Description
What's the problem this feature will solve?
When building old versions of Python (3.7, 3.8, 3.9) the bundled pip3 version does not have the correct bundled certificates to get packages or updates from PyPI.org.
If you search the web, the recommended solution is to acquire the Mozilla certificate bundle from a third party and pass it in as an argument to python3 -m pip install --upgrade --cert=path/to/cert.pem. This is bad security practice. More details here.
There are many people complaining about SSL, want to disable it, etc. This would all be a lot less painful if the pip documents simply provided a root store that could be downloaded and used.
I'm not a security guy, and I don't know what all is involved, but if we need a .pem file to upgrade old versions of pip... shouldn't that be provided by pypi or pip through their website?
Describe the solution you'd like
Embed instructions on how to obtain a cert for the --cert flag in the documentation here: Using a specific certificate store
Potentially add a link to this cert file in other locations.
This cert file would contain only the components needed to upgrade pip to its latest version. Subsequent use of pip could then use the cert information embedded in pip itself.
Alternative Solutions
The pip team could work with the python team to backport the pip certs into the older builds of python available through python.org.
Solutions that bypass TLS/SSL security should not be used for these reasons:
- Less secure
- These "workarounds" tend to get deprecated frequently
- These "workarounds" will be rejected by sharp security teams
Additional context
- https://groups.google.com/g/mozilla.dev.security.policy/c/FYIBEF_AVMI?pli=1
- https://blog.mozilla.org/security/2021/05/10/beware-of-applications-misusing-root-stores/
- https://www.ccadb.org/resources
- https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi
- http://curl.haxx.se/ca/cacert.pem
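The procedure the issue describes (obtain a root store, hand it to pip's --cert flag once, then rely on the upgraded pip's own vendored store) written out as a script. This is an added example, not code from the issue author or from the pip project. It assumes that curl.se, the current home of the cacert.pem URL listed above, publishes a cacert.pem.sha256 file next to the bundle in the "<sha256>  cacert.pem" format that sha256sum -c reads; verify_checksum only reads the first field, so any file whose first token is the hex digest works. The checksum file comes from the same host as the bundle, so it only catches a truncated or corrupted download; what actually authenticates the bundle is the TLS connection curl makes using the operating system's trust store, which is exactly the store the stale pip-vendored certifi lacks.

```bash
#!/usr/bin/env bash
# Added example (not from the pip issue or the pip project): fetch a CA bundle
# for pip's --cert flag, verify its published checksum, and use it only for
# the one-time pip self-upgrade. Assumes curl.se serves cacert.pem.sha256
# (first field = hex SHA-256 of cacert.pem) beside cacert.pem.
set -eu

BUNDLE_URL="https://curl.se/ca/cacert.pem"   # current location of the URL cited in the issue
WORKDIR="${WORKDIR:-$(mktemp -d)}"

sha256_tool() {
    # Portable SHA-256: GNU coreutils on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

verify_checksum() {
    # verify_checksum <bundle> <checksum-file>
    # Returns 0 only if the bundle's SHA-256 equals the first field of the
    # checksum file (case-insensitive); an empty checksum file fails closed.
    local bundle="$1" sums="$2" expected actual
    expected=$(awk 'NR==1 {print tolower($1)}' "$sums")
    actual=$(sha256_tool "$bundle" | awk '{print tolower($1)}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

count_certs() {
    # Sanity check before trusting the file: number of PEM certificates in it.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

fetch_bundle() {
    # Download bundle and checksum over TLS. curl uses the OS trust store,
    # so pip's stale vendored store plays no part in this step.
    curl --fail --silent --show-error --location \
        --output "$WORKDIR/cacert.pem" "$BUNDLE_URL"
    curl --fail --silent --show-error --location \
        --output "$WORKDIR/cacert.pem.sha256" "$BUNDLE_URL.sha256"
    if ! verify_checksum "$WORKDIR/cacert.pem" "$WORKDIR/cacert.pem.sha256"; then
        echo "checksum mismatch, refusing to use bundle" >&2
        return 1
    fi
    echo "bundle OK: $(count_certs "$WORKDIR/cacert.pem") certificates"
}

upgrade_pip_with_bundle() {
    # The verified bundle is used for the self-upgrade only. The new pip
    # ships its own vendored certifi store, so later runs need no --cert
    # and nothing in pip.conf or PIP_CERT has to be left behind.
    python3 -m pip install --upgrade --cert "$WORKDIR/cacert.pem" pip
    # Prove the upgraded pip verifies PyPI with its own store: no --cert here.
    python3 -m pip download --no-deps --dest "$WORKDIR" pip
}

# Run the full bootstrap only when asked, so the file can also be sourced.
if [ "${RUN_BOOTSTRAP:-0}" = "1" ]; then
    fetch_bundle && upgrade_pip_with_bundle
fi
```

Run it as RUN_BOOTSTRAP=1 bash bootstrap-pip.sh on the affected interpreter; if the final pip download succeeds without --cert, the stale-store problem is gone and the downloaded bundle can be deleted. If verify_checksum fails, do not fall back to --trusted-host or to disabling verification; a bundle that does not match its published digest is exactly the case the issue says should not be worked around.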