On Sat 2017-10-28 20:57:06 +0200, Jason A. Donenfeld wrote:
> 1) wg-quick isn't a daemon, though openvpn is.

wg-quick could be invoked from a network management daemon. Part of the brilliance of wireguard is that the in-kernel stuff *doesn't* try to integrate fancy configuration/setup policy. But that does mean that it's likely that there needs to be some user-space policy agent for system integration.

> 2) I can think of at least 5 ways to implement a resolvconf binary without
> requiring root, making your argument moot. There's nothing inherent in the
> resolvconf model that would require it.
>
> If you're interested in spending the time implementing this for openresolv,
> I can spec those out in detail for you.

Please report these suggestions to openresolv or any other resolvconf implementations. My point is about what exists today, not about what is theoretically possible. This argument will be moot when any widely-used resolvconf implementation doesn't have to be executed as the superuser by default. Please, make it moot! :)

> Alternatively, you can just wait for the systemd devs to add a
> resolvconf for controlling systemd-resolved, if that's the horse
> you're betting on.

That'd be fine with me, thanks for pushing on it.

--dkg