Re: Can security/ca_root_nss be retired?

From: Andrea Venturoli <>
Date: Fri, 20 Jan 2023 14:40:45 UTC
On 1/20/23 13:01, Hajimu UMEMOTO wrote:

Briefly... (but I can elaborate if someone is interested)...

> If you mean curl, built without CA_BUNDLE should take care of it.

No, I don't mean curl (which I build without CA_BUNDLE).

I mean ports-mgmt/pkg, security/pulledpork, www/p5-libwww, to name a few.
Each one of these uses different methods (so different certificate stores).
*If* the policy is that certificates are hashed in /etc/ssl/certs, they 
probably should be fixed.

I'm not even citing OpenJDK or FireFox, which do this by desing and 
probably should be left as they are.