On 2026-06-23 10:20 AM, Alexander Sosedkin wrote:
Okay. Sorry for being ceaselessly curious, but poking around copr webui didn't lead me to matching specfiles quickly enough, so... how is it related to s2n-tls? I'm not sure I understand how a pkcs11 module ended up pulling in an entire TLS implementation =)
This pkcs11 module interfaces with a backend service (AWS KMS) that is available over HTTPS, I think.
In any case, s2n-tls is a dependency of aws-c-io, which is a dependency of a bunch of aws libraries including aws-sdk-cpp, which is a dependency of aws-kms-pkcs11.
While I wait on their reply: If they were interested in supporting Fedora crypto policies, is there any documentation available that describes the required compliance?

Oh. Sorry for the confusion. I don't even know what to say here, as there's so little to say. All crypto-policies does is generate configuration files (or fragments of one) for multiple libraries/apps from a single system configuration file. So "supporting crypto-policies" is usually transparent to the upstream library/app, and boils down to:

1. upstream: a library/application has a config file that defines what algorithms are enabled by default, which most of them just... naturally already do by a certain maturity stage?
2. packaging: it will then, in Fedora, have to be compiled to read this config from /etc/crypto-policies/back-ends/$name.config, get patched if the upstream isn't receptive to making it a compile-time option, or even just ship a symlink that points there from the default location, why not.
3. within crypto-policies: I should then implement a generator for said configuration file, that, given a sane config format, mostly just maps the crypto-policies algorithm names to the library/application ones.

... and that's kinda it?
OK. I think you're saying that the library might not even need to adapt to Fedora's configs, we may just need documentation on their configuration format, and we could use that information to write a configuration file for the library. Is that right?
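
The three steps discussed in this thread, sketched as an added example that is not part of the original messages and is not crypto-policies' own generator code. The back-end name `examplelib`, its `key = a:b` config syntax and its algorithm identifiers are hypothetical; the sample policy is constructed.

```python
# Added illustration: the back-end "examplelib", its config syntax and its
# algorithm identifiers are hypothetical; the policy is a constructed sample.
from pathlib import Path

# Constructed sample of a system-wide policy, ordered by preference.
SAMPLE_POLICY = {
    "protocol": ["TLS1.3", "TLS1.2"],
    "cipher": ["AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM", "CAMELLIA-256-GCM"],
    "group": ["X25519", "SECP256R1"],
}

# Hypothetical mapping from policy names to the library's own identifiers.
EXAMPLELIB_NAMES = {
    "protocol": {"TLS1.3": "tls13", "TLS1.2": "tls12", "TLS1.1": "tls11"},
    "cipher": {"AES-256-GCM": "aes256-gcm", "AES-128-GCM": "aes128-gcm",
               "CHACHA20-POLY1305": "chacha20-poly1305", "AES-128-CBC": "aes128-cbc"},
    "group": {"X25519": "x25519", "SECP256R1": "p256", "SECP384R1": "p384"},
}


def generate_config(policy, names=EXAMPLELIB_NAMES):
    """Render a back-end config containing only what the policy enables."""
    lines = []
    for section, mapping in names.items():
        # Keep the policy's order; skip algorithms the library has no name for.
        enabled = [mapping[a] for a in policy.get(section, []) if a in mapping]
        if not enabled:
            # Fail closed: an empty list must not fall back to library defaults.
            raise ValueError(f"policy enables no usable {section} for this back-end")
        lines.append(f"{section} = {':'.join(enabled)}")
    return "\n".join(lines) + "\n"


def write_backend(policy, name, root="/etc/crypto-policies/back-ends"):
    """Write the generated file where the packaged library is built to read it."""
    path = Path(root) / f"{name}.config"
    path.write_text(generate_config(policy))
    return path


if __name__ == "__main__":
    print(generate_config(SAMPLE_POLICY), end="")
```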
