caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:
- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \ certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \ certctl rehash
Certs can be easily examined after installation with certctl list, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs
No objection from: secteam
Relnotes: Definite maybe