Re: Can security/ca_root_nss be retired?

From: Michael Gmelin <grembo_at_freebsd.org>
Date: Fri, 20 Jan 2023 16:07:41 UTC

On Fri, 20 Jan 2023 09:15:32 +0100 (CET)
freebsd@oldach.net (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 08:51:31 +0100 (CET):
> > > On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
> > > Definitely however ca_root_nss should go away in favor of the
> > > built-in cert infrastructure and the ports still referring to
> > > this legacy should be updated.  
> > 
> > Without tooling in base to update certs independently of updating
> > the OS this will be very painful.  
> 
> Cert updates are rare so my feeling is that separate tooling for this
> kind of leans into overkill.
> 
> The other OS with the colorful tiles will update certs through an OS
> update (and reboot usually). Along the same paradigm, freebsd-update
> would do the job.
> 
> One could as well track source and just install from
> ${SRC_BASE}/secure/caroot followed by certctl rehash.
> 

Well, whatever is done, such a change needs to be managed properly,
which includes adding an entry to UPDATING in ports (e.g., the removal
of ca_root_nss from curl broke tools that relied on having certificates
in /etc/ssl/certs.pem).

-m

-- 
Michael Gmelin
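The breakage Michael mentions (tools that hardcode one bundle path and stop working when the port that supplied it is deinstalled) is easy to reproduce on a scratch tree. The script below is an added example, not code from this thread, from the ca_root_nss port or from FreeBSD's certctl. It audits a root directory for two trust-store layouts, a single PEM bundle at etc/ssl/cert.pem and certctl-style hashed files in etc/ssl/certs, and reports which one a client would find. The paths, the placeholder PEM blocks and the helper names (pem_cert_count, hashed_cert_count, trust_store_status, make_demo_root, remove_port_bundle) are assumptions made for the demo.

```shell
# Added example: audit which trust-store layout a client would find under a
# root directory. Layout paths are assumptions for the demo; the "certificates"
# are constructed placeholder PEM blocks, not real CA certificates.

pem_cert_count() {
    # Count PEM certificate blocks in bundle "$1"; print 0 if it is missing.
    # grep -c exits 1 when the count is 0, which must not abort a set -e shell.
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

hashed_cert_count() {
    # Count entries in directory "$1" named <8 hex digits>.<n>, the OpenSSL
    # subject-hash naming that certctl rehash produces for CApath lookups.
    n=0
    [ -d "$1" ] || { echo 0; return 0; }
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

trust_store_status() {
    # Print one word describing what a client finds under root "$1":
    # bundle+hashed, bundle-only, hashed-only or none.
    bundle=$(pem_cert_count "$1/etc/ssl/cert.pem")
    hashed=$(hashed_cert_count "$1/etc/ssl/certs")
    if [ "$bundle" -gt 0 ] && [ "$hashed" -gt 0 ]; then echo bundle+hashed
    elif [ "$bundle" -gt 0 ]; then echo bundle-only
    elif [ "$hashed" -gt 0 ]; then echo hashed-only
    else echo none
    fi
}

fake_cert() {
    # Constructed placeholder PEM block, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "MIIB$1" '-----END CERTIFICATE-----'
}

make_demo_root() {
    # Build a demo tree under "$1" in layout "$2": port, base or both.
    # port: a bundle file where the ca_root_nss port put it, symlinked into etc/ssl
    # base: hashed files as certctl rehash lays them out, with no bundle
    mkdir -p "$1/etc/ssl/certs" "$1/usr/local/share/certs"
    case "$2" in
        port|both)
            { fake_cert aaaa; fake_cert bbbb; } > "$1/usr/local/share/certs/ca-root-nss.crt"
            ln -sf "$1/usr/local/share/certs/ca-root-nss.crt" "$1/etc/ssl/cert.pem" ;;
    esac
    case "$2" in
        base|both)
            fake_cert cccc > "$1/etc/ssl/certs/0123abcd.0"
            fake_cert dddd > "$1/etc/ssl/certs/89abcdef.0" ;;
    esac
}

remove_port_bundle() {
    # Model deinstalling the port: its bundle and the symlink to it go away,
    # while anything certctl manages under etc/ssl/certs stays.
    rm -f "$1/usr/local/share/certs/ca-root-nss.crt" "$1/etc/ssl/cert.pem"
}

# Walk through the transition a bundle-only tool would experience.
demo_root=$(mktemp -d)
make_demo_root "$demo_root" port
echo "with ca_root_nss:     $(trust_store_status "$demo_root")"   # bundle-only
remove_port_bundle "$demo_root"
echo "after deinstall:      $(trust_store_status "$demo_root")"   # none
make_demo_root "$demo_root" base
echo "after certctl rehash: $(trust_store_status "$demo_root")"   # hashed-only
rm -rf "$demo_root"
```

The middle state is the one an UPDATING entry has to warn about: once the port's bundle is gone, a tool that only opens a bundle path sees no trust anchors at all, even though a CApath-aware client would be perfectly happy with the hashed directory certctl maintains.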