Documentation Update: Specify where to get a .PEM file for --cert option
#11574
Comments
I don’t think we’ll go very far with that, the maintenance overhead for the Python team would be simply too large.
I'm also uncomfortable with the idea of the pip team being responsible for distributing security certificates (or even directing people to specific ones). We don’t have the security expertise or bandwidth for that.
Is there a good way to source build pip and merge it into the python build tree? I'm imagining something like this:
Python <=3.9 are in security fix only mode, so newer releases of pip aren't included, but you could probably find the PRs to upgrade the bundled pip for later Python versions and backport them into your older Python source tree. That's likely to be the most practical solution.
OK, that solution works for me I guess. I find it a bit concerning that people are using random cert bundles from around the web, but if that's not something you want to support then bypassing TLS/SSL is probably the next best option for people.
I do too, but there's not much we can do about it if people won't get certs from a reputable source...
That's absolutely not a good option. Apart from the fact that bad advice seems endemic on the internet, along with people willing to follow it, why isn't "get a trusted cert bundle and use it via
The simple answer to this is "reputable certs are hard to find and harder for laymen to identify." That's why I made this ticket.
Fair enough. But in this context, the pip maintainers probably count as laymen, too, so you shouldn't trust us to find reputable certs for people 🙂
Should I try to work on this?
Sure, feel free.
What's the problem this feature will solve?
When building old versions of Python (3.7, 3.8, 3.9) the bundled pip3 version does not have the correct bundled certificates to get packages or updates from PyPI.org.
If you search the web, the recommended solution is to acquire the Mozilla certificate bundle from a third party and pass it in as an argument to
python3 -m pip install --upgrade --cert=path/to/cert.pem
This is bad security practice. More details here. There are many people complaining about SSL, want to disable it, etc. This would all be a lot less painful if the pip documents simply provided a root store that could be downloaded and used.
I'm not a security guy, and I don't know what all is involved, but if we need a .pem file to upgrade old versions of pip... shouldn't that be provided by PyPI or pip through their website?
Describe the solution you'd like
Embed instructions on how to obtain a cert for the --cert flag in the documentation here: Using a specific certificate store. Potentially add a link to this cert file in other locations.
This cert file would contain only the components needed to upgrade pip to its latest version. Subsequent use of pip could then use the cert information embedded in pip itself.
Alternative Solutions
The pip team could work with the python team to backport the pip certs into the older builds of python available through python.org.
Solutions that bypass TLS/SSL security should not be used for these reasons:
Additional context