I don't think we should be maintaining our own set if at all possible, this
patch was created by creating a new keystore and inserting every certificate
from an Ubuntu system's Mozilla ca-certificates set:

rm -f ./src/security/truststore
for x in /usr/share/ca-certificates/mozilla/*.crt; do
	y=`basename -s .crt $x`
	keytool -import -storepass changeit -keystore ./src/security/truststore -alias $y -file $x -noprompt
done