I guess everyone's aware that the Symantec certs are being distrusted and by now it should be safe to remove them, as major browsers start showing warnings. (I saw we had a previous bug on this in #613714, but the changes have been reverted.) This will eventually happen automatically, as we use Debian ca-certificates as upstream which takes the data from nss which eventually will remove it. But we may want to do things faster than that. (I reported this to Debian as well). It also needs some careful checking, as there are various brands (Thawte, Geotrust, Verisign) that are owned by Symantec, yet there are also roots from that brands that got sold to other companies and are not part of the distrust.
Won't happen before distrusted in Mozilla and Chrome but both vendors stepped away from their timeline: https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/ and even Google pushed back from initial plan to distrust Symantec in v70 for same reason.
Debian's just released ca-certificates package 20200601 removes the old symantec certs, so this should be done by the next bump.
It's not yet on the mirrors.
Completed now in ca-certificates-20200601.3.53