[tz] leap-seconds.list format
Martin Burnicki
martin.burnicki at meinberg.de
Mon Feb 12 18:33:55 UTC 2024
Paul Eggert wrote:
> On 2/8/24 06:21, Martin Burnicki via tz wrote:
>
>> https://kb.meinbergglobal.com/kb/time_sync/ntp/configuration/ntp_leap_second_file
>
> Thanks, I installed the attached patch to refer to that page.
Thanks!
> A few comments about its contents:
>
>> For higher security the file should be signed using a public key
>> certificate which can also be checked after the file has already been
>> downloaded. However, this is currently not implemented
>
> As per Internet RFC 6557 (2012) section 3, TZDB distributions are signed
> via a PGP signature. This signature is published in each distribution's
> announcement, so effectively you can obtain a signed leap-seconds.list
> from a TZDB distribution. This practice started in 2012e, in response to
> the RFC.
>
> Also, TZDB releases have signed tags in the Github development
> repository; this is another way to verify leap-seconds.list
>
> Admittedly neither of these techniques are the same as having the IERS
> sign the file, which would be preferable.
I've now made a few changes to my page:

All occurrences of "TZ DB" have been replaced with "TZDB".

The section about the TAI Offset Table
https://wiki.py.meinberg.de/kb:time_sync:ntp:configuration:ntp_leap_second_file#tai_offset_table
now contains a note that the leap second table can use space or tabs as
field separators, depending on the origin of the file.

The section about the SHA1 hash now mentions the signature of the TZDB
version
https://wiki.py.meinberg.de/kb:time_sync:ntp:configuration:ntp_leap_second_file#sha1_hash

The section about the TZDB/IANA version now mentions the signatures.
[...]
> One other link you might want to mention is:
>
> https://raw.githubusercontent.com/eggert/tz/main/leap-seconds.list
>
> This is the latest version of leap-seconds.list in the TZDB development
> repository. It is more up-to-date than
> <https://data.iana.org/time-zones/tzdb/leap-seconds.list>, though less
> up-to-date than the IERS primary copy. Github likely resists DDoS
> attacks better than the other sites; see
> <https://github.blog/2018-03-01-ddos-incident-report/>.
@Paul: I've added the URL to my page. Please let me know if I should
keep the other links to the Github repo and your homepage, or whether I
should remove them.
Concerning the PGP signatures of the download archives:

IMO checking the signatures would be much easier for potential users of
the .gz or .lz archives if the signatures would be available for
download as files at https://www.iana.org/time-zones, e.g.
tzdb-2024a.tar.lz.asc for an ASCII signature, or
tzdb-2024a.tar.lz.sig for a binary signature.

Doing so would make this very much easier for folks who just come across
the download page, but are not on (one of) the mailing list(s).

I have to admit that I didn't even notice that the signatures are part
of the announcement emails because I usually just read the subject if it
just tells that a new TZDB version has been released.

I also find it much harder to copy a signature text block from an email
to verify the integrity of a downloaded file.

At Meinberg, I provide this information as a file, see e.g.
https://www.meinbergglobal.com/english/sw/#linux
so it's very easy to download the .gz file and the signature file and run
a simple command line program to verify the integrity.

Just my 2 ct. ;-)
Martin
--
Martin Burnicki
Senior Software Engineer
MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki at meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/
Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Natalie Meinberg, Werner Meinberg,
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de https://www.meinbergglobal.com
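
Added example, not part of the original message and not code from Meinberg, TZDB or ntpd: a Python check of the SHA-1 value on the `#h` line of leap-seconds.list that accepts both tab- and space-separated fields, as mentioned in the message above. It assumes the hash covers the digits of the `#$` and `#@` lines and of each data line's timestamp and offset, written as five hex groups that may drop leading zeros; the sample file and its values are constructed.

```python
import hashlib
import hmac
import re

# Assumption (not stated in the thread): SHA-1 over the digits of "#$", "#@"
# and the data lines, in file order, with all whitespace and comments removed.
def hashed_digits(text):
    """Return the digit string the embedded hash is assumed to cover."""
    out = []
    for line in text.splitlines():
        if line.startswith(("#$", "#@")):      # last-update / expiry stamps
            body = line[2:]
        elif line.startswith("#"):             # comments and the #h line itself
            continue
        else:                                  # data line: drop trailing comment
            body = line.split("#", 1)[0]
        out.extend(re.findall(r"[0-9]+", body))  # space or tab separators vanish
    return "".join(out)

def embedded_hash(text):
    """Return the #h value as 40 hex characters, or None if absent/malformed."""
    for line in text.splitlines():
        if line.startswith("#h"):
            groups = line[2:].split()
            ok = len(groups) == 5 and all(re.fullmatch(r"[0-9a-fA-F]{1,8}", g) for g in groups)
            return "".join(g.lower().zfill(8) for g in groups) if ok else None
    return None

def verify(text):
    want = embedded_hash(text)
    if want is None:
        return False
    got = hashlib.sha1(hashed_digits(text).encode("ascii")).hexdigest()
    return hmac.compare_digest(got, want)

def sample(sep):
    """Constructed sample file using `sep` as the field separator."""
    body = (f"# constructed sample\n#${sep}3929093563\n#@{sep}3944332800\n"
            f"2272060800{sep}10{sep}# 1 Jan 1972\n"
            f"2287785600{sep}11{sep}# 1 Jul 1972\n"
            f"3692217600{sep}37{sep}# 1 Jan 2017\n")
    h = hashlib.sha1(hashed_digits(body).encode("ascii")).hexdigest()
    groups = [h[i:i + 8].lstrip("0") or "0" for i in range(0, 40, 8)]
    return body + "#h" + sep + " ".join(groups) + "\n"

if __name__ == "__main__":
    for name, sep in (("tabs", "\t"), ("spaces", "  ")):
        print(name, verify(sample(sep)))
```

The embedded hash only detects corruption: anyone who can alter the file can recompute it, so it does not replace the PGP signatures discussed in this thread.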