I had many long discussions with package and application maintainers on the topic of how to best provide data to the library. Arguably you need an up-to-date version of the list if you want to access the web securely today.
You can bundle a static version with the library. That's nice for developers, and users because it just works after "pip install", but will get out of date because library won't update as often as the list changes. Some distros like Debian provide their own mechanism for updating the list.
You can also download behind the scenes and cache. This way data is always up to date, but users don't like that apps call some web service on start-up and some people want to use the library off-line.
If you look at different libraries and apps, each one does it differently. Getting it right is hard. Things would be so much easier if this information would come decentralized from the DNS system.
There's a IETF WG working on this[1]. It's been a while since I checked on the progress, so this might not be up-to-date, but it was DNS-based, with a way to export to a static file like the PSL (I'd assume in order to avoid the performance impact of browsers having to wait for another DNS query to determine cookie scope, etc.)
It also feels a bit like a hack. Would there a be a better way to do this, maybe in the DNS system to denote ownership/isolation?
reply