> Date: Sat, 26 Aug 2023 06:50:22 -0400 > From: Jason Thorpe <thor...@me.com> > > > On Aug 26, 2023, at 1:59 AM, Taylor R Campbell <riastr...@netbsd.org> wrote: > > > > postinstall(8): Add opensslcerts item to regen /etc/openssl/certs. > > > > Works only with destdir /, since it relies on running openssl(1), > > which is not available as a tool or required in the cross-build > > environment. > > Maybe there should be a boot-time check in an rc script for an > out-of-date trust cache?
That would be reasonable, but I didn't want to create a new reason requiring /etc to be writable during normal boot. Right now, to keep it simple and reliable, certctl(8) works by deleting /etc/openssl/certs and recreating it; there's no mechanism to update /etc/openssl/certs incrementally or check whether it is out of date. So at the moment, `certctl rehash' always requires /etc to be writable. We could create a mechanism to check whether it is out of date (both to check for missing symlinks and to check for extraneous symlinks and to check for mismatched symlinks), and define a new command to invoke it, and add new tests for it, and use that in an /etc/rc.d script. It wouldn't hurt to have all that, but it's a bunch of extra work. And the normal install (and upgrade) procedure always goes through postinstall(8) anyway. So that's where I started.
