On Tue, 2026-06-23 at 11:31 +0100, Daniel P. Berrangé wrote: > On Tue, Jun 23, 2026 at 12:04:25PM +0200, Fabio Valentini wrote: > > On Tue, Jun 23, 2026 at 10:57 AM Alexander Sosedkin > > <[email protected]> wrote: > > > > > > On Tue, Jun 23, 2026 at 12:46 AM Gordon Messmer > > > <[email protected]> wrote: > > > > > > > > Fedora's crypto policies say that I should talk to crypto-team about > > > > adding a new crypto library to Fedora, and refers to a mailing list > > > > which requires membership to send messages. > > > > > > Huh, that doesn't sound right to me indeed, > > > one should be able to just send emails to it. > > > > FWIW I had the same experience. Sending emails to this list was > > equivalent to sending them to /dev/null. > > Is the list even working ? The archives are restricted so not visible > if you don't login (why can't they be public ?), and once logging in, > the archives appear to be completely empty. Has archiving been > disabled ? > > > https://lists.fedoraproject.org/archives/list/[email protected]/ > > > As for AWS-LC support in Fedora - I have been waiting for a definitive > > answer on that for over a year now: > > https://bugzilla.redhat.com/show_bug.cgi?id=2350145 > > > > At this point both a definitive "yes" and a definitive "no" would both > > be better than radio silence. > > At what point do we say the process is broken, and we need to change > the guidelines to remove the special gate keeping rule for crypto ? > This feels overdue for a proposal to FESCO to change the guidelines > to something that is workable without such delays.
I am not sure why I did not see stuff on that list, this is probably just a matter of the communication alias/list being broken, so we should fix that, and not immediately assume that Red Hat does not care. And Dan, you know very well we are very responsive when you ask us for anything, so this witch hunt is a bit annoying. > As long as it is not causing regression in existing distro behaviour/ > features for crypto, let crypto best practice problems[1] be addressed > asynchronously after the package is imported. Well it will cause problems the moment our users get very bad cryptography and their data is exposed or their connections are compromised. The reason we want to vet libraries, is for both quality, integration with crypto-policies, integration with the OS certificate store. In the future we'll have thing like UPKI or similar tool to deal with MCTs, CRLs, etc..., and we do not have the bandwidth to go and change dozens of libraries to work well in Fedora. So that's why we "gate-keep", cryptography is black and white, either it works completely or it fails completely ... and we rather have good options, rather than whatever random-joe decided to push through... Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
