[Bug 265250] ports-mgmt/portmaster -F does not suppress build of depends (for sysutils/restic, for one)

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 17 Jul 2022 07:05:21 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265250

--- Comment #9 from Stefan Eßer <se@FreeBSD.org> ---
(In reply to Tatsuki Makino from comment #8)

> These days, it seems that several root certificates are installed in the base just like any other OS.
> They are located in /usr/share/certs.
> But I don't know if they are used when fetching distfile.

Yes, and I had missed the fact that you specifically mentioned fetching
distfiles from https URLs.

The root certificates in the base system are used by "fetch" (it uses the
default OpenSSL certificate path, unless a different path is requested by means
of the --ca-path option or the SSL_CA_CERT_PATH environment variable).

I'd be surprised if ca_root_nss was required to fetch any distfile, today.

The ca_root_nss port is required to provide Firefox and Thunderbird with the
set of root certificates selected by these projects, but should not be depended
on for fetching distfiles, IMHO.

There is a risk of the root certificates in the base system becoming stale on
systems that are not updated for a long time, though.

I have not checked whether the root certificates in base of the currently
maintained FreeBSD releases always cover the time until the expected EOL date
of the respective FreeBSD release - this might be a useful step in the release
process, and a warning should be issued if such root certificates become
invalid during the lifetime of a release.

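The check suggested in the comment above (do the root certificates in base stay valid until a release's expected EOL date?) could look like the following. This is an added example, not part of the original message and not FreeBSD release tooling. It assumes one PEM certificate per `*.pem` file in the directory passed in (for instance `/usr/share/certs/trusted`), that `openssl` is on the PATH, and that the EOL date is supplied as epoch seconds; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: list CA certificates that expire before a release's EOL date.
# Usage: script CERT_DIR EOL_EPOCH_SECONDS

# certs_expiring_before DIR EOL_EPOCH   (hypothetical helper name)
# Prints "path<TAB>notAfter=..." for every *.pem file in DIR whose certificate
# expires before EOL_EPOCH. Files openssl cannot parse are reported as well,
# since they cannot be shown to be valid. Returns 1 if anything was reported.
certs_expiring_before() {
    dir=$1
    eol_epoch=$2
    now=$(date +%s)
    # openssl's -checkend takes a number of seconds counted from now.
    secs=$((eol_epoch - now))
    [ "$secs" -gt 0 ] || secs=0   # EOL already passed: only flag expired certs
    rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue   # glob matched nothing
        if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            enddate=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) \
                || enddate="unparseable"
            printf '%s\t%s\n' "$pem" "$enddate"
            rc=1
        fi
    done
    return "$rc"
}

# Run the check only when both arguments are given on the command line.
if [ "$#" -ge 2 ]; then
    certs_expiring_before "$1" "$2"
fi
```

A non-zero exit status means at least one certificate would become invalid before the given date, which is the condition the comment suggests warning about.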