On 2026-06-23 1:57 AM, Alexander Sosedkin wrote:
On Tue, Jun 23, 2026 at 12:46 AM Gordon Messmer <[email protected]> wrote:
I would like to add AWS s2n-tls to Fedora https://github.com/aws/s2n-tls
Would you mind sharing the higher-level motivation for that?
I would like to package aws-kms-pkcs11:
https://copr.fedorainfracloud.org/coprs/gordonmessmer/aws-kms-pkcs11/packages/
This package allows the use of AWS KMS as an HSM, which I am using to
sign code and rpm packages.
Alright, as you've probably already read at
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies,
from the crypto-policies perspective,
we don't want applications/libraries to force any specific algorithms
as such hardcoded decisions go stale and haunt us decades later.
Instead the defaults should follow a configuration file we generate.
Offering a sane allowlisting configuration format is strongly desired,
so that rebases bringing in new algorithms don't become unnecessarily awkward.
I'd be happy to clarify further, but for that I'd need your questions.
I would like to revive a number of AWS libraries in Fedora, including
s2n-tls. The s2n-tls project is considering dropping support for
OpenSSL, and focusing on "aws-lc" which is a fork of BoringSSL.
https://github.com/aws/aws-lc
https://github.com/aws/s2n-tls/issues/5783 (OpenSSL Support Roadmap ticket)
I mentioned to them that in order to package aws-lc in Fedora, it would
need to comply with system crypto policies, as indicated at
https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
While I wait on their reply: If they were interested in supporting
Fedora crypto policies, is there any documentation available that
describes the required compliance? Any test suites that validate it?
Can we point them to the patches that implement system integration for
any other libcrypto that we ship?
Thanks, Alexander
--
_______________________________________________
devel mailing list -- [email protected]