https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230414
--- Comment #12 from Michael Osipov <michael.osi...@siemens.com> --- OK, let me share a bit differentiated view: * The option needs to be just like for GSS-API: GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT. Converted for this we'd have: CERTS_BASE, CERTS_BUNDLED, CERTS_PORTS (ca_root_nss), CERTS_SSL (ssl.mk based) * I assume that ca_root_nss will be removed at some point in time because certctl(8) will be is available in 12.2-RELEASE (and hopefully in 11-STABLE) and having NSS certs in base and via ports looks like maintenance overhead * What should now be the default at least on 12? CERTS_BASE. Why? Because if something depends on OpenSSL from base, it should also the certs from /etc/ssl/certs. But it must obey ssl=... and point to that certs dir. If Python would have its own TLS implemenation like Java, I would be OK with having a bundled certs store. >From a pkg user's POV, it should work consistently because I cannot change it, i.e., add certs or block certs to certifi while I can with certctl(8). WDYT? -- You are receiving this mail because: You are on the CC list for the bug. _______________________________________________ freebsd-python@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-python To unsubscribe, send any mail to "freebsd-python-unsubscr...@freebsd.org"