SNIMissingWarning / InsecurePlatformWarning not fixable with pip 9.0 / 9.0.1 #4098

gpjt opened this Issue Nov 7, 2016 · 7 comments

@gpjt
gpjt commented Nov 7, 2016
  • Pip version: 9.0 and 9.0.1
  • Python version: 2.7.6
  • Operating System: Ubuntu

Description:

For various reasons we can't upgrade to Python 2.7.9 or higher. With pip 8.1.2, we (quite understandably) got the SNIMissingWarning / InsecurePlatformWarning errors when trying to install something. These were fixable by installing various security packages.

However, pip 9.0 and 9.0.1 are not fixed by running the same command.

What I've run:

The following log is from a fresh Ubuntu install, after a sudo apt-get update, a sudo apt-get upgrade, and a reboot.

ubuntu@ip-10-37-151-252:~$ python --version
Python 2.7.6
ubuntu@ip-10-37-151-252:~$ uname -a
Linux ip-10-37-151-252 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-10-37-151-252:~$ wget https://bootstrap.pypa.io/get-pip.py
--2016-11-07 14:10:19--  https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)... 151.101.32.175
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.32.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1595408 (1.5M) [text/x-python]
Saving to: ‘get-pip.py’

100%[====================================================================================================>] 1,595,408   --.-K/s   in 0.03s   

2016-11-07 14:10:19 (56.7 MB/s) - ‘get-pip.py’ saved [1595408/1595408]

ubuntu@ip-10-37-151-252:~$ sudo python get-pip.py 
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 597kB/s 
Collecting setuptools
  Downloading setuptools-28.8.0-py2.py3-none-any.whl (472kB)
    100% |████████████████████████████████| 481kB 1.6MB/s 
Collecting wheel
  Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
    100% |████████████████████████████████| 71kB 7.0MB/s 
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-9.0.1 setuptools-28.8.0 wheel-0.29.0
/tmp/tmpFhE2Zg/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
ubuntu@ip-10-37-151-252:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting aafigure
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading aafigure-0.5.tar.gz (49kB)
    100% |████████████████████████████████| 51kB 3.5MB/s 
Installing collected packages: aafigure
  Running setup.py install for aafigure ... done
Successfully installed aafigure-0.5
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$ sudo apt-get install build-essential python-dev libffi-dev libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:

[snip]

Setting up manpages-dev (3.54-1ubuntu1) ...
Setting up python2.7-dev (2.7.6-8ubuntu0.2) ...
Setting up python-dev (2.7.5-5ubuntu3) ...
Setting up libffi-dev:amd64 (3.1~rc1+r3.0.13-12ubuntu0.1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
ubuntu@ip-10-37-151-252:~$ sudo pip install urllib3[secure] pyOpenSSL cryptography idna certifi ndg-httpsclient pyasn1
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: urllib3[secure] in /usr/lib/python2.7/dist-packages
  urllib3 1.7.1 does not provide the extra 'secure'
Requirement already satisfied: pyOpenSSL in /usr/lib/python2.7/dist-packages
Collecting cryptography
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading cryptography-1.5.3.tar.gz (400kB)
    100% |████████████████████████████████| 409kB 1.7MB/s 
Collecting idna
  Downloading idna-2.1-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 5.9MB/s 
Collecting certifi
  Downloading certifi-2016.9.26-py2.py3-none-any.whl (377kB)
    100% |████████████████████████████████| 378kB 1.9MB/s 
Collecting ndg-httpsclient
  Downloading ndg_httpsclient-0.4.2.tar.gz
Collecting pyasn1
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Requirement already satisfied: six>=1.4.1 in /usr/lib/python2.7/dist-packages (from cryptography)
Requirement already satisfied: setuptools>=11.3 in /usr/local/lib/python2.7/dist-packages (from cryptography)
Collecting enum34 (from cryptography)
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting ipaddress (from cryptography)
  Downloading ipaddress-1.0.17-py2-none-any.whl
Collecting cffi>=1.4.1 (from cryptography)
  Downloading cffi-1.8.3-cp27-cp27mu-manylinux1_x86_64.whl (386kB)
    100% |████████████████████████████████| 389kB 1.8MB/s 
Collecting pycparser (from cffi>=1.4.1->cryptography)
  Downloading pycparser-2.17.tar.gz (231kB)
    100% |████████████████████████████████| 235kB 3.3MB/s 
Installing collected packages: idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, certifi, ndg-httpsclient
  Running setup.py install for pycparser ... done
  Running setup.py install for cryptography ... done
  Running setup.py install for ndg-httpsclient ... done
Successfully installed certifi-2016.9.26 cffi-1.8.3 cryptography-1.5.3 enum34-1.1.6 idna-2.1 ipaddress-1.0.17 ndg-httpsclient-0.4.2 pyasn1-0.1.9 pycparser-2.17
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: aafigure in /usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ubuntu@ip-10-37-151-252:~$ 
@gpjt
gpjt commented Nov 7, 2016

For comparison, here's a log on another fresh Ubuntu install showing that the errors go away when I install the various security packages if I'm using pip 8.1.2:

ubuntu@ip-10-165-77-50:~$ python --version
Python 2.7.6
ubuntu@ip-10-165-77-50:~$ uname -a
Linux ip-10-165-77-50 3.13.0-53-generic #89-Ubuntu SMP Wed May 20 10:34:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-10-165-77-50:~$ wget https://bootstrap.pypa.io/get-pip.py
--2016-11-07 14:31:24--  https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)... 151.101.32.175
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.32.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1595408 (1.5M) [text/x-python]
Saving to: ‘get-pip.py’

100%[====================================================================================================>] 1,595,408   --.-K/s   in 0.04s   

2016-11-07 14:31:24 (42.1 MB/s) - ‘get-pip.py’ saved [1595408/1595408]

ubuntu@ip-10-165-77-50:~$ sudo python get-pip.py 
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    100% |████████████████████████████████| 1.3MB 587kB/s 
Collecting setuptools
  Downloading setuptools-28.8.0-py2.py3-none-any.whl (472kB)
    100% |████████████████████████████████| 481kB 1.6MB/s 
Collecting wheel
  Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
    100% |████████████████████████████████| 71kB 6.6MB/s 
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-9.0.1 setuptools-28.8.0 wheel-0.29.0
/tmp/tmpifVzfU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
ubuntu@ip-10-165-77-50:~$ sudo pip install pip==8.1.2
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pip==8.1.2
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading pip-8.1.2-py2.py3-none-any.whl (1.2MB)
    100% |████████████████████████████████| 1.2MB 590kB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.1
    Uninstalling pip-9.0.1:
      Successfully uninstalled pip-9.0.1
Successfully installed pip-8.1.2
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ pip --version
pip 8.1.2 from /usr/local/lib/python2.7/dist-packages (python 2.7)
ubuntu@ip-10-165-77-50:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting aafigure
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading aafigure-0.5.tar.gz (49kB)
    100% |████████████████████████████████| 51kB 4.9MB/s 
Installing collected packages: aafigure
  Running setup.py install for aafigure ... done
Successfully installed aafigure-0.5
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo apt-get install build-essential python-dev libffi-dev libssl-dev
Reading package lists... Done
Building dependency tree       

[snip]

Setting up python2.7-dev (2.7.6-8ubuntu0.2) ...
Setting up python-dev (2.7.5-5ubuntu3) ...
Setting up libffi-dev:amd64 (3.1~rc1+r3.0.13-12ubuntu0.1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
ubuntu@ip-10-165-77-50:~$ sudo pip install urllib3[secure] pyOpenSSL cryptography idna certifi ndg-httpsclient pyasn1
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): urllib3[secure] in /usr/lib/python2.7/dist-packages
  urllib3 1.7.1 does not provide the extra 'secure'
Requirement already satisfied (use --upgrade to upgrade): pyOpenSSL in /usr/lib/python2.7/dist-packages
Collecting cryptography
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Downloading cryptography-1.5.3.tar.gz (400kB)
    100% |████████████████████████████████| 409kB 1.7MB/s 
Collecting idna
  Downloading idna-2.1-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 6.2MB/s 
Collecting certifi
  Downloading certifi-2016.9.26-py2.py3-none-any.whl (377kB)
    100% |████████████████████████████████| 378kB 1.8MB/s 
Collecting ndg-httpsclient
  Downloading ndg_httpsclient-0.4.2.tar.gz
Collecting pyasn1
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.1 in /usr/lib/python2.7/dist-packages (from cryptography)
Requirement already satisfied (use --upgrade to upgrade): setuptools>=11.3 in /usr/local/lib/python2.7/dist-packages (from cryptography)
Collecting enum34 (from cryptography)
  Downloading enum34-1.1.6-py2-none-any.whl
Collecting ipaddress (from cryptography)
  Downloading ipaddress-1.0.17-py2-none-any.whl
Collecting cffi>=1.4.1 (from cryptography)
  Downloading cffi-1.8.3-cp27-cp27mu-manylinux1_x86_64.whl (386kB)
    100% |████████████████████████████████| 389kB 1.8MB/s 
Collecting pycparser (from cffi>=1.4.1->cryptography)
  Downloading pycparser-2.17.tar.gz (231kB)
    100% |████████████████████████████████| 235kB 3.1MB/s 
Installing collected packages: idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, certifi, ndg-httpsclient
  Running setup.py install for pycparser ... done
  Running setup.py install for cryptography ... done
  Running setup.py install for ndg-httpsclient ... done
Successfully installed certifi-2016.9.26 cffi-1.8.3 cryptography-1.5.3 enum34-1.1.6 idna-2.1 ipaddress-1.0.17 ndg-httpsclient-0.4.2 pyasn1-0.1.9 pycparser-2.17
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install aafigure
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): aafigure in /usr/local/lib/python2.7/dist-packages
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install requests
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied (use --upgrade to upgrade): requests in /usr/lib/python2.7/dist-packages
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ sudo pip install pyladies
The directory '/home/ubuntu/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/ubuntu/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pyladies
  Downloading pyladies-2.0.4-py2.py3-none-any.whl (5.5MB)
    100% |████████████████████████████████| 5.5MB 132kB/s 
Collecting Sphinx (from pyladies)
  Downloading Sphinx-1.4.8-py2.py3-none-any.whl (1.6MB)
    100% |████████████████████████████████| 1.6MB 503kB/s 
Collecting sphinx-rtd-theme (from pyladies)
  Downloading sphinx_rtd_theme-0.1.9-py2-none-any.whl (693kB)
    100% |████████████████████████████████| 696kB 1.2MB/s 
Collecting Jinja2>=2.3 (from Sphinx->pyladies)
  Downloading Jinja2-2.8-py2.py3-none-any.whl (263kB)
    100% |████████████████████████████████| 266kB 4.0MB/s 
Collecting babel!=2.0,>=1.3 (from Sphinx->pyladies)
  Downloading Babel-2.3.4-py2.py3-none-any.whl (7.1MB)
    100% |████████████████████████████████| 7.1MB 106kB/s 
Collecting docutils>=0.11 (from Sphinx->pyladies)
Collecting alabaster<0.8,>=0.7 (from Sphinx->pyladies)
  Downloading alabaster-0.7.9-py2.py3-none-any.whl
Collecting snowballstemmer>=1.1 (from Sphinx->pyladies)
  Downloading snowballstemmer-1.2.1-py2.py3-none-any.whl (64kB)
    100% |████████████████████████████████| 71kB 7.0MB/s 
Collecting Pygments>=2.0 (from Sphinx->pyladies)
  Downloading Pygments-2.1.3-py2.py3-none-any.whl (755kB)
    100% |████████████████████████████████| 757kB 1.1MB/s 
Requirement already satisfied (use --upgrade to upgrade): six>=1.5 in /usr/lib/python2.7/dist-packages (from Sphinx->pyladies)
Collecting imagesize (from Sphinx->pyladies)
  Downloading imagesize-0.7.1-py2.py3-none-any.whl
Collecting MarkupSafe (from Jinja2>=2.3->Sphinx->pyladies)
Collecting pytz>=0a (from babel!=2.0,>=1.3->Sphinx->pyladies)
  Downloading pytz-2016.7-py2.py3-none-any.whl (480kB)
    100% |████████████████████████████████| 481kB 1.9MB/s 
Installing collected packages: MarkupSafe, Jinja2, pytz, babel, docutils, alabaster, snowballstemmer, Pygments, imagesize, Sphinx, sphinx-rtd-theme, pyladies
Successfully installed Jinja2-2.8 MarkupSafe-0.23 Pygments-2.1.3 Sphinx-1.4.8 alabaster-0.7.9 babel-2.3.4 docutils-0.12 imagesize-0.7.1 pyladies-2.0.4 pytz-2016.7 snowballstemmer-1.2.1 sphinx-rtd-theme-0.1.9
You are using pip version 8.1.2, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
ubuntu@ip-10-165-77-50:~$ 
@dstufft
Member
dstufft commented Nov 7, 2016

So this is a bit of a sticky issue. We've modified our bundled copies of the libraries so that they will not load any of the C libraries because on some OSs (particularly Windows) if pip imports the C library then it becomes impossible for pip to actually upgrade or uninstall that library (because importing locks the .dll from deletion). The downside of this is that it means you're stuck with what your Python is able to provide.

I see a few ways around this:

  1. Do nothing, let the warnings stand to try and push people to upgrade their Python to one that has a better SSL module.
  2. Disable the warnings completely, the warnings don't matter much for PyPI's own usage (although they could for non PyPI repositories) and just live with it.
  3. Adjust our disable of C libraries to only disable them on platforms where they cause problems (e.g. Windows).

If we pick (3) we'd still need to pick which of (1) or (2) we want to happen on platforms where our C libraries support is disabled.
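
An added diagnostic, not part of the original thread and not pip's or urllib3's own code: it models the behaviour described in the comment above, where the two warnings depend on what the interpreter's `ssl` module provides and pyOpenSSL only helps if the bundled HTTP stack is allowed to import C extensions. The `vendored_loads_c_extensions` flag and the stand-in classes are assumptions made for illustration.

```python
import ssl


class Py276Ssl(object):
    """Constructed stand-in for the ssl module of Python 2.7.6.

    It has neither SSLContext nor HAS_SNI; per the warning text in the
    logs, upgrading to a newer Python is what supplies them.
    """


class ModernSsl(object):
    """Constructed stand-in for an ssl module with a real SSLContext and SNI."""
    SSLContext = object
    HAS_SNI = True


def predict_tls_warnings(ssl_module=ssl, pyopenssl_installed=False,
                         vendored_loads_c_extensions=False):
    """Return the urllib3 warning names expected on this platform.

    ssl_module                   -- module-like object to inspect
    pyopenssl_installed          -- whether the "security packages" are present
    vendored_loads_c_extensions  -- assumption: False models pip 9.0/9.0.1 as
                                    described in the thread, True models 8.1.2
    """
    # If the HTTP stack may import pyOpenSSL, it replaces the stdlib TLS
    # path entirely, so the stdlib's gaps no longer matter.
    if pyopenssl_installed and vendored_loads_c_extensions:
        return []

    expected = []
    # No SNI: the server may present a certificate for the wrong hostname.
    if not getattr(ssl_module, "HAS_SNI", False):
        expected.append("SNIMissingWarning")
    # No SSLContext: protocol and cipher options cannot be configured properly.
    if not hasattr(ssl_module, "SSLContext"):
        expected.append("InsecurePlatformWarning")
    return expected


def scenarios():
    """Evaluate the cases discussed in the thread against the stand-ins."""
    return {
        "py2.7.6, no security packages": predict_tls_warnings(Py276Ssl),
        "py2.7.6, packages, pip 8.1.2": predict_tls_warnings(
            Py276Ssl, pyopenssl_installed=True,
            vendored_loads_c_extensions=True),
        "py2.7.6, packages, pip 9.0.1": predict_tls_warnings(
            Py276Ssl, pyopenssl_installed=True,
            vendored_loads_c_extensions=False),
        "newer python, no packages": predict_tls_warnings(ModernSsl),
    }


if __name__ == "__main__":
    for name, warnings_expected in sorted(scenarios().items()):
        print("%-32s %s" % (name, ", ".join(warnings_expected) or "none"))
    # The interpreter actually running this script:
    print("%-32s %s" % ("this interpreter",
                        ", ".join(predict_tls_warnings()) or "none"))
```

Calling `predict_tls_warnings()` with no arguments inspects the real `ssl` module of the interpreter that runs it, which is the quickest way to tell whether a given host is in the situation reported here.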

@gpjt
gpjt commented Nov 7, 2016

Heh, I was just poking around in the codebase and was about to point to your commit at cab0177, which I assume is the change that you're referring to.

From our perspective (PythonAnywhere PaaS), while we really do want to upgrade our default system Python 2.7 to something more recent, it's really hard in the short term because people have (e.g.) --user-installed packages and virtualenvs which would be broken if we did that. Basically, a coordination exercise with tens of thousands of participants. I fully appreciate that's our problem, not yours! But I imagine there are other larger-scale installs with the same problem.

FWIW I'd personally vote for #3, with #1 for Windows etc.

@gpjt
gpjt commented Nov 7, 2016

One thing I would definitely suggest, though, if you don't disable the warnings completely, is that you change them. Right now pip is printing out (thanks to urllib3) messages like

/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

...which is telling people to go to a page that tells them to install something, and installing that thing doesn't fix the problem. That's bound to lead to confusion.

@mattlong

I am in a very similar situation to @gpjt where it is not all that easy to coordinate an update to a newer version of Python for all of our users. I agree that solutions (3) and (1) seem like the way to go along with a change in the warning message shown to more accurately reflect the situation. In my opinion, reducing the security across all platforms for the sake of the lowest common denominator seems like the wrong way to go.

@mattlong
mattlong commented Nov 29, 2016 edited

To help other folks hitting this same issue, I thought I was going crazy since we are indeed pinning pip==8.1.2 on the host OS (Ubuntu). I only just discovered that creating a virtualenv doesn't attempt to match the version of pip that is on the host but goes ahead and uses the newest version of pip available (currently 9.0.1), thus reintroducing what had been a solved issue. I'm not suggesting this part in particular is anything the pip maintainers need to address, just a heads up for others trying to debug their setups.

@dstufft
Member
dstufft commented Nov 29, 2016

If someone makes a PR for (1) and (3) I would be happy to accept it, otherwise I'll try to get to it myself.

@dstufft dstufft added this to the 9.1 milestone Nov 29, 2016