Re: Can security/ca_root_nss be retired?

From: Michael Gmelin <grembo_at_freebsd.org>
Date: Fri, 20 Jan 2023 07:51:31 UTC

> On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
> 
> Mel Pilgrim wrote on Thu, 19 Jan 2023 14:58:12 +0100 (CET):
>> On 2023-01-19 4:08, Tomoaki AOKI wrote:
>>> On Thu, 19 Jan 2023 03:13:48 -0800
>>> Mel Pilgrim <list_freebsd@bluerosetech.com> wrote:
>>> 
>>>> Given /usr/share/certs exists for all supported releases, is there any
>>>> reason to keep the ca_root_nss port?
>>> 
>>> If everyone in the world uses LATEST main only, yes.
>>> But the assumption is clearly nonsense.
>>> 
>>> Basically, commits to main are settled a while before MFC to stable
>>> branches, and MFS to releng branches needs additional settling days.
>>> 
>>> If any certs happened to be non-reliable, this delay can cause, at
>>> worst, a catastrophic scenario.
>>> 
>>> If updates to certs are always promised to be "MFC after: now" and
>>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
>>> 
>>> If not, keeping ca_root_nss port and updated ASAP with upstream should
>>> be mandatory.
>> 
>> If ca_root_nss delivered the certs in the same format, sure, but that 
>> monolithic file makes installing private CAs a hassle.
> 
> Move your Private_Root_CA.pem into ${DISTFILES} and add to /etc/make.conf:
> 
> .if ${.CURDIR:M*/security/ca_root_nss}
> EXTRA_DISTFILES+=Private_Root_CA.pem
> post-build:
>    for f in ${EXTRA_DISTFILES}; do \
>        ${CAT} ${DISTDIR}/"$${f}" >> ${WRKDIR}/ca-root-nss.crt; \
>    done
> .endif
> 
> Definitely however ca_root_nss should go away in favor of the built-in
> cert infrastructure and the ports still referring to this legacy should
> be updated.

Without tooling in base to update certs independently of updating the OS this will be very painful.

Michael