On 2026-06-23 10:20 AM, Alexander Sosedkin wrote:
Okay. Sorry for being ceaselessly curious,
but poking around copr webui didn't lead me to matching specfiles
quickly enough, so...
how is it related to s2n-tls?
I'm not sure I understand how a pkcs11 module ended up pulling in an
entire TLS implementation =)


This pkcs11 module interfaces with a backend service (AWS KMS) that is available over HTTPS, I think.

In any case, s2n-tls is a dependency of aws-c-io, which is a dependency of a bunch of aws libraries including aws-sdk-cpp, which is a dependency of aws-kms-pkcs11.


While I wait on their reply: If they were interested in supporting Fedora 
crypto policies, is there any documentation available that describes the 
required compliance?
Oh. Sorry for the confusion. I don't even know what to say here, as
there's so little to say.

All crypto-policies does is generate configuration files (or fragments of one) for multiple libraries/apps from a single system configuration file.
So "supporting crypto-policies" is usually transparent to the upstream library/app, and boils down to:
1. upstream: a library/application has a config file that defines what algorithms are enabled by default,
    which most of them just... naturally already do by a certain maturity stage?
2. packaging: it will then, in Fedora, have to
    be compiled to read this config from /etc/crypto-policies/back-ends/$name.config,
    get patched if the upstream isn't receptive to making it a compile-time option,
    or even just ship a symlink that points there from the default location, why not.
3. within crypto-policies: I should then implement a generator for said configuration file,
    that, given a sane config format,
    mostly just maps the crypto-policies algorithm names to the library/application ones.

... and that's kinda it?


OK. I think you're saying that the library might not even need to adapt to Fedora's configs, we may just need documentation on their configuration format, and we could use that information to write a configuration file for the library. Is that right?
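
A sketch of step 3 from the quoted explanation, as an added example that is not part of the thread or of the crypto-policies code base: a generator that maps policy-level algorithm names to a back-end's own names. The policy values are constructed, and the `examplelib` back-end, its name tables and its `key = value` config syntax are hypothetical.

```python
"""Toy back-end generator in the spirit of crypto-policies (not its real code)."""

# Hypothetical name tables for an imaginary back-end, "examplelib".
# Left side: policy-level names; right side: names examplelib would use.
CIPHER_MAP = {
    "AES-256-GCM": "aes256-gcm",
    "AES-128-GCM": "aes128-gcm",
    "CHACHA20-POLY1305": "chacha20-poly1305",
}
PROTOCOL_MAP = {"TLS1.3": "tls1.3", "TLS1.2": "tls1.2"}

# Constructed sample policy: ordered lists of what the system allows.
SAMPLE_POLICY = {
    "cipher": ["AES-256-GCM", "CHACHA20-POLY1305", "CAMELLIA-256-GCM"],
    "protocol": ["TLS1.3", "TLS1.2", "DTLS1.2"],
}


def translate(allowed, name_map):
    """Map policy names to back-end names, keeping policy order.

    Names the back-end has no equivalent for are skipped: the policy lists
    everything the system permits, and a back-end enables the subset it
    implements.
    """
    return [name_map[name] for name in allowed if name in name_map]


def generate_config(policy):
    """Render the fragment that would be written to
    /etc/crypto-policies/back-ends/examplelib.config."""
    ciphers = translate(policy.get("cipher", []), CIPHER_MAP)
    protocols = translate(policy.get("protocol", []), PROTOCOL_MAP)
    # Fail closed: an empty list must not be read by the back-end as
    # "no restriction, use built-in defaults".
    if not ciphers or not protocols:
        raise ValueError("policy leaves examplelib with no usable algorithms")
    return "ciphers = {}\nprotocols = {}\n".format(
        ":".join(ciphers), ":".join(protocols))


if __name__ == "__main__":
    print(generate_config(SAMPLE_POLICY), end="")
```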

-- 
_______________________________________________
devel mailing list -- [email protected]