FreeBSD Port: security/ca_root_nss

[Eirik Øverby]

Hi,

we just had our package distribution severely broken by the recent change in ca_root_nss that installs a cert.pem symlink in /usr/local/etc/ssl by default, with no option to disable during build time. Since system fetch (and other tools) defaults to reading the file from /usr/local/etc/ssl before /etc/ssl, this effectively got all our systems stranded, unable to install/update packages.

I see this was discussed on the freebsd-security list, but unfortunately I did not have time to follow the full discussion (trusting the conclusion would be, like before, to allow the sysadmin to decide whom to trust), and therefore did not realise this would be the outcome.

I'm sure I'm bikeshedding now, but to me this seems like something that _should_ have been a build-time option, that _should_ have defaulted to disabled, and that _really_should_ have been mentioned in UPDATING as it breaks all kinds of stuff - either by things suddenly not working, or by introducing security problems (I really REALLY do not want to trust any 3rd party when it comes to where I fetch my built packages from, for instance).

Apologies if this email seems a bit edgy - it would be because I've just spent quite a few hours trying to figure out what on earth just happened... ;-)

Wbr
Eirik Øverby