Re: Can security/ca_root_nss be retired?

In reply to: Hajimu UMEMOTO : "Re: Can security/ca_root_nss be retired?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Andrea Venturoli <ml_at_netfence.it>
Date: Fri, 20 Jan 2023 14:40:45 UTC

On 1/20/23 13:01, Hajimu UMEMOTO wrote:


Briefly... (but I can elaborate if someone is interested)...



> If you mean curl, built without CA_BUNDLE should take care of it.

No, I don't mean curl (which I build without CA_BUNDLE).

I mean ports-mgmt/pkg, security/pulledpork, www/p5-libwww, to name a few.
Each one of these uses different methods (so different certificate stores).
*If* the policy is that certificates are hashed in /etc/ssl/certs, they 
probably should be fixed.

I'm not even citing OpenJDK or FireFox, which do this by desing and 
probably should be left as they are.

  bye
	av.