On Fri, 20 Jan 2023 10:16:41 +0100
Andrea Venturoli <m...@netfence.it> wrote:

> On 1/20/23 09:16, Andrea Venturoli wrote:
> 
> > Base has single certs in /etc/ssl/certs, where I can add my own private 
> > CAs' ones.
> > 
> > Port provides a single bundled file in
> > /usr/local/etc/ssl/cert.pem.
> 
> And also /usr/local/share/certs/ca-root-nss.crt, which is used in other 
> cases, overriding the other stores.
> 
> So, in the end, there should be agreement on *one* official source of 
> certs and that would be ideally used by everything. The port 
> could/should populate that, without disrupting local additions.
> 
>   bye
>       av.

IMHO, we would need 3 places.
  * For base with lowest priority.
  * For ports which can override base certs.
    ALL PORTS SHOULD WRITE CERTS ONLY HERE.
  * For local admins only, with highest priority.
    Nothing else can override certs here.

-- 
Tomoaki AOKI    <junch...@dec.sakura.ne.jp>
