, Furthermore, last time we had a major Debian-specific certificate
verification issue, we discovered that Debian is not actually capable
of restoring previously-removed certificates without manual user
that even once these certificates are restored, users who have already
updated to the affected version of ca-certificates will suffer
permanently broken certificate verification unless they have found this
bug report and know to take manual intervention, because the
certificates will remain disabled locally.