On Tue, Jun 23, 2026 at 9:35 PM Gordon Messmer <[email protected]> wrote:
>
> On 2026-06-23 10:20 AM, Alexander Sosedkin wrote:
> > Okay. Sorry for being ceaselessly curious,
> > but poking around copr webui didn't lead me to matching specfiles
> > quickly enough, so...
> > how is it related to s2n-tls?
> > I'm not sure I understand how a pkcs11 module ended up pulling in an
> > entire TLS implementation =)
>
> This pkcs11 module interfaces with a backend service (AWS KMS) that is
> available over HTTPS, I think.
Oh, OK. Huh, and thanks for soothing my curiosity.
I guess they're not gonna like the idea of switching to libcurl or something =)

> In any case, s2n-tls is a dependency of aws-c-io, which is a dependency of a
> bunch of aws libraries including aws-sdk-cpp, which is a dependency of
> aws-kms-pkcs11.
>
> While I wait on their reply: If they were interested in supporting Fedora
> crypto policies, is there any documentation available that describes the
> required compliance?
>
> > Oh. Sorry for the confusion. I don't even know what to say here, as
> > there's so little to say.
> >
> > All crypto-policies does is generate configuration files (or fragments of
> > one) for multiple libraries/apps from a single system configuration file.
> > So "supporting crypto-policies" is usually transparent to the upstream
> > library/app, and boils down to:
> > 1. upstream: a library/application has a config file that defines what
> >    algorithms are enabled by default,
> >    which most of them just... naturally already do by a certain maturity
> >    stage?
> > 2. packaging: it will then, in Fedora, have to
> >    be compiled to read this config from
> >    /etc/crypto-policies/back-ends/$name.config,
> >    get patched if the upstream isn't receptive to making it a
> >    compile-time option,
> >    or even just ship a symlink that points there from the default
> >    location, why not.
> > 3. within crypto-policies: I should then implement a generator for
> >    said configuration file,
> >    that, given a sane config format,
> >    mostly just maps the crypto-policies algorithm names to the
> >    library/application ones.
> >
> > ... and that's kinda it?
>
> OK. I think you're saying that the library might not even need to adapt to
> Fedora's configs, we may just need documentation on their configuration
> format, and we could use that information to write a configuration file for
> the library. Is that right?

Exactly.
That's how it has been with all the other software, with the notable
exception of Go, that, in its infinite wisdom, didn't offer a configuration file
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/131
https://github.com/golang/go/issues/60790
and since then seemed to, eh, adopt a progressively more lateral direction
https://github.com/golang/go/issues/79043
that I, uh, find puzzling.
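The three-step integration sketched in the quoted reply (a library config file, read from /etc/crypto-policies/back-ends/$name.config, produced by a generator that maps crypto-policies algorithm names onto the library's own) as an added illustrative example that is not part of this thread or of crypto-policies' own code. The target library ("examplelib"), its option names, and the sample policy below are assumptions; the policy-side names (AES-256-GCM, SHA2-256, TLS1.2, ...) follow crypto-policies' naming.

```python
"""Toy back-end generator: map policy-level algorithm names onto a
hypothetical library's names and emit the config fragment it would read."""
import warnings

# Constructed sample policy, using crypto-policies-style algorithm names.
POLICY = {
    "protocol": ["TLS1.3", "TLS1.2"],
    "cipher": ["AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM", "AES-256-CBC"],
    "hash": ["SHA2-256", "SHA2-384", "SHA1"],
    "min_rsa_size": 2048,
}

# Assumed names for the hypothetical "examplelib"; not any real project's.
PROTOCOL_MAP = {"TLS1.2": "tls12", "TLS1.3": "tls13"}
CIPHER_MAP = {
    "AES-256-GCM": "aes256gcm",
    "AES-128-GCM": "aes128gcm",
    "CHACHA20-POLY1305": "chacha20poly1305",
    # AES-256-CBC deliberately absent: the library does not implement it.
}
HASH_MAP = {"SHA2-256": "sha256", "SHA2-384": "sha384", "SHA1": "sha1"}


def _map_names(names, table, kind):
    """Translate policy names in policy order; drop what the library lacks."""
    out = []
    for name in names:
        if name in table:
            out.append(table[name])
        else:
            # The policy allows something the library cannot do: omitting it
            # keeps the generated config a subset of the policy, never a superset.
            warnings.warn(f"{kind} {name!r} has no examplelib equivalent; skipping")
    return out


def generate_config(policy):
    """Render the back-end fragment for /etc/crypto-policies/back-ends/examplelib.config."""
    lines = [
        "# generated by crypto-policies; do not edit",
        "protocols = " + " ".join(_map_names(policy["protocol"], PROTOCOL_MAP, "protocol")),
        "ciphers = " + ":".join(_map_names(policy["cipher"], CIPHER_MAP, "cipher")),
        "hashes = " + ":".join(_map_names(policy["hash"], HASH_MAP, "hash")),
        f"min_rsa_bits = {policy['min_rsa_size']}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_config(POLICY), end="")
```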
