There was a previous thread that mooted the idea of using the project-built mozilla-rootcerts packages (which are just tarfiles) as the source for some mechanism to populate on-system certificates, such as your proposed certctl. (mozilla-rootcerts is the base package which just populates into PREFIX, not mozilla-rootcerts-openssl, which puts data in /etc.)

https://mail-index.netbsd.org/tech-userlevel/2023/08/04/msg014092.html

It would probably involve:

- Ensuring that each quarterly package release put the latest mozilla-rootcerts in a Well Defined Location

Which would give:

- Always getting the latest certificates on install, whether installing 10.0 the moment it's released, or in three years' time
- The same location to pick up updated certificates for a previously installed system

There is still the bootstrapping issue, which could be managed by any of:

- Including just enough NetBSD certificates in base to make the initial download
- Signed packages
- Ignoring the issue and just installing over https without validation

The mechanism for getting the mozilla-rootcerts package data onto the system could be:

1) certctl Just Downloads And Extracts The Package Tarfile
2) Having the default sysinst flow install pkgin and mozilla-rootcerts (with opt-out), which also provides a ready mechanism to keep the data updated (pkgin upgrade)

I rather like option 2), because while it makes the default path to getting trust anchors installed conditional on installing pkgin, that _should_ be the default path for someone new to NetBSD, and anyone running up their own packages and install mechanism can just make sure mozilla-rootcerts is installed and run certctl.

(Whether or not any of the above is useful, thanks for taking action on this.)

David