On 20 Oct 2013 06:14, "Glenn Linderman" <v+python@g.nevcal.com> wrote:
> On 10/19/2013 12:46 PM, Ian Cordasco wrote:
>> Also the three of us maintaining requests and the author of urllib3
>> are all very conscious that the packaged pem file is outdated. We have
>> an open issue about how to rebuild it accurately while taking into
>> consideration (and not including) the ones that have been revoked. Any
>> suggestions you have can be sent to me off list or reported on the
>> issue tracker.
> Is this another issue like the time zone database? Something that needs to be packaged with some versions of Python, but that needs a mechanism to update it later for accuracy (which, in this case, also implies security)?
> Could a similar mechanism be used for both?

Once pip is installed, then "pip install --upgrade pip" will update it. This request was about getting the *current* state reviewed prior to the pip 1.5 release, since 1.5 is the version likely to be provided by "ensurepip" in CPython 3.4.

As Donald noted, the fact pip uses requests internally is actually a benefit for the broader Python ecosystem, since it means fixing the cert management and verification for pip (by fixing requests and updating the bundled version) will fix them for a lot of other projects as well.

