ntp > xx.xx.xx.255.ntp: NTPv4,
Broadcast, length 48

So it is broadcasting. Now the trick is to make the rest of my machines
use it. Hints & examples welcomed.

And I did install ntp-doc just now. A wee bit more verbose, but still no
examples.

Teemu Likonen

Jun 8, 2017, 2:40:04 AM
John Hasler [2017-06-07 10:30:54-05] wrote:

> Remove Ntp and install Chrony.

Or remove both of those and run:

sudo timedatectl set-ntp true

And that's about it.

--
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

Curt

Jun 8, 2017, 3:20:05 AM
On 2017-06-08, Teemu Likonen <tlik...@iki.fi> wrote:
>
> John Hasler [2017-06-07 10:30:54-05] wrote:
>
>> Remove Ntp and install Chrony.
>
> Or remove both of those and run:
>
> sudo timedatectl set-ntp true
>
> And that's about it.
>

I forgot about the built-in systemd-timesyncd.

Only functions as a client, though. And the OP's still on Wheezy, I
believe. But aside from that, good suggestion.

https://wiki.archlinux.org/index.php/Systemd-timesyncd

--
"It might be a vision--of a shell, of a wheelbarrow, of a fairy kingdom on the
far side of the hedge; or it might be the glory of speed; no one knew." --Mrs.
Ramsay, speculating on why her little daughter might be dashing about, in "To
the Lighthouse," by Virginia Woolf.

Darac Marjal

Jun 8, 2017, 8:30:04 AM
Apparently, the word "broadcastclient" in ntp.conf is what you want:

broadcastclient
Enable reception of broadcast server messages to any local interface
(type b address). Ordinarily, upon receiving a broadcast message
for the first time, the broadcast client measures the nominal server
propagation delay using a brief client/server exchange, after which
it continues in listen-only mode. If a nonzero value is specified in
the broadcastdelay command, the value becomes the delay and the
volley is not executed. Note: the novolley option has been
deprecated for future enhancements. Note that, in order to avoid
accidental or malicious disruption in this mode, both the server and
client should operate using symmetric key or public key
authentication as described in the Authentication Options page. Note
that the volley is required with public key authentication in order
to run the Autokey protocol.

This information IS in the ntp.conf manpage, and fairly apparent if
searching that for the word "broadcast".

>
>14:16:14.760909 IP coyote.coyote.den.ntp > xx.xx.xx.255.ntp: NTPv4,
>Broadcast, length 48
>
>So it is broadcasting. Now the trick is to make the rest of my machines
>use it. Hints & examples welcomed.
>
>And I did install ntp-doc just now. A wee bit more verbose, but still no
>examples.
>
>Cheers, Gene Heskett
>--
>"There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
>-Ed Howdershelt (Author)
>Genes Web page <http://geneslinuxbox.net:6309/gene>
>


Adiel Plasencia Herrera

Jun 8, 2017, 8:50:04 AM
How to generate the certificate and the key to make a very 
basic  configuration of the https connection.

As basic as possible.
regards
Date: Thu, 8 Jun 2017 01:04:31 +1200
From: Amos Jeffries <squ...@treenet.co.nz>
To: squid...@lists.squid-cache.org
Subject: Re: [squid-users] https_port
Message-ID: <764ecd5f-6f6c-0eb5...@treenet.co.nz>
Content-Type: text/plain; charset=utf-8; format=flowed

On 08/06/17 03:28, Adiel Plasencia Herrera wrote:
>
> Hello,
>
> They would help me with a configuration of my squid that I want to
> implement.
>
> My proxy passes all traffic to a parent proxy and I want clients to
> connect to my proxy via https.
>
> Can you help me how to implement the connection to my proxy via https?
>
> To better explain what I want attached 2 pictures. The image with
> 1.jpg name shows my proxy configuration with type HTTp that connects
> well to internet.
>
> What I want is for the connection to my proxy to be by the form of the
> 2.jpg image that uses the HTTPS type.
>
> Or if it is possible then leave the 2 forms.

What operating system are you using, and what applications are you
wanting to use this proxy connection?

The normal configuration is simply to add an https_port line with cert=
parameter to your squid.conf. More details on that below.

>
>
> This is my current configuration:
> acl trabajadores src 10.5.7.3 10.5.7.5
> <snip>
>
> http_access allow trabajadores
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Your custom http_access rules ("allow trabajadores") should be down here
after the basic security checks.

> http_access deny all
>
>
> http_port 3128

The above port is for receiving plain-text connections to the proxy.
Most software supports this, with a few exceptions (usually Java apps).

To accept TLS connections to the proxy (not HTTPS *over* the proxy),
what you do is add an https_port line here. That https_port line needs
a cert= parameter containing the proxy server certificate. You may need
other TLS/SSL parameters to fine tune what the TLS does, but just start
with getting that basic setup to work.
<http://www.squid-cache.org/Doc/config/https_port/>

For example:
 https_port 3129 cert=/etc/squid/proxy.pem

(the proxy.pem file here contains both the public server cert and
private server key for that cert).

Many GUI applications (most notably browsers) do not support this type
of connection to a proxy (or not well if they do). Which is where the
Q's about your OS and applications come in. You may need to setup
environment variables or PAC files to get the applications to work.

Note that this is a *very* different situation to intercepting port 443
traffic. Much more different than port 3128 vs. intercepted port 80.
HTTPS traffic goes through these TLS proxy connections with
double-layered encryption, so this setup does *not* magically make the
proxy able to see inside HTTPS if that is what you are really after.

Amos

Darac Marjal

Jun 8, 2017, 9:30:06 AM
On Thu, Jun 08, 2017 at 08:41:14AM -0700, Adiel Plasencia Herrera wrote:
> How to generate the certificate and the key to make a very
> basic configuration of the https connection.

NTP doesn't use HTTPS. It uses its own port, its own protocol and
implements standard cryptography in a manner more suited to the
protocol.

See https://www.eecis.udel.edu/~mills/ntp/html/autokey.html for more
details.
> [1]http://www.squid-cache.org/Doc/config/https_port/>
>
> For example:
> https_port 3129 cert=/etc/squid/proxy.pem
>
> (the proxy.pem file here contains both the public server cert and
> private server key for that cert).
>
> Many GUI applications (most notably browsers) do not support this type
> of connection to a proxy (or not well if they do). Which is where the
> Q's about your OS and applications come in. You may need to setup
> environment variables or PAC files to get the applications to work.
>
>
> Note that this is a *very* different situation to intercepting port 443
> traffic. Much more different than port 3128 vs. intercepted port 80.
> HTTPS traffic goes through these TLS proxy connections with
> double-layered encryption, so this setup does *not* magically make the
> proxy able to see inside HTTPS if that is what you are really after.
>
> Amos
>
>References
>
> Visible links
> 1. http://www.squid-cache.org/Doc/config/https_port/

Gene Heskett

Jun 8, 2017, 9:40:04 AM
On Thursday 08 June 2017 01:54:41 Teemu Likonen wrote:

> John Hasler [2017-06-07 10:30:54-05] wrote:
> > Remove Ntp and install Chrony.
>
> Or remove both of those and run:
>
> sudo timedatectl set-ntp true
>
> And that's about it.

And it looks like this may have solved my pi's clock problem. pi's do not
have a hardware clock, only a software clock.

My router keeps ntp time, and broadcasts it from time to time. And I'd
like to use that broadcast to sync the rest of my home network's machines
as opposed to having nearly a dozen machines querying the internet's
time servers at pool.ntp.net.
I see, after having stopped ntp, and issued the set-ntp true, htop shows
a couple copies of /lib/systemd/systemd-timesyncd running, clear at the
bottom of the sorted by cpu listing, and that issuing a timedatectl as
the user elicits this response:

pi@picncsheldon:/etc $ timedatectl
Local time: Thu 2017-06-08 03:38:58 EDT
Universal time: Thu 2017-06-08 07:38:58 UTC
RTC time: n/a
Time zone: America/New_York (EDT, -0400)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2017-03-12 01:59:59 EST
Sun 2017-03-12 03:00:00 EDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2017-11-05 01:59:59 EDT
Sun 2017-11-05 01:00:00 EST

Which looks to me to have solved my problem on an armhf/jessie with a
realtime kernel, which I need to pin as the application cannot run with
a stock kernel.

I thank you very much. Works a treat on a pi/jessie install.

But for my wheezy machines, neither ntpd nor chrony has a listen to
address command that I can find. Chrony is working but it's banging on
servers all over the planet. No better or worse than ntp IMNSHO.

Why can't it simply listen to the broadcasts my router is doing?

Perhaps an even better question is why, when I run chronyc as root,
everything I try to do except look at the stats, is a 501/denied return.
Isn't chronyc supposed to be the command and control facility? But it
cannot control anything, only show sources and stats.

Thanks for any chrony as client clues shared.

Gene Heskett

Jun 8, 2017, 10:10:04 AM
Ok, on my test machine I have reinstalled ntp, and edited its .conf file,
commenting out the server pool, and enabled the noauth and
broadcastclient options at the bottom of that file. So we will see in
due time if it's actually using it. That particular machine has a quite
low drift clock.

I must say that I am impressed with timedatectl, a systemd clock manager,
but it's not available to a wheezy install.

Thank you.

Henrique de Moraes Holschuh

Jun 8, 2017, 11:00:06 AM
On Thu, 08 Jun 2017, Darac Marjal wrote:
> On Thu, Jun 08, 2017 at 08:41:14AM -0700, Adiel Plasencia Herrera wrote:
> >How to generate the certificate and the key to make a very
> >basic configuration of the https connection.
>
> NTP doesn't use HTTPS. It uses its own port, its own protocol and
> implements standard cryptography in a manner more suited to the
> protocol.
>
> See https://www.eecis.udel.edu/~mills/ntp/html/autokey.html for more
> details.

Don't bother with autokey, it is not worth the pain. If you can use ntp
symmetric key authentication, that one should take care of your servers
well enough.

There is no security for anything that is based on SNTP, though (that
"S" is for Simple, not Secure), you'd have to do it in a lower layer
(local firewall, IPSEC AH, whatever).

--
Henrique Holschuh
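Darac's broadcastclient excerpt above says both ends should authenticate "to avoid accidental or malicious disruption", Gene's tcpdump line shows a 48-byte broadcast (a bare NTPv4 header, so no MAC at all), and Henrique recommends symmetric-key authentication over Autokey. The following Python is an added example, not code from the thread or from ntpd, showing what that symmetric-key MAC is on the wire and what a key-checking client would accept or reject. The key ids, key bytes, the timestamp and the refid are constructed; the MAC layout (4-byte key id followed by a digest over key || packet, per RFC 5905 section 7.3) is the one ntpd's keys/trustedkey mechanism uses.

```python
"""NTPv4 symmetric-key MAC (RFC 5905, section 7.3): key id || digest(key || packet).

Added example, not ntpd code and not from the thread. Keys, key ids and the
timestamp are constructed. A bare 48-byte header is the "length 48" broadcast
seen in the tcpdump line above; with an MD5 MAC it is 68 bytes, with SHA1 72.
"""
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN = 48
MODE_BROADCAST = 5

# Constructed keys, shaped like ntp.keys entries "1 MD5 <ascii>" / "2 SHA1 <hex>".
KEYS = {
    1: ("md5", b"lan-bcast-key-2017"),
    2: ("sha1", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")),
}


def ntp_timestamp(unix_seconds):
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac)


def build_header(mode, stratum, poll, transmit_unix, refid=b"GPS\x00"):
    """48-byte NTPv4 header, LI=0, VN=4, no extension fields."""
    first = struct.pack("!BBbb", (4 << 3) | mode, stratum, poll, -20)  # precision 2^-20
    root = struct.pack("!II", 0, 0)  # root delay, root dispersion
    ts = ntp_timestamp(transmit_unix)
    zero = b"\x00" * 8  # origin and receive timestamps are unused in broadcast mode
    return first + root + refid + ts + zero + zero + ts


def mode_of(packet):
    return packet[0] & 0x07


def append_mac(packet, keyid, key, digest="md5"):
    """Append the MAC the way ntpd does: 4-byte key id, then H(key || packet)."""
    h = hashlib.new(digest)
    h.update(key)
    h.update(packet)
    return packet + struct.pack("!I", keyid) + h.digest()


def verify_mac(packet, keys):
    """Return (ok, reason). keys maps trusted key ids to (digest name, key bytes)."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    if len(packet) == HEADER_LEN:
        return False, "no MAC: unauthenticated packet"
    body, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]  # assumes no extension fields
    if len(mac) not in (4 + 16, 4 + 20):
        return False, "unexpected MAC length %d" % len(mac)
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys:
        return False, "key id %d is not in trustedkey" % keyid
    digest, key = keys[keyid]
    h = hashlib.new(digest)
    if h.digest_size != len(mac) - 4:
        return False, "MAC length does not match the digest of key %d" % keyid
    h.update(key)
    h.update(body)
    if not hmac.compare_digest(h.digest(), mac[4:]):  # constant-time compare
        return False, "digest mismatch: wrong key or tampered packet"
    return True, "authenticated with key %d" % keyid


def demo():
    """What a broadcastclient with keys/trustedkey would accept or reject."""
    genuine = build_header(MODE_BROADCAST, 2, 6, 1496859374.76)
    tampered = bytearray(append_mac(genuine, 1, KEYS[1][1]))
    tampered[1] = 1  # rogue host rewrites stratum 2 -> 1 after the fact
    return {
        "plain": verify_mac(genuine, KEYS)[0],
        "md5": verify_mac(append_mac(genuine, 1, KEYS[1][1]), KEYS)[0],
        "sha1": verify_mac(append_mac(genuine, 2, KEYS[2][1], "sha1"), KEYS)[0],
        "wrong_key": verify_mac(append_mac(genuine, 1, b"guess"), KEYS)[0],
        "unknown_id": verify_mac(append_mac(genuine, 9, KEYS[1][1]), KEYS)[0],
        "tampered": verify_mac(bytes(tampered), KEYS)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-10s %s" % (name, "accept" if ok else "reject"))
```

The ntp.conf side of this, with 192.0.2.255 standing in for the LAN broadcast address and /etc/ntp.keys holding a line such as "1 MD5 lan-bcast-key-2017" with the same key on every host (root-only readable), is: on the broadcasting host "keys /etc/ntp.keys", "trustedkey 1" and "broadcast 192.0.2.255 key 1"; on each client "keys /etc/ntp.keys", "trustedkey 1" and "broadcastclient", leaving authentication enabled. The commented "disable auth" example in the Debian file is exactly the setting that makes the "plain", "wrong_key" and "tampered" packets above acceptable to any client that hears them, which is why Darac's excerpt insists on keys for this mode. On the wire the difference is visible in tcpdump: an authenticated broadcast reports length 68 (MD5) or 72 (SHA1), not 48.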

Adiel Plasencia Herrera

Jun 8, 2017, 11:20:05 AM
Hello,
I am not looking for security. The thing is that, having no real internet IP in my company, I need certain programs to get to the internet, and for that I use proxycap (http://www.proxycap.com/), which performs this function perfectly through the proxy. What happens is that with HTTP it does not work, and I need to switch my squid to use HTTPS authentication for the program (proxycap) to work well.

A friend told me that for https_port to work I needed validated certificates, not self-generated ones. I do not know to what extent this has to be so, because the configuration I need is customized for me only and would be internal to my company, which does not have visibility to the internet, because this squid is a child of another one that is the one that has the real internet IP.

I need the help to correctly create those certificates and the options to put in the line https_port.

I am very novice in squid and linux.

Thank you

Darac Marjal

Jun 8, 2017, 11:30:06 AM
On Thu, Jun 08, 2017 at 11:18:16AM -0700, Adiel Plasencia Herrera wrote:
> Hello,
> I am not looking for security. The thing is that, having no real
> internet IP in my company, I need certain programs to get to the
> internet, and for that I use proxycap (http://www.proxycap.com/), which
> performs this function perfectly through the proxy. What happens is that
> with HTTP it does not work, and I need to switch my squid to use HTTPS
> authentication for the program (proxycap) to work well.

I don't think squid works with NTP at all, but it's been a few years
since I played with Squid, so maybe someone else will be able to give
better advice.

>
> A friend told me that for https_port to work I needed validated
> certificates, not self-generated ones. I do not know to what extent
> this has to be so, because the configuration I need is customized for
> me only and would be internal to my company, which does not have
> visibility to the internet, because this squid is a child of another
> one that is the one that has the real internet IP.
>
> I need the help to correctly create those certificates and the
> options to put in the line https_port.
>
> I am very novice in squid and linux.
>
> Thank you
>
> -----Original Message-----
> From: Henrique de Moraes Holschuh <h...@debian.org>
> To: debia...@lists.debian.org
> Date: Thu, 8 Jun 2017 11:55:38 -0300
> Subject: Re: https_port
>
> On Thu, 08 Jun 2017, Darac Marjal wrote:
> > On Thu, Jun 08, 2017 at 08:41:14AM -0700, Adiel Plasencia Herrera
> wrote:
> > >How to generate the certificate and the key to make a very
> > >basic  configuration of the https connection.
> >
> > NTP doesn't use HTTPS. It uses its own port, it's own protocol
> and
> > implements standard cryptography in a manner more suited to the
> > protocol.
> >
> > See [1]https://www.eecis.udel.edu/~mills/ntp/html/autokey.html
> for more
> > details.
>
> Don't bother with autokey, it is not worth the pain.  If you can
> use ntp
> symmetric key authentication, that one should take care of your
> servers
> well enough.
>
> There is no security for anything that is based on SNTP, though
> (that
> "S" is for Simple, not Secure), you'd have to do it in a lower
> layer
> (local firewall, IPSEC AH, whatever).
>
> --
>   Henrique Holschuh
>
>References
>
> Visible links
> 1. https://www.eecis.udel.edu/~mills/ntp/html/autokey.html

Greg Wooledge

Jun 8, 2017, 11:40:04 AM6/8/17
On Thu, Jun 08, 2017 at 04:25:11PM +0100, Darac Marjal wrote:
> On Thu, Jun 08, 2017 at 11:18:16AM -0700, Adiel Plasencia Herrera wrote:
> > Hello,
> > I do not look for security, is that having no real internet ip in my
> > company I need certain programs to go to the internet and for that I
> > use proxycap (http://www.proxycap.com/) that makes me this function
> > perfectly through the proxy . What happens is that with HTTP does not
> > work and I need to pass my squid to use HTTPS authentication for the
> > program (proxycap) to work well.
>
> I don't think squid works with NTP at all, but it's been a few years
> since I played with Squid, so maybe someone else will be able to give
> better advice.

I don't think he's *asking* about NTP at all.

Darac Marjal

Jun 8, 2017, 11:50:05 AM6/8/17
Ah. You mean he's a politician (replying to a topic by introducing one's
own, unrelated, topic)?

Adiel Plasencia Herrera

Jun 8, 2017, 12:00:04 PM6/8/17
I just do not understand how to respond in the list, maybe I did wrong and that's why they are confused, I beg my apologies if it is so.
I'm not talking about NTP, in fact I do not know what it is.
Yesterday I sent my question hbaia with the subject https_port but when I answered I did not know how it was to respond again and what I did was create an email and send it to the list with the subject Re: https_port.
This was the one that wanted to respond

 
-----Original Message-----
From: Darac Marjal <maili...@darac.org.uk>
To: debia...@lists.debian.org

Jim Ohlstein

Jun 8, 2017, 1:10:04 PM6/8/17
Hello,

On Thu, 2017-06-08 at 11:51 -0700, Adiel Plasencia Herrera wrote:
> I just do not understand how to respond in the list, maybe I did
> wrong and that's why they are confused, I beg my apologies if it is
> so.
> I'm not talking about NTP, in fact I do not know what it is.
> Yesterday I sent my question hbaia with the subject https_port but
> when I answered I did not know how it was to respond again and what I
> did was create an email and send it to the list with the subject Re:
> https_port.
> This was the one that wanted to respond
> Http://lists.squid-cache.org/pipermail/squid-users/2017-June/015565.html

While you're figuring out how to use a mailing list, please also set
the clock on your computer correctly.

Charlie Kravetz

Jun 9, 2017, 10:40:06 AM6/9/17
On Thu, 08 Jun 2017 11:51:35 -0700
"Adiel Plasencia Herrera" <adi...@estereocentro.icrt.cu> wrote:

>I just do not understand how to
>respond in the list, maybe I did wrong and that's why they are confused, I
>beg my apologies if it is so.
>
>I'm not talking about NTP, in fact I do not know what it is.
>
>Yesterday I sent my question hbaia with the subject https_port but
>when I answered I did not know how it was to respond again and what I did
>was create an email and send it to the list with the subject Re:
>https_port.
>
>This was the one that wanted to respond
>
>Http://lists.squid-cache.org/pipermail/squid-users/2017-June/015565.html
>
>-----Original Message-----
>From: Darac Marjal <maili...@darac.org.uk>
>To: debia...@lists.debian.org
>Date: Thu, 8 Jun 2017 16:43:57 +0100
>Subject: Re: https_port
>
>On Thu, Jun 08, 2017 at 11:34:20AM -0400, Greg Wooledge wrote:
>>On Thu, Jun 08, 2017 at 04:25:11PM +0100, Darac Marjal wrote:
>>> On Thu, Jun 08, 2017 at 11:18:16AM -0700, Adiel Plasencia Herrera wrote:
>>> > Hello,
>>> > I do not look for security, is that having no real internet ip in my
>>> > company I need certain programs to go to the internet and for that I
>>> > use proxycap (http://www.proxycap.com/) that makes me this function
>>> > perfectly through the proxy . What happens is that with HTTP does not
>>> > work and I need to pass my squid to use HTTPS authentication for the
>>> > program (proxycap) to work well.
>>>
>>> I don't think squid works with NTP at all, but it's been a few years
>>> since I played with Squid, so maybe someone else will be able to give
>>> better advice.
>>
>>I don't think he's *asking* about NTP at all.
>
>Ah. You mean he's a politician (replying to a topic by introducing one's
>own, unrelated, topic)?

When replying to the mailing list, hit reply. Do not use "Reply to
All", since that sends individual emails to the person you are
answering. Most people are members of the mailing list, and do not want
individual emails. If there is a "Reply to mailing list", it is okay to
use that. The subject should fill itself in.

When asking a question on the mailing list, hit "New Message" or
"Compose". Use a statement in the Subject to describe what you are
asking, and tell us in the message body what you need. The more
information you give, the better the answers you will get.

--
Charlie Kravetz
Linux Registered User Number 425914
[http://linuxcounter.net/user/425914.html]
Never let anyone steal your DREAM. [http://keepingdreams.com]

Nicolas George

Jun 9, 2017, 10:50:04 AM6/9/17
On primidi 21 prairial, year CCXXV, Charlie Kravetz wrote:
> When replying to the mailing list, hit reply. Do not use "Reply to
> All", since that sends individual emails to the person you are
> answering.

This recommendation is unsustainable and should be eliminated from the
guidelines. It only exists because the mailing-list server is not
configured correctly.

The reply-to-list feature is flawed because it requires the user to give
special attention each time "am I replying to a personal mail or to a
mailing-list"? The correct behaviour should be the default, always,
because that is the only way to minimize mistakes. This is what happens
with mailing-list servers properly configured.

When replying to a mail, any mail, use reply-to-all, unless you actively
know you want to reply to an unusual subset of recipients. (But heed the
reply-to headers, of course.)

If somebody complains, tell them to set up their mail headers, just as I
did mine.

Regards,

--
Nicolas George

The Wanderer

Jun 9, 2017, 11:20:03 AM6/9/17
On 2017-06-09 at 10:47, Nicolas George wrote:

> On primidi 21 prairial, year CCXXV, Charlie Kravetz wrote:
>
>> When replying to the mailing list, hit reply. Do not use "Reply to
>> All", since that sends individual emails to the person you are
>> answering.
>
> This recommendation is unsustainable and should be eliminated from
> the guidelines. It only exists because the mailing-list server is
> not configured correctly.
>
> The reply-to-list feature is flawed because it requires the user to
> give special attention each time "am I replying to a personal mail or
> to a mailing-list"? The correct behaviour should be the default,
> always, because that is the only way to minimize mistakes. This is
> what happens with mailing-list servers properly configured.

Agreed.

> When replying to a mail, any mail, use reply-to-all, unless you
> actively know you want to reply to an unusual subset of recipients.
> (But heed the reply-to headers, of course.)

Disagreed. This results in sending extra copies to people who are
subscribed to the list, which is incorrect. The only time you should
send a copy of a message both to the list and to someone who is
subscribed to the list is when you specifically want to draw that
person's attention to that particular message, e.g. if you think they
might otherwise miss it among the rest of the list traffic, or if you
have the mistaken impression that they are not subscribed to the list.

Just as it's bad to require the user to check "am I replying to a
personal mail or to the mailing list?" every time, it's equally bad to
require the user to check "did this reply include addressees which it
shouldn't, or omit ones which it should?" every time. Using "Reply to
All" as your default action leads to the latter situation.

Ideally, things would be configured so that simple Reply would work
correctly in all cases (and I have indistinct memories of mailing-list
discussions in years long past where this seemed to in fact be the
case); however, I'm not certain of how to achieve that in practice.
Regardless, Reply-to-All as the "use as baseline default" is simply not
a good approach.

> If somebody complains, tell them to set up their mail headers, just as
> I did mine.

Are there pages out there documenting how to configure various mail
clients (much less Webmail!) to do this automatically?

Because tweaking mail headers by hand on every reply is unwieldy and
impractical, and people are simply not going to do that.

--
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw


Fungi4All

Jun 9, 2017, 11:20:03 AM6/9/17
> On primidi 21 prairial, year CCXXV, Charlie Kravetz wrote:
> > When replying to the mailing list, hit reply. Do not use "Reply to
> > All", since that sends individual emails to the person you are
> > answering.
>
> This recommendation is unsustainable and should be eliminated from the
> guidelines. It only exists because the mailing-list server is not
> configured correctly.
>
> The reply-to-list feature is flawed because it requires the user to give
> special attention each time "am I replying to a personal mail or to a
> mailing-list"? The correct behaviour should be the default, always,
> because that is the only way to minimize mistakes. This is what happens
> with mailing-list servers properly configured.

Right before I replied to xorriso Thomas and the reply went personal. I hit reply
to this message and it is going to the list. So I agree with you, it is always
easier to delete the unwanted than to edit an addition and/or both.

> When replying to a mail, any mail, use reply-to-all, unless you actively
> know you want to reply to an unusual subset of recipients. (But heed the
> reply-to headers, of course.)

I think it seems affected by the post of each member and transmits some
but not all headers for threading. I can't explain it otherwise.
Even if the list was misconfigured it should have been consistent for all
messages and all recipients. Here we have supernatural evidence of a ghost
in the machine.
Whatever happened to bounce instead of forward? Is it illegal now? Is this
list utilizing this action, bouncing instead of trimming and forwarding?

> If somebody complains, tell them to set up their mail headers, just as I
> did mine.

and some laxatives for side dish.

> Regards,
> Nicolas George

Gene Heskett

Jun 9, 2017, 11:30:06 AM6/9/17
Or use an email agent that does properly support a "reply to mailing
list" function. Such as this old kmail still included as part of the
tde (trinity) desktop.

I do not use the reply-all format unless I am aware the OP is not
subscribed. Those mailing lists I am subscribed to that do not require
the poster to be subscribed are also flooded with spam. And debian-user
is one such list, and because of that, and my ISP's reject policy, I get
threats from bendel of being unsubscribed because of bounces. It will
never happen because when I get the bounce msg from bendel, it's obvious
why mail.shentel.net rejected it. IMO debian needs to fix that, but it's
been made very clear that they will not go to a subscription required to
post model. Ever. Sigh.... It is what it is.

Nicolas George

Jun 9, 2017, 12:00:04 PM6/9/17
On primidi 21 prairial, year CCXXV, The Wanderer wrote:
> Disagreed. This results in sending extra copies to people who are
> subscribed to the list, which is incorrect.

Not if the list is properly configured.

Debian's lists are badly configured, it results in burden to all users,
but the users should reject that burden. I do.

I will not answer Gene's message, he obviously missed the whole point of
my mail.

Regards,

--
Nicolas George

The Wanderer

Jun 9, 2017, 3:20:04 PM6/9/17
On 2017-06-09 at 11:57, Nicolas George wrote:

> On primidi 21 prairial, year CCXXV, The Wanderer wrote:
>
>> Disagreed. This results in sending extra copies to people who are
>> subscribed to the list, which is incorrect.
>
> Not if the list is properly configured.

What configuration would avoid this result, when using "Reply to All"?

When using "Reply", a mailing-list configuration which sets Reply-To to
point back to the list (presumably in addition to any Reply-To set by
the user, or only when the user did not set such) would avoid that
result, but I've seen arguments presented in the past that it also
results in undesirable results of other types in some cases; although I
didn't retain those arguments in full, I was also not able to come up
with effective counterarguments at the time.

When using "Reply to All", at least with some mail clients, Reply-To
will be ignored - and in fact, I think I might argue that any mail
client which does not ignore Reply-To in the case of "Reply to All" is
broken, since that is failing to do what the user explicitly requested.

Even if using a mail client which does treat Reply-To as overriding
"Reply to All", that just means that the user is required to keep track
of which mailing lists set Reply-To (and use "Reply to All" in those
cases), which don't (and use some other reply method in those cases),
and also which specific messages on some lists have changed the Reply-To
configuration (and then have to decide whether to override that
manually, including potentially copying some or all of the addresses
from the original mail by hand since the mail client won't do it for you).

*Maybe* that's better than any of the known alternatives as a practical,
real-world matter, but it hardly seems anything remotely close to ideal,
in my view.

> Debian's lists are badly configured, it results in burden to all users,
> but the users should reject that burden. I do.

And your chosen method of avoiding this burden seems to result both in
burden to you (in the form of having to modify message headers every
time you compose a reply) and in burden to others (in this case, in the
form of me receiving two copies of your reply, rather than only the copy
sent through the mailing list).

I'm not sure I'd agree that that's better.

Joel Rees

Jun 9, 2017, 10:20:04 PM6/9/17
There was a time when mailing lists were e-mail, and newsgroups were
newsgroups. Newsgroups have unfortunately mostly gone the way of the
dodo, and mailing list participants want the mailing lists to behave like
newsgroups.

And Now Google Doesn't Think Users Should Ever Set Headers.

Progress is progress.

--
Joel Rees

One of these days I'll get someone to pay me
to design a language that combines the best of Forth and C.
Then I'll be able to leap wide instruction sets with a single #ifdef,
run faster than a speeding infinite loop with a #define,
and stop all integer size bugs with a bare cast.

More of my delusions:
http://reiisi.blogspot.com/2017/05/do-not-pay-modern-danegeld-ransomware.html
http://reiisi.blogspot.jp/p/novels-i-am-writing.html

Fungi4All

Jun 10, 2017, 10:00:03 AM6/10/17
> On Sat, Jun 10, 2017 at 12:57 AM, Nicolas George <geo...@nsup.org> wrote:
> > On primidi 21 prairial, year CCXXV, The Wanderer wrote:
> > > Disagreed. This results in sending extra copies to people who are
> > > subscribed to the list, which is incorrect.
> >
> > Not if the list is properly configured.
> >
> > Debian's lists are badly configured, it results in burden to all users,
> > but the users should reject that burden. I do.
> >
> > I will not answer Gene's message, he obviously missed the whole point of
> > my mail.
> > Nicolas George
>
> And Now Google Doesn't Think Users Should Ever Set Headers.
> Progress is progress.

Progress in a society comes when they collectively pursue in common something
that would improve their lives and conditions. If the few and powerful coerce or
blackmail a society to move in a certain direction because that advances the interests
of the few, I wouldn't dare call this progress. Rarely in history did such moves last
and stabilize, as for every action there is a reaction. Just give it some time and
the vast majority of the world will be really happy to see google/fb/ms collapse
and vanish. That may be progress, being without the pests.

Would you call android and win10 progress?  I hope not.  Vehicles were progress
over horses and carriages in some respects, people walking and one in
ten thousands being driven in a Rolls Royce where the passengers were covered
and the driver was outside was not progress.  Model A was progress at
a cost.

Progress is not made by following rulers and those in power, it comes
from the dialectic of resisting and reacting to power and oligarchy.

Joel Rees

(AK)

Joel Rees

Jun 10, 2017, 10:30:03 AM6/10/17
Yeah.

Progress is progress.

ahem. Sorry. I guess I forgot something.

{irony}Progress is progress.{end-irony}

Fungi4All

Jun 10, 2017, 12:00:07 PM6/10/17
> > And Now Google Doesn't Think Users Should Ever Set Headers.
> > Progress is progress.
>
> Yeah.
> Progress is progress.
> ahem. Sorry. I guess I forgot something.
>
> {irony}Progress is progress.{end-irony}
> --
> Joel Rees

If you live in a cave this may actually have some meaning among your cavemates.

David Wright

Jun 11, 2017, 12:00:04 PM6/11/17
On Wed 07 Jun 2017 at 17:26:30 (+0100), Brian wrote:
> On Wed 07 Jun 2017 at 10:30:54 -0500, John Hasler wrote:
>
> > Remove Ntp and install Chrony.
>
> Too easy. There would be nothing to rant about. :)
>
> https://chrony.tuxfamily.org/comparison.html

I read this and did exactly that:

Start-Date: 2017-06-07 12:58:22
Install: […], chrony:i386 (1.30-2+deb8u2), […]

I looked at, but didn't change, the configuration file.

Two days later, the laptop¹ was still running about five seconds
slow, so:

Start-Date: 2017-06-09 17:39:56
Purge: […], chrony:i386 (1.30-2+deb8u2), […]

Start-Date: 2017-06-09 17:43:19
Install: […], ntp:i386 (4.2.6.p5+dfsg-7+deb8u2)

I looked at, but didn't change, the configuration file.

By the time I had brought up two swissclocks (from my server
and other laptop) all three second hands were marching in step
(and within one second of the radio wall clock).

¹ had been "running free".

Cheers,
David.

Brian

Jun 11, 2017, 1:30:04 PM6/11/17
On Sun 11 Jun 2017 at 10:57:51 -0500, David Wright wrote:

> On Wed 07 Jun 2017 at 17:26:30 (+0100), Brian wrote:
> > On Wed 07 Jun 2017 at 10:30:54 -0500, John Hasler wrote:
> >
> > > Remove Ntp and install Chrony.
> >
> > Too easy. There would be nothing to rant about. :)
> >
> > https://chrony.tuxfamily.org/comparison.html
>
> I read this and did exactly that:

It's good to see someone testing things.

> Start-Date: 2017-06-07 12:58:22
> Install: […], chrony:i386 (1.30-2+deb8u2), […]
>
> I looked at, but didn't change, the configuration file.

Three machines running chrony here. One (which is always on) has an
original chrony.conf and the only change to the other one (a laptop
which is suspended overnight) is to use my ISP's time servers. The
third one has just been booted after not being used for fourteen
days; it uses a single one of my ISP's time servers.

> Two days later, the laptop¹ was still running about five seconds
> slow, so:
>
> Start-Date: 2017-06-09 17:39:56
> Purge: […], chrony:i386 (1.30-2+deb8u2), […]
>
> Start-Date: 2017-06-09 17:43:19
> Install: […], ntp:i386 (4.2.6.p5+dfsg-7+deb8u2)
>
> I looked at, but didn't change, the configuration file.
>
> By the time I had brought up two swissclocks (from my server
> and other laptop) all three second hands were marching in step
> (and within one second of the radio wall clock).
>
> ¹ had been "running free".

Machines number 1 and 2 are in step with my radio clock. Machine
number 3 came up three seconds slow. Within 6 minutes it agreed
with the other machines. I cannot account for this because I've
never had cause to examine chrony's configuration or internal
workings. Perhaps it has to do with frequency of polling? At the
moment my motivation to find out why is not high.

All my other machines use systemd-timesyncd on the basis that it is
already available on them. The first three have used chrony for
nearly ten years without a discernible problem.

--
Brian.