{"id":37127533,"url":"https://github.com/e-zk/stsd","last_synced_at":"2026-01-14T14:51:05.542Z","repository":{"id":107932914,"uuid":"428243551","full_name":"e-zk/stsd","owner":"e-zk","description":"Secure Time Sync Daemon ","archived":false,"fork":false,"pushed_at":"2021-12-08T05:34:48.000Z","size":53,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":2,"default_branch":"trunk","last_synced_at":"2025-10-10T10:20:28.866Z","etag":null,"topics":["time-synchronization"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/e-zk.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-15T11:53:28.000Z","updated_at":"2021-12-15T01:15:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"eeafe796-4e17-4029-bcd7-d7f1dc7b0c53","html_url":"https://github.com/e-zk/stsd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/e-zk/stsd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-zk%2Fstsd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-zk%2Fstsd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-zk%2Fstsd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-zk%2Fstsd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/e-zk","download_url":"https://codeload.github.com/e-zk/stsd/tar.gz/refs/heads/trunk","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/e-zk%2Fstsd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28424001,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["time-synchronization"],"created_at":"2026-01-14T14:51:05.068Z","updated_at":"2026-01-14T14:51:05.534Z","avatar_url":"https://github.com/e-zk.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"stsd - Secure Time Sync Daemon\n==============================\n\nSet system date based on HTTP 'date' headers over TLS.\nInspired by Whonix's sdwdate, and Madaidan's secure-time-sync script.\n\n\nWhat's wrong with NTP?\n----------------------\nStandard NTP does not make use any kind of cryptography. No encryption, no\nauthentication. This means NTP requests can be sniffed and tampered with\nto send a system the wrong time [1].\nCorrect system time is essential for the use of modern public key cryptography\n(TLS/SSL for example).\n\nstsd aims to overcome these shortcomings of NTP and provide a secure way of\nkeeping a system's time accurate.\n\n\nHow it works\n------------\nAt random intervals (between 64 seconds and 1024 seconds) stsd sets the system\ntime based on the timestamp extracted from HTTP headers (RFC2616) over TLS.\nThe website it gets this header from is randomly selected from a pool file.\n\nOptionally stsd can do this all over Tor; favouring onion addresses specified\nin the pool file.\n\n\nCaveats\n-------\nCurrently stsd does a few things that are generally not ideal for\nsecurity-critical software:\n\n 1. It must be run as root, since on most systems only root can change the\n    system's date.\n 2. It shells out to date(1) to update the system time.\n\nIn regard to the first caveat, stsd aims to follow the principle of least\nprivilege by only making network requests via an unprivileged child processs.\nThis unprivilged \"network\" process makes the necessary network request, then\nsends the date information back to the parent process via a socket.\nThe parent process then sets the system time using its root privilges.\n\n\nOS support\n----------\nAs mentioned previously stsd works by shelling out to date(1) to set the system\ntime - as a side-effect of this all systems with a POSIX compliant date(1)\ncommand are supported. This includes: \n\n - {Net,Free,DragonFly,Open}BSD\n - MacOS\n - Most Linux distributions\n\n\nUsage\n-----\nusage: stsd [--date-cmd=path] [--user=username] [--pool-file=file]\n            [--use-proxy=proxy | --use-tor[=proxy]]\nwhere:\n  --date-cmd=path    absolute path to date command (default: '/bin/date').\n  --user=username    user to run child process as (default: '_stsd').\n  --pool-file=file   use the specified pool file (default: '/etc/stsd_pool').\n  --use-proxy=proxy  proxy network requests through 'proxy' url.\n  --use-tor          use tor for network requests. favours onion addresses\n                     from the pool file. tor's proxy url can be configured\n                     by passing as an argument flag: '--use-tor=proxy'\n                     (default tor proxy url: 'socks5://localhost:9050').\n\n\nPool file format\n----------------\nThe pool file contains a newline separated list of HTTPS URLs. Each URL can\noptionally have an associated onion address.\nThe optional onion address will be favoured over the clearnet address when the\n--use-tor argument is given.\n\nEach line in the file is of the format:\n\n\t\u003curl\u003e[,onion]\n\nEmpty lines, and lines starting with a '#' are ignored.\nAn example pool file (stsd_pool_example) is provided.\n\n\nSee also\n--------\nIf you use OpenBSD's OpenNTPD, it is possible to set 'constraint' URLs.\nThese tell ntpd to make use of HTTPS date headers to act as an authenticated\nconstraint - NTP packets falling outside of the range of the constraint are\ndiscarded and NTP servers sending these packets are marked as invalid [2].\nThis strikes a good balance between the accuracy of NTP and authentication\nvia TLS.\n\nsdwdate: https://www.whonix.org/wiki/Sdwdate\nsecure-time-sync: https://gitlab.com/madaidan/secure-time-sync\n\n\nReferences\n----------\n1: https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html\n2: https://man.openbsd.org/ntpd.conf#CONSTRAINTS (https://openntpd.org/)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fe-zk%2Fstsd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fe-zk%2Fstsd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fe-zk%2Fstsd/lists"}