
hotp-verification 1.7+non-versioned bump commit (suppression of touch status) still wrong and still repeats itself #52

Closed
tlaurion opened this issue Dec 16, 2024 · 5 comments

Comments

@tlaurion (Contributor)

tlaurion commented Dec 16, 2024

signal-2024-12-16-13-53-14-019.jpg

Ping @sosthene-nitrokey.

@jans23
A Heads PR from Nitrokey will be expected for anything Heads related in the future; that's the last batch of tests I will do on my side without a payment agreement.

Testing under linuxboot/heads#1875, modules/hotp-verification and everything Nitrokey firmware and toolstack related = Nitrokey's responsibility to produce code, tests and results.

I will review those PRs inside of Heads, but do not expect me to do anything more than that from now on without a contractual payment agreement/compensation/time bank, with Nitrokey signing a contract with myself that is legally binding. Mutualism is expected. This is not even commensalism.

40h of my time for this feature freeze where payment is still refused: we will invert the roles and issues will be raised from my side under Nitrokey repos, while PRs opened by Nitrokey under Heads will be tested, reviewed, challenged and, when satisfying, merged. Maybe Nitrokey will then and only then value the time involved in the needed collaboration when it says how much involvement is required when it's not solely inside of their repo, but as of now they don't.

We will invert the roles in the absence of a co-beneficial agreement and recognition of the time spent to arrive at usable code.

This work on my side is not paid by a profit sharing agreement, nor is it part of Heads community paid maintainership.

These 40h should have been/should be paid by Nitrokey only, or done by Nitrokey, not by me, where those 40h are totally dismissed as of now, still, to reverse regressions CAUSED by Nitrokey changes with their nk3. Not my fault nor responsibility.

@tlaurion tlaurion changed the title hotp-verification 1.7+unversiined commit suppression of touch status still wrong and still repeats itself hotp-verification 1.7+non-versioned bump commit (suppression of touch status) still wrong and still repeats itself Dec 16, 2024
@daringer (Collaborator)

This is not a description of an error - I just read a lot of non-technical text. Please re-open an issue which describes your issue and how you would like to solve it, and keep away the non-technical blabla...

@sosthene-nitrokey (Contributor)

It still asks for the touch twice, because the reset and the setting of the PIN are separate operations.

I'm fixing the missing line break in #53

@tlaurion (Contributor, Author)

tlaurion commented Dec 18, 2024

signal-2024-12-16-13-53-14-019.jpg

@sosthene-nitrokey lack of testing with real-life dongles under Heads?

Sometimes it's one touch request. Sometimes it's 2. Sometimes it's 3.

3 as per image @daringer.

@sosthene-nitrokey (Contributor)

sosthene-nitrokey commented Dec 18, 2024

If you see unexpected behaviour you think is a bug, please include the information on:

  • How to reproduce it
  • Expected output
  • Observed output

@tlaurion (Contributor, Author)

tlaurion commented Dec 19, 2024

> If you see unexpected behaviour you think is a bug, please include the information on:
>
>   • How to reproduce it
>   • Expected output
>   • Observed output

Regressions relative to nk2 are not mine to document nor flag. Please use Heads and bring it to par. Separation of duties needs to be clarified and I won't repeat myself anymore.

  • Physical presence was not supposed to be a replacement for authentication, which led to the hotp-verification 1.6 and nk3 firmware 1.7.1 massive security vuln being swept under the rug.

  • The PIN being set on first use prior to hotp-verification 1.7 was a regression compared to nk2.

  • Physical presence under nk3 fw 1.7.2 and hotp-verification 1.7 still prevents unattended workflows with no good justification but regression.

  • The next downstream releases of Heads+Dasharo will be able to resolve most of the personally discovered regressions and provision the secrets app PIN alongside all other secrets, because of the hotp-verification 1.7 related bug reports and testing and the Nitrokey fixes. But the next nk3 firmware + leftover patches not under a versioned hotp-verification should have been part of the first nk3+Heads release, not discovered through my time and involvement, on which there is no paid compensation agreement, @jan23 considering I should not be paid for my time leading to those regression discoveries, bug reports, PR involvement, code fixing under Heads and my own PRs under Heads... to be used back by Nitrokey users and the rest of the ecosystem.

As a result of the unpaid compensation and lack of prior due diligence, I expect Nitrokey to do way more regression testing under Heads qemu+nk3, to arrive at feature parity with <nk3, and to resolve any regression that will be discovered by themselves, or otherwise by downstream Dasharo+Heads release users and reported by those Heads users directly to Nitrokey from now on.


3 participants