[Python-Dev] pip SSL

Nick Coghlan ncoghlan at gmail.com
Sun Oct 20 03:51:05 CEST 2013


On 20 Oct 2013 06:14, "Glenn Linderman" <v+python at g.nevcal.com> wrote:
>
> On 10/19/2013 12:46 PM, Ian Cordasco wrote:
>>
>> Also the three of us maintaining requests and the author of urllib3
>> are all very conscious that the packaged pem file is outdated. We have
>> an open issue about how to rebuild it accurately while taking into
>> consideration (and not including) the ones that have been revoked. Any
>> suggestions you have can be sent to me off list or reported on the
>> issue tracker.
>
> Is this another issue like the time zone database? Something that needs
> to be packaged with some versions of Python, but that needs a mechanism to
> update it later for accuracy (which, in this case, also implies security)?
>
> Could a similar mechanism be used for both?

Once pip is installed, then "pip install --upgrade pip" will update it.
This request was about getting the *current* state reviewed prior to the
pip 1.5 release, since 1.5 is the version likely to be provided by
"ensurepip" in CPython 3.4.

As Donald noted, the fact pip uses requests internally is actually a benefit
for the broader Python ecosystem, since it means fixing the cert management
and verification for pip (by fixing requests and updating the bundled
version) will fix them for a lot of other projects as well.

Cheers,
Nick.
