Secure installation of pip #800

Closed
rasky opened this Issue Feb 10, 2013 · 3 comments


@rasky

Currently, pip can be installed in several different ways:

  • Through easy_install from PyPI
  • Downloading get-pip.py (through a HTTPS url hosted on github) and running it
  • Through an operating-system package manager
  • Through virtualenv, with the embedded sdist package
  • Through virtualenv, which invokes easy_install

We need to make sure that all paths to download pip always go through a secure, validated SSL connection and not through raw HTTP. So there is both a documentation and implementation issue here.

NOTE: since pip requires either setuptools or distribute, we need to make sure there is a secure way to install those as well.
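As an added illustration of the "secure, validated SSL connection" requirement above (example code, not part of pip or this issue): a small fetcher that refuses any installer URL that is not HTTPS and only opens the connection with a context that requires a CA-validated certificate and a matching hostname. The `OfflineOpener` class is a constructed stand-in for `urlopen` so the example runs without network access; `example.invalid` is a placeholder host, not the real get-pip.py location.

```python
import ssl
from urllib.parse import urlparse
from urllib.request import urlopen

def validated_tls_context() -> ssl.SSLContext:
    """Context that requires a CA-validated certificate and a matching hostname."""
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.check_hostname = True           # set explicitly so a later edit cannot weaken it
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def check_installer_url(url: str) -> str:
    """Return the host of an HTTPS URL; raise ValueError for any other scheme."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS scheme {parts.scheme!r}: {url}")
    if not parts.hostname:
        raise ValueError(f"missing host: {url}")
    return parts.hostname

def fetch_installer(url: str, opener=urlopen) -> bytes:
    """Download an installer script only over a certificate-validated TLS connection."""
    check_installer_url(url)  # plain http:// never reaches the network
    with opener(url, context=validated_tls_context()) as resp:
        return resp.read()

class OfflineOpener:
    """Constructed stand-in for urlopen so the example runs without network access."""
    def __init__(self, url, context=None):
        self.url, self.context = url, context
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def read(self) -> bytes:
        # Refuse to answer unless the caller passed a validating context.
        if self.context is None or self.context.verify_mode != ssl.CERT_REQUIRED:
            raise RuntimeError("opener called without certificate validation")
        return b"#!/usr/bin/env python\n# constructed get-pip.py stand-in\n"

def is_rejected(url: str) -> bool:
    """True when fetch_installer refuses the URL before opening any connection."""
    try:
        fetch_installer(url, opener=OfflineOpener)
    except ValueError:
        return True
    return False
```

Run against the real URL by calling `fetch_installer(url)` with the default `urlopen`; a certificate that fails validation then surfaces as an `ssl.SSLCertVerificationError` rather than a silently accepted download.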

@rasky referenced this issue Feb 10, 2013: Fix docs security #801 (Closed)

@pcarbonn

I have created issue 354 on distribute

@pcarbonn

I wish I knew how to submit a patch to GitHub from Eclipse, because fixing get-pip.py is easy:

  • install the latest pip version in a virtualenv
  • clone the git repository of pip, e.g. in /temp
  • run /temp/contrib/build-installer (a python script) in the virtualenv

The new get-pip.py will be in /temp/contrib.

@dstufft
Python Packaging Authority member

All methods of installing pip are now as secure as we can make them without adding more features like packaging signing which is outside of the scope of this ticket.

@dstufft dstufft closed this Jan 29, 2014