tech-userlevel archive
Re: postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
> Date: Sat, 26 Aug 2023 06:50:22 -0400
> From: Jason Thorpe <thorpej%me.com@localhost>
>
> > On Aug 26, 2023, at 1:59 AM, Taylor R Campbell <riastradh%NetBSD.org@localhost> wrote:
> >
> > postinstall(8): Add opensslcerts item to regen /etc/openssl/certs.
> >
> > Works only with destdir /, since it relies on running openssl(1),
> > which is not available as a tool or required in the cross-build
> > environment.
>
> Maybe there should be a boot-time check in an rc script for an
> out-of-date trust cache?
That would be reasonable, but I didn't want to create a new reason
requiring /etc to be writable during normal boot.
Right now, to keep it simple and reliable, certctl(8) works by
deleting /etc/openssl/certs and recreating it; there's no mechanism to
update /etc/openssl/certs incrementally or check whether it is out of
date. So at the moment, `certctl rehash' always requires /etc to be
writable.
We could create a mechanism to check whether it is out of date (both
to check for missing symlinks and to check for extraneous symlinks and
to check for mismatched symlinks), and define a new command to invoke
it, and add new tests for it, and use that in an /etc/rc.d script.
It wouldn't hurt to have all that, but it's a bunch of extra work.
And the normal install (and upgrade) procedure always goes through
postinstall(8) anyway. So that's where I started.
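The out-of-date check sketched above (missing, extraneous and mismatched symlinks in /etc/openssl/certs), written out as an added example that is not part of this thread and not certctl(8)'s own code. It assumes the OpenSSL hash-directory layout (links named <subject_hash>.<n> pointing at a certificate file), a flat source directory of *.pem files, and paths without whitespace; only expected_links needs openssl(1), the comparison itself does not, and nothing here writes under /etc.

```shell
#!/bin/sh
# Added example, not certctl(8)'s code: audit an OpenSSL hash directory
# such as /etc/openssl/certs against a source directory of trusted
# certificates and report the three kinds of drift named in the thread:
# missing, extraneous and mismatched symlinks.
#
# Assumptions: hash-dir layout is <subject_hash>.<n> -> cert file, source
# certs are flat *.pem files, and no path contains whitespace.

# assign_suffixes: read "HASH TARGET" lines and number colliding hashes
# .0, .1, ... the way hash-directory tools name duplicate subject hashes.
assign_suffixes() {
    awk '{ printf "%s.%d %s\n", $1, seen[$1]++, $2 }'
}

# expected_links CERTDIR: print "HASH TARGET" for every *.pem in CERTDIR.
# This is the only step that needs openssl(1); pipe it into assign_suffixes.
expected_links() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
        printf '%s %s\n' "$hash" "$cert"
    done
}

# listed NAME EXPECTEDFILE: succeed iff NAME appears in column 1 of the file.
listed() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$2"
}

# check_certs_dir CERTSDIR EXPECTEDFILE: compare the symlinks in CERTSDIR
# with the "LINKNAME TARGET" lines in EXPECTEDFILE.  Prints one line per
# discrepancy; returns 1 if any was found, 0 if the directory is current.
check_certs_dir() {
    certsdir=$1 expected=$2 status=0
    # Pass 1: every expected link must exist and point at the right file.
    while read -r link target; do
        [ -n "$link" ] || continue
        if [ ! -L "$certsdir/$link" ]; then
            echo "missing $link"; status=1
        else
            actual=$(readlink "$certsdir/$link")
            if [ "$actual" != "$target" ]; then
                echo "mismatch $link expected $target actual $actual"; status=1
            fi
        fi
    done < "$expected"
    # Pass 2: nothing may be present that the trust source does not call for
    # (the -L test also catches dangling links, which -e alone would skip).
    for path in "$certsdir"/*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        listed "$name" "$expected" || { echo "extraneous $name"; status=1; }
    done
    return $status
}

# Usage: check_certs.sh SOURCE_CERTDIR /etc/openssl/certs
# (SOURCE_CERTDIR is whatever directory the trust store is generated from.)
main() {
    tmp=$(mktemp) || exit 1
    expected_links "$1" | assign_suffixes > "$tmp"
    check_certs_dir "$2" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

[ $# -eq 2 ] && main "$@"
```

The check only reads, so it could run from an rc.d script against a read-only /etc and report that the trust cache is stale; regenerating it is still `certctl rehash' and still needs /etc writable, as the reply notes.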