Package: libu2f-udev Version: 1.1.6-1 Hi,
libu2f-udev makes U2F devices accessible to users by matching hidraw devices against a list of vendor/product pairs. This means that any newly-released device will not work until libu2f-host is updated to add it to this list. I noticed that Fedora takes a different approach: u2f-hidraw-policy[0] uses the discovery mechanism defined in the U2F HID spec[1] to determine whether a hidraw device supports U2F, and if so sets ID_U2F_TOKEN=1 and ID_SECURITY_TOKEN=1 on it. systemd ships a rule[2] which matches ID_SECURITY_TOKEN=1 and applies the "uaccess" tag, just as the rules shipped by libu2f-udev do. This has the nice property that newly-released devices work immediately, rather than needing an update to libu2f-host. Is there some reason to prefer the libu2f-udev approach? While looking into making U2F tokens work out of the box on Endless OS, I put together some packaging for u2f-hidraw-policy[3]. It seems to work fine, and the approach seems cleaner than the list-of-devices approach. However, we generally prefer to follow Debian where possible, so I'm wondering if there's any interest in Debian adopting this mechanism! Thanks, – Will [0] https://github.com/amluto/u2f-hidraw-policy/ [1] https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-hid-protocol-ps-20141009.html#hid-report-descriptor-and-device-discovery [2] https://salsa.debian.org/systemd-team/systemd/blob/master/src/login/70-uaccess.rules#L53-54 [3] https://salsa.debian.org/wjt-guest/u2f-hidraw-policy
