Re: Can security/ca_root_nss be retired?

From: Andrea Venturoli <>
Date: Fri, 20 Jan 2023 16:32:11 UTC
On 1/20/23 17:19, Helge Oldach wrote:
> Andrea Venturoli wrote on Fri, 20 Jan 2023 15:40:45 +0100 (CET):
>> I mean ports-mgmt/pkg, security/pulledpork, www/p5-libwww, to name a few.
>> Each one of these uses different methods (so different certificate stores).
>> *If* the policy is that certificates are hashed in /etc/ssl/certs, they
>> probably should be fixed.
> I daresay either of these runs fine against the hashed cert store from
> base (OpenSSL takes care).

pkg will, but not by default, only if I remove /usr/local/etc/ssl/cert.pem.

> The other perl related oddity is www/p5-Mozilla-CA which installs
> another flat file bundle in another different location.

And it's not used by all PERL software (see security/pulledpork, which 
uses /usr/local/share/certs/ca-root-nss.crt instead).

Both the above mentioned files come with ca_root_nss.