Investigate security consequences of restarting htpdate until it succeeds

While implementing #10494 (closed), concerns were raised if restarting htpdate wouldn’t just break one of its main goal, which is to fail if one of its pool seems to be compromised because it reached allowed_per_pool_failure_ratio.

Before deciding what to do with #10494 (closed), we should research about its security consequences.

Related issues

Blocks #10494 (closed)

Original created by @bertagaz on 11574 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information