tls, lts: update root certs in v0.12?

[bnoordhuis]

The root certificates in the v0.10 and v0.12 branches were last updated in November 2013.

Do we want to update them? There is a non-zero chance it will break some deployments but on the flip side, outdated certificates are insecure and can lead to breakage too.

@nodejs/crypto @nodejs/lts

EDIT: s/November 2013/December 2014/ - author date for f9456a2 is November 2013 but commit date is December 2014 with a certdata.txt from the month before.

[silverwind]

There might be a questionable third option: Don't remove certs, just add additional ones.

[jasnell]

Not removing known outdated certs can lead to very real security issues. I'm in favor of this but we should communicate the change in advance of the release.

[silverwind]

Yeah, may be best to mention the change beforehand in the next security communication and just update them.

[jasnell]

given that it is unlikely that we will be cutting a new v0.10 before EOL I'm going to pull the v0.10 label off this. We need to decide still if this is something we're going to do for v0.12

[rvagg]

+1 for 0.12

[sam-github]

If you want it, I PRed an update for 0.12.

[sam-github]

Reactions to #10261 show a lack of interest in this, its too disruptive for a final release before end-of-lifeing 0.12