Comment 65 for bug 2036873

> What is the goal of these tests? An independent check of the system CA contents sounds redundant and unhelpful.
> What would a future-proof version of this look like? (which doesn't mean you have to go run and implement it right this second, we're just discussing) Or does this indicate that some certs that are meaningful for Java programs would not be usable?

VerifyCACertificates tries to assert that cacerts truststore contents can be retrieved and match the expected values.
This assertion is covered by ca-certificates-java tests and is redundant. We can disable it in autopkgtest (work in progress).

sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java - fails to find a trust root and checks transition that already happened. This can be rewritten in a more generic way to check any other future root ca expiry.

javax/crypto/CryptoPermissions/InconsistentEntries.java - this one will need root permissions to write to the installation directory (it tries to set up custom crypto policy).