FS#57027 - [dnscrypt-proxy] abandoned then restarted upstream

Attached to Project: Community Packages
Opened by Jared H (govgoat) - Tuesday, 09 January 2018, 16:18 GMT
Last edited by David Runge (dvzrv) - Friday, 06 April 2018, 18:49 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No


Upstream has abandoned the project. dnscrypt.org now redirects to dnsprivacy.org, and the GitHub repo has been deleted. The source in the PKGBUILD is now an unresolved hostname. I did find that dyne.org has taken over maintenance of the project, found here -> https://github.com/dyne/dnscrypt-proxy. Hopefully this isn't unnecessary noise; I wasn't sure where/how to make you, the maintainer, aware. Thanks!
Closed by David Runge (dvzrv)
Friday, 06 April 2018, 18:49 GMT
Reason for closing: Fixed
Additional comments about closing: 2.0.8 is now in community.
Comment by David McAdoo (geecroof) - Saturday, 27 January 2018, 21:04 GMT
There was a U-turn and the original upstream is back with something that smashes the old project: https://github.com/jedisct1/dnscrypt-proxy/#current-statusfeatures

It's already available in AUR: https://aur.archlinux.org/packages/dnscrypt-proxy-go/

I recommend replacing this package with the 2.0 version after it comes out of the beta phase.
Comment by buttcake (buttcake) - Tuesday, 06 February 2018, 20:53 GMT
Comment by David Runge (dvzrv) - Saturday, 17 March 2018, 14:18 GMT
Hm, while there has been conflicting information about the initial (and now again current) maintainer Frank Denis, it seems going with the aforementioned version 2.0.6 would be the way to go.
However, the problem with FS#49881 still remains!
Comment by buttcake (buttcake) - Sunday, 18 March 2018, 12:49 GMT
I'm interested in this package. Is there any way I can help?
Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 11:04 GMT
I installed dnscrypt-proxy2 and then it started with a system user already, with DynamicUser=yes in the service file.
Hope that the developer will support version 2 too.
Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 11:19 GMT
@Severus: I'm currently trying to upstream this and other settings in the service file.
Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 11:22 GMT
@Severus: Also, plainly using DynamicUser will only work for ports > 1024
Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 12:39 GMT
@davezerave it does not relate to DynamicUser; it works as Unix is designed: only a privileged user can bind a port < 1024 (1024 can be used by a non-privileged user).
Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 13:34 GMT
https://aur.archlinux.org/packages/dnscrypt-proxy-go uses socket activation, which should listen on port 53 with DynamicUser
Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 13:38 GMT
Socket activation is run by systemd; it requires root privilege and does not relate to DynamicUser.
Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 14:04 GMT
@Janick.Hauck92: Correct, but that's still not upstream.
@Severus: That's why there is CapabilityBoundingSet and AmbientCapabilities, which can be set to CAP_NET_BIND_SERVICE to explicitly allow that behavior for an unprivileged user.

The new design of the dnscrypt-proxy doesn't really require setting up several services, if one wants to use several distinct servers on separate ports, as it can deal with more than one server (and their disappearance) through its configuration.
Also, it is not required to use socket activation (but it is one possible way to get around the unprivileged port binding issue).
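The two ways of letting an unprivileged DynamicUser service answer on port 53 that this thread discusses, as an added example (not part of any comment here and not the upstream or AUR unit files). The unit contents, the binary and configuration paths, and the loopback listen address are assumptions chosen for illustration.

```ini
# Constructed example: paths and addresses are assumptions, not upstream's units.

# --- Variant A: the daemon binds port 53 itself ---
# dnscrypt-proxy.service
[Unit]
Description=DNSCrypt client proxy (variant A)
After=network.target

[Service]
ExecStart=/usr/bin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Transient unprivileged UID/GID, allocated at start and released at stop.
DynamicUser=yes
# Give the non-root process the one capability that lets bind() succeed
# on a port below 1024 ...
AmbientCapabilities=CAP_NET_BIND_SERVICE
# ... and limit what it can ever hold to that same capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# --- Variant B: systemd binds port 53 and passes the sockets on ---
# dnscrypt-proxy.socket
[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53

[Install]
WantedBy=sockets.target

# dnscrypt-proxy.service (the daemon must accept inherited sockets)
[Unit]
Description=DNSCrypt client proxy (variant B)
Requires=dnscrypt-proxy.socket

[Service]
ExecStart=/usr/bin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
DynamicUser=yes
# The process never binds a privileged port itself, so it needs no
# capabilities; an empty bounding set drops every one of them.
CapabilityBoundingSet=
```

In variant A the service holds CAP_NET_BIND_SERVICE for its whole lifetime; in variant B only systemd (PID 1) binds the privileged port and the service runs with no capabilities.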
Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 14:11 GMT
You can use pdnsd, then dnscrypt-proxy as backend.
Comment by NgoHuy (Severus) - Saturday, 24 March 2018, 14:19 GMT
I just saw the patch you mention, but I don't think it's a good way to fix this issue with systemd.
Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 14:33 GMT
Not sure what you are talking about. Only root can start system-wide systemd services, but then they can run unprivileged with the DynamicUser option set. With socket activation they can listen on an arbitrarily defined port at the same time. This is what https://aur.archlinux.org/packages/dnscrypt-proxy-go already does.

You don't need additional capabilities and you don't need to upstream anything as everything is already here in AUR.

https://github.com/jedisct1/dnscrypt-proxy/pull/255/commits/a57f6815b5f307418d2ee5c72c48a64fd3b06d44 will break 99% of use cases; I highly doubt it will be accepted.
Comment by David Runge (dvzrv) - Saturday, 24 March 2018, 16:14 GMT
@Severus/Janick.Hauck92: Pull request 255 is not my contribution.

@Janick.Hauck92: So what keeps you from upstreaming such a general setting then? DynamicUser can be used by any Linux distribution utilizing systemd.
As I wrote before: DynamicUser alone will still not enable you to bind to ports < 1024 (if you're not also using socket activation). If this (socket activation) is meant as the default setup for all use-cases (standalone, as backend for other DNS servers, etc.), then sure, it'll work.
In any case: These settings should be upstreamed.
Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 17:07 GMT
I don't have a need to upstream anything. I'm happy with what downstream currently provides. Everyone is free to send a PR.

Socket activation is already in upstream https://github.com/jedisct1/dnscrypt-proxy/blob/master/systemd/dnscrypt-proxy.socket .
Comment by Ike Rippin (Janick.Hauck92) - Saturday, 24 March 2018, 18:51 GMT
@davezerave I see those changes are somewhat upstreamed (commented out by default):
Comment by David Runge (dvzrv) - Saturday, 31 March 2018, 22:08 GMT
@felixonmars A solution to FS#49881 has been merged upstream. If you find the time, switch to the new version! :)
Comment by Ike Rippin (Janick.Hauck92) - Monday, 02 April 2018, 14:07 GMT
I seriously doubt that waiting months for an updated package in the repos makes sense when the AUR version is updated within hours after an upstream release. If the maintainer doesn't have time for it, then it's better to drop this.
Comment by Sebastian Jug (jugs) - Monday, 02 April 2018, 14:17 GMT
Can we please update this package yet, this is a bit ridiculous...
Comment by Ike Rippin (Janick.Hauck92) - Wednesday, 04 April 2018, 11:19 GMT
Comment by David Runge (dvzrv) - Wednesday, 04 April 2018, 22:28 GMT
I just moved dnscrypt-proxy 2.0.8 to community-testing.
Feel free to test and report back!