Re: Can security/ca_root_nss be retired?

From: Michael Gmelin
Date: Fri, 20 Jan 2023 17:11:25 UTC

On Fri, 20 Jan 2023 17:54:15 +0100 (CET) (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 17:31:43 +0100 (CET):
> > The CA_BUNDLE knob was enabled on ftp/curl by default for many years
> > and was just recently disabled (in c63a8f65af, just in time for
> > 2023Q1), which caused fall-out, e.g.:
> >
> >  
> That was changed accidentally and is reverted, so the case is
> irrelevant in the light of this discussion.

The disabling of CA_BUNDLE served as an example (hence "e.g., the

My point is that the change should be done in a way that gives users a
chance to avoid breakage/unpleasant surprises.

By the way, I noticed that fetch(1)[0] and fetch(3) man pages should
probably be updated to reflect having CA certs in base (and definitely
stop recommending the installation of ca_root_nss). I'll take care
of that soonish.



Michael Gmelin