MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure

Infrastructure only -- no plans in place currently to commit any certs to
these branches.

r352948:
[1/3] Initial infrastructure for SSL root bundle in base

This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352949:
[2/3] Add certctl(8)

This is a simple utility to hash all trusted on the system into
/etc/ssl/certs. It also allows the user to blacklist certificates they do
not trust.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352950:
[3/3] etcupdate and mergemaster support for certctl

This commit add support for certctl in mergemaster and etcupdate. Both will
either rehash or prompt for rehash as new certificates are
trusted/blacklisted.

This work was done primarily by allanjude@, with minor contributions by
myself.

r352951:
caroot: add @generated tags to extracted .pem

As is the current trend; while these files are manually curated, they are
still generated. If they end up in a review, it would be helpful to also
take the hint and hide them.

r353002:
Unbreak etcupdate(8) and mergemaster(8) after r352950

r352950 introduced improper case fall-through for shell scripts. Fix it with
a pipe.

r353066:
certctl(8): realpath the file before creating the symlink

Otherwise we end up creating broken relative symlinks in
/etc/ssl/blacklisted.

r353070:
certctl(8): let one blacklist based on hashed filenames

It seems reasonable to allow, for instance:

$ certctl list
# reviews output -- ah, yeah, I don't trust that one
$ certctl blacklist ce5e74ef.0
$ certctl rehash

We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've
described it to them in `certctl list` output -- I see little sense in
forcing another level of filesystem inspection to determien what cert file
this physically corresponds to.

Relnotes: yes

MFC r326276:

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

MFC r303784, r303785, r305620:

r303784:
etcupdate: directly use diff3(1) instead of merge(1)

During the last attempt to rmeove GNU rcs, 2 blockers were spotted:
We need an ident(1) and etcupdate(8) uses merge(1).

Now nothing should prevent to remove rcs from base

Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D7401

r303785:
always install etcupdate

Now that etcupdate does not depend on rcs anymore there is no need to
conditionnally install it

r305620: (by vangyzen )
etcupdate: preserve the metadata of the destination file

When using diff3 to perform a three-way merge, etcupdate lost the destination
file's metadata. The metadata from the temporary file were used instead.
This was unpleasant for rc.d scripts, which require execute permission.
Use "cat >" to overwrite the destination file's contents while preserving its
metadata.

Reviewed by: bapt
Sponsored by: Dell Technologies
Differential Revision: https://reviews.freebsd.org/D7817

MFC r302674:

META_MODE: Don't require filemon(4) for mergemaster(8)/etcupdate(8)

Approved by: re (gjb)

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Merge ^/user/ngie/release-pkg-fix-tests to unbreak how test files are installed
after r298107

Summary of changes:

- Replace all instances of FILES/TESTS with ${PACKAGE}FILES. This ensures that
namespacing is kept with FILES appropriately, and that this shouldn't need
to be repeated if the namespace changes -- only the definition of PACKAGE
needs to be changed
- Allow PACKAGE to be overridden by callers instead of forcing it to always be
`tests`. In the event we get to the point where things can be split up
enough in the base system, it would make more sense to group the tests
with the blocks they're a part of, e.g. byacc with byacc-tests, etc
- Remove PACKAGE definitions where possible, i.e. where FILES wasn't used
previously.
- Remove unnecessary TESTSPACKAGE definitions; this has been elided into
bsd.tests.mk
- Remove unnecessary BINDIRs used previously with ${PACKAGE}FILES;
${PACKAGE}FILESDIR is now automatically defined in bsd.test.mk.
- Fix installation of files under data/ subdirectories in lib/libc/tests/hash
and lib/libc/tests/net/getaddrinfo
- Remove unnecessary .include <bsd.own.mk>s (some opportunistic cleanup)

Document the proposed changes in share/examples/tests/tests/... via examples
so it's clear that ${PACKAGES}FILES is the suggested way forward in terms of
replacing FILES. share/mk/bsd.README didn't seem like the appropriate method
of communicating that info.

MFC after: never probably
X-MFC with: r298107
PR: 209114
Relnotes: yes
Tested with: buildworld, installworld, checkworld; buildworld, packageworld
Sponsored by: EMC / Isilon Storage Division

Remove redundant word.

Reviewed by: bjk, bcr
Differential Revision: https://reviews.freebsd.org/D6064

Merge the projects/release-pkg branch to head.

