Inherit host TLS certificates for networked builds #156
Description
If you enable the networking unsafe setting on a process, it will enable network access in the sandbox and copy the host's DNS settings. But, this alone isn't enough for HTTPS requests to work most of the time-- we don't add any TLS certificates to the sandbox, so certificate verification will fail out-of-the-box. The simplest workaround today is to add the ca_certificates package as a dependency to the process, which will include some certs and set the $SSL_CERT_FILE env var, which is enough config to get HTTPS requests to work.
I think a better option would be to tweak the sandbox to automatically inherit certificates from the host when the networking setting is set (or falling back to a default set of WebPKI certs bundled with Brioche-- possibly with an explicit config setting to tweak this behavior). Philosophically, I believe the set of TLS certificates to use is "network-level configuration", just like the host's DNS config is. Especially in enterprise contexts, it's not uncommon for a proxy to intercept and re-encrypt all traffic, which would require using the host's TLS certificates to work properly.
Additionally, if a build is locked with an old version of ca_certificates, then the build will eventually fail once the root certificates expire and get rotated. While we should still give the option to use a specific version of ca_certificates, defaulting to a current set of certs (from the host or from WebPKI certs distributed with Brioche) would be a better choice.