On Tue, Jun 23, 2026 at 9:35 PM Gordon Messmer <[email protected]> wrote:
>
> On 2026-06-23 10:20 AM, Alexander Sosedkin wrote:
>
> Okay. Sorry for being ceaselessly curious,
> but poking around copr webui didn't lead me to matching specfiles
> quickly enough, so...
> how is it related to s2n-tls?
> I'm not sure I understand how a pkcs11 module ended up pulling in an
> entire TLS implementation =)
>
>
> This pkcs11 module interfaces with a backend service (AWS KMS) that is 
> available over HTTPS, I think.

Oh, OK. Huh, and thanks for soothing my curiosity.
I guess they're not gonna like the idea of switching to libcurl or something =)

> In any case, s2n-tls is a dependency of aws-c-io, which is a dependency of a 
> bunch of aws libraries including aws-sdk-cpp, which is a dependency of 
> aws-kms-pkcs11.
>
> While I wait on their reply: If they were interested in supporting Fedora 
> crypto policies, is there any documentation available that describes the 
> required compliance?
>
> Oh. Sorry for the confusion. I don't even know what to say here, as
> there's so little to say.
>
> All crypto-policies does is generate configuration files (or fragments of one)
> for multiple libraries/apps from a single system configuration file.
> So "supporting crypto-policies" is usually transparent to the upstream
> library/app, and boils down to:
> 1. upstream: a library/application has a config file that defines what
> algorithms are enabled by default,
>    which most of them just... naturally already do by a certain maturity 
> stage?
> 2. packaging: it will then, in Fedora, have to
>    be compiled to read this config from
> /etc/crypto-policies/back-ends/$name.config,
>    get patched if the upstream isn't receptive to making it a
> compile-time option,
>    or even just ship a symlink that points there from the default
> location, why not.
> 3. within crypto-policies: I should then implement a generator for
> said configuration file,
>    that, given a sane config format,
>    mostly just maps the crypto-policies algorithm names to the
> library/application ones.
>
> ... and that's kinda it?
>
>
> OK. I think you're saying that the library might not even need to adapt to 
> Fedora's configs, we may just need documentation on their configuration 
> format, and we could use that information to write a configuration file for 
> the library. Is that right?

Exactly. That's how it has been with all the other software,
with the notable exception of Go,
that, in its infinite wisdom, didn't offer a configuration file
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/131
https://github.com/golang/go/issues/60790
and since then seemed to, eh, adopt a progressively more lateral direction
https://github.com/golang/go/issues/79043
that I, uh, find puzzling.
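An added example of the "step 3" generator described above (not crypto-policies' own code): a policy expressed in crypto-policies' algorithm vocabulary is mapped onto a library's own names and emitted as the fragment the library would read from /etc/crypto-policies/back-ends/$name.config. The policy subset, the "examplelib" back-end and its key = value syntax are constructed for illustration; names the library cannot express are dropped and reported rather than passed through verbatim.

```python
"""Toy crypto-policies back-end generator (added example, not crypto-policies' code)."""

# Constructed policy in crypto-policies' algorithm vocabulary (hypothetical subset).
# Lists are preference-ordered, so order must survive the mapping.
POLICY = {
    "protocol": ["TLS1.3", "TLS1.2"],
    "cipher": ["AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM"],
    "hash": ["SHA2-256", "SHA2-384"],
}

# Hypothetical "examplelib" names.  Anything missing here is deliberately
# dropped: a name the library does not know must not leak into its config.
EXAMPLELIB_NAMES = {
    "protocol": {"TLS1.3": "tls13", "TLS1.2": "tls12"},
    "cipher": {"AES-256-GCM": "aes256gcm", "AES-128-GCM": "aes128gcm"},
    "hash": {"SHA2-256": "sha256", "SHA2-384": "sha384"},
}


def generate(policy: dict, names: dict) -> tuple:
    """Return (config text, list of policy entries the library cannot express)."""
    lines, unmapped = [], []
    for section, algs in policy.items():
        mapped = []
        for alg in algs:
            lib_name = names.get(section, {}).get(alg)
            if lib_name is None:
                unmapped.append(f"{section}:{alg}")
            else:
                mapped.append(lib_name)
        if mapped:  # an empty section would disable everything; emit nothing instead
            lines.append(f"{section} = {','.join(mapped)}")
    return "\n".join(lines) + "\n", unmapped


def backend_path(name: str) -> str:
    """Where the Fedora build of a library is pointed at (step 2 above)."""
    return f"/etc/crypto-policies/back-ends/{name}.config"


if __name__ == "__main__":
    text, unmapped = generate(POLICY, EXAMPLELIB_NAMES)
    print(f"# would be written to {backend_path('examplelib')}")
    print(text, end="")
    if unmapped:
        print("# not expressible in examplelib, dropped:", ", ".join(unmapped))
```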

-- 
_______________________________________________
devel mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]