Questions re ca-certificates

[Tony0945]

I unmasked the latest ca-certificates because I was getting "no valid certificate found" errors on websites that have always been clean, and also certificate related errors on eix-sync.

Why are the latest certificates keyword masked?

Why is the ca-cert useflag not the default?

Is there a security risk in accepting ~amd64 for ca-certificates and/or the ca-cert useflag?

[turtles]

Can you share what websites are having issues?

I have not had to unmask app-misc/ca-certificates, but I used to use ca-cert for a work website when apple devices started throwing errors I manually installed the ca-cert root on the affected apple devices for like a month then that became unmanageable.
I ended up switching to Letsencrypt .
I am not sure if ca-cert ever got back on good terms with apple or not?

From the ebuild:
# The Debian ca-certificates package merely takes the CA database as it exists
# in the nss package and repackages it for use by openssl.
#
# The issue with using the compiled debs directly is two fold:
# - they do not update frequently enough for us to rely on them
# - they pull the CA database from nss tip of tree rather than the release
#
# So we take the Debian source tools and combine them with the latest nss
# release to produce (largely) the same end result. The difference is that
# now we know our cert database is kept in sync with nss and, if need be,
# can be sync with nss tip of tree more frequently to respond to bugs.


http://wiki.cacert.org/FAQ/BrowserClients
https://wiki.gentoo.org/wiki/Certificates#Debugging_certificate_issues
_________________
Donate to Gentoo