openssh 8.2p1 #50283

Closed

404NetworkError
Contributor

Created with brew bump-formula-pr.

@404NetworkError 404NetworkError deleted the openssh-8.2p1 branch February 15, 2020 18:48
@arekm

arekm commented Feb 15, 2020

A major feature of 8.2p1 is FIDO/U2F key support. Unfortunately, this update lacks it.

--with-security-key-builtin and a dependency on libfido2 [1] are needed.

[1] https://developers.yubico.com/libfido2/

@xanderlent
Contributor

xanderlent commented Feb 15, 2020

I began working on this, but found the issue was already settled: Unfortunately, PRs #46071 and #46072 state that Homebrew will not support this until it is notable. After discovering the previous discussions, I have discontinued my duplicate work.

Homebrew's notability guidelines prohibit formulae on GitHub with <30 forks, <30 watchers and <75 stars (that's from the audit source), so these features will not be present unless the dependencies meet notability standards or OpenSSH's dependencies are deemed notable by their use in OpenSSH alone.

(Edit purpose: Conciseness and correct terminology.)

@SMillerDev
Member

Did you check if the dependencies still don't meet that level 4 months later?

@strayer
Contributor

strayer commented Feb 16, 2020

https://github.com/Yubico/libfido2 has 33 watchers, 123 stars and 28 forks. It seems a little weird to not have a formula for it just because it itself isn’t very popular on GitHub.

Edit: I missed https://github.com/PJK/libcbor/, which is at 21 watchers, 158 stars and 47 forks.

Doesn't being an optional dependency for such important software as OpenSSH validate its notability?

@MrMarvin
Contributor

> Did you check if the dependencies still don't meet that level 4 months later?

For libfido2

According to https://docs.brew.sh/Acceptable-Formulae, the acceptance criteria are as follows:

The software in question must:

  1. be maintained (i.e. the last release wasn’t ages ago, it works without patching on all supported macOS releases and has no outstanding, unpatched security vulnerabilities)

It is maintained by Yubico (a security hardware vendor which has a certain interest in keeping it alive to support their products), currently with contributions from 21 people and releases every few months, the last in November 2019.

  1. be known

It is known as an 'official' implementation of the FIDO2 standard for hardware-based authentication factors. OpenSSH explicitly links to it.

  1. be stable (e.g. not declared “unstable” or “beta” by upstream)

The maintainers declared their builds as 'release'.

  1. be used

It is (optionally) used by OpenSSH and PAM. The major browsers (which have had support for U2F and FIDO2 for some time now) are using their own implementations, however.
I'd argue that the new addition to OpenSSH 8.2 counts as 'usage', given that it is an existing and well-known Homebrew formula.

  1. have a homepage

Has a homepage: https://developers.yubico.com/libfido2/

Unfortunately, there is an additional dependency for libfido2 with libcbor, which needs separate consideration. However, this library is available in a brew tap (pjk/libcbor) already. Not sure what that means for getting libfido2 into core; is it commonly accepted to have a core formula depend on a tap itself?

@xanderlent
Contributor

xanderlent commented Feb 16, 2020

My apologies, I misinterpreted the notability guidelines (after rechecking the audit source, the condition is that any repository with either 30 forks OR 30 watchers OR 75 stars is notable, so it passes the audit), and have submitted a PR for libcbor in #50305.

@xanderlent
Contributor

Status update: I've got preliminary patches for all three pieces ready, and they work on my machine with the FIDO/U2F tokens I have access to. I've submitted all of them, and the only thing left at this point is cleaning up various issues with each of the PRs. (See #50305, #50326, and #50311, in that order.)

@lock lock bot added the outdated PR was locked due to age label Mar 18, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Mar 18, 2020