"JEP 319: Root Certificates" open-sourced the Oracle JDK Root Certificates and contributed them to the OpenJDK code base. But the certificates have been contributed in a binary format (Java Key Store, JKS) which is not particularly suitable for being maintained in a version control system like Mercurial because of several reasons:

 - we can not add a license and copyright to it
 - it is that it is hard to look inside the file to see what it provides
 - updates to the file will be opaque (we can only see that the file has been changed)
 - it's strange to maintain a security-relevant part of the OpenJDK in an opaque, binary blob

I'd therefor propose to store the certificates in text format (maybe PEM format (https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl), or the NSS format used by the Mozilla certdata.txt file (https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt)) and assemble the "cacerts" file from at build time from the text representation. The AdoptOpenJDK project has some instructions (https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security) on how they assemble their "cacerts" file from the Mozilla certificates which are stored in text format.

Storing the OpenJDK certificates in text format would also allow to simply merge them with additional user certificates provided at configuration/build time (i.e. with a configuration option like '--with-additional-certificates').

This whole topic has been discussed in the following mail thread:

http://mail.openjdk.java.net/pipermail/security-dev/2017-December/thread.html#16590