Yubikey-manager

** Support for YubiKeys with FIDO2. See ykman fido -h
** Report the form factor for YubiKeys that support it.
** OTP: slot command is now called otp. See ykman otp -h for all changes.
** Static password: Add support for different keyboard layouts. See ykman otp static -h
** PIV: Signatures for CSRs are now correct.
** PIV: Commands on slots with PIN policy ALWAYS no longer fail if the YubiKey has a management key protected by PIN.
** Mode: The U2F mode is now called FIDO.
** Dependencies: libu2f-host is no longer used for FIDO communication over USB, instead the python library fido2 is used.

** OpenPGP: Expose remaining PIN retries in info command and API.
** CCID: Only try YubiKey smart card readers by default.
** Handle NEO issues with challenge-response credentials better.
** Improve logging.
** Improve error handling when opening device over OTP.
** Bugfix: Fix adding OTP data through the interactive prompt.

** API breaking changes:
*** OATH: New API more similar to yubioath-android
** CLI breaking changes:
*** OATH: Touch prompt now written to stderr instead of stdout
*** OATH: `-a|--algorithm` option to `list` command removed
*** OATH: Columns in `code` command are now dynamically spaced depending on contents
*** OATH: `delete` command now requires confirmation or `-f|--force` argument
*** OATH: IDs printed by `list` command now include TOTP period if not 30
*** Changed outputs:
**** INFO: "Device name" output changed to "Device type"
**** PIV: "Management key is stored on device" output changed to "Management key is stored on the YubiKey"
**** PIV: "All PIV data have been cleared from the device" output changed to "All PIV data have been cleared from your YubiKey"
**** PIV: "The current management key is stored on the device" prompt changed to "The current management key is stored on the YubiKey"
**** SLOT: "blank to use device serial" prompt changed to "blank to use YubiKey serial number"
**** SLOT: "Using device serial" output changed to "Using YubiKey device serial"
**** Lots of failure case outputs changed
** New features:
*** Support for multiple devices via new top-level option `-d|--device`
*** New top-level option `-l|--log-level` to enable logging
*** OATH: Support for remembering passwords locally.
*** OATH: New option `-s|--single` for `code` command
*** PIV: `set-pin-retries` command now warns that PIN and PUK will be reset to factory defaults, and prints those defaults after resetting
** API bug fixes:
*** OATH: `valid_from` and `valid_to` for `Code` are now absolute instead of relative to the credential period
*** OATH: `period` for non-TOTP `Code` is now `None`

** Will now attempt to open device 3 times before failing
** OpenPGP: Don't say data is removed when not
** OpenPGP: Don't swallow APDU errors
** PIV: Block on-chip RSA key generation for firmware versions 4.2.0 to 4.3.4 (inclusive) since these chips are vulnerable to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361[CVE-2017-15631].

** OATH: Don't print issuer if there is no issuer.

** OATH: Fix yet another issue with backwards compatibility, for adding new credentials.