x/crypto/x509roots/fallback: should not exclude roots with Distrust After dates #70777

Closed
@AGWA

Description

Due to https://github.com/golang/crypto/blob/7042ebcbe097f305ba3a93f9a22b4befa4b83d29/x509roots/gen_fallback_bundle.go#L129-L134, roots in the Mozilla trust store with Distrust After dates, such as Entrust, are being excluded from the fallback bundle, meaning certificates that Firefox would accept will be incorrectly rejected by Go programs which use x509roots/fallback. I believe this creates a compatibility risk for the WebPKI and the correct thing to do until #70623 is fixed is to include roots with constraints.

This does mean that Distrust After dates would be ignored, but the security value of Distrust After is practically nil due to backdating, and the real point of Distrust After is to pave the way for an uneventful root removal 398 days in the future.

(Apologies for not filing this sooner; when I did my review last month I unfortunately looked only at x509roots/nss/parser.go and missed the code in gen_fallback_bundle.go)

cc @rolandshoemaker @FiloSottile
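An added illustration, not code from golang/crypto, x509roots or the reporter: the Distrust After rule as Firefox applies it, reimplemented on top of crypto/x509 so the two behaviours the report contrasts can be run side by side. The root, leaf, the 2024-11-12 cutoff and the fixed clock are constructed for this example, and the function and map names are this example's own, not an API of x509roots or of #70623. Because the rule compares the root's cutoff with the NotBefore the CA wrote into the leaf, a backdated leaf is indistinguishable from a genuinely older one (the backdating point above), and with the constraint map left empty, which is what shipping the root unconstrained amounts to, the same post-cutoff leaf verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while building the constructed test fixtures below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert signs tmpl under parent with priv and parses the DER back into a certificate.
func newCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// mintChain builds a throw-away root CA and a server leaf with the given NotBefore.
// Names, dates and keys are constructed for this example; nothing here is a real WebPKI root.
func mintChain(leafNotBefore time.Time) (root, leaf *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root = newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leaf = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.Add(398 * 24 * time.Hour), // 398-day leaf lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// verifyWithDistrustAfter builds chains with crypto/x509, then drops any chain whose root
// has a Distrust After date (keyed by DER Subject) that the leaf's NotBefore does not precede.
// The rule trusts the NotBefore the CA wrote into the leaf, which is why backdating defeats it.
func verifyWithDistrustAfter(leaf *x509.Certificate, roots *x509.CertPool, distrustAfter map[string]time.Time, now time.Time) ([][]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return nil, err
	}
	var kept [][]*x509.Certificate
	for _, chain := range chains {
		root := chain[len(chain)-1]
		if cutoff, constrained := distrustAfter[string(root.RawSubject)]; constrained && !leaf.NotBefore.Before(cutoff) {
			continue
		}
		kept = append(kept, chain)
	}
	if len(kept) == 0 {
		return nil, fmt.Errorf("leaf NotBefore %s is not before the root's Distrust After date", leaf.NotBefore.Format(time.RFC3339))
	}
	return kept, nil
}

// Check returns nil when a leaf with the given NotBefore, under a root whose Distrust After
// date is cutoff, verifies at now, and the rejection reason otherwise. enforce=false ignores
// the constraint, which is what shipping the root without it in a bundle amounts to.
func Check(leafNotBefore, cutoff, now time.Time, enforce bool) error {
	root, leaf := mintChain(leafNotBefore)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	distrustAfter := map[string]time.Time{}
	if enforce {
		distrustAfter[string(root.RawSubject)] = cutoff
	}
	_, err := verifyWithDistrustAfter(leaf, pool, distrustAfter, now)
	return err
}

func main() {
	cutoff := time.Date(2024, 11, 12, 0, 0, 0, 0, time.UTC) // constructed date, not Mozilla's actual value
	now := time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)
	for _, enforce := range []bool{true, false} {
		err := Check(time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC), cutoff, now, enforce)
		fmt.Printf("leaf issued after cutoff, enforce=%v: accepted=%v (%v)\n", enforce, err == nil, err)
	}
}
```

The rule is applied after crypto/x509 has already built and validated the chain, so ordinary expiry and not-yet-valid failures surface first; only chains that would otherwise be accepted are filtered. A leaf minted today with a NotBefore set before the cutoff passes exactly like one genuinely issued earlier, which is the whole of the backdating caveat.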

Labels: FixPending (Issues that have a fix which has not yet been reviewed or submitted), NeedsFix (The path to resolution is known, but the work has not been done.)
Assignees: none
Development: no branches or pull requests