Re: Can security/ca_root_nss be retired?
- In reply to: deleted: "deleted (X-No-Archive)"
Date: Fri, 20 Jan 2023 07:51:31 UTC
> On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
>
> Mel Pilgrim wrote on Thu, 19 Jan 2023 14:58:12 +0100 (CET):
>>> On 2023-01-19 4:08, Tomoaki AOKI wrote:
>>> On Thu, 19 Jan 2023 03:13:48 -0800
>>> Mel Pilgrim <list_freebsd@bluerosetech.com> wrote:
>>>
>>>> Given /usr/share/certs exists for all supported releases, is there any
>>>> reason to keep the ca_root_nss port?
>>>
>>> If everyone in the world uses LATEST main only, yes.
>>> But the assumption is clearly nonsense.
>>>
>>> Basically, commits to main are settled a while before MFC to stable
>>> branches, and MFS to releng branches needs additional settling days.
>>>
>>> If any certs happened to be non-reliable, this delay can cause, at
>>> worst, catastrophic scenario.
>>>
>>> If updates to certs are always promised to be "MFC after: now" and
>>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
>>>
>>> If not, keeping ca_root_nss port and updated ASAP with upstream should
>>> be mandatory.
>>
>> If ca_root_nss delivered the certs in the same format, sure, but that
>> monolithic file makes installing private CAs a hassle.
>
> Move your Private_Root_CA.pem into ${DISTFILES} and add to /etc/make.conf:
>
> .if ${.CURDIR:M*/security/ca_root_nss}
> EXTRA_DISTFILES+=Private_Root_CA.pem
> post-build:
> 	for f in ${EXTRA_DISTFILES}; do \
> 		${CAT} ${DISTDIR}/"$${f}" >> ${WRKDIR}/ca-root-nss.crt; \
> 	done
> .endif
>
> Definitely however ca_root_nss should go away in favor of the built-in
> cert infrastructure and the ports still referring to this legacy should
> be updated.

Without tooling in base to update certs independently of updating the OS this will be very painful.

Michael
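The make.conf recipe quoted above simply appends a private root CA to the monolithic ca-root-nss.crt; appending blindly means a CA that is already in the bundle, or a rebuild that runs the step twice, ends up duplicated. The following is an added example, not code from this thread or from the FreeBSD ports tree: a stdlib-only Python merger that splits PEM bundles into certificates, fingerprints each one by the SHA-256 of its DER encoding, and appends only those not already present. The PEM bodies below are constructed placeholders rather than real certificates, and the file names `ca-root-nss.crt` and `Private_Root_CA.pem` in the usage block are assumptions.

```python
import base64
import hashlib
import re
import sys
from typing import Dict, List, Tuple

# Matches one PEM certificate block; the body is base64 with arbitrary line wrapping.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_bundle(text: str) -> List[Tuple[str, bytes]]:
    """Return (sha256 hex fingerprint, DER bytes) for every certificate in a PEM bundle."""
    certs = []
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())          # drop line wrapping
        der = base64.b64decode(b64, validate=True)     # reject non-base64 junk
        certs.append((hashlib.sha256(der).hexdigest(), der))
    return certs


def to_pem(der: bytes) -> str:
    """Re-encode DER as a canonical 64-column PEM block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_bundles(base: str, extras: List[str]) -> Tuple[str, int, int]:
    """Append certificates from `extras` to `base`, skipping any already present.

    Presence is decided by the DER fingerprint, so the same CA in a different
    PEM layout (other line width, extra whitespace) is still recognised as a
    duplicate.  Returns (merged_pem, number_added, number_skipped).
    """
    seen: Dict[str, bytes] = {}
    order: List[str] = []
    for fp, der in parse_bundle(base):
        if fp not in seen:                 # also de-duplicates the base bundle itself
            seen[fp] = der
            order.append(fp)
    added = skipped = 0
    for extra in extras:
        for fp, der in parse_bundle(extra):
            if fp in seen:
                skipped += 1
                continue
            seen[fp] = der
            order.append(fp)
            added += 1
    return "".join(to_pem(seen[fp]) for fp in order), added, skipped


# Constructed sample input: the bodies are placeholder bytes, not real DER certificates.
BASE_BUNDLE = to_pem(b"constructed-public-root-A") + to_pem(b"constructed-public-root-B")
PRIVATE_BUNDLE = (
    to_pem(b"constructed-public-root-B")     # already in the base bundle -> skipped
    + to_pem(b"constructed-private-root-C")  # new private CA -> added
)


def demo() -> Tuple[int, int, int]:
    """Merge once, then merge the result again; the second pass must add nothing."""
    merged, added, skipped = merge_bundles(BASE_BUNDLE, [PRIVATE_BUNDLE])
    _, added_again, _ = merge_bundles(merged, [PRIVATE_BUNDLE])
    return len(parse_bundle(merged)), added, added_again


if __name__ == "__main__":
    # Usage with assumed paths: python merge_ca.py ca-root-nss.crt Private_Root_CA.pem > merged.crt
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f:
            base = f.read()
        extras = [open(p).read() for p in sys.argv[2:]]
        merged, added, skipped = merge_bundles(base, extras)
        sys.stdout.write(merged)
        print(f"added {added}, skipped {skipped} duplicate(s)", file=sys.stderr)
    else:
        print("certs in merged bundle, added, added on re-run:", demo())
```

Because the step is idempotent, it can run on every port rebuild or cert update without growing the bundle, which is the property the plain `cat >>` recipe lacks.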