With the certctl patch on the table, I think it will be possible for anybody who wants to install mozilla-rootcerts to change certctl.conf to point to it and get what abs@ wants for updates (which is different than everybody getting it by default). I am now in the "this is not really different from any other serious vulnerability in case" camp. I have long believed that installing any particular release and leaving it indefinitely is not reasonable. My own practice is to run the netbsd-N stable branch and routinely update along the branch every 2 months, which means I am never far out of date and also in a position to update/build/rsync/update quickly when fixes for serious CVEs appear on the branch. So it's the same timeline as updating pkgsrc (update, pkg_rr, create summary, sync, pkgin) with different steps.