FS#57027 : [dnscrypt-proxy] abandoned then restarted upstream

FS#57027 - [dnscrypt-proxy] abandoned then restarted upstream

Attached to Project: Community Packages
Opened by Jared H (govgoat) - Tuesday, 09 January 2018, 16:18 GMT
Last edited by David Runge (dvzrv) - Friday, 06 April 2018, 18:49 GMT

Task Type	Bug Report
Category	Upstream Bugs
Status	Closed
Assigned To	Felix Yan (felixonmars)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	5 David Runge (dvzrv) (2018-03-17) Amal Karunarathna (r3b311i0n) (2018-03-14) AnAkkk (AnAkkk) (2018-03-01) Soroush Mirzaei (soroush) (2018-02-18) buttcake (buttcake) (2018-02-06)
Private	No

Details

Description:
Upstream has abandoned the project. dnscrypt.org now redirects to dnsprivacy.org, and the github repo has been deleted. The source in the PKGBUILD now is an unresolved hostname. I did find that dyne.org has taken over maintenance of the project, found here -> https://github.com/dyne/dnscrypt-proxy. Hopefully this isn't unnecessary noise, wasn't sure where/how to make you the maintainer aware. Thanks!

This task depends upon

Closed by David Runge (dvzrv)
Friday, 06 April 2018, 18:49 GMT
Reason for closing: Fixed
Additional comments about closing: 2.0.8 is now in community.

Comment by David McAdoo (geecroof) - Saturday, 27 January 2018, 21:04 GMT

There was an U-turn and original upstream is back with something that smash the old project: https://github.com/jedisct1/dnscrypt-proxy/#current-statusfeatures

It's already available in AUR: https://aur.archlinux.org/packages/dnscrypt-proxy-go/

I recommend to replace this package with 2.0 version after it comes out of beta phase.

Comment by buttcake (buttcake) - Tuesday, 06 February 2018, 20:53 GMT

https://github.com/jedisct1/dnscrypt-proxy/releases/tag/2.0.0

it's out

Comment by David Runge (dvzrv) - Saturday, 17 March 2018, 14:18 GMT

Hm, while there has been conflicting information about the initial (and now again current) maintainer Frank Denis, it seems going with the aforementioned version 2.0.6 would be the way to go.
However, the problem with ~~FS#49881~~ still remains!

Comment by buttcake (buttcake) - Sunday, 18 March 2018, 12:49 GMT

I'm interested in this package. is there any way I can help ?

Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 11:04 GMT

I install dnscrypt-proxy2 and then it started with system user already with DynamicUser=yes in service file.
Hope that the developer will support version 2 too.

Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 11:19 GMT

@Severus: I'm currently trying to upstream this and other settings in the service file.

Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 11:22 GMT

@Severus: Also, plainly using DynamicUser will only work for ports > 1024

Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 12:39 GMT

@davezerave it doesnot relate to DynamicUser, it works as unix design, only privilege user can bind port < 1024 ( 1024 can be used by non privileges user ).

Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 13:34 GMT

https://aur.archlinux.org/packages/dnscrypt-proxy-go uses socket activation which should listen on 53 port wit DynamicUser

Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 13:38 GMT

Socket activation is run by systemd, it requires root privilege, it doesnot relate to DynamicUser.

Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 14:04 GMT

@Janick.Hauck92: Correct, but that's still not upstream.
@Severus: That's why there is CapabilityBoundingSet and AmbientCapabilities, which can be set to CAP_NET_BIND_SERVICE to explicitely allow that behavior for an unprivileged user.

The new design of the dnscrypt-proxy doesn't really require setting up several services, if one wants to use several distinct servers on separate ports, as it can deal with more than one server (and their disappearance) through its configuration.
Also, it is not required to use socket activation (but it is one possible way to get around the unprivileged port binding issue).

Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 14:11 GMT

you can use pdnsd then dnscrypt-proxy as backend.

Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 14:19 GMT

I just see the patch you mention, but I don't think it's good way to fix this issue with systemd.
https://github.com/jedisct1/dnscrypt-proxy/pull/255/commits/a57f6815b5f307418d2ee5c72c48a64fd3b06d44

Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 14:33 GMT

@Severus
Not sure what you are talking about. Only root can start system-wide systemd services but then they can run unprivileged with DynamiUser option set. With socket activation they can listen on arbitrary defined port at the same time. This is what https://aur.archlinux.org/packages/dnscrypt-proxy-go already does.

@davezerave
You don't need additional capabilities and you don't need to upstream anything as everything is already here in AUR.

https://github.com/jedisct1/dnscrypt-proxy/pull/255/commits/a57f6815b5f307418d2ee5c72c48a64fd3b06d44 will break 99% usecases, I highly doubt it will be accepted.

Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 16:14 GMT

@Severus/Janick.Hauck92: Pull request 255 is not my contribution.

@Janick.Hauck92: So what keeps you from upstreaming such a general setting then? DynamicUser can be used by any Linux distribution utilizing systemd.
As I wrote before: DynamicUser alone will still not enable you to bind to ports < 1024 (if you're not also using socket activation). If this (socket activation) is meant as the default setup for all use-cases (standalone, as backend for other DNS servers, etc.), then sure, it'll work.
In any case: These settings should be upstreamed.

Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 17:07 GMT

I don't have need to upstream anything. I'm happy with what downstream currently provides. Everyone is free to send PR.

Socket activation is already in upstream https://github.com/jedisct1/dnscrypt-proxy/blob/master/systemd/dnscrypt-proxy.socket .

Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 18:51 GMT

@davezerave I see those changes are somewhat upstreamed (commented out by default):
https://github.com/jedisct1/dnscrypt-proxy/commit/bdc32cee90e099a49214c0b5315ea429959ea8c1

Comment by David Runge (dvzrv) - Saturday, 31 March 2018, 22:08 GMT

@felixonmars A solution to ~~FS#49881~~ has been merged upstream. If you find the time, switch to the new version! :)

Comment by Ike Rippin (Janick.Hauck92) - Monday, 02 April 2018, 14:07 GMT

I seriously doubt that waiting months for update package in repos makes sense when AUR version is updated within hours after upstream release. If maintainer doesn't have time for it, then it's better to drop this.

Comment by Sebastian Jug (jugs) - Monday, 02 April 2018, 14:17 GMT

Can we please update this package yet, this is a bit rediculous...

Comment by Ike Rippin (Janick.Hauck92) - Wednesday, 04 April 2018, 11:19 GMT

This is beyond any critique, absolutely no words to describe it:

https://lists.archlinux.org/pipermail/aur-requests/2018-April/023329.html
https://lists.archlinux.org/pipermail/aur-requests/2018-April/023330.html

Comment by David Runge (dvzrv) - Wednesday, 04 April 2018, 22:28 GMT

I just moved dnscrypt-proxy 2.0.8 to community-testing.
Feel free to test and report back!

	Tasks related to this task (0)

Duplicate tasks of this task (1)
~~FS#57668 - [dnscrypt-proxy] Replace by forked version which is still mainta~~

Arch Linux

FS#57027 - [dnscrypt-proxy] abandoned then restarted upstream

Details

Loading...