Spec URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys.spec
SRPM URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys-0.26.0-1.fc41.src.rpm
Description: AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team for AWS and their customers. It іs based on code from the Google BoringSSL project and the OpenSSL project.
Fedora Account System Username: decathorpe
Copr build: https://copr.fedorainfracloud.org/coprs/build/8730857 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2350145-rust-aws-lc-sys/fedora-rawhide-x86_64/08730857-rust-aws-lc-sys/fedora-review/review.txt
Found issues:
- No gcc, gcc-c++ or clang found in BuildRequires
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/
Please know that there can be false-positives.
---
This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
Notes:
1. I have not submitted a koji scratch build, though there are test builds in COPR for all architectures: https://copr.fedorainfracloud.org/coprs/decathorpe/aws-lc-rs/monitor/
2. I put up a repo on pagure with spec file, patches, and rust2rpm.toml config file for easier review: https://pagure.io/aws-lc-rs/blob/main/f/rust-aws-lc-sys
3. After looking through the source code, I don't think this package contains anything objectionable (wrt. cryptography that Fedora isn't allowed to ship). This needs a double-check.
4. I don't think un-bundling aws-lc (the C / C++ library) is feasible. aws-lc doesn't provide a stable ABI, and the bindings in aws-lc-sys are tightly coupled to a specific version (the version that is bundled). The -devel subpackage (which contains the source code) has appropriate "Provides: bundled(aws-lc) = 1.46.0".
5. There are some pre-compiled object files included (used only in Windows), but they are stripped in %prep regardless.
6. The patches should be appropriately documented in the spec file, but here's a summary:
   - Patch 0001: Unconditionally regenerate Rust bindings for aws-lc at build time (requires rustfmt).
   - Patch 0002: Set CMake mode for building the bundled aws-lc to RelWithDebInfo unconditionally.
   - Patch 0003: Enable re-generating some generated assembly code from scratch (requires Perl).
   - Patch 0004: Hack to work around a "bug" in the cmake crate which would otherwise cause build failures.
   - Patch 0005: Set CMake minimum_required_version to 3.15 (instead of 3.0) to avoid failures with CMake 4.
7. This has not yet gone through the review wrt/ Crypto Policies: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries
   Note that I'm not sure whether this requirement even applies here (or *can* be applied). In the default configuration, aws-lc-sys provides only APIs that are roughly equivalent to libcrypto from OpenSSL, not those from libssl. As I understand it, that amounts to low-level cryptography primitives, and not protocol implementations like TLS. I'm not sure applying a crypto policy in these low-level APIs would make sense - or would even be possible. To me, it seems like crypto policy enforcement would need to be handled in higher level code, like actual TLS protocol implementations.
   This crate (aws-lc-sys) does provide a feature ("ssl") to optionally also provide symbols equivalent to libssl, however, this feature is unused in the "safe" Rust bindings in aws-lc-rs. So, to be safe, it would even be possible to unconditionally disable this feature in the package.
It seems that if both Go and Perl are not found in the CMake build, it uses the pre-generated sources [1]. I wonder if it can be relaxed to not check the go lang, though I don't see `GENERATE_CODE_ROOT` without a check for PERL_EXECUTABLE, so probably it's fine. Best to rm `generated-src` just in case. [1]: https://github.com/aws/aws-lc/blob/5cdc082bd86ffb4539e53444d7806a128ace77f3/CMakeLists.txt#L169-L171
Good find. It should be fine to drop that logic and the files in /generated-src. At least according to the docs, the golang dependency is only for generating FIPS related sources, and we don't use this here.
Turns out this is not as easy as I thought - not all code for generating those sources is included in published crates, so they can't fully be regenerated from scratch offline. This is a problem: https://docs.fedoraproject.org/en-US/packaging-guidelines/what-can-be-packaged/#pregenerated-code I'm not yet sure which files would all need to be included either in published crates or as extra source files.
It turns out that only *one* .go file is missing from the published crates. Adding that, the packaging now re-generates *all* pre-generated code (both Rust code with bindgen, and aws-lc code with Perl and Go). Updated files are available behind the same URLs, and changes can be reviewed here: https://pagure.io/aws-lc-rs/c/bee3491 Updated builds in COPR: https://copr.fedorainfracloud.org/coprs/decathorpe/aws-lc-rs/monitor/
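
Note 5 and the `generated-src` exchange above come down to one packaging check: nothing pre-built or pre-generated from the crate should reach the build. The sketch below is an added example, not part of the spec file or of this thread; it walks an unpacked source tree and reports compiled artifacts by their header bytes, plus any directory named `generated-src`. The sample tree, its file names and the header heuristics are assumptions of this example, not the crate's real layout.

```python
import os
import tempfile

# Header bytes that identify compiled artifacts regardless of file name.
MAGIC = {
    b"\x7fELF": "ELF object",
    b"!<arch>\n": "ar archive / static library",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"MZ": "PE image",
}
# COFF objects carry no magic string; they open with a 16-bit machine type.
COFF_MACHINES = {0x8664: "x86_64", 0xAA64: "aarch64", 0x014C: "i386"}
BINARY_SUFFIXES = (".o", ".obj", ".a", ".lib", ".so", ".dll", ".dylib")


def classify(path):
    """Return a label if the file looks pre-compiled, else None (heuristic)."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    lower = path.lower()
    if lower.endswith((".o", ".obj")) and len(head) >= 2:
        machine = int.from_bytes(head[:2], "little")
        if machine in COFF_MACHINES:
            return "COFF object (%s)" % COFF_MACHINES[machine]
    if lower.endswith(BINARY_SUFFIXES):
        return "binary suffix, unrecognised header"
    return None


def scan_tree(root, pregenerated_dirs=("generated-src",)):
    """Collect pre-built files and pre-generated directories below root."""
    findings = {"binaries": [], "pregenerated": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name in pregenerated_dirs:
                full = os.path.join(dirpath, name)
                findings["pregenerated"].append(os.path.relpath(full, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            kind = classify(full)
            if kind:
                findings["binaries"].append((os.path.relpath(full, root), kind))
    findings["binaries"].sort()
    findings["pregenerated"].sort()
    return findings


def build_sample_tree(root):
    """Write a small constructed tree; names and contents are made up."""
    files = {
        "src/lib.rs": b"// bindings\n",
        "aws-lc/crypto/example.c": b"int x;\n",
        "aws-lc/generated-src/linux-x86_64/example.S": b".text\n",
        "builds/prebuilt-nasm/example.obj": b"\x64\x86\x02\x00" + b"\x00" * 16,
        "builds/libexample.a": b"!<arch>\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_tree(tmp)
    for rel in report["pregenerated"]:
        print("pre-generated directory:", rel)
    for rel, kind in report["binaries"]:
        print("pre-built file: %s (%s)" % (rel, kind))
```

Run against the tree left behind after %prep, an empty report is the expected result; any hit is something the spec still has to remove or regenerate.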
Additionally to the crypto policies issues, this crate is statically building a copy of the C library, not just providing bindings, this is probably not ok for Fedora policy. It would be better if upstream could give an option to build against one of the crypto team sanctioned crypto libraries, for example using rust-openssl.
> this crate is statically building a copy of the C library, not just providing bindings, this is probably not ok for Fedora policy.
This is definitely not *preferred* from a Packaging Guidelines point of view, but it's not *forbidden*.
> It would be better if upstream could give an option to build against one of the crypto team sanctioned crypto libraries, for example using rust-openssl.
FWIW, I agree. I will elaborate in the post to the crypto-team mailing list that is mandatory for package reviews like this. But TL;DR is that as far as I can tell, this is the least bad option we have for Fedora packaging. (I am working to replace "rust-ring" with "rust-aws-lc-rs" - aligning with the changed defaults in rustls upstream, and moving from a project with arguably spotty maintenance to one backed by Amazon / AWS. If you think this package is bad, don't look at rust-ring. ;))
Spec URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys.spec
SRPM URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys-0.27.1-1.fc42.src.rpm
- Update to latest version (0.27.1) with aws-lc 1.48.5.
- Drop some downstream patches / workarounds that are no longer necessary due to upstream fixes.
- Filed an issue upstream about the missing source file when attempting to re-generate all generated code.
Successful COPR build for all architectures: https://copr.fedorainfracloud.org/coprs/decathorpe/aws-lc-rs/monitor/
Spec URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys.spec
SRPM URL: https://decathorpe.fedorapeople.org/rust-aws-lc-sys-0.28.0-1.fc42.src.rpm
- Update to latest version (0.28.0) with aws-lc 1.49.0.
- Rebased downstream patches.
- Dropped additional source file that is now included in published crates.
Successful COPR build for all architectures: https://copr.fedorainfracloud.org/coprs/decathorpe/aws-lc-rs/build/8865637/
Created attachment 2083634 [details] The .spec file difference from Copr build 8730857 to 8865678
Copr build: https://copr.fedorainfracloud.org/coprs/build/8865678 (succeeded)
Review template: https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2350145-rust-aws-lc-sys/fedora-rawhide-x86_64/08865678-rust-aws-lc-sys/fedora-review/review.txt
Found issues:
- No gcc, gcc-c++ or clang found in BuildRequires
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/
Please know that there can be false-positives.
---
This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service
If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
General comments:
* Spec file was generated with rust2rpm and some manual patches were added
* Some features were removed --> OK
* `bindgen` feature was moved from optional to mandatory --> OK
* Introduced patches force regeneration of assembly code and rust code (through `bindgen`) --> OK
* The `aws-lc` library is being bundled and the required `bundled(..)` requires is present
* A newer version (0.30) is available for the `aws-lc-sys` crate. Do you think you could update to that version if it is not too much work? This is not a blocker though. Keeping the current version and updating after initial import is also fine for me.

Issues:
* See rpmlint errors
* The compiled RPM package has a requires on `bash`. Is that actually the case here or is this a mistake picked up by some automation?
* While looking through the code, I noticed a couple different licenses being mentioned that are not present in the `License` directive. Can you look into this a bit more?
  * Two examples are (maybe there are more):
    * https://github.com/aws/aws-lc-rs/blob/main/aws-lc-sys/LICENSE#L167
    * https://github.com/aws/aws-lc-rs/blob/main/aws-lc-sys/LICENSE#L191
* Missing "proof" of approval from the crypto ML. Although I do trust that you got the approval, I think adding the responses here would make the ticket more complete.

Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed

Issues:
=======
- If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang.
  Note: No gcc, gcc-c++ or clang found in BuildRequires
  See: https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/

===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Header files in -devel subpackage, if present.
[x]: Package does not contain any libtool archives (.la)
[x]: Package contains no static executables.
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture.
     Note: Using prebuilt packages
[x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines.
[!]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses found: "Unknown or generated", "Apache License 2.0", "Apache License 2.0 and/or ISC License and/or OpenSSL License", "Apache License 2.0 and/or ISC License", "Apache License 2.0 and/or OpenSSL License", "ISC License", "SSLeay", "ISC License [generated file]", "OpenSSL License", "Apache License 1.0 and/or OpenSSL License", "SSLeay [generated file]", "MIT License", "BSD 3-Clause License and/or GNU General Public License", "OpenSSL License [generated file]", "Apache License 2.0 [generated file]", "*No copyright* OpenSSL License". 346 files have unknown license. Detailed output of licensecheck in /var/lib/copr-rpmbuild/results/rust-aws-lc-sys/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[!]: If the package is under multiple licenses, the licensing breakdown must be documented in the spec.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: Package contains desktop file if it is a GUI application.
[x]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Package is not known to require an ExcludeArch tag.
[x]: Package complies to the Packaging Guidelines
[x]: Package installs properly.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license.
[x]: The License field must be a valid SPDX expression.
[x]: Package requires other packages for directories it uses.
[x]: Package must own all directories that it creates.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Dist tag is present.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package must not depend on deprecated() packages.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't work.
[x]: Package is named using only allowed ASCII characters.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files.
     Note: Documentation size is 0 bytes in 0 files.
[x]: Packages must not store files under /srv, /opt or /usr/local

Perl:
[x]: Package contains the mandatory BuildRequires and Requires:.

===== SHOULD items =====

Generic:
[x]: Reviewer should test that the package builds in mock.
[x]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[x]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in rust-aws-lc-sys-devel , rust-aws-lc-sys+default-devel , rust-aws-lc-sys+bindgen-devel
[?]: Package functions as described.
[!]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[x]: Patches link to upstream bugs/comments/lists or are otherwise justified.
[-]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
     Note: gpgverify is not used.
[x]: Package should compile and build into binary rpms on all supported architectures.
[x]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed files.
[x]: Buildroot is not present
[x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: Sources can be downloaded from URI in Source: tag
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
     Note: No rpmlint messages.

Rpmlint
-------
Checking: rust-aws-lc-sys-devel-0.28.0-1.fc43.noarch.rpm
          rust-aws-lc-sys+default-devel-0.28.0-1.fc43.noarch.rpm
          rust-aws-lc-sys+bindgen-devel-0.28.0-1.fc43.noarch.rpm
          rust-aws-lc-sys-0.28.0-1.fc43.src.rpm
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.13/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
rpmlintrc: [PosixPath('/tmp/tmp1ryddk4o')]
checks: 32, packages: 4

rust-aws-lc-sys-devel.noarch: E: zero-length /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/x509/x_info.c
rust-aws-lc-sys+bindgen-devel.noarch: E: spelling-error ('іs', '%description -l en_US іs -> s, es, is')
rust-aws-lc-sys+default-devel.noarch: E: spelling-error ('іs', '%description -l en_US іs -> s, es, is')
rust-aws-lc-sys.src: E: spelling-error ('іs', '%description -l en_US іs -> s, es, is')
rust-aws-lc-sys-devel.noarch: E: spelling-error ('іs', '%description -l en_US іs -> s, es, is')
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/cipher_extra/asm/aes128gcmsiv-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/cipher_extra/asm/aesni-sha1-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/cipher_extra/asm/aesni-sha256-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/cipher_extra/asm/chacha20_poly1305_armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/cipher_extra/asm/chacha20_poly1305_x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/aesni-x86.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/aesni-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/aesni-xts-avx512.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/aesp8-ppc.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/aesv8-armx.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/bsaes-armv7.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/vpaes-armv7.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/vpaes-x86.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/aes/asm/vpaes-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/bn/asm/armv4-mont.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/bn/asm/armv8-mont.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/bn/asm/bn-586.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/bn/asm/co-586.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/ec/asm/p256-armv8-asm.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/md5/asm/md5-586.pl 644 /usr/local/bin/perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/md5/asm/md5-armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/md5/asm/md5-x86_64.pl 644 /usr/bin/perl -w
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/aesni-gcm-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/aesv8-gcm-armv8-unroll8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/aesv8-gcm-armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-armv4.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-neon-armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-ssse3-x86.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-ssse3-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-x86.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghash-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghashp8-ppc.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/modes/asm/ghashv8-armx.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/rand/asm/rdrand-x86_64.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha1-586.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv4-large.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha1-armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha256-586.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha256-armv4.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha512-586.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv4.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/sha/asm/sha512-armv8.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/perlasm/ppc-xlate.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/perlasm/x86asm.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/perlasm/x86gas.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/perlasm/x86masm.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: non-executable-script /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/perlasm/x86nasm.pl 644 /usr/bin/env perl
rust-aws-lc-sys-devel.noarch: E: files-duplicated-waste 973782
rust-aws-lc-sys-devel.noarch: W: files-duplicate /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/kyber/pqcrystals_kyber_ref_common/ntt.c /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/ml_kem/ml_kem_ref/ntt.c
rust-aws-lc-sys-devel.noarch: W: files-duplicate /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/kyber/pqcrystals_kyber_ref_common/reduce.c /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/crypto/fipsmodule/ml_kem/ml_kem_ref/reduce.c
rust-aws-lc-sys-devel.noarch: W: files-duplicate /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/include/openssl/boringssl_prefix_symbols_asm.h /usr/share/cargo/registry/aws-lc-sys-0.28.0/aws-lc/include/openssl/boringssl_prefix_symbols.h
rust-aws-lc-sys-devel.noarch: W: files-duplicate /usr/share/cargo/registry/aws-lc-sys-0.28.0/src/x86_64_pc_windows_msvc_crypto.rs /usr/share/cargo/registry/aws-lc-sys-0.28.0/src/aarch64_pc_windows_msvc_crypto.rs
4 packages and 0 specfiles checked; 53 errors, 4 warnings, 27 filtered, 53 badness; has taken 2.5 s

Rpmlint (installed packages)
----------------------------
(none): E: there is no installed rpm "rust-aws-lc-sys-devel".
(none): E: there is no installed rpm "rust-aws-lc-sys+bindgen-devel".
(none): E: there is no installed rpm "rust-aws-lc-sys+default-devel".
There are no files to process nor additional arguments.
Nothing to do, aborting.
============================ rpmlint session starts ============================
rpmlint: 2.7.0
configuration:
    /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 32, packages: 3

0 packages and 0 specfiles checked; 0 errors, 0 warnings, 0 filtered, 0 badness; has taken 0.0 s

Source checksums
----------------
https://crates.io/api/v1/crates/aws-lc-sys/0.28.0/download#/aws-lc-sys-0.28.0.crate :
  CHECKSUM(SHA256) this package     : b9f7720b74ed28ca77f90769a71fd8c637a0137f6fae4ae947e1050229cff57f
  CHECKSUM(SHA256) upstream package : b9f7720b74ed28ca77f90769a71fd8c637a0137f6fae4ae947e1050229cff57f

Requires
--------
rust-aws-lc-sys-devel (rpmlib, GLIBC filtered):
    (crate(bindgen/default) >= 0.69.5 with crate(bindgen/default) < 0.70.0~)
    (crate(cc/default) >= 1.0.100 with crate(cc/default) < 2.0.0~)
    (crate(cc/parallel) >= 1.0.100 with crate(cc/parallel) < 2.0.0~)
    (crate(cmake/default) >= 0.1.48 with crate(cmake/default) < 0.2.0~)
    (crate(dunce/default) >= 1.0.0 with crate(dunce/default) < 2.0.0~)
    (crate(fs_extra/default) >= 1.3.0 with crate(fs_extra/default) < 2.0.0~)
    /usr/bin/bash
    /usr/bin/perl
    cargo
    golang
    perl
    rust
rust-aws-lc-sys+default-devel (rpmlib, GLIBC filtered):
    cargo
    crate(aws-lc-sys)
rust-aws-lc-sys+bindgen-devel (rpmlib, GLIBC filtered):
    cargo
    crate(aws-lc-sys)

Provides
--------
rust-aws-lc-sys-devel:
    bundled(aws-lc)
    crate(aws-lc-sys)
    rust-aws-lc-sys-devel
rust-aws-lc-sys+default-devel:
    crate(aws-lc-sys/default)
    rust-aws-lc-sys+default-devel
rust-aws-lc-sys+bindgen-devel:
    crate(aws-lc-sys/bindgen)
    rust-aws-lc-sys+bindgen-devel

Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24
Command line :/bin/fedora-review --no-colors --prebuilt --rpm-spec --name rust-aws-lc-sys --mock-config /var/lib/copr-rpmbuild/results/configs/child.cfg
Buildroot used: fedora-rawhide-x86_64
Active plugins: C/C++, Shell-api, Perl, Generic
Disabled plugins: Java, Haskell, Python, fonts, PHP, Ocaml, SugarActivity, R
Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH
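
The `spelling-error` entries in the rpmlint output above are raised for the word 'іs' in %description, which contains a non-ASCII letter that renders like a Latin 'i'. As an added example (not part of the review, the spec file or rpmlint), this check reports words in a spec file that mix Latin letters with letters from another script; the sample spec text is constructed from the description quoted in this ticket.

```python
import re
import unicodedata

# Runs of letters only (no digits, no underscore), in any script.
LETTER_RUN = re.compile(r"[^\W\d_]+")


def script_of(ch):
    """Coarse script label: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scan_spec(text):
    """Return one finding per word whose letters come from more than one script."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in LETTER_RUN.finditer(line):
            word = match.group(0)
            if len({script_of(ch) for ch in word}) < 2:
                continue
            suspects = [
                "U+%04X %s" % (ord(ch), unicodedata.name(ch, "UNKNOWN"))
                for ch in word
                if script_of(ch) != "LATIN"
            ]
            findings.append({
                "line": line_no,
                "column": match.start() + 1,
                "word": word,
                "suspects": suspects,
            })
    return findings


# Constructed sample: a minimal spec fragment with the lookalike letter written
# as an explicit escape so it is visible in the source.
SAMPLE_SPEC = (
    "Name:           rust-aws-lc-sys\n"
    "\n"
    "%description\n"
    "AWS-LC is a general-purpose cryptographic library maintained by the AWS\n"
    "Cryptography team for AWS and their customers. It \u0456s based on code from\n"
    "the Google BoringSSL project and the OpenSSL project.\n"
)

if __name__ == "__main__":
    for item in scan_spec(SAMPLE_SPEC):
        print("line %d, column %d: %r contains %s" % (
            item["line"], item["column"], item["word"], ", ".join(item["suspects"])))
```

A word written wholly in another script passes this check; it only catches mixing inside a single word.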
Thanks for the preliminary preview - the rpmlint warnings are interesting, maybe I can do something about some of them.
===
As for the responses from the crypto-team mailing list: The list is either broken and / or not public and / or my messages are still held in the moderation queue, so I can't post links to them - but these are the relevant responses I got from Simo Sorce:
On March 27, 12:43 AM CET:
> However for now aws-lc seem strictly better than ring.
> As for crypto-policies, that is something we would have to build in
> rusttls not aws-lc ...
On March 27, 12:42 PM CET:
> Anyway considering the situation I am inclined to say that all you
> really need to do here is open a ticket in rusttls asking for config
> file configurable options that we can tweak via crypto policies.
> It would be nice if they'd coordinate with our crypto-policies
> maintainer so we get something usable, as we saw already wolfssl tried
> to do something and came up with a quite inadequate "checklist" option.
In response to which I filed this ticket: https://github.com/rustls/rustls/issues/2402
Sorry for the long time without a response on this ticket. It appears that rustls is moving towards making *all* providers external (i.e. drop the internal "ring" and "aws-lc" crypto providers): https://github.com/rustls/rustls/issues/2395#issuecomment-3515920685 This should eventually make it a lot easier for us to patch rustls and packages that depend on it to use our preferred crypto backend - which might be able to use an OpenSSL based backend (https://github.com/tofay/rustls-openssl) instead of statically linking ever more BoringSSL forks? Who knows. That said, I don't really have the time to continue with the package review request. It would require updating the spec file and rebasing the downstream patches for the latest version, which I currently have no capacity for. If somebody is still interested in making aws-lc and its rustls backend available in Fedora, feel free to take over from this ticket. The "bureaucracy" side of things should be taken care of, at least. :)