Re: Can security/ca_root_nss be retired?

From: Michael Gmelin <>
Date: Thu, 19 Jan 2023 22:16:46 UTC

> On 19. Jan 2023, at 23:09, Tomoaki AOKI <> wrote:
> On Thu, 19 Jan 2023 05:58:12 -0800
> Mel Pilgrim <> wrote:
>>> On 2023-01-19 4:08, Tomoaki AOKI wrote:
>>> On Thu, 19 Jan 2023 03:13:48 -0800
>>> Mel Pilgrim <> wrote:
>>>> Given /usr/share/certs exists for all supported releases, is there any
>>>> reason to keep the ca_root_nss port?
>>> If everyone in the world uses LATEST main only, yes.
>>> But the assumption is clearly nonsense.
>>> Basically, commits to main are settled a while before MFC to stable
>>> branches, and MFS to releng branches needs additional settling days.
>>> If any certs happened to be non-reliable, this delay can cause, at
>>> worst, catastorphic scenario.
>>> If updates to certs are always promised to be "MFC after: now" and
>>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
>>> If not, keeping ca_root_nss port and updated ASAP with upstream should
>>> be mandatory.
>> If ca_root_nss delivered the certs in the same format, sure, but that 
>> monolithic file makes installing private CAs a hassle.
>> I wonder if the script secteam uses to update the trust store in the src 
>> tree could be turned into a periodic script that automatically updates 
>> the trust store?  Side-step the release engineering delay entirely by 
>> turning trust store updates into a user task.
> With the approach, how can we avoid man-in-the-middle attack or
> something?
> Ports framework has checksum to avoid it, unless local admins
> intentionally disable it.
> Maybe adding a script to
> *Check if /usr/local/share/certs/ca-root-nss.crt is updated or not.
> *Extract individual certs from ca-root-nss.crt and update trust store.
> *Record current timestamp and hash of ca-root-nss.crt for next run.
> into ca-root-nss port, which can be run from cron or by hand, is needed?

Whatever we do, let’s make sure we don’t break existing setups - this needs to be well coordinated. Personally, I don’t want to update (and reboot) the OS in order to get a current list of trusted CAs (at least as long as pkgbase isn’t mainstream this is an issue).