From 351e4f956a11bdf419c14f1f69758a15e77e7fea Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Fri, 27 Mar 2026 09:26:15 +0100
Subject: [PATCH] mk-ca-bundle.pl: drop reproducible timestamp feature

Mozilla may push to its repo much later than the commit date, which can be a source of confusion when using the reproducible timestamp (which is determined by the commit date) by default. Example: https://curl.se/ca/cacert-2026-03-19.pem vs. https://github.com/mozilla-firefox/firefox/commits/1a84aee6387d2f9c9531c655edeea4a80aa0fcfa/security/nss/lib/ckfw/builtins/certdata.txt This feature had no actual user (or a planned one) from within curl at the moment, and not requested by curl users. curl-for-win does this on its own, which is the more practical way there since everything (not just the CA bundle) needs to be reproducible anyway. I surmise this may be true for most if not all reproducible use-cases. Another limitation was that it could bump into GitHub's rate limiting, needing further updates. Also: code had some unintented leftovers.

Reported-by: Daniel Stenberg
Bug: https://github.com/curl/curl/pull/20528#issuecomment-4140610008
Follow-up to ca92e20123928e4788d27135cdafdd084d3833d4 #20528
Closes #21116
---
 scripts/mk-ca-bundle.pl | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)

diff --git a/scripts/mk-ca-bundle.pl b/scripts/mk-ca-bundle.pl
index 86e3f741f9..6170d781c9 100755
--- a/scripts/mk-ca-bundle.pl
+++ b/scripts/mk-ca-bundle.pl
@@ -60,7 +60,7 @@ $opt_d = 'release';
 # If the OpenSSL commandline is not in search path you can configure it here!
 my $openssl = 'openssl';
-my $version = '1.32';
+my $version = '1.33';
 $opt_w = 76; # default base64 encoded lines length
@@ -307,31 +307,6 @@ my $filedate_iso = '';
 if(!$opt_n) {
 report "Using URL: $url";
-
- my $sha = '';
- if($opt_d ne 'ref') {
- report "Determining latest commit and timestamp for the remote file ...";
-
- my $out = '';
- # https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/autoland/security/nss/lib/ckfw/builtins/certdata.txt
- if($url =~ /^https:\/\/raw.githubusercontent.com\/([a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+)\/(refs\/heads\/[a-z]+)(\/.+)$/) {
- my $slug = $1;
- my $refs = "&sha=$2";
- my $path = $3;
- if(open(my $fh, '-|', 'curl', '-A', 'curl', '-H', 'X-GitHub-Api-Version: 2022-11-28',
- "https://api.github.com/repos/mozilla-firefox/firefox/commits?path=$path$refs")) {
- $out = do { local $/; <$fh> };
- close $fh;
- }
- if($out) {
- use JSON::PP;
- my $json = decode_json($out);
- $sha = $json->[0]->{sha};
- $filedate_iso = $json->[0]->{commit}->{committer}->{date};
- }
- }
- }
-
 report "Downloading $txt ...";

 # If we have an HTTPS URL then use curl