devel/arcanist-lib: Drop ca_root_nss dependency.

This was much harder than it needs to be, because Arcanist is dead set
on forcing a CA bundle instead of letting curl pick one or use the OS
native trust store.  Remove the enforced fallback and set CURL_CAINFO
only if a CA bundle was explicitly configured or custom.pem was found
on disk.  Furthermore, if the configured value is a directory, set
CURL_CAPATH instead.

MFH:		2023Q4
Reviewed by:	grembo
Differential Revision:	https://reviews.freebsd.org/D42042

devel/arcanist-lib/Makefile

@@ -1,6 +1,6 @@
 PORTNAME?=	arcanist
 PORTVERSION?=	20220518
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES?=	devel
 PKGNAMESUFFIX=	${SLAVE_PKGNAMESUFFIX}${PHP_PKGNAMESUFFIX}
 
@@ -38,8 +38,6 @@ PLIST=		${.CURDIR}/pkg-plist
 .if ${SLAVEPORT} == lib
 SLAVE_PKGNAMESUFFIX=	-${SLAVEPORT}
 
-RUN_DEPENDS=	ca_root_nss>0:security/ca_root_nss
-
 OPTIONS_DEFINE=	ENCODINGS
 OPTIONS_DEFAULT=ENCODINGS
 ENCODINGS_DESC=	Support for encodings other than utf-8
@@ -82,8 +80,6 @@ do-install:
 	@${REINPLACE_CMD} \
 		's|%%PYTHON_CMD%%|${PYTHON_CMD}|g' \
 		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/src/workflow/ArcanistAnoidWorkflow.php
-	${LN} -sf ${LOCALBASE}/share/certs/ca-root-nss.crt \
-		${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/resources/ssl/default.pem
 	${RLN} ${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/support/shell/hooks/bash-completion.sh \
 		 ${STAGEDIR}${PREFIX}/share/bash-completion/completions/arc
 	${STAGEDIR}${PREFIX}/${PHP_DESTDIR}/bin/arc shell-complete --generate

devel/arcanist-lib/files/patch-src_future_http_HTTPSFuture.php

@@ -0,0 +1,41 @@
+--- src/future/http/HTTPSFuture.php.orig	2022-05-17 23:20:14 UTC
++++ src/future/http/HTTPSFuture.php
+@@ -375,31 +375,24 @@ final class HTTPSFuture extends BaseHTTPFuture {
+       //   means that the user wants to override everything (also because the
+       //   user might not have access to change the box's php.ini to add
+       //   curl.cainfo).
+-      // - Otherwise, try using curl.cainfo. If it's set explicitly, it's
+-      //   probably reasonable to try using it before we fall back to what
+-      //   libphutil ships with.
+-      // - Lastly, try the default that libphutil ships with. If it doesn't
+-      //   work, give up and yell at the user.
+ 
+       if (!$this->getCABundle()) {
+         $caroot = dirname(phutil_get_library_root('arcanist'));
+         $caroot = $caroot.'/resources/ssl/';
+-
+-        $ini_val = ini_get('curl.cainfo');
+         if (self::getGlobalCABundle()) {
+           $this->setCABundleFromPath(self::getGlobalCABundle());
+         } else if (Filesystem::pathExists($caroot.'custom.pem')) {
+           $this->setCABundleFromPath($caroot.'custom.pem');
+-        } else if ($ini_val) {
+-          // TODO: We can probably do a pathExists() here, even.
+-          $this->setCABundleFromPath($ini_val);
+-        } else {
+-          $this->setCABundleFromPath($caroot.'default.pem');
+         }
+       }
+ 
+-      if ($this->canSetCAInfo()) {
+-        curl_setopt($curl, CURLOPT_CAINFO, $this->getCABundle());
++      $ca_bundle = $this->getCABundle();
++      if ($ca_bundle && $this->canSetCAInfo()) {
++        if (is_dir($ca_bundle)) {
++          curl_setopt($curl, CURLOPT_CAPATH, $ca_bundle);
++        } else {
++          curl_setopt($curl, CURLOPT_CAINFO, $ca_bundle);
++        }
+       }
+ 
+       $verify_peer = 1;

devel/arcanist-lib/pkg-plist

@@ -17,7 +17,6 @@ lib/php/arcanist/resources/arclint/include-exclude.arclint.example
 lib/php/arcanist/resources/php/symbol-information.json
 lib/php/arcanist/resources/spelling/english.json
 lib/php/arcanist/resources/ssl/README
-lib/php/arcanist/resources/ssl/default.pem
 lib/php/arcanist/scripts/__init_script__.php
 lib/php/arcanist/scripts/arcanist.php
 lib/php/arcanist/scripts/hgdaemon/hgdaemon_client.php