On 2026-06-24 7:42 AM, Alexander Sosedkin wrote:
>> OK. I think you're saying that the library might not even need to adapt to 
>> Fedora's configs, we may just need documentation on their configuration format, 
>> and we could use that information to write a configuration file for the 
>> library. Is that right?
>
> Exactly. That's how it has been with all the other software,
> with the notable exception of Go,
> that, in its infinite wisdom, didn't offer a configuration file


I haven't heard back from the s2n-tls developers, but:

https://github.com/aws/aws-lc/blob/main/include/openssl/conf.h#L82-L83

"AWS-LC has no support for loading config files to configure AWS-LC, so the following functions have been deprecated as no-ops." and slightly later, "AWS-LC is defined to have no config file options, thus loading from |filename| always succeeds by doing nothing."

This seems to be a general trend in modern cryptographic software: little or no runtime configuration, fewer and safer ciphers, less discovery and negotiation. And having fiddled with s2n-tls to try to fix its compatibility with newer releases of OpenSSL 3, that makes sense to me (https://github.com/aws/s2n-tls/pull/5866/changes/fe9b37c10268cbeade76bd626ce3272ccf51f049).

There are a couple of questions that might be worth considering with respect to aws-lc.

For software that can only be configured at build time, is there a configuration that is strict enough that Fedora could ship that, such that it would comply with the system configuration regardless of which configuration was selected (other than "EMPTY")?

Could Fedora ship a cryptographic library if its only use within Fedora was specific to the library's own vendor? Specifically, if AWS's libraries and tools drop support for general purpose libraries like OpenSSL in favor of their own secure-by-default "aws-lc" library, does it make more sense for Fedora to refuse to ship any of AWS's integration libraries and tools, or to ship aws-lc and treat it as an integrated part of the protocol between AWS clients and AWS services?
