Package: ca-certificates Version: 20180409 I think most people are aware that browser vendors agreed to distrust certificates by Symantec and they no longer issue certificates (their business got sold to Digicert).
This should also be reflected in the ca-certificates package and the Symantec roots should be removed (particularly as this package is acting as a de-facto upstream for several other distros). This needs some checking which certificates exactly shall be removed. Symantec operated under various different brand names (Thawte, Geotrust, and they also owned the old Verisign roots), and some of their roots have changed the owner and are excluded from the distrust.