On Mon, Jun 29, 2026 at 6:17 AM Alexander Sosedkin <[email protected]> wrote:
>
> On Mon, Jun 29, 2026 at 4:57 AM Gordon Messmer <[email protected]> wrote:
> >
> > On 2026-06-24 7:42 AM, Alexander Sosedkin wrote:
> >
> > > > OK. I think you're saying that the library might not even need to adapt to
> > > > Fedora's configs, we may just need documentation on their configuration
> > > > format, and we could use that information to write a configuration file for
> > > > the library. Is that right?
> >
> > > Exactly. That's how it has been with all the other software,
> > > with the notable exception of Go,
> > > that, in its infinite wisdom, didn't offer a configuration file.
> >
> >
> > I haven't heard back from the s2n-tls developers, but:
> >
> > https://github.com/aws/aws-lc/blob/main/include/openssl/conf.h#L82-L83
> >
> > "AWS-LC has no support for loading config files to configure AWS-LC, so the 
> > following functions have been deprecated as no-ops." and slightly later, 
> > "AWS-LC is defined to have no config file options, thus loading from 
> > |filename| always succeeds by doing nothing."
> >
> > This seems to be a general trend in modern cryptographic software: little 
> > or no runtime configuration, fewer and safer ciphers, less discovery and 
> > negotiation. And having fiddled with s2n-tls to try to fix its 
> > compatibility with newer releases of OpenSSL 3, that makes sense to me 
> > (https://github.com/aws/s2n-tls/pull/5866/changes/fe9b37c10268cbeade76bd626ce3272ccf51f049).
>
> That's not a good trend in my book.
>
> > There are a couple of questions that might be worth considering with 
> > respect to aws-lc.
> >
> > For software that can only be configured at build time, is there a 
> > configuration that is strict enough that Fedora could ship that, such that 
> > it would comply with the system configuration regardless of which 
> > configuration was selected (other than "EMPTY")?
>
> I don't have a good answer.
> Since we support custom policies, I guess that makes it a "no".
>
> > Could Fedora ship a cryptographic library if its only use within Fedora was 
> > specific to the library's own vendor? Specifically, if AWS's libraries and 
> > tools drop support for general purpose libraries like OpenSSL in favor of 
> > their own secure-by-default "aws-lc" library, does it make more sense for 
> > Fedora to refuse to ship any of AWS's integration libraries and tools, or 
> > to ship aws-lc and treat it as an integrated part of the protocol between 
> > AWS clients and AWS services?
>
> This feels really weird,
> but I concede there is at least some sense in such an arrangement,
> provided the library's bundled, making its generic interface unusable.
>

This would not qualify, though. AWS' crypto libraries are increasingly
relied on by third parties. Of particular note, rustls uses it now.

The generic interface *must* be usable.



-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new