Comment 5 for bug 104525

I'm concerned with the security implications of using a pool of unknown time servers per default. If I understand correctly, anyone can volunteer to participate in the pool. If the end user's ntpd is started with the -g option, overriding the 1000 seconds sanity check (as was the default in Ubuntu 7.10), and the server selects only one time server from the pool to synchronize from, an attacker who controls a single server in the pool can set the time of many Ubuntu hosts over the world. Also, he will know the IP addresses of the victims. If any of them happen to be interesting targets for the attacker, he can then mount further attacks on all cryptographic protocols that depend on correct time-keeping (for example, to prevent replay attacks). That would be a serious security threat for the users.