PIP under Debian wheezy don't work with "HTTP Error 403: SSL is required" #4817
Comments
|
That version of pip is ancient. You should upgrade to the latest version. If it's the pip supplied with your OS, use your OS tools to get a newer version of pip. If your OS vendor doesn't provide a newer version, then you can use |
|
It's really weird, because Wheezy end-of-life is planned at May 2018 |
|
It's old, the current debian stable is 9, and you have 7. That one is still supported but I presume only bad security issues. Newer debian stable releases have a backports repo, where you can find some newer software compiled with the older libraries. |
|
Unfortunally, I have this version deployed at prod, so, I can't upgrade ASAP. |
|
It's the final stage of a security fix that we've been implementing for a while now. HTTP access to PyPI is inherently insecure. For a long time we've been telling people to change, and we've been redirecting HTTP access to HTTPS as a stopgap to help people who need time to make that change (there's still security risks with redirection, which is why it's not an acceptable permanent solution). We've now finally switched off the redirects, because people have had plenty of time. Unfortunately, we know there's some people who haven't made the change, relying on the redirects, but there's not much we can do about that. IMO, Debian should either have provided an upgrade path to newer versions of pip some time ago, or if they decided they didn't want to introduce the new functionality that would include, then they should have patched their version of the code to use HTTPS, and maintained that as a local security fix. |
|
You could download needed files locally, store them on the server and use |
|
Thanks for detailed answer. |
|
To be clear here, the security implication is that anyone in a position to MITM your connection to PyPI can execute arbitrary Python code on the machine that you're running You can work around this by simply updating pip to use the HTTPS URL, such as I'm going to go ahead and close this, since there's nothing actionable here for us to do. |
The older python versions only ship with an old version of pip. Since some days SSL is required for downloading from pypi. We have to specify this explicitly because the older pip version only try http by default. (pypa/pip#4817)
|
Thanks for @dstufft , I can setup the Ansible 2.4.1 on Debian 7, now. |
Fix is taken from https://github.com/solettaproject/meta-soletta with commit-id bc7c4c09c80ec3da41cab38badfe2e1ef0ae6669. SRC_URI now defaults to use SSL as the redirection of http to https is now officially disabled as a result of security fix from PyPI developer. The link to the issue: pypa/pip#4817 Signed-off-by: Chong Yi Chai <chong.yi.chai@intel.com>
Fix is taken from https://github.com/solettaproject/meta-soletta with commit-id bc7c4c09c80ec3da41cab38badfe2e1ef0ae6669. SRC_URI now defaults to use SSL as the redirection of http to https is now officially disabled as a result of security fix from PyPI developer. The link to the issue: pypa/pip#4817 Signed-off-by: Chong Yi Chai <chong.yi.chai@intel.com>
|
Got a same error when installing ansible with pip.
$ pip install -v ansible
Collecting ansible
1 location(s) to search for versions of ansible:
* http://pypi.python.org/simple/ansible/
Getting page http://pypi.python.org/simple/ansible/
Starting new HTTP connection (1): pypi.python.org
"GET /simple/ansible/ HTTP/1.1" 403 16
Could not fetch URL http://pypi.python.org/simple/ansible/: 403 Client Error: SSL is required for url: http://pypi.python.org/simple/ansible/ - skipping
Could not find a version that satisfies the requirement ansible (from versions: )
Cleaning up...
No matching distribution found for ansible
Exception information:
Traceback (most recent call last):
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/commands/install.py", line 324, in run
requirement_set.prepare_files(finder)
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 380, in prepare_files
ignore_dependencies=self.ignore_dependencies))
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 554, in _prepare_file
require_hashes
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_install.py", line 278, in populate_link
self.link = finder.find_requirement(self, upgrade)
File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/index.py", line 514, in find_requirement
'No matching distribution found for %s' % req
pip.exceptions.DistributionNotFound: No matching distribution found for ansible |
|
Check your pip's configuration: https://pip.pypa.io/en/stable/user_guide/#configuration and see if you've overridden the index pip uses. |
|
Sorry for bothering you. Got it. Or pip.conf [global]
timeout = 60
index-url = https://pypi.python.org/simple |
|
I had the same issue, and was also accused of changing settings.
Creating a config file doesn't stop me getting the same error. |
|
You can manually update pip on wheezy per https://pip.pypa.io/en/stable/installing/#installing-with-get-pip-py I needed to install python-dateutil for my PI-TIMOLO project and it was failing on wheezy due to ssl problem. I was able to update pip to the latest version on my Raspberry Pi running Raspbian Wheezy per commands above. Now pip does the installs OK without ssl failure. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
lock
bot
added
the
auto-locked
Description:
Tried with clean wheezy env (cmd down).
Any pip command now fails. :(
Is there any known workaround?
What I've run:
The text was updated successfully, but these errors were encountered: