Rename pools to avoid confusion (refs: #15428)

People get confused by the use of pal/neutral/foe: they think we need
to particularly trust members of the "pal" pool, which is incorrect
and can lead to useless controversy.

So let's fix this by renaming the pools and clarifying our design doc.

config/chroot_local-includes/etc/default/htpdate.pools

-HTP_POOL_PAL="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
-HTP_POOL_NEUTRAL="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
-HTP_POOL_FOE="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"
+HTP_POOL_1="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
+HTP_POOL_2="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
+HTP_POOL_3="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"

config/chroot_local-includes/lib/systemd/system/htpdate.service

@@ -11,10 +11,10 @@ Environment=SUCCESS_FILE=/run/htpdate/success
 Environment=LOG=/var/log/htpdate.log
 EnvironmentFile=/etc/default/htpdate.*
 ExecStartPre=/bin/sh -c \
-    '[ -n "${HTTP_USER_AGENT}"  ] && \
-     [ -n "${HTP_POOL_PAL}"     ] && \
-     [ -n "${HTP_POOL_NEUTRAL}" ] && \
-     [ -n "${HTP_POOL_FOE}"     ]'
+    '[ -n "${HTTP_USER_AGENT}" ] && \
+     [ -n "${HTP_POOL_1}"      ] && \
+     [ -n "${HTP_POOL_2}"      ] && \
+     [ -n "${HTP_POOL_3}"      ]'
 ExecStartPre=/bin/rm -f "${DONE_FILE}"
 ExecStartPre=/bin/rm -f "${SUCCESS_FILE}"
 ExecStartPre=/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
@@ -26,9 +26,9 @@ ExecStart=/usr/local/sbin/htpdate                   \
               --user htp                            \
               --done_file    "${DONE_FILE}"         \
               --success_file "${SUCCESS_FILE}"      \
-              --pal_pool     "${HTP_POOL_PAL}"      \
-              --neutral_pool "${HTP_POOL_NEUTRAL}"  \
-              --foe_pool     "${HTP_POOL_FOE}"      \
+              --pool1        "${HTP_POOL_1}"        \
+              --pool2        "${HTP_POOL_2}"        \
+              --pool3        "${HTP_POOL_3}"        \
               --proxy        127.0.0.1:9062
 RemainAfterExit=yes
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_SETUID CAP_SYS_TIME

config/chroot_local-includes/usr/local/sbin/htpdate

@@ -95,15 +95,15 @@ sub parseCommandLine () {
         [ 'log_file|l:s', "log to this file rather than to STDOUT" ],
         [ 'done_file|D:s', "create this file after quitting in any way" ],
         [ 'success_file|T:s', "create this file after setting time successfully" ],
-        [ 'pal_pool=s@', "distrusted hostnames" ],
-        [ 'neutral_pool=s@', "neutral hostnames" ],
-        [ 'foe_pool=s@', "distrusted hostnames" ],
+        [ 'pool1=s@', "first pool of hostnames" ],
+        [ 'pool2=s@', "second pool of hostnames" ],
+        [ 'pool3=s@', "third pool of hostnames" ],
         [ 'allowed_per_pool_failure_ratio:f', "ratio (0.0-1.0) of allowed per-pool failure", { default => 1.0 } ],
         [ 'proxy|p:s', "what to pass to curl's --socks5-hostname (if unset, environment variables may affect curl's behavior -- see curl(1) for details)" ],
     );
 
     usage() if $opt->help;
-    usage() unless $opt->pal_pool && $opt->neutral_pool && $opt->foe_pool;
+    usage() unless $opt->pool1 && $opt->pool2 && $opt->pool3;
 
     $runas       = $opt->user if $opt->user;
     $>           = getpwnam($runas) if $runas;
@@ -122,7 +122,7 @@ sub parseCommandLine () {
                 $_ = 'https://'.$_ unless $_ =~ /^http/i;
             } split(/,/, join(',', @{$_}))
         ]
-    } ($opt->pal_pool, $opt->neutral_pool, $opt->foe_pool);
+    } ($opt->pool1, $opt->pool2, $opt->pool3);
 }
 
 sub usage () {

wiki/src/contribute/design/Time_syncing.mdwn

@@ -156,11 +156,15 @@ unlikely to share logs (or other identifying data), or to agree to
 send fake time information, with a member from
 the the other pools. The pools are as follows:
 
-* The "pal" pool are run by groups that are likely to take great care
+* The first pool are run by groups that are likely to take great care
   of their visitors' privacy.
-* The "foe" pool are managed by adversaries of the "pal" pool.
-* The "neutral" pool members have a neutral raltionship to both the
-  "pal" and "foe" pool.
+* The second pool members have a neutral relationship to both the
+  members of the other pools.
+* The third pool are managed by adversaries of the first pool.
+
+This design does not require that we particularly trust even members
+of the first pool: what we need is to minimize the chance members of
+different pools conspire together against Tails users.
 
 The pools are listed in [[!tails_gitweb config/chroot_local-includes/etc/default/htpdate.pools]].