> On Apr 6, 2018, at 11:25 AM, Matthew Brett <matthew.br...@gmail.com> wrote:
> 
> 
> As of 8th April, pip will break, largely in silence.  As used with
> default command line options, pip will stop seeing anything on pypi.
> It will tell the user that it can't find packages that do exist on
> pypi, that users are up to date for packages that have later
> versions on pypi - including pip.  There are no messages to warn the
> user what has happened or how to fix it.  It is easy to think you've
> upgraded to the latest version, when you have not.
> 

This isn’t quite accurate:

This is not a blanket issue for anyone on macOS < 10.13. It *only* affects 
people using a Python that links against the ancient OpenSSL provided by Apple, 
of which the #1 cause is System Python on macOS < 10.13, however it is also the 
2.7 Python.org macOS installer on any version of Python. 
All other forms of getting Python, to my knowledge, link against a newer 
version of OpenSSL (or against LibreSSL in System Python on macOS 10.13). [1]

This affects a small percentage of users. Of the downloads from PyPI in the 
last 7 days that originated from a macOS system, 6% of them would have failed 
and 94% of them would have succeeded.

Once we are at 100% unavailability, we can ask our CDN to disable TLSv1.0 and 
TLSv1.1 completely, which will raise an OpenSSL error message instead of an HTTP 
error message. That will look like (ignore the index-url; I used that because it 
already has TLSv1.0/1.1 disabled completely):

    $ /usr/local/bin/python2.7 -m pip install --index-url https://files.pythonhosted.org/ --upgrade pip
    Could not fetch URL https://files.pythonhosted.org/pip/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:661) - skipping
    Requirement already up-to-date: pip in /Library/Frameworks/Python.framework/Versions/2.7.14_10_6/lib/python2.7/site-packages
    You are using pip version 9.0.1, however version 9.0.3 is available.
    You should consider upgrading via the 'pip install --upgrade pip' command.


Finally, even if the above weren’t true, there really isn’t much we can do 
either way. We can’t go back in time and change the already released version of 
pip, and we only have so many ways that PyPI can signal an error to pip: one is 
using an HTTP status code (what the brownouts do now) and one is rejecting the 
connection with a TLS error (what the above snippet does). Beyond that, any 
improvements require getting users to upgrade their version of pip, and if we 
can get them to upgrade for a better error message, presumably we can get them 
to upgrade for the SecureTransport fallback in 9.0.3+.


[1] You can see more information about which Python.org 
macOS installers are affected here: 
https://github.com/pypa/warehouse/issues/3293#issuecomment-378468534

- Donald
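The thread's root cause is an interpreter linked against an OpenSSL too old to speak TLS 1.2 (Apple's 0.9.8), and the proposed server-side mitigation is a CDN that refuses TLS 1.0/1.1 outright. The script below is an added example, not code from the thread or from pip/PyPI. It checks which OpenSSL the running interpreter is linked against and whether that build can negotiate TLS 1.2 (OpenSSL gained TLS 1.2 in 1.0.1, so that is the threshold used here), and it builds the kind of TLS-1.2-only server context the CDN side describes. The function names and the version tuples fed to them in the usage call are constructed for illustration; `ssl.HAS_TLSv1_2` and `ssl.TLSVersion` are assumed to be available (Python 3.7+), with a version-number fallback for older interpreters.

```python
"""Diagnose whether this interpreter's OpenSSL can still reach a TLS-1.2-only
index such as PyPI (added example; not part of the original mailing-list post)."""
import ssl
import sys

# OpenSSL 1.0.1 was the first release with TLS 1.2 support.
_FIRST_TLS12_OPENSSL = (1, 0, 1)


def openssl_supports_tls12(version_info=None):
    """Return True if an OpenSSL version tuple (major, minor, fix, patch, status)
    is at least 1.0.1. Defaults to the OpenSSL this interpreter is linked against."""
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    return tuple(version_info[:3]) >= _FIRST_TLS12_OPENSSL


def diagnose(version_info=None, version_string=None):
    """Classify an interpreter as 'ok' or 'affected' for a TLS-1.2-only index.

    With no arguments it inspects the running interpreter; passing a constructed
    version tuple lets the classification logic be exercised offline."""
    if version_info is None:
        version_info = ssl.OPENSSL_VERSION_INFO
    if version_string is None:
        version_string = ssl.OPENSSL_VERSION
    # Python 3.7+ exposes a compile-time flag; older builds fall back to the
    # version threshold (assumption: the flag is absent rather than wrong).
    has_flag = getattr(ssl, "HAS_TLSv1_2", None)
    supported = openssl_supports_tls12(version_info)
    if has_flag is not None:
        supported = supported and has_flag
    return {
        "openssl": version_string,
        "tls12": bool(supported),
        "status": "ok" if supported else "affected",
        "hint": None if supported else
            "This Python links against an OpenSSL without TLS 1.2; "
            "use a newer Python build or a pip with the SecureTransport fallback.",
    }


def tls12_only_server_context(certfile, keyfile):
    """Build a server-side context that rejects TLS 1.0/1.1 handshakes, the
    setting the thread proposes for the CDN. Old clients then receive a
    protocol_version alert instead of an HTTP error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # Constructed sample: the version tuple of Apple's OpenSSL 0.9.8 on old macOS.
    apple_098 = (0, 9, 8, 26, 15)
    print("constructed 0.9.8 build ->", diagnose(apple_098, "OpenSSL 0.9.8zh")["status"])
    report = diagnose()
    print("this interpreter (%s) -> %s: %s" % (sys.version.split()[0], report["status"], report["openssl"]))
    if report["hint"]:
        print(report["hint"])
```

Run it with the interpreter you are unsure about (for example `/usr/local/bin/python2.7`-style paths on the affected installers, adjusting for the Python 3 features assumed here); an "affected" result means that interpreter's pip will see the failures described above, and the fix is a newer Python build or a pip release with the SecureTransport fallback, not a configuration change on the client.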
