
Documentation Update: Specify where to get a .PEM file for `--cert` option

Open hardingprofessional opened this issue 3 years ago • 10 comments

What's the problem this feature will solve?

When building old versions of Python (3.7, 3.8, 3.9) the bundled pip3 version does not have the correct bundled certificates to get packages or updates from PyPI.org.

If you search the web, the recommended solution is to acquire the Mozilla certificate bundle from a third party and pass it in as an argument to `python3 -m pip install --upgrade --cert=path/to/cert.pem`. This is bad security practice. More details here.

There are many people complaining about SSL, want to disable it, etc. This would all be a lot less painful if the pip documents simply provided a root store that could be downloaded and used.

I'm not a security guy, and I don't know what all is involved, but if we need a .pem file to upgrade old versions of pip... shouldn't that be provided by pypi or pip through their website?

Describe the solution you'd like

Embed instructions on how to obtain a cert for the --cert flag in the documentation here: Using a specific certificate store

Potentially add a link to this cert file in other locations.

This cert file would contain only the components needed to upgrade pip to its latest version. Subsequent use of pip could then use the cert information embedded in pip itself.

Alternative Solutions

The pip team could work with the python team to backport the pip certs into the older builds of python available through python.org.

Solutions that bypass TLS/SSL security should not be used for these reasons:

  • Less secure
  • These "workarounds" tend to get deprecated frequently
  • These "workarounds" will be rejected by sharp security teams

Additional context

  • https://groups.google.com/g/mozilla.dev.security.policy/c/FYIBEF_AVMI?pli=1
  • https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/
  • https://www.ccadb.org/resources
  • https://groups.google.com/g/mozilla.dev.security.policy/c/FYIBEF_AVMI?pli=1
  • https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi
  • http://curl.haxx.se/ca/cacert.pem


hardingprofessional avatar Nov 04 '22 01:11 hardingprofessional
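Whatever bundle someone ends up pointing `--cert` at, the sensible minimum before using it is to confirm it is the file they think it is (hash it against a checksum published by the bundle's source) and that it actually parses as a set of CA certificates rather than a web page or a truncated download. The script below is an added example for this thread, not code from pip or from the issue author; it uses only the standard library, so it runs on the same old interpreters the issue is about. The `expected_sha256` value is an assumption to be supplied by the user from the bundle publisher's checksum file, and the sample bundle inside the script is deliberately constructed junk to show how a bad file is reported.

```python
"""Sanity-check a PEM CA bundle before handing it to `pip --cert`."""
import base64
import hashlib
import ssl
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so large bundles are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_bundle(path, expected_sha256=None):
    """Return a report dict for the bundle at `path`.

    Keys: sha256, sha256_matches (None if no expectation given), pem_blocks,
    loaded (True only if OpenSSL accepted the file as CA certificates),
    certificates [(name, notAfter date)], expired [names], error (str or None).
    """
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    report = {
        "sha256": sha256_of(path),
        "sha256_matches": None,
        "pem_blocks": text.count(PEM_HEADER),
        "loaded": False,
        "certificates": [],
        "expired": [],
        "error": None,
    }
    if expected_sha256 is not None:
        # Compare case-insensitively; checksum files differ in letter case.
        report["sha256_matches"] = report["sha256"] == expected_sha256.strip().lower()

    # A bare client context does NOT pre-load the OS trust store, so
    # get_ca_certs() below lists only what came from this file.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(path))
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        report["error"] = str(exc)
        return report

    report["loaded"] = True
    now = datetime.now(timezone.utc)
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (key, value) pairs
        subject = dict(rdn[0] for rdn in cert.get("subject", ()))
        name = subject.get("commonName") or subject.get("organizationName") or "<unknown>"
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
        )
        report["certificates"].append((name, expires.date().isoformat()))
        if expires < now:
            report["expired"].append(name)
    return report


# Constructed sample: valid PEM armor around bytes that are not a certificate,
# i.e. the kind of file you get from a bad copy-paste or an HTML error page.
FAKE_BUNDLE = (
    PEM_HEADER + "\n"
    + base64.b64encode(b"this is not a certificate" * 4).decode("ascii") + "\n"
    + "-----END CERTIFICATE-----\n"
)


def demo_on_constructed_bundle():
    """Write FAKE_BUNDLE to a temp file and inspect it with a matching hash."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as handle:
        handle.write(FAKE_BUNDLE)
        tmp_path = handle.name
    try:
        return inspect_bundle(tmp_path, expected_sha256=sha256_of(tmp_path))
    finally:
        Path(tmp_path).unlink()


if __name__ == "__main__":
    # Usage: python check_bundle.py /path/to/cacert.pem [expected_sha256]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    result = demo_on_constructed_bundle() if target is None else inspect_bundle(target, expected)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A bundle only passes if `sha256_matches` is True (when a checksum was supplied), `loaded` is True and `expired` is empty; anything else means the file should not be handed to `--cert`. Note that `loaded` only proves the file is well-formed X.509, not that the roots in it are trustworthy, which is exactly why the checksum from the publisher is the part that matters.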

> The pip team could work with the python team to backport the pip certs into the older builds of python available through python.org.

I don’t think we’ll go very far with that, the maintenance overhead for the Python team would be simply too large.

uranusjr avatar Nov 04 '22 07:11 uranusjr

I'm also uncomfortable with the idea of the pip team being responsible for distributing security certificates (or even directing people to specific ones). We don't have the security expertise or bandwidth for that.

pfmoore avatar Nov 04 '22 09:11 pfmoore

> > The pip team could work with the python team to backport the pip certs into the older builds of python available through python.org.
>
> I don't think we'll go very far with that, the maintenance overhead for the Python team would be simply too large.

Is there a good way to source build pip and merge it into the python build tree?

I'm imagining something like this:

  1. Get source for python, configure, make, make install
  2. Get source for pip, configure, make, make install
  3. If (2) doesn't merge into python, then `sudo rsync path1 path2` to override the old pip with the new one.

hardingprofessional avatar Nov 04 '22 10:11 hardingprofessional

Python <=3.9 are in security fix only mode, so newer releases of pip aren't included, but you could probably find the PRs to upgrade the bundled pip for later Python versions and backport them into your older Python source tree. That's likely to be the most practical solution.

pfmoore avatar Nov 04 '22 11:11 pfmoore

OK, that solution works for me I guess. I find it a bit concerning that people are using random cert bundles from around the web, but if that's not something you want to support then bypassing TLS/SSL is probably the next best option for people.

hardingprofessional avatar Nov 04 '22 22:11 hardingprofessional

> I find it a bit concerning that people are using random cert bundles from around the web

I do too, but there's not much we can do about it if people won't get certs from a reputable source...

> bypassing TLS/SSL is probably the next best option for people

That's absolutely not a good option.

Apart from the fact that bad advice seems endemic on the internet, along with people willing to follow it, why isn't "get a trusted cert bundle and use it via --cert" the correct option for people hitting this issue?

pfmoore avatar Nov 04 '22 22:11 pfmoore

The simple answer to this is "reputable certs are hard to find and harder for laymen to identify." That's why I made this ticket.

hardingprofessional avatar Nov 04 '22 22:11 hardingprofessional

Fair enough. But in this context, the pip maintainers probably count as laymen, too, so you shouldn't trust us to find reputable certs for people 🙂

pfmoore avatar Nov 04 '22 22:11 pfmoore

Should I try to work on this?

Kaushik-Iyer avatar Jan 04 '23 13:01 Kaushik-Iyer

Sure, feel free.

uranusjr avatar Jan 04 '23 16:01 uranusjr