Discussion: Should we cherry-pick cacert updates before branching?

[adamfarley]

Should we cherry pick cacerts updates that occur in the master branch between the branching for the dry-run and the final GA builds?
OpenJ9 noticed an issue where there ones were different from ours because they are not currently basing things from our release branches.
References:

• Slack thread: https://adoptium.slack.com/archives/C09NW3L2J/p1738169329374839
• OpenJ9 issue with investigation/details: jdk_security3_0 FAILED sun/security/ssl/X509TrustManagerImpl/Entrust/Distrust.java ValidatorException: No trusted certificate eclipse-openj9/openj9#21027
• PR which did the update in temurin-build/master: Update CA Certs #4105

Originally posted by @sxa in #64

[sxa]

My 2¢ on the subject - it would be preferable to use the closest to the GA to be as up to date as is practical at the time we ship (since we would typically not refresh a release just for a cacerts update so I would rather cherry pick.
The docs should be updated if we start doing this to indicate that the cherry pick should be done on the day before release (or maybe on the Tuesday and ideally run one build job though to ensure the new file doesn't cause any failures.