On Mon, Jun 29, 2026 at 4:57 AM Gordon Messmer <[email protected]> wrote:
>
> On 2026-06-24 7:42 AM, Alexander Sosedkin wrote:
>
> OK. I think you're saying that the library might not even need to adapt to 
> Fedora's configs, we may just need documentation on their configuration 
> format, and we could use that information to write a configuration file for 
> the library. Is that right?
>
> Exactly. That's how it has been with all the other software,
> with the notable exception of Go,
> that, in its infinite wisdom, didn't offer a configuration file.
>
> I haven't heard back from the s2n-tls developers, but:
>
> https://github.com/aws/aws-lc/blob/main/include/openssl/conf.h#L82-L83
>
> "AWS-LC has no support for loading config files to configure AWS-LC, so the 
> following functions have been deprecated as no-ops." and slightly later, 
> "AWS-LC is defined to have no config file options, thus loading from 
> |filename| always succeeds by doing nothing."
>
> This seems to be a general trend in modern cryptographic software: little or 
> no runtime configuration, fewer and safer ciphers, less discovery and 
> negotiation. And having fiddled with s2n-tls to try to fix its compatibility 
> with newer releases of OpenSSL 3, that makes sense to me 
> (https://github.com/aws/s2n-tls/pull/5866/changes/fe9b37c10268cbeade76bd626ce3272ccf51f049).

That's not a good trend in my book.

> There are a couple of questions that might be worth considering with respect 
> to aws-lc.
>
> For software that can only be configured at build time, is there a 
> configuration that is strict enough that Fedora could ship that, such that it 
> would comply with the system configuration regardless of which configuration 
> was selected (other than "EMPTY")?

I don't have a good answer.
Since we support custom policies, I guess that makes it a "no".

> Could Fedora ship a cryptographic library if its only use within Fedora was 
> specific to the library's own vendor? Specifically, if AWS's libraries and 
> tools drop support for general purpose libraries like OpenSSL in favor of 
> their own secure-by-default "aws-lc" library, does it make more sense for 
> Fedora to refuse to ship any of AWS's integration libraries and tools, or to 
> ship aws-lc and treat it as an integrated part of the protocol between AWS 
> clients and AWS services?

This feels really weird,
but I concede there is at least some sense in such an arrangement,
provided the library's bundled, making its generic interface unusable.

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new