Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
A couple updates: https://twitter.com/mikeymikey/status/989420449485344768 says > As a reminder to anyone out there that's dealing with the TLS 1.2 cutover on > python's pypi on macOS 10.12: You may still get stung by it if you end up > unfortunately needing to deal with setuptools / easy_install packages that > you can't get through pip. and publicizes and discusses > a "tlsssl-1.1.0.pkg" package you can install on 10.12 that will hotfix ssl to > support TLS 1.1/1.2 in most situations. And yesterday, Benjamin Peterson announced the release of Python 2.7.15: https://mail.python.org/pipermail/python-list/2018-May/732755.html > Users of the macOS binaries should note that all python.org macOS installers > now ship with a builtin copy of OpenSSL. Additionally, there is a new > additional installer variant for macOS 10.9+ that includes a built-in version > of Tcl/Tk 8.6. See the installer README for more information. (Will cross-post to PyPA-dev per https://groups.google.com/forum/#!topic/pypa-dev/Oz6SGA7gefo .) -- Sumana Harihareswara Changeset Consulting https://changeset.nyc ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
On Fri, Apr 6, 2018 at 6:25 AM Matthew Brett wrote: > Hi, > > On Mon, Apr 2, 2018 at 9:36 PM, Sumana Harihareswara > wrote: > > Mac users: > > > > If you are running macOS/OS X version 10.12 or older, you need to > > upgrade to the latest pip (9.0.3) to connect to the Python Package Index > > securely: > > > > curl https://bootstrap.pypa.io/get-pip.py | python > > > > Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < > > 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ > > I wanted to check with you, whether these changes are responsible for > pip breaking for me in a extremely confusing way. > > What I observed was that pip was silently failing to find any packages > on pypi, with no informative error. > > This was extremely confusing, because when I tried to do an upgrade, e.g.: > > $ pip install -U matplotlib > > it told me everything is up to date, when this isn't correct. There > is no other message to warn me what is going on. Can you paste the input / output that you saw or are seeing — what you are calling “breaking for me in a extremely confusing way”? On the GitHub issue thread in which this was discussed, the understanding is that people *would* see errors that would lead them in the right direction (e.g. SSL errors). What you’re saying seems to conflict with that. —Chris > > Of course I can't upgrade pip in the usual way, and I get told I am up > to date, when I am not. > > $ python -m pip install -U pip > Requirement already up-to-date: pip in > > /Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages > > I assume there was meant to be some more informative message about > what is happening? Even with such a message this is going to cause a > significant problem, but without it, it's going to cause total chaos. > > Cheers, > > Matthew > ___ > Pythonmac-SIG maillist - Pythonmac-SIG@python.org > https://mail.python.org/mailman/listinfo/pythonmac-sig > unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG > ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Hi, On Fri, Apr 6, 2018 at 7:02 PM, Sumana Harihareswara wrote: > Matthew, > > Thank you for your detailed explanations and thoughts here and in > https://groups.google.com/forum/m/#!topic/pypa-dev/Oz6SGA7gefo . > > I am not a Mac user and am fairly new to the Python packaging/distribution > world, so this may be naive and unrealistic verging on ridiculous, but: is > there anything we could ask Apple to do to help with this situation? > > Our upstream CDN (Fastly) is extremely unlikely to change their June 30th TLS > 1.0/1.1 removal date, which would (I imagine) affect a ton of people on older > Mac OS versions who do not even use PyPI. Sorry, I'm afraid I set off the discussion in the pypa thread you pointed to above. Reporting back here, for those not on the pypa-dev Google group - it looks like the TLS 1.0 shutdown is being driven by the Warehouse release, which I believe is planned for the 16th of April (Warehouse can't use TLS 1.0). In practice, there is no way of giving the users a better or more visible warning message than the message we are currently getting from using the -v flag. I'm arguing over in that thread, that it would be better to give up on the -v flag warning, and go straight to an SSL error (which has an uninformative message - see [1]), because the current situation, where pip silently fails to upgrade, including failing to upgrade itself, is more confusing than the SSL error. Do people agree / disagree? Cheers, Matthew [1] https://github.com/pypa/warehouse/issues/3293#issuecomment-378480462 ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
