Could we cache `rustls-native-certs::load_native_certs()`?

[jschwe]

When creating a new verifier, on certain OSs, rustls_native_certs::load_native_certs is called, which is documented to be potentially expensive, since it probes for certificates, and loads each file.
Would it be possible to cache the result (static LazyLock), and ideally expose a function to initialize the cache?

rustls-platform-verifier/rustls-platform-verifier/src/verification/others.rs

Line 92 in 996b1c9

let result = rustls_native_certs::load_native_certs();

/// ## Caveats
///
/// This function can be expensive: on some platforms it involves loading
/// and parsing a ~300KB disk file. It's therefore prudent to call
/// this sparingly.

https://github.com/rustls/rustls-native-certs/blob/559fd3d8390da90865693e3b48ae6eef56c4d111/src/lib.rs#L118

[djc]

I don't think that's a good idea because I think it's reasonable to expect that a fresh call to Verifier::new() reads the latest set of trust anchors from disk.

However, we could perhaps allow callers to supply these from the outside?

Usually you wrap the verifier in an Arc anyway, so not sure why you want to cache at this level?

[ctz]

Yeah, I agree that this needs to happen a level above. The other reason is that a static cache "leaks" storage indefinitely after use. If that is acceptable, just store an Arc yourself.