How much work would it be to allow for architecture neutral packages?

I ask because of PR-57456 - http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=57456

By default NetBSD-10 (like earlier NetBSD releases) does not populate /etc/openssl/certs

This impacts the base system ftp - which cannot make requests to https:// URLs by default, and pretty much any openssl using package - for example installing mercurial from pkgsrc:

% hg clone https://anonhg.netbsd.org/src
(an attempt was made to load CA certificates but none were loaded; see https://mercurial-scm.org/wiki/SecureConnections for how to configure Mercurial to avoid this error) abort: error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

Two alternative options could be to:
a) provide the mozilla-certs.tgz pseudo-set as mentioned in the PR (and update regularly)
b) implement architecture neutral packages (primarily for mozilla-rootcerts & mozilla-rootcerts-openssl), and default to installing them on install (certificates available to sysinst is a different issue and we currently have a workaround) - this also allows us to use pkgin as the recommended method to keep the certificates up to date

(I'm using "all-arch" as a placeholder magic token below, I'm assuming it would be named differently)

On the build side is it more than:
- Updating the tools to understand a magic token to mean "all-arch"
- Adding a new option to set in Makefiles (and matching mk logic) to note a package as "all-arch" and pass the relevant flags to pkg_create

As for managing them, one of:
a) Put an extra copy at build time into ./all-arch, and symlink games on upload to ftp.netbsd.org?
b) Add a post upload tool on ftp.netbsd.org which finds the all-arch packages and copies them to ../../all-arch/$(uname -r)ish/
plus teaching pkgin (and pkg_install?) to use the extra URL as fallback

David