On Apr 6, 2018, at 14:02, Sumana Harihareswara wrote: > I am not a Mac user and am fairly new to the Python packaging/distribution > world, so this may be naive and unrealistic verging on ridiculous, but: is > there anything we could ask Apple to do to help with this situation? For the most part, the current problematic software is not shipped by Apple, other than the deprecated OpenSSL libraries, so I don't think there is realistically anything they could do to help. Here is my understanding of the situation regarding Pythons provided by python.org installers: https://github.com/pypa/warehouse/issues/3293#issuecomment-378468534 -- Ned Deily n...@python.org -- [] ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Matthew, Thank you for your detailed explanations and thoughts here and in https://groups.google.com/forum/m/#!topic/pypa-dev/Oz6SGA7gefo . I am not a Mac user and am fairly new to the Python packaging/distribution world, so this may be naive and unrealistic verging on ridiculous, but: is there anything we could ask Apple to do to help with this situation? Our upstream CDN (Fastly) is extremely unlikely to change their June 30th TLS 1.0/1.1 removal date, which would (I imagine) affect a ton of people on older Mac OS versions who do not even use PyPI. -- Sumana Harihareswara Changeset Consulting s...@changeset.nyc On Fri, Apr 6, 2018, at 1:45 PM, Matthew Brett wrote: > Hi, > > On Fri, Apr 6, 2018 at 6:06 PM, Chris Jerdonek > wrote: > > > > On Fri, Apr 6, 2018 at 6:25 AM Matthew Brett > > wrote: > >> > >> Hi, > >> > >> On Mon, Apr 2, 2018 at 9:36 PM, Sumana Harihareswara > >> wrote: > >> > Mac users: > >> > > >> > If you are running macOS/OS X version 10.12 or older, you need to > >> > upgrade to the latest pip (9.0.3) to connect to the Python Package Index > >> > securely: > >> > > >> > curl https://bootstrap.pypa.io/get-pip.py | python > >> > > >> > Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < > >> > 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ > >> > >> I wanted to check with you, whether these changes are responsible for > >> pip breaking for me in a extremely confusing way. > >> > >> What I observed was that pip was silently failing to find any packages > >> on pypi, with no informative error. > >> > >> This was extremely confusing, because when I tried to do an upgrade, e.g.: > >> > >> $ pip install -U matplotlib > >> > >> it told me everything is up to date, when this isn't correct. There > >> is no other message to warn me what is going on. > > > > > > Can you paste the input / output that you saw or are seeing — what you are > > calling “breaking for me in a extremely confusing way”? On the GitHub issue > > thread in which this was discussed, the understanding is that people *would* > > see errors that would lead them in the right direction (e.g. SSL errors). > > What you’re saying seems to conflict with that. > > During the current brownout period, with the default use of pip, you > get no error at all when you attempt to upgrade a package - it just > says you're up to date - this (below) is the full output: > > $ python -m pip install -U pip > Requirement already up-to-date: pip in > /Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages > You are using pip version 9.0.1, however version 9.0.3 is available. > You should consider upgrading via the 'pip install --upgrade pip' command. > > Of course, it's very easy to miss that you don't have the latest > version of the package in this case - everything looks like it worked > correctly. > > If you try and install a package, it just says it can't find it, but not why: > > $ pip3.5 install transforms3d > Collecting transforms3d > Could not find a version that satisfies the requirement transforms3d > (from versions: ) > No matching distribution found for transforms3d > You are using pip version 9.0.1, however version 9.0.3 is available. > You should consider upgrading via the 'pip install --upgrade pip' command. > > You do get an informative message if you use the -v flag, but I rarely > do that myself, and it's not the default. > > Just to give you an index of the problem, I got pretty confused myself > when I asked pip to upgrade a package, it said it was already up to > date, and I found I didn't have what I knew to be the right version, > and I'm a very experienced pip user, who is also on various