From: Kyle Evans
Date: Tue, 8 Feb 2022 14:24:00 -0600
Subject: Re: ca_root_nss
To: Dan Mahoney
Cc: ports@freebsd.org
In-Reply-To: <007F9ADF-7411-44FB-84B1-E3BC2A0A0DB2@gushi.org>
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On Tue, Feb 8, 2022 at 2:05 PM Dan Mahoney wrote:
>
> All,
>
> Now that FreeBSD seems to be handling root ssl certs internally, will the ca_root_nss port/package go away at some point? (Or rather, stop being a dependency of other packages? I.e. if you want to trust ca_root_nss you can install it, but the OS baseline is what things like "curl" default to trusting.)
>

My hope is that we'll eventually transform ca_root_nss into a package that does effectively what the current base infrastructure does, but we can use it as an 'update' mechanism for the trust store. Ideally, long-term, nothing will depend on ca_root_nss and it's entirely a leaf port that users may install if they need something in newer updates that didn't qualify for an SA/EN (e.g., new roots added aren't really a security issue and probably won't be the highest of priority).

I don't have a timeline on this yet, unfortunately; there's still a number of issues pointed out by Michael Osipov with the new model that need to be fixed before we can redesign ca_root_nss. I'm still hoping that I can find someone else to help me out here, because my time is pretty over-committed as it is.

Thanks,

Kyle Evans