On Fri, 20 Jan 2023 09:16:11 +0100 Andrea Venturoli <m...@netfence.it> wrote:
> On 1/19/23 18:04, Eugene Grosbein wrote:
>
> >> Given /usr/share/certs exists for all supported releases, is there any
> >> reason to keep the ca_root_nss port?
>
> Just my 2c...
>
> > Single port may be updated more frequently and easily than base system.
>
> I agree on this, but there's another problem.
>
> Base has single certs in /etc/ssl/certs, where I can add my own private
> CAs' ones.
>
> Port provides a single bundled file in
> /usr/local/etc/ssl/cert.pem.
> This (at least in some cases) overrides completely the ones in
> /etc/ssl/certs, so my own private CAs will not work anymore.
> In the end, I have to delete /usr/local/etc/ssl/cert.pem every time the
> port creates it (and currently I have found no way to prevent it from
> doing this).
>
> So a port would be fine, possibly very appreciated, if it wouldn't
> disrupt base/local.
>
> bye
> av.
>
> Then there's www/p5-Mozilla-CA and possibly others...

Doesn't ETCSYMLINK option work?
As it's the default option, you need to install security/ca_root_nss
from ports with the option disabled, not pkg.

Possibly, somehow changing the priority within /etc/ssl/certs and
/usr/local/etc/ssl is necessary. Sorry, don't know how to do so.

-- 
Tomoaki AOKI <junch...@dec.sakura.ne.jp>
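A check for the situation described in the quoted message, as an added example that is not part of any message in this thread: it lists the files in a certificate directory whose certificates are absent from a bundle file, i.e. the local CAs that software reading only the bundle would no longer trust. The function names are hypothetical, and the sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 of the decoded body of every certificate block in pem_text."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)}

def shadowed_certs(cert_dir, bundle):
    """Names of files in cert_dir holding a certificate the bundle lacks.

    Returns None when the bundle does not exist (nothing overrides the directory).
    """
    bundle = Path(bundle)
    if not bundle.is_file():
        return None
    in_bundle = cert_fingerprints(bundle.read_text(errors="replace"))
    missing = []
    for path in sorted(Path(cert_dir).iterdir()):
        if not path.is_file():  # follows symlinks; skips dirs and dangling links
            continue
        if cert_fingerprints(path.read_text(errors="replace")) - in_bundle:
            missing.append(path.name)
    return missing

def _fake_pem(payload):
    # Constructed stand-in: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Build a constructed store and bundle; return results before/after the bundle exists."""
    with tempfile.TemporaryDirectory() as tmp:
        certs = Path(tmp, "certs")
        certs.mkdir()
        (certs / "public-root.pem").write_text(_fake_pem(b"public root"))
        (certs / "private-ca.pem").write_text(_fake_pem(b"private CA"))
        bundle = Path(tmp, "cert.pem")
        before = shadowed_certs(certs, bundle)
        bundle.write_text(_fake_pem(b"public root"))  # bundle lacks the private CA
        return before, shadowed_certs(certs, bundle)

if __name__ == "__main__":
    print(demo())
```

With the paths named in the thread, the call would be `shadowed_certs("/etc/ssl/certs", "/usr/local/etc/ssl/cert.pem")`.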