Re: Can security/ca_root_nss be retired?

From: grarpamp
Date: Fri, 20 Jan 2023 08:33:20 UTC

> /usr/share/certs

Was never necessary.
Should not have been added.

>> trust store
> list of trusted CAs

People are fools if they think they can "trust" any of those.
Including a live cert store in base does little but endorse exposure
of users to such external risks. Users before at least had to read
and actively choose to enable footshooting, now apparently the
teaching is that blindly placing trust upon untrustable external
third parties is the right thing to do. There are lots of MITM-enabling
random adversaries in that "trust" store, and its
issues have been in the news multiple times already.

However users choose to disable and manage their own stores,
some of their models for doing that obviously might include making
use of data elements held within a current port of the upstream stores.
Other users have other projects and apps that need it for other reasons as well.
So retiring ca_root_nss would be anti-helpful for them, and thus
retiring it is definitely not suggested. Nor do other Unixes retire this.