On Fri, 20 Jan 2023 17:15:07 +0100 (CET)
free...@oldach.net (Helge Oldach) wrote:

> Michael Gmelin wrote on Fri, 20 Jan 2023 17:07:41 +0100 (CET):
> > Well, whatever is done, such a change needs to be managed properly,
> > which includes adding an entry to UPDATING in ports (e.g., the
> > removal of ca_root_nss from curl broke tools that relied on having
> > certificates in /etc/ssl/certs.pem).  
> 
> ca_root_nss is not removed from ftp/curl. The CA_BUNDLE knob takes
> care of this, and it's actually default. Selecting inappropriate
> options may bite of course.
> 

Consumers of binary packages don't change default knobs and don't
"select inappropriate options". They get what they get and rely on
UPDATING (and/or pkg-message) to get informed when defaults change and
potentially breaking changes happen.

The CA_BUNDLE knob was enabled on ftp/curl by default for many years
and was just recently disabled (in c63a8f65af, just in time for
2023Q1), which caused fall-out, e.g.:
https://lists.freebsd.org/archives/dev-commits-ports-all/2023-January/050433.html

-m

-- 
Michael Gmelin