This allows packaging the base system with pkg(8), including
but not limited to providing the ability to provide upstream
binary update possibilities for non-tier-1 architectures.

This merge is a requirement of the 11.0-RELEASE, and as such,
thank you to everyone that has tested the project branch.

Documentation in build(7) etc. is still somewhat sparse, but
updates to those parts will follow.

Sponsored by: The FreeBSD Foundation

Chase r296204 by renaming tzsetup(1) to tzsetup(8) in the tests

MFC after: 3 days
X-MFC with: r296204
Sponsored by: EMC / Isilon Storage Division

DIRDEPS_BUILD: Connect MK_TESTS.

Sponsored by: EMC / Isilon Storage Division

tzsetup(1) -> tzsetup(8)

MFC after: 1 month
Sponsored by: The FreeBSD Foundation

Refactor the test/ Makefiles after recent changes to bsd.test.mk (r289158) and
netbsd-tests.test.mk (r289151)

- Eliminate explicit OBJTOP/SRCTOP setting
- Convert all ad hoc NetBSD test integration over to netbsd-tests.test.mk
- Remove unnecessary TESTSDIR setting
- Use SRCTOP where possible for clarity

MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Divison

Document the post-merge actions of calling tzsetup(8) and services_mkdb(8)
added in r259134.

MFC after: 3 days

Add META_MODE support.

Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision: D2796
Reviewed by: brooks imp

Reassign copyright statements on several files from Advanced
Computing Technologies LLC to Hudson River Trading LLC.

Approved by: Hudson River Trading LLC (who owns ACT LLC)
MFC after: 1 week

Rework the EXAMPLES section to be a bit clearer.
- Add an example of using etcupdate diff.
- Create a subsection on bootstrapping that is below the simple
examples. This should make it clearer that 'etcupdate extract' is
a one-time operation and not part of the common workflow. It also
adds more suggestions on when bootstrapping is needed and additional
steps to make future merges simpler.

Reviewed by: adrian
MFC after: 3 days

use .Mt to mark up email addresses consistently (part2)

PR: 191174
Submitted by: Franco Fichtner <franco@lastsummer.de>

Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.

Migrate tools/regression/{usr.bin/lastcomm,usr.sbin}/ to the new tests layout.

This change was originally going to only migrate the usr.sbin tests but, as
it turns out, the usr.sbin/sa/ tests require files from usr.bin/lastcomm/
so it's better to just also migrate the latter at the same time. The other
usr.bin tests will be moved separately.

To make these tests work within the test suite, some of them have required
changes to prevent modifying the source directory and instead just rely on
the current directory for file manipulation.

Generate /var/db/services.db during 'make distribution' so that it is
present during new installs. Update etcupdate and mergemaster to
ignore the generated file.

Tested by: gjb (release build)
MFC after: 1 month

- Refresh /etc/localtime after each update using tzsetup -r.
- Regenerate /var/db/services.db when /etc/services changes.

MFC after: 1 week

Fix a couple of issues with -F:
- Fix ALWAYS_INSTALL to take precedence over the FreeBSD ID checks.
In particular, always install a file where the only change was
the FreeBSD ID even if -F is specified.
- Fix the -F option in the case that the only upstream change is a
change in the FreeBSD ID and the local file is removed.
- Add tests for these two cases.

Escape a newline added in the previous commit when verifying the flags
passed to the build, diff, or status commands.

Add a pre-world mode of updating similar to the -p option that can be
passed to mergemaster. In this mode, only changes to /etc/master.passwd
and /etc/group are merged to /etc. In addition, it uses a temporary
tree to stage these changes rather than overwriting the existing
'current' and 'previous' trees so that a full update can be run after
a normal installworld has completed.

MFC after: 2 weeks

Sort option flags and fix the width of the options list. This is a purely
mechanical change, no content changes.

Add HISTORY section.

Minor mdoc, spelling and end of line whitespace fixes.

The etcupdate utility is a tool for managing updates to files that are
not updated as part of `make installworld' such as files in /etc. It
manages updates by doing a three-way merge of changes made to these files
against the local versions. It is also designed to minimize the amount
of user intervention with the goal of simplifying upgrades for clusters
of machines.

The primary difference from mergemaster is that etcupdate requires less
manual work. The primary difference from etcmerge is that etcupdate
updates files in-place similar to mergemaster rather than building a
separate /etc tree.

Requested by: obrien, kib, theraven, joeld (among others)