Attempting to build go programs that import packages hosted by golang.org fails unless ca_root_nss is installed. E.g. go: golang.org/x/sync@v0.0.0-20190423024810-112230192c58: unrecognized import path "golang.org/x/sync" (https fetch: Get https://golang.org/x/sync?go-get=1: x509: certificate signed by unknown authority) Presumably other sites that use unrecognized certs will also fail. I tripped over this when building in synth, which sets up clean environments.
(In reply to hartzell from comment #0) Network access is not allowed during build, so missing ca_root_nss shouldn't prevent building of any correctly written port. And even lang/go would have a dependency on security/ca_root_nss, the next step for go will be to fetch sources using git (or hg/svn/bzr, depending on the repo) which would be missing too.
> Network access is not allowed during the build, [...] I wasn't clear, this is not a poudriere build, but as regular user of the go package, once it's been installed. Your next point makes sense, the go port should no more have a dependency on the `security/ca_root_nss` that it should on the other bits involved in the `go build` step (or `go mod download`). It's up the end user to install them separately if they're desired. That makes sense. I believe that this can be closed. Should I do it or should "someone else"?