tech-pkg archive


Re: mozilla rootcerts in base



> Date: Tue, 29 Aug 2023 10:52:53 +0200
> From: Tobias Nygren <tnn%NetBSD.org@localhost>
> 
> I think your dependency chains can be mostly traced to p11-kit, which
> wants to be configured with an explicit path:
> 
> CONFIGURE_ARGS+=	--with-trust-paths=${PREFIX}/share/mozilla-rootcerts/cacert.pem

If this is for TLS validation, this should probably be done with
something like the logic in security/openssl/builtin.mk instead to set
SSLCERTS, since

(a) that's not where the _configured_ trust anchors live, just where
    _one set_ of data files exist that configuration should point to;
    and

(b) where the configured TLS trust anchors live varies from OS to OS,
    like /etc/openssl/certs on NetBSD, /etc/ssl/certs on FreeBSD,
    /etc/pki/tls/certs on Fedora, &c.

Of course, it's not quite right for this to be taken from
security/openssl/builtin.mk because it's about TLS, not OpenSSL
(despite the confusingly named path in NetBSD for hysterical raisins
which we are not about to change).

On the other hand, it's not obvious to me that p11-kit is using this
for TLS validation; if not, perhaps it should be doing something else
altogether.

(And as a side note, I noticed that mozilla-rootcerts includes a bunch
of trust anchors designated for S/MIME, not for TLS validation, so
those shouldn't be put into /etc/openssl/certs...)

> Adding a builtin.mk to the mozilla-rootcerts package that
> exposes the path to trust store as a pkgsrc variable could be one
> way to solve this.

I'm not sure that's the right thing either.  There's no
mozilla-rootcerts _command_ in NetBSD base, and the files aren't
exposed in quite the same way, so what's in NetBSD base isn't exactly
a builtin version of the mozilla-rootcerts package.
