Re: Can security/ca_root_nss be retired?
Date: Fri, 20 Jan 2023 17:11:25 UTC
On Fri, 20 Jan 2023 17:54:15 +0100 (CET)
freebsd@oldach.net (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 17:31:43 +0100 (CET):
> > The CA_BUNDLE knob was enabled on ftp/curl by default for many years
> > and was just recently disabled (in c63a8f65af, just in time for
> > 2023Q1), which caused fall-out, e.g.:
> > https://lists.freebsd.org/archives/dev-commits-ports-all/2023-January/050433.html
> >
>
> That was changed accidentally and is reverted, so the case is
> irrelevant in the light of this discussion.
>

The disabling of CA_BUNDLE served as an example (hence "e.g., the
removal..."). My point is that the change should be done in a way that
gives users a chance to avoid breakage/unpleasant surprises.

By the way, I noticed that fetch(1)[0] and fetch(3) man pages should
probably be updated to reflect having CA certs in base (and definitely
stop recommending the installation of ca_root_nss). I'll take care of
that soonish.

Cheers

[0] https://cgit.freebsd.org/src/tree/usr.bin/fetch/fetch.1

--
Michael Gmelin