Re: [PATCH] HTTPS/TLS CA certificates in base

[David Brownlee <abs%netbsd.org@localhost>]

There was a previous thread that mooted the idea of using the project
built mozilla-rootcerts packages (which are just tarfiles) as the
source for some mechanism to populate on-system certificates, such as
your proposed certctl. (mozilla-rootcerts is the base package which
just populates into PREFIX, not mozilla-rootcerts-openssl which put
data in /etc)

https://mail-index.netbsd.org/tech-userlevel/2023/08/04/msg014092.html

It would probably involve:
- Ensuring that each quarterly package release put the latest
mozilla-rootcerts in a Well Defined Location

Which would give:
- Always getting the latest certificates on install, whether
installing 10.0 the moment its released, or in three years time
- The same location to pick up updated certificates for a previously
installed system

There is still the bootstrapping issue, which could be managed by any of:
- Including just enough NetBSD certificates in base to make the initial download
- Signed packages
- Ignoring the issue and just installing over https without validation

The mechanism for getting the mozilla-rootcerts package data onto the
system could be:
1) certctl Just Downloads And Extracts The Package Tarfile
2) Having the default sysinst flow install pkgin and mozilla-rootcerts
(with opt-out), which also provides a ready mechanism to keep the data
updated (pkgin upgrade)

I rather like option 2), because while it makes the default path to
getting trust anchors installed conditional on installing pkgin, that
_should_ be the default path for someone new to NetBSD, and anyone
running up their own packages and install mechanism can just make sure
mozilla-rootcerts is installed and run certctl.

(Whether any of the above is useful, thanks for taking action on this)

David