I think it's pretty safe to assume that the developers have no idea that things like vendor zones exist. NTP, like DNS or SMTP, is ubiquitous infrastructure, not something the average developer sets aside time to understand.
They didn't have to use the ntp.org pool at all. They obviously wanted to check if somebody changed the time on the phone and to still use "the internet time." And for that, contacting one of Apple's servers (time.apple.com) would have been enough.
It seems that the iOS library author "helpfully" provided the default of contacting 30 servers from the ntp.org pool.
I'm guessing of course, but it's entirely possible that they used the ntp.org pool, because that's what a quick Google search would tell you to do. Getting a vendor zone requires that you know it exists.
> I'm guessing of course, (...) they used the ntp.org pool, because that's what a quick Google search would tell you to do
You're wrong, see my upper comment in this very thread, I've already written: they used the third-party library which has as default in the call without any arguments the huge number of the ntp.org servers. The servers hit and the servers in the library sources match exactly. They used that default, resulting in 30 servers being hit at once from a single app (and the app is probably used by tens of millions of people).
"I wrote this library a long time ago for the iPhone 3GS and earlier. At that time, as best I could tell, the iPhone obtained its time from the phone company and, for me in South-East Michigan, it was not unusual for the iPhone time to be at up to two minutes variance from true time. Since my app was predicting the location of the International Space Station and a two minute error represented about 600 miles, I wrote this library so people wouldn't be staring at the wrong side of the sky!"
"Since then, the world has changed. First, iOS devices use the NTP protocol as a time source -- I stopped using my own library years ago because iPhones were delivering sub-second accurate times natively."
"I've thought for a while that this library had passed its "sell-by" date and was of minimal value; this Snapchat incident (about which I've heard only a little, and that obliquely), makes me want to remove it. I've been involved in network software, on and off, for about forty years and regard myself as a good net citizen."
The defaults up to now were really, really bad. His correction now is to remove the list. But if then the users just use any list, they are doing it wrong again. For effectively all the scenarios in practice, just time.apple.com instead of any other list and the limited number of IP addresses used from there, by default 1, should be enough for the iOS apps, or even better that they use their own servers. The Swift library with the similar goals, mentioned elsewhere, has that IP-limiting loop, this library probably not.
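Added example, not part of the thread and not code from ios-ntp or the Swift library mentioned: a minimal SNTP clock check that sends one packet to at most one resolved address of a single host, which is the behaviour the comment above argues for. The function names, the MAX_ADDRESSES constant and the 2-second timeout are assumptions made for this sketch.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MAX_ADDRESSES = 1             # assumption: cap on resolved IPs actually queried

def to_ntp(unix_ts):
    """Unix seconds -> (seconds, fraction) of a 32.32 fixed-point NTP timestamp."""
    secs = int(unix_ts)
    return secs + NTP_EPOCH_DELTA, int((unix_ts - secs) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    # Byte 0 = LI 0, version 4, mode 3 (client); transmit timestamp (bytes 40-47) = t1
    return struct.pack("!B39x2I", 0x23, *to_ntp(t1))

def clock_offset(reply, t1, t4):
    """Offset of the local clock in seconds: ((t2 - t1) + (t3 - t4)) / 2."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("not a usable server reply")  # stratum 0 is kiss-o'-death
    o_s, o_f, r_s, r_f, x_s, x_f = struct.unpack("!6I", reply[24:48])
    if (o_s, o_f) != to_ntp(t1):
        raise ValueError("origin timestamp does not echo our request")
    t2, t3 = from_ntp(r_s, r_f), from_ntp(x_s, x_f)
    return ((t2 - t1) + (t3 - t4)) / 2

def query(host="time.apple.com", timeout=2.0):
    """Ask at most MAX_ADDRESSES resolved IPs, one packet each; first good reply wins."""
    addrs = socket.getaddrinfo(host, 123, type=socket.SOCK_DGRAM)[:MAX_ADDRESSES]
    for family, kind, proto, _, sockaddr in addrs:
        with socket.socket(family, kind, proto) as s:
            s.settimeout(timeout)
            s.connect(sockaddr)  # connected UDP: replies from other sources are dropped
            t1 = time.time()
            try:
                s.send(build_request(t1))
                return clock_offset(s.recv(512), t1, time.time())
            except (OSError, ValueError):
                continue
    raise RuntimeError("no usable reply from " + host)

if __name__ == "__main__":
    print("local clock offset: %+.3f s" % query())
```

A large positive or negative offset means the device clock has been moved relative to the server; the origin-timestamp check rejects replies that do not answer the request that was actually sent.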
This is a really weird comment format. It almost suggests a lack of syntax highlighting.
/*┌──────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Prepare a sort-descriptor to sort associations based on their dispersion, and then create an │
│ empty array for associations to fill .. │
└──────────────────────────────────────────────────────────────────────────────────────────────────┘*/
for use of two different styles of boxes, + some additional typographic experiments.
I actually kind of like it. Not enough to start using it yet, but then again, in Lisp code I make a judicious use[0] of ^L characters and form-feed-mode. Form feed character seems to be a forgotten but pretty neat invention.
https://github.com/jbenet/ios-ntp
Specifically, all the servers(!) from here are contacted: https://github.com/jbenet/ios-ntp/blob/master/ios-ntp-lib/Ne...
Note that the library author wrote:
"ios-ntp is often (mostly?) used to make sure someone hasn't fiddled with the system clock. The complications involved in using multiple servers and averaging time offsets is overkill for this purpose. The following skeleton code is all that is needed to check the time."
And that "skeleton" contacts just "time.apple.com"
But the library really has the default possibility of contacting a lot of the ntp.org servers from a big list ("createAssociations" with no parameters!) and it's bad.
As we know, the developers like to just "copy-paste" whatever is where. Or use any defaults. "Hey it works."