Currently, pip can be installed in several different ways:
We need to make sure that all paths to download pip always go through a secure, validated SSL connection and not through raw HTTP. So there is both a documentation and implementation issue here.
NOTE: since pip requires either setuptools or distribute, we need to make sure there is a secure way to install those as well.
I have created issue 354 on distribute
I wish i knew how to submit a patch to github from eclipse, because fixing get-pip.py is easy:
The new get-pip.py will be in /temp/contrib
All methods of installing pip are now as secure as we can make them without adding more features like packaging signing which is outside of the scope of this ticket.