`publicsuffix` library is out of date

[lgarron]

Today marks the second time I've received a submission that was rejected because the Go public suffix package was out of date.

We could:

• Try to get the Go package to update more regularly.
• Regenerate the local PSL data before running or deploying. (Requires regenerating Go source code? The documentation doesn't have a dynamic way to get the latest list.)

[nigeltao]

Relevant discussion on the golang-dev mailing list: https://groups.google.com/d/topic/golang-dev/M2m31d1PUqI/discussion

[nharper]

From reading that thread, we might want to consider using https://github.com/weppos/publicsuffix-go, which is updated more frequently.

[lgarron]

From reading that thread, we might want to consider using https://github.com/weppos/publicsuffix-go, which is updated more frequently.

Do you know the Google policy on referencing a third-party library like that, from a project like this? Safest would be to vendor it in the repo (under /third_party, but then we still have to manually update something that is causing problems because it's not automatically updated. :-/

[bwbroersma]

Checking gov.nl on hstspreload.com currently gives an "Error: Cannot connect using TLS" instead of the expected "Error: Domain is a TLD or public suffix".

gov.nl was added in May 2022 to the Public Suffix List (PSL).

However it seems this package references: https://github.com/chromium/hstspreload/blob/36bacd67a2db661852c06af613a49aeae392e0ef/go.mod#L5 And that has the PSL: https://github.com/golang/net/blob/a33c5aa5df48/publicsuffix/table.go#L5

publicsuffix.org's public_suffix_list.dat, git revision 3c213aab32b3c014f171b1673d4ce9b5cd72bf1c (2021-11-26T23:05:53Z)

[lgarron]

Indeed, it would be worth updating that package. However, if you're responsible for gov.nl and want to preload, you'll have to send an email to be manually added, even if the PSL package is updated: https://hstspreload.org/?domain=gov.nl#tld