Date: Tue, 8 Feb 2022 14:24:00 -0600
From: Kyle Evans <kevans@freebsd.org>
To: Dan Mahoney <freebsd@gushi.org>
Cc: ports@freebsd.org
Subject: Re: ca_root_nss
Message-ID: <CACNAnaE%2BiKEMoa7WO27tpz5Smg6EG%2BfyazDVQgujpDD_esaWNw@mail.gmail.com>
In-Reply-To: <007F9ADF-7411-44FB-84B1-E3BC2A0A0DB2@gushi.org>
References: <007F9ADF-7411-44FB-84B1-E3BC2A0A0DB2@gushi.org>

On Tue, Feb 8, 2022 at 2:05 PM Dan Mahoney <freebsd@gushi.org> wrote:
>
> All,
>
> Now that FreeBSD seems to be handling root ssl certs internally, will the ca_root_nss port/package go away at some point? (Or rather, stop being a dependency of other packages? I.e. if you want to trust ca_root_nss you can install it, but the OS baseline is what things like "curl" default to trusting.
>

My hope is that we'll eventually transform ca_root_nss into a package that does effectively what the current base infrastructure does, but we can use it as an 'update' mechanism for the trust store. Ideally, long-term, nothing will depend on ca_root_nss and it's entirely a leaf port that users may install if they need something in newer updates that didn't qualify for an SA/EN (e.g., new roots added aren't really a security issue and probably won't be the highest of priority).

I don't have a timeline on this yet, unfortunately; there's still a number of issues pointed out by Michael Osipov with the new model that need to be fixed before we can redesign ca_root_nss. I'm still hoping that I can find someone else to help me out here, because my time is pretty over-committed as it is.

Thanks,

Kyle Evans