Comment 35 for bug 1464064

>to trust any number of backdoored https CAs?

Just use HTTP Public Key Pinning. It is was killed by Let's Encrypt as an HTTP extension, but nothing prevents you from using a cert preloaded to the device as a package. Of course it may require some modificatikns to apt.