Re: Can security/ca_root_nss be retired?

From: Michael Gmelin <grembo_at_freebsd.org>
Date: Fri, 20 Jan 2023 08:45:20 UTC

> On 20. Jan 2023, at 09:15, freebsd@oldach.net wrote:
> 
> ´╗┐Michael Gmelin wrote on Fri, 20 Jan 2023 08:51:31 +0100 (CET):
>>>> On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
>>> Definitely however ca_root_nss should go away in favor of the built-in
>>> cert infrastructure and the ports still referring to this legacy should
>>> be updated.
>> 
>> Without tooling in base to update certs independently of updating the OS this will be very painful.
> 
> Cert updates are rare so my feeling is that separate tooling for this
> kind of leans into overkill.
> 
> The other OS with the colorful tiles will update certs through an OS
> update (and reboot usually). Along the same paradigm, freebsd-update
> would do the job.
> 
> One could as well track source and just install from
> ${SRC_BASE}/secure/caroot followed by certctl rehash.

On a single system that works just fine, but when you have many servers, vms, containers/jails (including automatic ones in CI, e.g., GitHub actions) this gets tedious. In our local cluster I would probably end up creating a private package based on what is in current (think security/freebsd-caroot).