Another approach would be to add a feature to pkgin where it would have
a record of whether mozilla-rootcerts-openssl has been installed, and
ask the user whether they wanted to install it or not, and thereafter
not ask. Probably enabled only on systems where the base system is
known not to have preconfigure trust anchors. That lets pkgsrc do this
for a user easily, while not overriding base policy without consent.
This would probably require pkgin, mozilla-rootcerts-openssl and
mozilla-rootcerts to be prestaged as part of install, but we already
need pkgin, or else the same download method could be used for
mozilla-rootcerts as pkgin. Also needs someone to write the code.