Date: Thu, 19 Jan 2023 13:58:12 UTC
On 2023-01-19 4:08, Tomoaki AOKI wrote: > On Thu, 19 Jan 2023 03:13:48 -0800 > Mel Pilgrim <firstname.lastname@example.org> wrote: > >> Given /usr/share/certs exists for all supported releases, is there any >> reason to keep the ca_root_nss port? > > If everyone in the world uses LATEST main only, yes. > But the assumption is clearly nonsense. > > Basically, commits to main are settled a while before MFC to stable > branches, and MFS to releng branches needs additional settling days. > > If any certs happened to be non-reliable, this delay can cause, at > worst, catastorphic scenario. > > If updates to certs are always promised to be "MFC after: now" and > committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection. > > If not, keeping ca_root_nss port and updated ASAP with upstream should > be mandatory. If ca_root_nss delivered the certs in the same format, sure, but that monolithic file makes installing private CAs a hassle. I wonder if the script secteam uses to update the trust store in the src tree could be turned into a periodic script that automatically updates the trust store? Side-step the release engineering delay entirely by turning trust store updates into a user task.