> On 20. Jan 2023, at 09:15, free...@oldach.net wrote:
> 
> Michael Gmelin wrote on Fri, 20 Jan 2023 08:51:31 +0100 (CET):
>>>> On 20. Jan 2023, at 07:45, free...@oldach.net wrote:
>>> Definitely however ca_root_nss should go away in favor of the built-in
>>> cert infrastructure and the ports still referring to this legacy should
>>> be updated.
>> 
>> Without tooling in base to update certs independently of updating the OS 
>> this will be very painful.
> 
> Cert updates are rare so my feeling is that separate tooling for this
> kind of leans into overkill.
> 
> The other OS with the colorful tiles will update certs through an OS
> update (and reboot usually). Along the same paradigm, freebsd-update
> would do the job.
> 
> One could as well track source and just install from
> ${SRC_BASE}/secure/caroot followed by certctl rehash.

On a single system that works just fine, but when you have many servers, VMs,
containers/jails (including automatic ones in CI, e.g., GitHub Actions) this
gets tedious. In our local cluster I would probably end up creating a private
package based on what is in current (think security/freebsd-caroot).



