how to specify trusted hosts in windows config file

Chris Angelico rosuav at gmail.com
Tue Mar 31 06:37:20 EDT 2020


On Tue, Mar 31, 2020 at 8:51 PM <dcwhatthe at gmail.com> wrote:
>
> On Monday, March 30, 2020 at 5:36:00 PM UTC-4, Chris Angelico wrote:
> > On Tue, Mar 31, 2020 at 8:21 AM <dc> wrote:
> > >
> > > On Monday, March 30, 2020 at 2:49:55 PM UTC-4, Chris Angelico wrote:
> > > > On Tue, Mar 31, 2020 at 5:46 AM dc wrote:
> > > > >
> > > > > These are some of the command lines I've typed, and the results.  It looks like it's going to https://pypi.org.
> > > > >
> > > > > I have no idea whether that's correct, or not.
> > > > >
> > > > > I'm able to get past the Certificate error with other packages like requests.  But I just can't update pip.
> > > > >
> > > >
> > > > That is the correct domain name. The question is, does it translate to
> > > > the correct IP address? Try doing a DNS lookup and compare it to the
> > > > results I got.
> > > >
> > > > And, don't think in terms of *getting past the error*. Try to solve
> > > > the actual problem. The certificate error is protecting you against
> > > > installing a forged version of PIP.
> > > >
> > > > ChrisA
> > >
> > > For pypi.org alone, my dns lookup differs from yours:  151.101.128.223.
> > >
> > > Chris,
> > >
> > > Is there a way to just install pip manually, and bypass all this?  I mean, if we know we're downloading it from the appropriate ftp or git site, then doesn't that in itself avoid a faulty PIP version?
> > >
> >
> > Ahh, I think I see what's happening. Something's interfering with your
> > DNS - that's a Fastly IP address. I think the best solution would be
> > to undo or bypass whatever's messing with your network, and then
> > you'll be able to use pip normally without any sort of issues.
> >
> > ChrisA
>
> Which is what I thought I was trying to do.
>
> Why does the latest Python come with an earlier version of pip, to begin with?

Because the latest Python is older than the latest pip.

> Finally got it.  Damn, this was a nightmare:
>
> python get-pip.py --trusted-host pypi.org --trusted-host files.pythonhosted.org

What you just did was say "hey, I know that I'm being lied to about
where pypi.org is, but I'm going to pretend that it's perfect". Do you
REALLY trust it so much that you would ignore the protections of SSL
certificates? You just installed something onto your computer without
knowing that it's what it claims to be. For all you know, that could
be a forged version of pip that has anything at all in it.

It would be FAR better to actually fix the problem - change your DNS
settings so you actually get the true server.

ChrisA
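
Added example, not part of the original thread: the `--trusted-host` flags in the command above can also be made permanent in pip's config file (`pip.ini` on Windows), where they silently disable certificate checks for every later install. This sketch audits such a file for those entries and for plain-HTTP index URLs; the sample `pip.ini`, the mirror URL and the function name `find_tls_bypasses` are constructed for illustration.

```python
import configparser

# Constructed sample pip.ini (not from the thread): the persistent form of the
# --trusted-host flags used in the get-pip.py command above.
SAMPLE_PIP_INI = """\
[global]
trusted-host =
    pypi.org
    files.pythonhosted.org
timeout = 30

[install]
extra-index-url = http://mirror.example.internal/simple
"""

URL_OPTIONS = ("index-url", "extra-index-url")


def find_tls_bypasses(ini_text):
    """Return sorted (section, option, value) tuples that weaken TLS checks."""
    parser = configparser.RawConfigParser()
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        for option, raw in parser.items(section):
            # pip accepts several values per option, split on whitespace/newlines
            values = raw.split()
            if option == "trusted-host":
                # pip trusts each host listed here even without valid HTTPS
                findings += [(section, option, v) for v in values]
            elif option in URL_OPTIONS:
                # a plain-HTTP index has no certificate to verify at all
                findings += [(section, option, v) for v in values
                             if v.lower().startswith("http://")]
    return sorted(findings)


if __name__ == "__main__":
    for section, option, value in find_tls_bypasses(SAMPLE_PIP_INI):
        print(f"[{section}] {option} = {value}")
```

An empty result means the file leaves pip's default certificate verification in place for the configured indexes.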


More information about the Python-list mailing list