> a blacklist is less work than a whitelist
No, it isn't. It's so much more tremendously difficult that I don't think it
can reasonably be done that way. Do you have any idea how much software is in
PyPI? There is no requirement for any package to use any trove classifier, or
to list any license. So checking these would not be enough. You would have to
manually check every other package for the license to see if it needs to go
on the blacklist. And as new software gets uploaded, you would have to keep
doing this. Any package not getting caught would completely undermine your
efforts.
If you instead just whitelist based on classifiers, and possibly secondarily
by recognizing particular license strings, you wouldn't need to worry about
it. A package being wrongly assumed to be proprietary because it doesn't have
a proper classifier on it wouldn't be a disaster.
> The Linux Libre kernel blacklists non-free bits, so why can't our custom pip?
Apples and oranges, my friend. PyPI is a software repository containing some
proprietary software, not a program with blobs in it.