From: Andrea Venturoli
Date: Fri, 20 Jan 2023 17:32:11 +0100
Subject: Re: Can security/ca_root_nss be retired?
To: Helge Oldach
Cc: ume@FreeBSD.org, ports@freebsd.org
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 1/20/23 17:19, Helge Oldach wrote:
> Andrea Venturoli wrote on Fri, 20 Jan 2023 15:40:45 +0100 (CET):
>> I mean ports-mgmt/pkg, security/pulledpork, www/p5-libwww, to name a few.
>> Each one of these uses different methods (so different certificate stores).
>> *If* the policy is that certificates are hashed in /etc/ssl/certs, they
>> probably should be fixed.
>
> I daresay either of these runs fine against the hashed cert store from
> base (OpenSSL takes care).

pkg will, but not by default, only if I remove /usr/local/etc/ssl/cert.pem.

> The other perl related oddity is www/p5-Mozilla-CA which installs
> another flat file bundle in another different location.

And it's not used by all PERL software (see security/pulledpork, which
uses /usr/local/share/certs/ca-root-nss.crt instead).

Both the above mentioned files come with ca_root_nss.

 bye
	av.
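
An added example, not part of the original message: one way to check whether the trust stores named in this thread hold the same CA certificates, by fingerprinting every PEM block in the hashed directory and in each flat bundle. The function names and the `STORES` labels are assumptions made for illustration; only the three paths come from the thread.

```python
import base64, binascii, hashlib, re
from pathlib import Path

# Trust-store paths named in the thread; the labels are this example's own.
STORES = {
    "base hashed dir": "/etc/ssl/certs",
    "ca_root_nss cert.pem": "/usr/local/etc/ssl/cert.pem",
    "ca_root_nss bundle": "/usr/local/share/certs/ca-root-nss.crt",
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(path):
    """SHA-256 of the DER bytes of every PEM certificate in a flat bundle
    file, or in every file of a directory (symlinks are followed).
    No X.509 parsing is done; a missing store yields an empty set."""
    p = Path(path)
    if not p.exists():
        return set()
    files = [f for f in p.iterdir() if f.is_file()] if p.is_dir() else [p]
    found = set()
    for f in files:
        for body in PEM_RE.findall(f.read_text(errors="replace")):
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                continue  # damaged block: skip it rather than abort the audit
            found.add(hashlib.sha256(der).hexdigest())
    return found

def drift(reference, other):
    """Return (anchors only in `other`, anchors only in `reference`)."""
    ref, oth = fingerprints(reference), fingerprints(other)
    return oth - ref, ref - oth

def pem(der):
    """Wrap bytes as a PEM block (helper for building constructed test data)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    ref = STORES["base hashed dir"]
    for name, path in STORES.items():
        extra, missing = drift(ref, path)
        print(f"{name}: {len(fingerprints(path))} certs, "
              f"{len(extra)} not in base, {len(missing)} only in base")
```

A non-empty first set for a flat bundle means software reading that bundle trusts an anchor that the base store does not.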