The question of root certificates for OpenSSL in base came up recently in pkgsrc. That got me thinking: why does NetBSD not come with a set of certificates in the base system? The set that mozilla-rootcerts delivers would be a reasonable thing to put there, because (a) that’s what literally everyone ends up installing anyway and (b) it does not require us to make a moral judgement about individual CAs.
This would have the advantage of no longer requiring users to install mozilla-rootcerts explicitly. It also removes one source of confusion: for a n00b, it is not obvious that this is necessary, or why. Thus, it would be a sane default. Disadvantage: the script that takes the file from Mozilla and munges it is in Perl. But its _output_ could be checked in instead, so that the script does not need to be run during a build. (There might also be issues around licensing, but I defer to others on that.)

agc made the argument that including certificates is similar to including time zone data, which we already do. We do not tell users to install a package to use non-UTC time zones, for instance.

What do you think? —Benny.