From nobody Fri Jan 20 07:51:31 2023
Subject: Re: Can security/ca_root_nss be retired?
From: Michael Gmelin
Date: Fri, 20 Jan 2023 08:51:31 +0100
To: freebsd@oldach.net
Cc: list_freebsd@bluerosetech.com, junchoon@dec.sakura.ne.jp, ports@freebsd.org
In-Reply-To: <202301200644.30K6iwrO092005@nuc.oldach.net>
References: <202301200644.30K6iwrO092005@nuc.oldach.net>
Message-Id: <98D727E4-8E1D-435B-BEB6-22BF45B4D3F8@freebsd.org>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

> On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
>
> Mel Pilgrim wrote on Thu, 19 Jan 2023 14:58:12 +0100 (CET):
>>> On 2023-01-19 4:08, Tomoaki AOKI wrote:
>>> On Thu, 19 Jan 2023 03:13:48 -0800
>>> Mel Pilgrim wrote:
>>>
>>>> Given /usr/share/certs exists for all supported releases, is there any
>>>> reason to keep the ca_root_nss port?
>>>
>>> If everyone in the world uses LATEST main only, yes.
>>> But the assumption is clearly nonsense.
>>>
>>> Basically, commits to main are settled a while before MFC to stable
>>> branches, and MFS to releng branches needs additional settling days.
>>>
>>> If any certs happened to be non-reliable, this delay can cause, at
>>> worst, a catastrophic scenario.
>>>
>>> If updates to certs are always promised to be "MFC after: now" and
>>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
>>>
>>> If not, keeping ca_root_nss port and updated ASAP with upstream should
>>> be mandatory.
>>
>> If ca_root_nss delivered the certs in the same format, sure, but that
>> monolithic file makes installing private CAs a hassle.
>
> Move your Private_Root_CA.pem into ${DISTFILES} and add to /etc/make.conf:
>
> .if ${.CURDIR:M*/security/ca_root_nss}
> EXTRA_DISTFILES+=Private_Root_CA.pem
> post-build:
> 	for f in ${EXTRA_DISTFILES}; do \
> 		${CAT} ${DISTDIR}/"$${f}" >> ${WRKDIR}/ca-root-nss.crt; \
> 	done
> .endif
>
> Definitely however ca_root_nss should go away in favor of the built-in
> cert infrastructure and the ports still referring to this legacy should
> be updated.

Without tooling in base to update certs independently of updating the OS this will be very painful.

Michael
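An added example, not part of this thread: a small Python parser for the monolithic bundle format discussed above. It lists the bundle's certificates by SHA-256 fingerprint of their DER bytes, checks that a private root CA is present after the post-build append, and flags duplicates if that append runs more than once. The PEM blocks are constructed placeholders wrapping arbitrary bytes, not real certificates, and the sample names are assumptions.

```python
import base64
import hashlib
import re

# One PEM certificate block inside a monolithic bundle such as ca-root-nss.crt.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def make_placeholder_cert(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed stand-in for a real
    X.509 DER certificate so the example runs offline."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def split_bundle(text: str):
    """Return (sha256-of-DER, pem_block) for each certificate in file order.
    Duplicates are kept so the caller can detect them."""
    certs = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs.append((hashlib.sha256(der).hexdigest(), m.group(0)))
    return certs


def bundle_contains(bundle: str, ca_pem: str) -> bool:
    """True when every certificate in ca_pem is present in bundle, by fingerprint."""
    have = {fp for fp, _ in split_bundle(bundle)}
    return all(fp in have for fp, _ in split_bundle(ca_pem))


def duplicate_fingerprints(bundle: str):
    """Fingerprints that occur more than once, e.g. after the append step ran twice."""
    seen, dups = set(), set()
    for fp, _ in split_bundle(bundle):
        (dups if fp in seen else seen).add(fp)
    return dups


# Constructed sample data: two upstream roots and one private root CA.
UPSTREAM_BUNDLE = make_placeholder_cert(b"root-1") + make_placeholder_cert(b"root-2")
PRIVATE_ROOT_CA = make_placeholder_cert(b"Private_Root_CA")

if __name__ == "__main__":
    merged = UPSTREAM_BUNDLE + PRIVATE_ROOT_CA  # what the post-build append produces
    print(len(split_bundle(merged)), bundle_contains(merged, PRIVATE_ROOT_CA),
          duplicate_fingerprints(merged + PRIVATE_ROOT_CA))
```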