Re: Can security/ca_root_nss be retired?

From: Mel Pilgrim <>
Date: Thu, 19 Jan 2023 13:58:12 UTC
On 2023-01-19 4:08, Tomoaki AOKI wrote:
> On Thu, 19 Jan 2023 03:13:48 -0800
> Mel Pilgrim <> wrote:
>> Given /usr/share/certs exists for all supported releases, is there any
>> reason to keep the ca_root_nss port?
> If everyone in the world uses LATEST main only, yes.
> But the assumption is clearly nonsense.
> Basically, commits to main are settled a while before MFC to stable
> branches, and MFS to releng branches needs additional settling days.
> If any certs happened to be non-reliable, this delay can cause, at
> worst, catastorphic scenario.
> If updates to certs are always promised to be "MFC after: now" and
> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
> If not, keeping ca_root_nss port and updated ASAP with upstream should
> be mandatory.

If ca_root_nss delivered the certs in the same format, sure, but that 
monolithic file makes installing private CAs a hassle.

I wonder if the script secteam uses to update the trust store in the src 
tree could be turned into a periodic script that automatically updates 
the trust store?  Side-step the release engineering delay entirely by 
turning trust store updates into a user task.