suddenly realizing i don’t know how POSIX systems make sure software knows where the trusted root certificates are
Debian rips the certs Mozilla uses out and packages them in ca-certificates, which seems to end up installing certs into /etc/ssl/certs. but idk if this is standardized behavior or not
