[Distutils] Mac users, upgrade to pip 9.0.3 (due to TLS deprecation)

Sumana Harihareswara sh at changeset.nyc
Mon Apr 2 16:48:31 EDT 2018


Mac users who use pip and PyPI:

If you are running macOS/OS X version 10.12 or older, then you ought to
upgrade to the latest pip (9.0.3) to connect to the Python Package Index
securely:

    curl https://bootstrap.pypa.io/get-pip.py | python

and we recommend you do that by April 8th.

Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS <
10.13. Official release notes: https://pip.pypa.io/en/stable/news/

Context:

As PSF blogged last year
(https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html),
on June 30, 2018, Python.org sites are going to entirely stop
supporting TLS versions 1.0 and 1.1, because our CDN provider is
deprecating support for those versions.

We are launching the new PyPI (in beta at https://pypi.org) this month
and replacing the legacy PyPI (https://pypi.python.org). Here's the beta
announcement for the new PyPI:
https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html

Warehouse, the codebase for the new PyPI, does not support TLS 1.0 or 1.1.

As of late March, the Python Package Index has started doing brownouts
of the deprecated TLS versions. For some portion of each hour, anyone
attempting to access PyPI with TLSv1.0 or TLSv1.1 will get a 403
response with an informative error. We are ramping up the amount of time
the endpoint is down for the deprecated TLS versions, and plan to make
the endpoint 100% unavailable (for the deprecated TLS versions) on and
after April 8th, prior to the final deadline. That gives us a few months
where, when someone tries to "pip install", we can give a good error message
-- once June 30th hits, it will just be an uninformative OpenSSL error.

More info:

* https://github.com/pypa/warehouse/issues/3293
* https://github.com/pypa/warehouse/issues/3411
* https://status.python.org/incidents/btjtz01lzp88

If you have problems accessing PyPI, upgrading pip, etc., please file an
issue at https://github.com/pypa/packaging-problems/issues/ and we'll
help figure it out.

Thank you. Please publicize this. (I'm about to cross-post this to
python-list/comp.lang.python.)

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
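
Added example (not part of the original message or of pip): a check for whether a Python interpreter's own ssl module can negotiate TLS 1.2, which is what the brownouts described above require. It assumes the fact that TLS 1.2 first shipped in OpenSSL 1.0.1; the function names and the sample version strings are constructed for illustration.

```python
import re
import ssl

# TLS 1.2 was first implemented in OpenSSL 1.0.1.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def parse_ssl_library(version_string):
    """Split an ssl.OPENSSL_VERSION-style string into (library, (major, minor, fix))."""
    match = _VERSION_RE.match(version_string.strip())
    if match is None:
        raise ValueError("unrecognised TLS library string: %r" % version_string)
    return match.group(1), tuple(int(part) for part in match.group(2, 3, 4))


def library_supports_tls12(version_string):
    """True if the named TLS library build is new enough to negotiate TLS 1.2."""
    library, version = parse_ssl_library(version_string)
    if library == "LibreSSL":
        # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
        return True
    return version >= MIN_OPENSSL_FOR_TLS12


def interpreter_supports_tls12():
    """Check the running interpreter's ssl module rather than a sample string."""
    has_constant = hasattr(ssl, "PROTOCOL_TLSv1_2")
    try:
        return has_constant and library_supports_tls12(ssl.OPENSSL_VERSION)
    except ValueError:
        # Unknown TLS library name: fall back to the module constant alone.
        return has_constant


# Constructed sample strings in the format ssl.OPENSSL_VERSION uses.
SAMPLES = [
    "OpenSSL 0.9.8zh 14 Jan 2016",
    "OpenSSL 1.0.2n  7 Dec 2017",
    "LibreSSL 2.2.7",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "TLS 1.2 ok" if library_supports_tls12(sample) else "TLS 1.0 only"
        print("%-30s %s" % (sample, verdict))
    print("this interpreter (%s): %s"
          % (ssl.OPENSSL_VERSION, interpreter_supports_tls12()))
```

Run it with the same interpreter that pip uses; a False result for "this interpreter" means that Python's ssl module cannot meet the TLS 1.2 requirement on its own.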

