Date:      Mon, 8 Jan 2024 11:36:37 -0700
From:      Warner Losh <imp@bsdimp.com>
To:        Kyle Evans <kevans@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Move u2f-devd into base?
Message-ID:  <CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ@mail.gmail.com>
In-Reply-To: <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>
References:  <ZZwLx1RxlY6xuvFV@lorvorc.mips.inka.de> <CANCZdfqpbL=QNgTwBveUpBooucX2MbfZnR9dw4w25_TXYOyuDg@mail.gmail.com> <20240109013058.22807f3816603829316cef4c@dec.sakura.ne.jp> <b38c7956-17d8-4c6a-a56a-42befdf35c17@FreeBSD.org>

On Mon, Jan 8, 2024 at 9:35 AM Kyle Evans <kevans@freebsd.org> wrote:

> On 1/8/24 10:30, Tomoaki AOKI wrote:
> > On Mon, 8 Jan 2024 08:18:38 -0700
> > Warner Losh <imp@bsdimp.com> wrote:
> >
> >> On Mon, Jan 8, 2024, 7:55 AM Christian Weisgerber <naddy@mips.inka.de>
> >> wrote:
> >>
> >>> We have FIDO/U2F support for SSH in base.
> >>>
> >>> We also have a group "u2f", 116, in the default /etc/group file.
> >>>
> >>> Why do we keep the devd configuration (to chgrp the device nodes)
> >>> in a port, security/u2f-devd?  Can't we just add this to base, too?
> >>> It's just another devd configuration file.
> >>>
> >>
> >> This properly belongs to devfs.conf no? Otherwise it's a race...
> >>
> >> Warner
> >>
> >> --
> >>> Christian "naddy" Weisgerber
> naddy@mips.inka.de
> >
> > It's devd.conf materials. It actually is security/u2f-devd/files
> > u2f.conf and its contents are sets of notify 100 { match "vendor" ...
> > match "product" ... action "chgrp u2f ..." };.
> > Some have more items in it, though.
> >
> > So it should be in ports to adapt for latest products more quickly than
> > in base, I think.
> >
>
> I don't see any obvious reason that we can't compromise and have a
> baseline of products in base and just use the port for new products not
> yet known to base.  These vendors presumably aren't going to quickly
> repurpose some PID for a non-u2f thing, much less in a way that we care
> about.
>

Yea, I just wonder why it has to be devd.conf, and not devfs.conf. What are
we missing from that to make this doable generically? If we want it safe, we
may need some additional work around the whole ugen thing it uses.

Warner


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfou_gt9J6gt1fUkzGS1ZbfT1Z64Oz8S52J5z%2Bc%2BCfBcVQ>