Call for testing: certctl, postinstall, TLS trust anchors

[Taylor R Campbell <riastradh%NetBSD.org@localhost>]

We're preparing to ship TLS trust anchors in base and configure them
so that applications like ftp(1) and pkg_add(1) can do TLS validation
out of the box.

The new certctl(8) tool is provided to manage the TLS trust anchors
configured in /etc/openssl/certs with a simple way to change the
source of trust anchors or distrust individual ones -- and with a
manual override, if you would rather use another mechanism to do it,
like the commands available in the security/mozilla-rootcerts or
security/ca-certificates packages, or the special-purpose
security/mozilla-rootcerts-openssl package.

I've added some logic in postinstall(8) to handle the transition when
you update.  Tried to anticipate all reasonable paths into the update,
and handle them all gracefully.  But no doubt I missed something.

So it would be helpful if you could test updating NetBSD in whatever
way you do it (sysinst, untar/etcupdate/postinstall, etcmanage,
something even more bespoke), and let me know if anything goes wrong
with the TLS trust anchors:

1. Does postinstall work smoothly for you?

2. Does it blow away any configuration you had?  (I don't think it
   should, but if you back up /etc you should be able to see.)

3. Do you end up with the trust anchors you expected?

4. Are the answers obvious or do you have to go digging?

5. Do you hit any messages or warnings or failures that you don't
   understand?

6. If you previously used mozilla-rootcerts, ca-certificates, or
   something else, and you want to switch to certctl(8), is it obvious
   what you need to do?  If not, where did you consult to find what
   you need to do, where you didn't find the answer?