Comment 3 for bug 295266

@James: Nope, ca-certificates doesn't have to be changed, I didn't know that it already is modular enough. If you know how to remove a package from this bug, please do so with ca-certificates :)

And nope, it can't just use the list in /etc/ssl/certs because it uses an own ini-styled ca-"bundle". So I guess the easiest way to implement this is to create an extra package ca-certificates-kde (based on ca-certificates-java) which generates this list, put the default list from kde4libs into an extra package and make kde4libs-data depend on (kde4libs-data-cacerts || ca-certificates-kde). Oh, and maybe make those two packages conflict with each other. Sounds like a plan?