Re: Can security/ca_root_nss be retired?
- In reply to: deleted: "deleted (X-No-Archive)"
Date: Fri, 20 Jan 2023 08:45:20 UTC
> On 20. Jan 2023, at 09:15, freebsd@oldach.net wrote:
>
> Michael Gmelin wrote on Fri, 20 Jan 2023 08:51:31 +0100 (CET):
>>>> On 20. Jan 2023, at 07:45, freebsd@oldach.net wrote:
>>> Definitely however ca_root_nss should go away in favor of the built-in
>>> cert infrastructure and the ports still referring to this legacy should
>>> be updated.
>>
>> Without tooling in base to update certs independently of updating the OS this will be very painful.
>
> Cert updates are rare so my feeling is that separate tooling for this
> kind of leans into overkill.
>
> The other OS with the colorful tiles will update certs through an OS
> update (and reboot usually). Along the same paradigm, freebsd-update
> would do the job.
>
> One could as well track source and just install from
> ${SRC_BASE}/secure/caroot followed by certctl rehash.

On a single system that works just fine, but when you have many servers, vms, containers/jails (including automatic ones in CI, e.g., GitHub actions) this gets tedious. In our local cluster I would probably end up creating a private package based on what is in current (think security/freebsd-caroot).