On 20 October 2013 05:46, Ian Cordasco
Also the three of us maintaining requests and the author of urllib3 are all very conscious that the packaged pem file is outdated. We have an open issue about how to rebuild it accurately while taking into consideration (and not including) the ones that have been revoked. Any suggestions you have can be sent to me off list or reported on the issue tracker.
The requests issue Ian is referring to:
https://github.com/kennethreitz/requests/issues/1659

The next version of PEP 453 will include getting this resolved as part of the integration timeline:

========================
* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2)

  * ``requests`` certificate management issue resolved
  * ``ensurepip`` updated to the final release of pip 1.5, or a
    subsequent maintenance release (including a suitably updated vendored
    copy of ``requests``)
========================

And also mentions it under the "security considerations" section for the bootstrapping mechanism:

========================
Only users that choose to use ``pip`` to communicate with PyPI will need to
pay attention to the additional security considerations that come with
doing so.

However, the core CPython team will also assist with reviewing and
resolving the `certificate update management issue
https://github.com/kennethreitz/requests/issues/1659`__ currently
affecting the ``requests`` project (and hence ``pip``).
========================

Regards,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia