Thanks very much for your work on this.
There are a couple of issues which I think should be addressed in the README of this project.
Security risk posed by lack of post release updates
The README should highlight that the trusted certificate list that is generated is only updated each time a new build is released, so any certificates revoked on security grounds, or added after the fact, will not be present. It seems fairly obvious, but given that this is a genuine security risk depending on the use case, it should be noted at the very start of the README.
In Mozilla's blog post (https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/), they state that Firefox does continual background updating to remove revoked certificates and add new ones.
This issue is beyond the scope of this project right now, but your users really should be notified of the risks if they stop regularly building and deploying their code, especially if their programs are used outside of controlled environments (i.e. anything that accesses the internet).
Source and Host of the data
As @nake89 suggests in #1, you should clarify the source and host for the certificates that are being pulled in. It is correct but non-obvious, as the URLs and host company are not mentioned anywhere in the README.
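A practical check for the staleness problem raised above, added here as an example and not code from the project this issue is filed against or from the issue author: it diffs the PEM bundle frozen into a build against a freshly fetched list by SHA-256 fingerprint, so roots that have since been dropped (possibly distrusted) stand out, and it flags a bundle older than a chosen threshold. Everything is standard library. The sample bundles, the dates and the 90-day limit are constructed assumptions; the base64 bodies are arbitrary bytes rather than real certificates so the script runs offline. In practice you would point it at the real bundled file and a freshly downloaded copy from the same upstream source.

```python
"""Check a trust bundle that was generated at build time against a current list.

Added example, stdlib only. Sample data below is constructed: the PEM
bodies are placeholder bytes, not real X.509 certificates.
"""
import base64
import hashlib
import re
from datetime import date

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint_of(der: bytes) -> str:
    """SHA-256 of the DER bytes, hex; the usual key for a root in a trust store."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprints(bundle: str) -> set[str]:
    """Reduce every certificate block in a PEM bundle to its fingerprint."""
    fps = set()
    for m in PEM_BLOCK.finditer(bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.add(fingerprint_of(der))
    return fps


def diff_bundles(bundled: str, current: str) -> tuple[list[str], list[str]]:
    """(removed, added): removed = shipped in the build but gone from the
    current list; added = in the current list but not yet shipped."""
    old, new = pem_fingerprints(bundled), pem_fingerprints(current)
    return sorted(old - new), sorted(new - old)


def bundle_age_days(built_iso: str, today_iso: str) -> int:
    """Days since the bundle was generated (ISO dates, e.g. '2020-11-13')."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(built_iso)).days


def report(bundled: str, current: str, built_iso: str, today_iso: str,
           max_age_days: int = 90) -> list[str]:
    """Warnings for a build's bundle; an empty list means it looks current.
    max_age_days is an assumed policy value, not anything the project defines."""
    warnings = []
    age = bundle_age_days(built_iso, today_iso)
    if age > max_age_days:
        warnings.append(f"bundle is {age} days old (limit {max_age_days}); rebuild")
    removed, added = diff_bundles(bundled, current)
    for fp in removed:
        warnings.append(f"root {fp[:16]}... no longer in current list; may be distrusted")
    for fp in added:
        warnings.append(f"root {fp[:16]}... missing from build; sites chaining to it will fail")
    return warnings


def _placeholder_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate block; NOT a real certificate."""
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: roots A and B were shipped at build time; since then
# B has been pulled from the upstream list and C has been added.
BUNDLED_AT_BUILD = _placeholder_pem(b"root-A") + _placeholder_pem(b"root-B")
CURRENT_LIST = _placeholder_pem(b"root-A") + _placeholder_pem(b"root-C")

if __name__ == "__main__":
    for line in report(BUNDLED_AT_BUILD, CURRENT_LIST, "2020-11-13", "2021-03-01"):
        print(line)
```

Run it in CI against the bundle your release actually ships and a copy fetched at test time; a non-empty report is the signal to cut a new build rather than keep serving a trust list that the upstream source has already moved on from.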