[Python-Dev] pip SSL

Nick Coghlan ncoghlan at gmail.com
Sun Oct 20 06:32:33 CEST 2013


On 20 October 2013 05:46, Ian Cordasco <graffatcolmingov at gmail.com> wrote:
> Also the three of us maintaining requests and the author of urllib3
> are all very conscious that the packaged pem file is outdated. We have
> an open issue about how to rebuild it accurately while taking into
> consideration (and not including) the ones that have been revoked. Any
> suggestions you have can be sent to me off list or reported on the
> issue tracker.

The requests issue Ian is referring to:
https://github.com/kennethreitz/requests/issues/1659

The next version of PEP 453 will include getting this resolved as part
of the integration timeline:

========================
* by December 29th (1 week prior to the scheduled date of 3.4.0 beta 2)

  ``requests`` certificate management issue resolved
  ``ensurepip`` updated to the final release of pip 1.5, or a subsequent
  maintenance release (including a suitably updated vendored copy of
  ``requests``)
========================

And also mentions it under the "security considerations" section for
the bootstrapping mechanism:

========================
Only users that choose to use ``pip`` to communicate with PyPI will
need to pay attention to the additional security considerations that come
with doing so.

However, the core CPython team will also assist with reviewing and
resolving the `certificate update management issue
<https://github.com/kennethreitz/requests/issues/1659>`__ currently
affecting the ``requests`` project (and hence ``pip``).
========================

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

