Bug#824532: udev: Include udev rules for more U2F devices

2017-07-27 Thread Michael Biebl
Hi Nicolas,

On 03.07.2017 at 18:56, Michael Biebl wrote:
> Given Nicolas' concerns, I've applied his patch from
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824532#118
> 
> This will go into unstable first as a preparation for a stable upload
> for 9.1.

This change went into 9.1.
Going forward, I'd like to drop the udev rules from the udev package in
one of the next uploads as I mentioned earlier.
Incidentally, this was discussed upstream now:
https://github.com/systemd/systemd/pull/6469

There is an interesting alternative to shipping a udev rules database,
which is bound to be lagging behind.

https://github.com/amluto/u2f-hidraw-policy/

Apparently Fedora has chosen this approach.

Nicolas, would you be interested in packaging this udev helper?

Regards,
Michael
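
The alternative mentioned in this message replaces a vendor/product list with a check of what the device declares itself to be. As an added illustration (not part of the original message, and not code from u2f-hidraw-policy), the Python below classifies a HID report descriptor by looking for the FIDO Alliance usage page 0xF1D0 with usage 0x01 on a top-level application collection, as defined in the FIDO U2F HID specification. The function names and both sample descriptors are constructed for this example, and that the linked helper applies this same criterion is an assumption.

```python
# Added example: decide from a HID report descriptor whether a device is a
# FIDO U2F token, instead of looking its USB IDs up in a list.
FIDO_USAGE_PAGE = 0xF1D0  # "FIDO Alliance" usage page (FIDO U2F HID spec)
U2F_USAGE = 0x01          # "U2F HID Authenticator Device"
MAIN, GLOBAL, LOCAL = 0, 1, 2  # HID short-item types

# Constructed sample: descriptor layout of a U2F HID token.
U2F_DESC = bytes([
    0x06, 0xD0, 0xF1,  # Usage Page (0xF1D0)
    0x09, 0x01,        # Usage (0x01)
    0xA1, 0x01,        # Collection (Application)
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x81, 0x02,
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, 0x75, 0x08, 0x95, 0x40, 0x91, 0x02,
    0xC0,              # End Collection
])
# Constructed sample: a keyboard-style descriptor (Generic Desktop page).
KEYBOARD_DESC = bytes([0x05, 0x01, 0x09, 0x06, 0xA1, 0x01, 0x05, 0x07,
                       0x19, 0xE0, 0x29, 0xE7, 0x15, 0x00, 0x25, 0x01,
                       0x75, 0x01, 0x95, 0x08, 0x81, 0x02, 0xC0])


def iter_items(desc):
    """Yield (type, tag, size, value) per item; ValueError if truncated."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: size byte, tag byte, data; skipped
            if i + 3 > len(desc) or i + 3 + desc[i + 1] > len(desc):
                raise ValueError("truncated long item")
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:
            raise ValueError("truncated short item")
        yield (prefix >> 2) & 0x03, prefix >> 4, size, int.from_bytes(data, "little")
        i += 1 + size


def is_u2f_token(desc):
    """True only if a top-level application collection is tagged FIDO/U2F."""
    page, usages, depth, found = 0, [], 0, False
    try:
        for typ, tag, size, value in iter_items(desc):
            if typ == GLOBAL and tag == 0x0:      # Usage Page
                page = value
            elif typ == LOCAL and tag == 0x0:     # Usage
                # A 4-byte Usage carries its own page in the upper 16 bits.
                usages.append((value >> 16 if size == 4 else None, value & 0xFFFF))
            elif typ == MAIN:
                if tag == 0xA:                    # Collection
                    resolved = {(p if p is not None else page, u) for p, u in usages}
                    if depth == 0 and value == 0x01 and (FIDO_USAGE_PAGE, U2F_USAGE) in resolved:
                        found = True
                    depth += 1
                elif tag == 0xC:                  # End Collection
                    depth -= 1
                usages = []                       # local items end at each Main item
    except ValueError:
        return False  # fail closed: a malformed descriptor grants nothing
    return found
```

On Linux the descriptor bytes for a hidraw node can be read from the device's `report_descriptor` attribute in sysfs.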






Bug#824532: udev: Include udev rules for more U2F devices

2017-07-03 Thread Michael Biebl
Given Nicolas' concerns, I've applied his patch from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824532#118

This will go into unstable first as a preparation for a stable upload
for 9.1.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2017-06-05 Thread Alessio Di Mauro
Hi,

No, we were not able to test all the different U2F devices before merging
them since we do not own most of them.
However, the way I see it, and feel free to disagree, is that adding an
entry in that udev rule (or an equivalent one) is a required step for any
device to work. The library itself may still be incompatible with a
specific device for different reasons, but I don't think that incorporating
a bigger list poses an issue.

That being said, if it helps we can make a new release of libu2f-host.

A.

On 2 June 2017 at 22:50, Nicolas Braud-Santoni wrote:

> X-Debbugs-CC: ales...@yubico.com, k...@yubico.com
>
> On Fri, Jun 02, 2017 at 05:10:52PM +0200, Michael Biebl wrote:
> > On 02.06.2017 at 16:14, Andreas Gnau wrote:
> > > Hello,
> > > that patch seems to be a bit old. The latest GIT-version has quite a few
> > > more HW-IDs and I think it would be very beneficial to have the latest
> > > version in stretch in order to provide out-of-the-box support for as
> > > many tokens as possible.
> > >
> > > https://github.com/Yubico/libu2f-host/blob/e6ee395fc7ee66884adefb2056a40a8e4ca514fd/70-u2f.rules
> >
> > Nicolas, your call. Feel free to send me an updated patch or let me know
> > if I should use the one you sent earlier.
>
> I would not be super-comfortable shipping the ruleset from libu2f-host's
> development version in stretch, given that I cannot test it with any of the
> new devices.
>
> Were this a released version, I would feel much more confident about it,
> if only because it would be exposed to users.
>
> @Alessio, Klas: Were you able to test those rules before merging upstream?
> Do you have a new release planned soon?
>



-- 
Alessio Di Mauro
Software Engineer | Yubico 


Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Nicolas Braud-Santoni
X-Debbugs-CC: ales...@yubico.com, k...@yubico.com

On Fri, Jun 02, 2017 at 05:10:52PM +0200, Michael Biebl wrote:
> On 02.06.2017 at 16:14, Andreas Gnau wrote:
> > Hello,
> > that patch seems to be a bit old. The latest GIT-version has quite a few
> > more HW-IDs and I think it would be very beneficial to have the latest
> > version in stretch in order to provide out-of-the-box support for as
> > many tokens as possible.
> > 
> > https://github.com/Yubico/libu2f-host/blob/e6ee395fc7ee66884adefb2056a40a8e4ca514fd/70-u2f.rules
> 
> Nicolas, your call. Feel free to send me an updated patch or let me know
> if I should use the one you sent earlier.

I would not be super-comfortable shipping the ruleset from libu2f-host's
development version in stretch, given that I cannot test it with any of the
new devices.

Were this a released version, I would feel much more confident about it,
if only because it would be exposed to users.

@Alessio, Klas: Were you able to test those rules before merging upstream?
Do you have a new release planned soon?




Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Michael Biebl
On 02.06.2017 at 16:14, Andreas Gnau wrote:
> Hello,
> that patch seems to be a bit old. The latest GIT-version has quite a few
> more HW-IDs and I think it would be very beneficial to have the latest
> version in stretch in order to provide out-of-the-box support for as
> many tokens as possible.
> 
> https://github.com/Yubico/libu2f-host/blob/e6ee395fc7ee66884adefb2056a40a8e4ca514fd/70-u2f.rules

Nicolas, your call. Feel free to send me an updated patch or let me know
if I should use the one you sent earlier.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Andreas Gnau

Hello,
that patch seems to be a bit old. The latest GIT-version has quite a few 
more HW-IDs and I think it would be very beneficial to have the latest 
version in stretch in order to provide out-of-the-box support for as 
many tokens as possible.


https://github.com/Yubico/libu2f-host/blob/e6ee395fc7ee66884adefb2056a40a8e4ca514fd/70-u2f.rules

Regards, Andreas

On 2017-06-02 14:00, Nicolas Braud-Santoni wrote:
> Control: tags -1 +patch -moreinfo
>
> On Fri, Jun 02, 2017 at 03:36:06AM +0200, Michael Biebl wrote:
> > Nicolas, please send me a patch against
> >
> > https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/extra/rules/70-debian-uaccess.rules?h=stretch
> >
> > including all the entries you want to see added for Stretch. I will try
> > to get this into 9.0 or 9.1 then.
>
> Patch attached.
>
> > I plan to remove debian/extra/rules/70-debian-uaccess.rules once buster
> > opens for development. So please get this sorted out for buster.
>
> RFS #848327 should sort this out properly, and I am planning to get it in sid
> soon.
>
> Best,
>
>    Nicolas





Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Nicolas Braud-Santoni
Control: tags -1 +patch -moreinfo

On Fri, Jun 02, 2017 at 03:36:06AM +0200, Michael Biebl wrote:
> 
> Nicolas, please send me a patch against
> 
> https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/extra/rules/70-debian-uaccess.rules?h=stretch
> 
> including all the entries you want to see added for Stretch. I will try
> to get this into 9.0 or 9.1 then.

Patch attached.


> I plan to remove debian/extra/rules/70-debian-uaccess.rules once buster
> opens for development. So please get this sorted out for buster.

RFS #848327 should sort this out properly, and I am planning to get it in sid 
soon.


Best,

  Nicolas
commit 97350d3e5dcae092c90a0090c089dabd684bf068
Author: Nicolas Braud-Santoni 
Date:   Fri Jun 2 13:26:57 2017 +0200

debian/extra/rules: Use updated U2F ruleset

This ruleset comes from Yubico's libu2f-host.
See BTS#848327 for a long-term solution.

Closes #824532

diff --git a/debian/extra/rules/70-debian-uaccess.rules b/debian/extra/rules/70-debian-uaccess.rules
index 18d61371d..f94948c75 100644
--- a/debian/extra/rules/70-debian-uaccess.rules
+++ b/debian/extra/rules/70-debian-uaccess.rules
@@ -1,19 +1,22 @@
-# FIDO u2f devices for two-factor authentication; current clients access the
-# device directly
-ACTION!="add|change", GOTO="fido_u2f_end"
-SUBSYSTEM!="hidraw", GOTO="fido_u2f_end"
-KERNEL!="hidraw*", GOTO="fido_u2f_end"
+# this udev file should be used with udev 188 and newer
+ACTION!="add|change", GOTO="u2f_end"
 
-# FIDO u2f devices, until there is a proper kernel driver
-ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
+# Yubico YubiKey
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0402|0403|0406|0407|0410", TAG+="uaccess"
 
-# Happlink (formaly Plug-Up) Security KEY
-ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
+# Happlink (formerly Plug-Up) Security KEY
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
 
-# Neowave Keydo
-ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0", TAG+="uaccess"
+#  Neowave Keydo and Keydo AES
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess"
 
 # HyperSecu HyperFIDO
-ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0880", TAG+="uaccess"
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess"
 
-LABEL="fido_u2f_end"
+# Feitian ePass FIDO
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850", TAG+="uaccess"
+
+# JaCarta U2F
+KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101", TAG+="uaccess"
+
+LABEL="u2f_end"
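
Review bot: the new first line, `# this udev file should be used with udev 188 and newer`, replaces the only comment that said what this file is for (FIDO U2F tokens that clients open directly through hidraw), so a reader of 70-debian-uaccess.rules no longer sees why these vendor/product pairs receive TAG+="uaccess"; keep a one-line purpose comment above the ACTION test. The commit message says the ruleset comes from Yubico's libu2f-host but not which release or commit it was taken from; recording that would let the next sync be compared against a known upstream state. Minor: `#  Neowave Keydo and Keydo AES` has a doubled space after the `#`.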




Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Michael Biebl
On 02.06.2017 at 13:33, Nicolas Braud-Santoni wrote:
> On Fri, Jun 02, 2017 at 03:36:06AM +0200, Michael Biebl wrote:
>>
>> Nicolas, please send me a patch against

> 
> Patch attached.

Hm, the patch seems missing.

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2017-06-02 Thread Nicolas Braud-Santoni
Control: tags -1 +patch -moreinfo

On Fri, Jun 02, 2017 at 03:36:06AM +0200, Michael Biebl wrote:
> 
> Nicolas, please send me a patch against
> 
> https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/extra/rules/70-debian-uaccess.rules?h=stretch
> 
> including all the entries you want to see added for Stretch. I will try
> to get this into 9.0 or 9.1 then.

Patch attached.


> I plan to remove debian/extra/rules/70-debian-uaccess.rules once buster
> opens for development. So please get this sorted out for buster.

RFS #848327 should sort this out properly, and I am planning to get it in sid 
soon.


Best,

  Nicolas




Bug#824532: udev: Include udev rules for more U2F devices

2016-11-30 Thread Michael Biebl
On 13.11.2016 at 23:57, Michael Biebl wrote:
> On 13.11.2016 at 16:06, Michael Biebl wrote:
>> On 13.11.2016 at 07:46, Simon Josefsson wrote:
>>> Hi. The udev file is needed by all applications using u2f, and not all
>>> use libu2f-host. For example, chromium needs the udev rule to work. It
>>> just needs to be present on all systems for u2f to work. Alternatively,
>>> every package that wants to talk to a u2f device needs to ship the file
>>> which doesn't scale very well. 
>>
>> Or such applications depend on a libu2f-common package.
>>
> 
> Btw, splitting out the udev rules from the libu2f-host0 library package
> seems like something you should do in any case. Otherwise it makes
> soname bumps needlessly complicated as the two library packages need to
> conflict with each other.

I've talked to Martin Pitt on IRC and we agreed that splitting out the
udev rules is our preferred way to go here.

I've filed #846358 and #846359 for that.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2016-11-13 Thread Michael Biebl
On 13.11.2016 at 16:06, Michael Biebl wrote:
> On 13.11.2016 at 07:46, Simon Josefsson wrote:
>> Hi. The udev file is needed by all applications using u2f, and not all
>> use libu2f-host. For example, chromium needs the udev rule to work. It
>> just needs to be present on all systems for u2f to work. Alternatively,
>> every package that wants to talk to a u2f device needs to ship the file
>> which doesn't scale very well. 
> 
> Or such applications depend on a libu2f-common package.
> 

Btw, splitting out the udev rules from the libu2f-host0 library package
seems like something you should do in any case. Otherwise it makes
soname bumps needlessly complicated as the two library packages need to
conflict with each other.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2016-11-13 Thread Michael Biebl
On 13.11.2016 at 07:46, Simon Josefsson wrote:
> Hi. The udev file is needed by all applications using u2f, and not all
> use libu2f-host. For example, chromium needs the udev rule to work. It
> just needs to be present on all systems for u2f to work. Alternatively,
> every package that wants to talk to a u2f device needs to ship the file
> which doesn't scale very well. 

Or such applications depend on a libu2f-common package.

> Is there any history regarding other udev
> files for hardware with similar properties?

You mean like mtp (libmtp-common → /lib/udev/rules.d/69-libmtp.rules),
gphotos (/lib/udev/rules.d/60-libgphoto2-6.rules), argyll
(/lib/udev/rules.d/55-Argyll.rules) or sane
(/lib/udev/rules.d/60-libsane.rules), just to name a few?


You can try and convince systemd/udev upstream to ship those rules. If
they agree to that, I have no objection. I object, though, to shipping that as
a downstream patch.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2016-11-12 Thread Simon Josefsson
Hi. The udev file is needed by all applications using u2f, and not all use
libu2f-host. For example, chromium needs the udev rule to work. It just needs
to be present on all systems for u2f to work. Alternatively, every package that 
wants to talk to a u2f device needs to ship the file which doesn't scale very 
well. Is there any history regarding other udev files for hardware with similar 
properties?

/Simon

Michael Biebl wrote: (12 November 2016 21:10:20 CET)
>Control: tags -1 + moreinfo
>
>On Tue, 17 May 2016 17:43:45 +1000 Robert Norris wrote:
>> Package: udev
>> Version: 229-6
>> Severity: wishlist
>> 
>> 70-debian-uaccess.rules includes rules for Yubico U2F devices. There are
>> other U2F devices coming onto the market, and it would be good to
>> include those too.
>> 
>> https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
>> 
>
>Hm, I'm not sure if shipping 70-debian-uaccess.rules in the udev package
>was a good idea in the first place. Imho this file should be maintained
>by the libu2f-host package, and apparently it already ships a rules file
>for that
>
>Martin, can we please drop debian/extra/rules/70-debian-uaccess.rules
>and reassign this bug to libu2f-host?
>
>I see that the rules file currently shipped by libu2f-host0 is using
>group plugdev, but that is a bug in the package. It should have a
>build-depends on udev, so it installs the correct version:
>
>PKG_CHECK_MODULES([UDEV], [udev >= 188],
>  udevrulesfile=70-u2f.rules,
>  udevrulesfile=70-old-u2f.rules,
>  )
>
>The package should install 70-u2f.rules and not 70-old-u2f.rules
>-- 
>Why is it that all of the instruments seeking intelligent life in the
>universe are pointed away from Earth?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Bug#824532: udev: Include udev rules for more U2F devices

2016-11-12 Thread Michael Biebl
On 12.11.2016 at 23:07, Rob N ★ wrote:
> On Sun, Nov 13, 2016, at 07:10 AM, Michael Biebl wrote:
>> Hm, I'm not sure if shipping 70-debian-uaccess.rules in the udev
>> package was a good idea in the first place. Imho this file should be
>> maintained by the libu2f-host package, and apparently it already ships
>> a rules file for that
> 
> I would argue that the rules file should be shipped wherever standard
> device support stuff is shipped (I think that is udev, though anything
> else installed as "standard" would be fine).

I'm not willing to maintain a hardware database *downstream* in udev.


> libu2f-host is not required to use U2F devices. A supporting web browser
> is all that's needed, typically Chromium etc, and soon Firefox.

Maybe libu2f-host should split those rules out into a -common package
then, which chromium, firefox and those applications, that need it, can
depend on.





-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#824532: udev: Include udev rules for more U2F devices

2016-11-12 Thread Rob N ★
On Sun, Nov 13, 2016, at 07:10 AM, Michael Biebl wrote:
> Hm, I'm not sure if shipping 70-debian-uaccess.rules in the udev
> package was a good idea in the first place. Imho this file should be
> maintained by the libu2f-host package, and apparently it already ships
> a rules file for that

I would argue that the rules file should be shipped wherever standard
device support stuff is shipped (I think that is udev, though anything
else installed as "standard" would be fine).

libu2f-host is not required to use U2F devices. A supporting web browser
is all that's needed, typically Chromium etc, and soon Firefox.

Including it makes these devices work out-of-the-box, which is what
people expect. Requiring a library package to be installed that isn't
even used just raises the bar unnecessarily.

(just like every other device I don't own but have udev rules
installed for).



Bug#824532: udev: Include udev rules for more U2F devices

2016-11-12 Thread Michael Biebl
Control: tags -1 + moreinfo

On Tue, 17 May 2016 17:43:45 +1000 Robert Norris wrote:
> Package: udev
> Version: 229-6
> Severity: wishlist
> 
> 70-debian-uaccess.rules includes rules for Yubico U2F devices. There are
> other U2F devices coming onto the market, and it would be good to
> include those too.
> 
> https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
> 

Hm, I'm not sure if shipping 70-debian-uaccess.rules in the udev package
was a good idea in the first place. Imho this file should be maintained
by the libu2f-host package, and apparently it already ships a rules file
for that

Martin, can we please drop debian/extra/rules/70-debian-uaccess.rules
and reassign this bug to libu2f-host?

I see that the rules file currently shipped by libu2f-host0 is using
group plugdev, but that is a bug in the package. It should have a
build-depends on udev, so it installs the correct version:

PKG_CHECK_MODULES([UDEV], [udev >= 188],
  udevrulesfile=70-u2f.rules,
  udevrulesfile=70-old-u2f.rules,
  )

The package should install 70-u2f.rules and not 70-old-u2f.rules
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


