On Thu, 19 Jan 2023 03:13:48 -0800 Mel Pilgrim <list_free...@bluerosetech.com> wrote:
> Given /usr/share/certs exists for all supported releases, is there any > reason to keep the ca_root_nss port? If everyone in the world uses LATEST main only, yes. But the assumption is clearly nonsense. Basically, commits to main are settled a while before MFC to stable branches, and MFS to releng branches needs additional settling days. If any certs happened to be non-reliable, this delay can cause, at worst, catastorphic scenario. If updates to certs are always promised to be "MFC after: now" and committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection. If not, keeping ca_root_nss port and updated ASAP with upstream should be mandatory. -- Tomoaki AOKI <junch...@dec.sakura.ne.jp>
