Re: Can security/ca_root_nss be retired?

From: Tomoaki AOKI <>
Date: Thu, 19 Jan 2023 12:08:01 UTC
On Thu, 19 Jan 2023 03:13:48 -0800
Mel Pilgrim <> wrote:

> Given /usr/share/certs exists for all supported releases, is there any 
> reason to keep the ca_root_nss port?

If everyone in the world uses LATEST main only, yes.
But the assumption is clearly nonsense.

Basically, commits to main are settled a while before MFC to stable
branches, and MFS to releng branches needs additional settling days.

If any certs happened to be non-reliable, this delay can cause, at
worst, catastorphic scenario.

If updates to certs are always promised to be "MFC after: now" and
committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.

If not, keeping ca_root_nss port and updated ASAP with upstream should
be mandatory.

Tomoaki AOKI    <>