Re: Can security/ca_root_nss be retired?

From: Andrea Venturoli <>
Date: Fri, 20 Jan 2023 08:16:11 UTC
On 1/19/23 18:04, Eugene Grosbein wrote:

>> Given /usr/share/certs exists for all supported releases, is there any reason to keep the ca_root_nss port?

Just my 2c...

> Single port may be updates more frequently and easily than base system.

I agree on this, but there's another problem.

Base has single certs in /etc/ssl/certs, where I can add my own private 
CAs' ones.

Port provides a single bundled file in
This (at least in some cases) overrides completely the ones in 
/etc/ssl/certs, so my own private CAs will not work anymore
In the end, I have to delete /usr/local/etc/ssl/cert.pem every time the 
port creates it (and currently I have found no way to prevent it from 
doing this).

So a port would be fine, possibly very appreciated, if it woulnd't 
disrupt base/local.


Then there's www/p5-Mozilla-CA and possibly others...