On Tue, Feb 8, 2022 at 2:05 PM Dan Mahoney <free...@gushi.org> wrote:
>
> All,
>
> Now that FreeBSD seems to be handling root ssl certs internally, will the
> ca_root_nss port/package go away at some point? (Or rather, stop being a
> dependency of other packages? I.e. if you want to trust ca_root_nss you can
> install it, but the OS baseline is what things like "curl" default to
> trusting.)
>
My hope is that we'll eventually transform ca_root_nss into a package that does effectively what the current base infrastructure does, but we can use it as an 'update' mechanism for the trust store. Ideally, long-term, nothing will depend on ca_root_nss and it's entirely a leaf port that users may install if they need something in newer updates that didn't qualify for an SA/EN (e.g., new roots added aren't really a security issue and probably won't be the highest of priority).

I don't have a timeline on this yet, unfortunately; there are still a number of issues pointed out by Michael Osipov with the new model that need to be fixed before we can redesign ca_root_nss. I'm still hoping that I can find someone else to help me out here, because my time is pretty over-committed as it is.

Thanks,

Kyle Evans