Description
By default, taskwarrior bundles root certificates (see #3625 and #3660 for context) via the webpki-roots crate (note the Warning section).
Bundling certs makes sense when an OS-provided CA store isn't available, such as when building distroless container images. When an OS-provided CA store is available, using that store is preferable, as bundling certs comes with some disadvantages:
- Trust is shifted from the OS store to the webpki-roots crate.
- Users now rely on timely updates to the webpki-roots store instead of the OS store.
- Users must monitor the webpki-roots crate for updates.
- Users must recompile the app to keep the store up to date.
- Users cannot use private sync servers (unless they learn how to bundle their own certs with rustls).
I've seen the argument that bundling certs is safer due to protecting against MITM attacks (which was based on this issue), but bundling certs doesn't protect against someone who already has root privileges on the machine (which was the case in the issue that brought the argument), and most applications choose to rely on the OS cert store due to the disadvantages bundling certs brings.
It's debatable whether native roots should be enabled upstream (i.e. in this repo) or by every distro that packages taskwarrior. Since most taskwarrior users probably run the app with an OS cert store available (even distro-based container images provide this), I think it would be easier to enable it by default here, instead of having each and every distro patch it in. Arch, for instance, seems to prefer to have it upstreamed.
P.S. Thanks for providing taskwarrior! It's great :)