> On 20. Jan 2023, at 07:45, free...@oldach.net wrote:
>
> Mel Pilgrim wrote on Thu, 19 Jan 2023 14:58:12 +0100 (CET):
>> On 2023-01-19 4:08, Tomoaki AOKI wrote:
>>> On Thu, 19 Jan 2023 03:13:48 -0800
>>> Mel Pilgrim <list_free...@bluerosetech.com> wrote:
>>>
>>>> Given /usr/share/certs exists for all supported releases, is there any
>>>> reason to keep the ca_root_nss port?
>>>
>>> If everyone in the world uses LATEST main only, yes.
>>> But the assumption is clearly nonsense.
>>>
>>> Basically, commits to main are settled a while before MFC to stable
>>> branches, and MFS to releng branches needs additional settling days.
>>>
>>> If any certs happened to be non-reliable, this delay can cause, at
>>> worst, a catastrophic scenario.
>>>
>>> If updates to certs are always promised to be "MFC after: now" and
>>> committed to ALL SUPPORTED BRANCHES AT ONCE, I have no objection.
>>>
>>> If not, keeping the ca_root_nss port, updated ASAP with upstream, should
>>> be mandatory.
>>
>> If ca_root_nss delivered the certs in the same format, sure, but that
>> monolithic file makes installing private CAs a hassle.
>
> Move your Private_Root_CA.pem into ${DISTFILES} and add to /etc/make.conf:
>
> .if ${.CURDIR:M*/security/ca_root_nss}
> EXTRA_DISTFILES+=Private_Root_CA.pem
> post-build:
> 	for f in ${EXTRA_DISTFILES}; do \
> 		${CAT} ${DISTDIR}/"$${f}" >> ${WRKDIR}/ca-root-nss.crt; \
> 	done
> .endif
>
> Definitely however ca_root_nss should go away in favor of the built-in
> cert infrastructure and the ports still referring to this legacy should
> be updated.
Without tooling in base to update certs independently of updating the OS this
will be very painful.
Michael
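The thread contrasts the monolithic ca-root-nss.crt bundle with the one-file-per-certificate layout the base certctl(8) tooling consumes. The script below is an added example, not code from the thread or from the ca_root_nss port: it splits a bundle (with a private CA appended, as the make.conf hook above does) into per-certificate files. The sample bundle is constructed and its bodies are placeholders, not real certificates, and the numbered output names are an assumption; certctl itself links certificates by OpenSSL subject hash.

```shell
#!/bin/sh
# Split a monolithic PEM bundle into one file per certificate.
# Added example; the bundle below is constructed, not a real CA set.

make_sample_bundle() {
    cat > "$1" <<'EOF'
# Constructed placeholder bundle: the bodies are NOT real certificates.
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCAx
-----END CERTIFICATE-----
# Private_Root_CA.pem appended by the make.conf post-build hook
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCAy
-----END CERTIFICATE-----
EOF
}

# Copy every BEGIN..END CERTIFICATE block of $1 into $2/cert-NNN.pem.
# Comment lines between blocks (ca-root-nss.crt carries many) are dropped.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
}

# Number of per-certificate files produced in $1.
count_pem_files() {
    ls "$1"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/ca-root-nss.crt"
split_pem_bundle "$tmp/ca-root-nss.crt" "$tmp/certs"
echo "split into $(count_pem_files "$tmp/certs") certificate files"
# On FreeBSD the resulting files would go under /usr/local/etc/ssl/certs,
# followed by `certctl rehash`, instead of being appended to the bundle.
```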