[Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)

Matthew Brett matthew.brett at gmail.com
Fri Apr 6 19:13:47 EDT 2018


Hi,

On Fri, Apr 6, 2018 at 7:02 PM, Sumana Harihareswara <sh at changeset.nyc> wrote:
> Matthew,
>
> Thank you for your detailed explanations and thoughts here and in
> https://groups.google.com/forum/m/#!topic/pypa-dev/Oz6SGA7gefo .
>
> I am not a Mac user and am fairly new to the Python packaging/distribution world, so this may be naive and unrealistic verging on ridiculous, but: is there anything we could ask Apple to do to help with this situation?
>
> Our upstream CDN (Fastly) is extremely unlikely to change their June 30th TLS 1.0/1.1 removal date, which would (I imagine) affect a ton of people on older Mac OS versions who do not even use PyPI.

Sorry, I'm afraid I set off the discussion in the pypa thread you
pointed to above.

Reporting back here, for those not on the pypa-dev Google group - it
looks like the TLS 1.0 shutdown is being driven by the Warehouse
release, which I believe is planned for the 16th of April (Warehouse
can't use TLS 1.0).  In practice, there is no way of giving the users
a better or more visible warning message than the message we are
currently getting from using the -v flag.  I'm arguing over in that
thread that it would be better to give up on the -v flag warning, and
go straight to an SSL error (which has an uninformative message - see
[1]), because the current situation, where pip silently fails to
upgrade, including failing to upgrade itself, is more confusing than
the SSL error.  Do people agree / disagree?

Cheers,

Matthew

[1] https://github.com/pypa/warehouse/issues/3293#issuecomment-378480462

