Re: Can security/ca_root_nss be retired?

From: Michael Gmelin <>
Date: Fri, 20 Jan 2023 16:31:43 UTC

On Fri, 20 Jan 2023 17:15:07 +0100 (CET) (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 17:07:41 +0100 (CET):
> > Well, whatever is done, such a change needs to be managed properly,
> > which includes adding an entry to UPDATING in ports (e.g., the
> > removal of ca_root_nss from curl broke tools that relied on having
> > certificates in /etc/ssl/certs.pem).
> ca_root_nss is not removed from ftp/curl. The CA_BUNDLE knob takes
> care of this, and it's actually default. Selecting inappropriate
> options may bite of course.

Consumers of binary packages don't change default knobs and don't
"select inappropriate options". They get what they get and rely on
UPDATING (and/or pkg-message) to get informed when defaults change and
potentially breaking changes happen.

The CA_BUNDLE knob was enabled on ftp/curl by default for many years
and was just recently disabled (in c63a8f65af, just in time for
2023Q1), which caused fall-out, e.g.:


Michael Gmelin
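Added example, not part of the thread and not code from ftp/curl or ca_root_nss: a small POSIX sh check for whether a host actually has a usable CA bundle where tools expect one, which is the kind of thing to run before and after a package upgrade that may change the CA_BUNDLE default. Only /etc/ssl/certs.pem is named in the message above; the other candidate paths and the use of curl-config --ca are assumptions about a FreeBSD host and may not match every installation.

```shell
#!/bin/sh
# Added example (not from the thread): locate a usable CA bundle and count
# the certificates in it, so "tools relying on /etc/ssl/certs.pem" can be
# checked rather than assumed.
#
# Candidate paths other than /etc/ssl/certs.pem are assumptions:
#   /etc/ssl/cert.pem                        base system trust store
#   /usr/local/share/certs/ca-root-nss.crt   installed by security/ca_root_nss
DEFAULT_CANDIDATES="/etc/ssl/certs.pem /etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt"

# count_certs FILE : print the number of PEM certificates in FILE (0 if
# FILE is missing, unreadable or contains none).
count_certs() {
    if [ -r "$1" ]; then
        # grep -c prints 0 and exits 1 when there are no matches; that is
        # still a valid answer here, so do not treat it as an error.
        grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true
    else
        echo 0
    fi
}

# find_ca_bundle PATH... : print the first candidate that is readable and
# contains at least one PEM certificate; exit 1 if none qualifies.
find_ca_bundle() {
    for p in "$@"; do
        if [ "$(count_certs "$p")" -gt 0 ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# check_system : report the bundle curl was built to use (if curl-config is
# available; assumption: curl-config --ca prints that path) and whether any
# of the candidate bundles is usable. Exit status 1 means no usable bundle.
check_system() {
    if command -v curl-config >/dev/null 2>&1; then
        printf 'curl built-in CA bundle: %s\n' "$(curl-config --ca)"
    fi
    if bundle=$(find_ca_bundle $DEFAULT_CANDIDATES); then
        printf 'usable CA bundle: %s (%s certificates)\n' \
            "$bundle" "$(count_certs "$bundle")"
        return 0
    fi
    echo 'no usable CA bundle found among:' "$DEFAULT_CANDIDATES" >&2
    return 1
}

# Run the host check only when invoked with --check, so the functions can
# also be sourced and used on constructed input.
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```

Run `sh ca-bundle-check.sh --check` (file name is arbitrary) before and after a pkg upgrade; an exit status of 1 means every tool that opens /etc/ssl/certs.pem directly, rather than asking libcurl, is going to fail TLS verification on that host.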