Re: Can security/ca_root_nss be retired?
- In reply to: deleted: "deleted (X-No-Archive)"
Date: Fri, 20 Jan 2023 16:31:43 UTC
On Fri, 20 Jan 2023 17:15:07 +0100 (CET)
freebsd@oldach.net (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 17:07:41 +0100 (CET):
> > Well, whatever is done, such a change needs to be managed properly,
> > which includes adding an entry to UPDATING in ports (e.g., the
> > removal of ca_root_nss from curl broke tools that relied on having
> > certificates in /etc/ssl/certs.pem).
>
> ca_root_nss is not removed from ftp/curl. The CA_BUNDLE knob takes
> care for this, and it's actually default. Selecting inappropriate
> options may bite of course.
>

Consumers of binary packages don't change default knobs and don't
"select inappropriate options". They get what they get and rely on
UPDATING (and/or pkg-message) to get informed when defaults change and
potentially breaking changes happen.

The CA_BUNDLE knob was enabled on ftp/curl by default for many years
and was just recently disabled (in c63a8f65af, just in time for
2023Q1), which caused fall-out, e.g.:

https://lists.freebsd.org/archives/dev-commits-ports-all/2023-January/050433.html

-m

--
Michael Gmelin