From 980457c06a3ac4af01a58e9030bf2b83e7e5270b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 14 Oct 2022 00:28:51 +0200
Subject: [PATCH 1/4] Update to 0.4.2 (#1974450)

---
 .gitignore                   |  1 +
 sources                      |  2 +-
 stubby-0.3.1-dnssec-ta.patch | 11 -----------
 stubby.spec                  |  7 +++++--
 4 files changed, 7 insertions(+), 14 deletions(-)
 delete mode 100644 stubby-0.3.1-dnssec-ta.patch

diff --git a/.gitignore b/.gitignore
index 00e9789..4a8d2f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /stubby-0.3.1.tar.gz
 /stubby-0.4.0.tar.gz
+/stubby-0.4.2.tar.gz
diff --git a/sources b/sources
index bea98d2..1d95bfe 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (stubby-0.4.0.tar.gz) = 2529a42cc786f4363e9d0ea12e40fc30c197492cbec4722763f6839cc9ec922985219374f8bf7df02dea51a1029b41b46a1547028492776efbf4d7a45fe86958
+SHA512 (stubby-0.4.2.tar.gz) = baa75d78f912de7701607578846df5837fdd810f9854a9d7593395e21f2684d3fb4431eb827454d3fcbaab8906d302a9011bb0ad289dbdf788de6eea4ed478be
diff --git a/stubby-0.3.1-dnssec-ta.patch b/stubby-0.3.1-dnssec-ta.patch
deleted file mode 100644
index 4018f79..0000000
--- a/stubby-0.3.1-dnssec-ta.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up getdns-1.6.0/stubby/stubby.yml.example.anchor getdns-1.6.0/stubby/stubby.yml.example
---- getdns-1.6.0/stubby/stubby.yml.example.anchor	2020-03-11 23:57:32.380258063 +0100
-+++ getdns-1.6.0/stubby/stubby.yml.example	2020-03-11 23:59:59.545636591 +0100
-@@ -157,6 +157,7 @@ listen_addresses:
- # Specify the location of the installed trust anchor file to override the 
- # default location (see above)
- # dnssec_trust_anchors: "/etc/unbound/getdns-root.key"
-+dnssec_trust_anchors: "/var/lib/unbound/root.key"
- 
- 
- ##################################  UPSTREAMS  ################################
diff --git a/stubby.spec b/stubby.spec
index 3781d50..1aab4ab 100644
--- a/stubby.spec
+++ b/stubby.spec
@@ -1,6 +1,6 @@
 Name:           stubby
-Version:        0.4.0
-Release:        3%{?dist}
+Version:        0.4.2
+Release:        1%{?dist}
 Summary:        Application that act as a local DNS Privacy stub resolver
 
 License:        BSD
@@ -64,6 +64,9 @@ fi
 
 
 %changelog
+* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-1
+- Update to 0.4.2 (#1974450)
+
 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 

From 32ea84638af9d85aae857c416e22653f8a285c28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 14 Oct 2022 00:36:06 +0200
Subject: [PATCH 2/4] Use unbound-anchor key again

---
 stubby-0.3.1-dnssec-ta.patch | 28 ++++++++++++++++++++++++++++
 stubby.spec                  |  3 +++
 2 files changed, 31 insertions(+)
 create mode 100644 stubby-0.3.1-dnssec-ta.patch

diff --git a/stubby-0.3.1-dnssec-ta.patch b/stubby-0.3.1-dnssec-ta.patch
new file mode 100644
index 0000000..4694013
--- /dev/null
+++ b/stubby-0.3.1-dnssec-ta.patch
@@ -0,0 +1,28 @@
+From 81ab1eb15280b99d2384fe4e6b512e79d4b1d543 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 14 Oct 2022 00:34:15 +0200
+Subject: [PATCH] Use trust anchor maintained by unbound-anchor
+
+Other packages use it as well. Point to single file, which might be
+reused by other packages.
+---
+ stubby.yml.example | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/stubby.yml.example b/stubby.yml.example
+index 1af0468..2296b73 100644
+--- a/stubby.yml.example
++++ b/stubby.yml.example
+@@ -172,6 +172,9 @@ listen_addresses:
+ # default location (see above)
+ # dnssec_trust_anchors:
+ #   - "/etc/unbound/getdns-root.key"
++# Fedora package maintains it in this location
++dnssec_trust_anchors:
++    - "/var/lib/unbound/root.key"
+ 
+ 
+ ##################################  UPSTREAMS  ################################
+-- 
+2.37.3
+
diff --git a/stubby.spec b/stubby.spec
index 1aab4ab..3ee0040 100644
--- a/stubby.spec
+++ b/stubby.spec
@@ -11,6 +11,8 @@ Provides:       getdns-stubby = 1.7.0-1
 Obsoletes:      getdns-stubby < 1.7.0-1
 %{?systemd_requires}
 
+Patch1:         stubby-0.3.1-dnssec-ta.patch
+
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: cmake
@@ -66,6 +68,7 @@ fi
 %changelog
 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-1
 - Update to 0.4.2 (#1974450)
+- Use unbound-anchor key again
 
 * Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

From 6b14bf1a91ddb044569f676c5f09b868e51ec8c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Sat, 15 Oct 2022 13:32:38 +0200
Subject: [PATCH 3/4] Private users do not work with dynamic users

Used dynamic user together with private users does not work.
---
 stubby-0.4-systemd.service.patch | 25 +++++++++++++++++++++++++
 stubby.spec                      |  9 +++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 stubby-0.4-systemd.service.patch

diff --git a/stubby-0.4-systemd.service.patch b/stubby-0.4-systemd.service.patch
new file mode 100644
index 0000000..d44c127
--- /dev/null
+++ b/stubby-0.4-systemd.service.patch
@@ -0,0 +1,25 @@
+From 1e2779daa85957701c91bbe491693a35790e4d73 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Sat, 15 Oct 2022 13:52:53 +0200
+Subject: [PATCH] Private users prevents running on systemd
+
+Original value does not work on systemd v250, Fedora 36.
+---
+ systemd/stubby.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/systemd/stubby.service b/systemd/stubby.service
+index 3cba0e6..f0e631b 100644
+--- a/systemd/stubby.service
++++ b/systemd/stubby.service
+@@ -18,7 +18,6 @@ MemoryDenyWriteExecute=true
+ NoNewPrivileges=true
+ PrivateDevices=true
+ PrivateTmp=true
+-PrivateUsers=true
+ ProtectClock=true
+ ProtectControlGroups=true
+ ProtectHome=true
+-- 
+2.37.3
+
diff --git a/stubby.spec b/stubby.spec
index 3ee0040..a109c6a 100644
--- a/stubby.spec
+++ b/stubby.spec
@@ -1,6 +1,6 @@
 Name:           stubby
 Version:        0.4.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Application that act as a local DNS Privacy stub resolver
 
 License:        BSD
@@ -12,6 +12,8 @@ Obsoletes:      getdns-stubby < 1.7.0-1
 %{?systemd_requires}
 
 Patch1:         stubby-0.3.1-dnssec-ta.patch
+# https://github.com/getdnsapi/stubby/pull/324
+Patch2:         stubby-0.4-systemd.service.patch
 
 BuildRequires: gcc
 BuildRequires: make
@@ -27,7 +29,7 @@ Stubby encrypts DNS queries sent from a client machine to a
 DNS Privacy resolver increasing end user privacy.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %cmake -DCMAKE_BUILD_TYPE:STRING=Release .
@@ -66,6 +68,9 @@ fi
 
 
 %changelog
+* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-2
+- Private users do not work with dynamic users
+
 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-1
 - Update to 0.4.2 (#1974450)
 - Use unbound-anchor key again

From 2125cd2af0f95db168a988ced63798340c4f885d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Sat, 15 Oct 2022 14:23:07 +0200
Subject: [PATCH 4/4] Provide path to unbound-anchor key, but commented out

---
 stubby-0.3.1-dnssec-ta.patch | 26 +++++++++++++-------------
 stubby.spec                  |  1 +
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/stubby-0.3.1-dnssec-ta.patch b/stubby-0.3.1-dnssec-ta.patch
index 4694013..6454043 100644
--- a/stubby-0.3.1-dnssec-ta.patch
+++ b/stubby-0.3.1-dnssec-ta.patch
@@ -1,25 +1,25 @@
-From 81ab1eb15280b99d2384fe4e6b512e79d4b1d543 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Fri, 14 Oct 2022 00:34:15 +0200
-Subject: [PATCH] Use trust anchor maintained by unbound-anchor
+From 3dc07827ba060247b714efdc00f2fc5617163204 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Sat, 15 Oct 2022 14:21:39 +0200
+Subject: [PATCH] Use trust anchor path maintained by unbound-anchor
 
 Other packages use it as well. Point to single file, which might be
-reused by other packages.
+reused by other packages. But keep the path commented out and use by
+default just built-in trust anchor.
 ---
- stubby.yml.example | 3 +++
- 1 file changed, 3 insertions(+)
+ stubby.yml.example | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/stubby.yml.example b/stubby.yml.example
-index 1af0468..2296b73 100644
+index 1af0468..b86cd65 100644
 --- a/stubby.yml.example
 +++ b/stubby.yml.example
-@@ -172,6 +172,9 @@ listen_addresses:
+@@ -171,7 +171,7 @@ listen_addresses:
+ # Specify the location of the installed trust anchor files to override the
  # default location (see above)
  # dnssec_trust_anchors:
- #   - "/etc/unbound/getdns-root.key"
-+# Fedora package maintains it in this location
-+dnssec_trust_anchors:
-+    - "/var/lib/unbound/root.key"
+-#   - "/etc/unbound/getdns-root.key"
++#   - "/var/lib/unbound/root.key"
  
  
  ##################################  UPSTREAMS  ################################
diff --git a/stubby.spec b/stubby.spec
index a109c6a..c4f53dd 100644
--- a/stubby.spec
+++ b/stubby.spec
@@ -70,6 +70,7 @@ fi
 %changelog
 * Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-2
 - Private users do not work with dynamic users
+- Provide path to unbound-anchor key, but keep it commented out
 
 * Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 0.4.2-1
 - Update to 0.4.2 (#1974450)