On Tue, Apr 21, 2020 at 06:17:58PM +0200, Pierre Neidhardt wrote:
> Note that the "--expose=/etc/ssl/certs/" is important.
> 
> Should we consider this a bug?  If not, then should we document
> it?

No, it's not a bug.

TLS X.509 certificates need to be looked up dynamically at run-time,
because their validity depends on the current time. We need to be able
to change the certificates without requiring the packages that use them
to rebuild. Otherwise built packages would become obsolete just because
some time has passed.