Secure installation of pip #800

rasky opened this Issue Feb 10, 2013 · 3 comments

Currently, pip can be installed in several different ways:

  • Through easy_install from PyPI
  • Downloading it (through an HTTPS URL hosted on GitHub) and running it
  • Through an operating-system package manager
  • Through virtualenv, with the embedded sdist package
  • Through virtualenv, which invokes easy_install

We need to make sure that all paths to download pip always go through a secure, validated SSL connection and not through raw HTTP. So there is both a documentation and implementation issue here.

NOTE: since pip requires either setuptools or distribute, we need to make sure there is a secure way to install those as well.
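The property the issue asks for, that every download path for pip (and for setuptools/distribute) goes over a validated TLS connection rather than raw HTTP, can be enforced at the point where a bootstrap script is fetched. The following is an added example, not code from this issue, from pip or from virtualenv: it refuses any non-HTTPS URL, fetches with certificate and hostname verification via `ssl.create_default_context()` (Python 3.4+), and additionally pins a SHA-256 digest of the downloaded file. The URL `https://example.invalid/get-pip.py`, the `constructed_fetch` stand-in for a network fetch, and the installer bytes and their digest are all constructed for illustration; the digest check goes one step beyond what the issue requests, and a real digest must come from a trusted out-of-band source.

```python
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse

# Hypothetical installer URL; not a real pip release location.
GET_PIP_URL = "https://example.invalid/get-pip.py"

# Constructed stand-in for the installer script and its pinned digest.
CONSTRUCTED_INSTALLER = b"print('constructed get-pip stand-in')\n"
CONSTRUCTED_SHA256 = hashlib.sha256(CONSTRUCTED_INSTALLER).hexdigest()


def https_only(url):
    """True only for an https:// URL with a host; plain http, ftp and file are rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def default_fetch(url, timeout=30):
    """Fetch over TLS with certificate chain and hostname verification.

    ssl.create_default_context() loads the platform trust store and sets
    verify_mode=CERT_REQUIRED and check_hostname=True, so a self-signed or
    mismatched certificate makes urlopen raise instead of returning data.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def constructed_fetch(url):
    """Offline stand-in for default_fetch that returns the constructed installer."""
    return CONSTRUCTED_INSTALLER


def fetch_verified(url, expected_sha256, fetch=default_fetch):
    """Download url over validated HTTPS and check its SHA-256 before returning it.

    Raises ValueError for a non-HTTPS URL (checked before any network access)
    or when the downloaded bytes do not match the pinned digest.
    """
    if not https_only(url):
        raise ValueError("refusing non-HTTPS download: %s" % url)
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError("digest mismatch for %s: expected %s, got %s"
                         % (url, expected_sha256, digest))
    return data


def attempt(url, digest, fetch):
    """True if fetch_verified accepts the download, False if it refuses it."""
    try:
        fetch_verified(url, digest, fetch=fetch)
        return True
    except ValueError:
        return False


def demo():
    """Exercise the three cases: good download, tampered content, plain HTTP URL."""
    def tampered_fetch(url):
        # Constructed: the same file with a trailing line appended in transit.
        return CONSTRUCTED_INSTALLER + b"# appended on the wire\n"

    return {
        "good": attempt(GET_PIP_URL, CONSTRUCTED_SHA256, constructed_fetch),
        "tampered": attempt(GET_PIP_URL, CONSTRUCTED_SHA256, tampered_fetch),
        "plain_http": attempt("http://example.invalid/get-pip.py",
                              CONSTRUCTED_SHA256, constructed_fetch),
    }


if __name__ == "__main__":
    print(demo())
```

The scheme check runs before any fetch, so an `http://` URL never reaches the network; the digest check catches content that was served correctly over TLS but is not the file the operator expected, which TLS alone cannot detect.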

@rasky rasky referenced this issue Feb 10, 2013

Fix docs security #801


I have created issue 354 on distribute


I wish I knew how to submit a patch to GitHub from Eclipse, because fixing is easy:

  • install the latest pip version in a virtualenv
  • clone the git repository of pip, e.g. in /temp
  • run /temp/contrib/build-installer (a python script) in the virtualenv

The new will be in /temp/contrib

Python Packaging Authority member

All methods of installing pip are now as secure as we can make them without adding more features like package signing, which is outside the scope of this ticket.

@dstufft dstufft closed this Jan 29, 2014