mailing > lists where this was flagged. > > Cheers, > > Matthew ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Hi, On Fri, Apr 6, 2018 at 6:06 PM, Chris Jerdonek wrote: > > On Fri, Apr 6, 2018 at 6:25 AM Matthew Brett > wrote: >> >> Hi, >> >> On Mon, Apr 2, 2018 at 9:36 PM, Sumana Harihareswara >> wrote: >> > Mac users: >> > >> > If you are running macOS/OS X version 10.12 or older, you need to >> > upgrade to the latest pip (9.0.3) to connect to the Python Package Index >> > securely: >> > >> > curl https://bootstrap.pypa.io/get-pip.py | python >> > >> > Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < >> > 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ >> >> I wanted to check with you, whether these changes are responsible for >> pip breaking for me in a extremely confusing way. >> >> What I observed was that pip was silently failing to find any packages >> on pypi, with no informative error. >> >> This was extremely confusing, because when I tried to do an upgrade, e.g.: >> >> $ pip install -U matplotlib >> >> it told me everything is up to date, when this isn't correct. There >> is no other message to warn me what is going on. > > > Can you paste the input / output that you saw or are seeing — what you are > calling “breaking for me in a extremely confusing way”? On the GitHub issue > thread in which this was discussed, the understanding is that people *would* > see errors that would lead them in the right direction (e.g. SSL errors). > What you’re saying seems to conflict with that. During the current brownout period, with the default use of pip, you get no error at all when you attempt to upgrade a package - it just says you're up to date - this (below) is the full output: $ python -m pip install -U pip Requirement already up-to-date: pip in /Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages You are using pip version 9.0.1, however version 9.0.3 is available. You should consider upgrading via the 'pip install --upgrade pip' command. Of course, it's very easy to miss that you don't have the latest version of the package in this case - everything looks like it worked correctly. If you try and install a package, it just says it can't find it, but not why: $ pip3.5 install transforms3d Collecting transforms3d Could not find a version that satisfies the requirement transforms3d (from versions: ) No matching distribution found for transforms3d You are using pip version 9.0.1, however version 9.0.3 is available. You should consider upgrading via the 'pip install --upgrade pip' command. You do get an informative message if you use the -v flag, but I rarely do that myself, and it's not the default. Just to give you an index of the problem, I got pretty confused myself when I asked pip to upgrade a package, it said it was already up to date, and I found I didn't have what I knew to be the right version, and I'm a very experienced pip user, who is also on various mailing lists where this was flagged. Cheers, Matthew ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Sorry to be terse - I am attending to some family stuff for the next few days. Thanks for the report. You may be right - what happens when you use the -v option(s) to make the error message(s) show up? I think -vvv might do the trick. The folks in #pypa on Freenode IRC and in https://github.com/pypa/packaging-problems/issues/134 (I think) may be able to provide more advice and get a bigger announcement going. -- Sumana Harihareswara Changeset Consulting s...@changeset.nyc On Fri, Apr 6, 2018, at 9:24 AM, Matthew Brett wrote: > Hi, > > On Mon, Apr 2, 2018 at 9:36 PM, Sumana Harihareswara > wrote: > > Mac users: > > > > If you are running macOS/OS X version 10.12 or older, you need to > > upgrade to the latest pip (9.0.3) to connect to the Python Package Index > > securely: > > > > curl https://bootstrap.pypa.io/get-pip.py | python > > > > Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < > > 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ > > I wanted to check with you, whether these changes are responsible for > pip breaking for me in a extremely confusing way. > > What I observed was that pip was silently failing to find any packages > on pypi, with no informative error. > > This was extremely confusing, because when I tried to do an upgrade, e.g.: > > $ pip install -U matplotlib > > it told me everything is up to date, when this isn't correct. There > is no other message to warn me what is going on. > > Of course I can't upgrade pip in the usual way, and I get told I am up > to date, when I am not. > > $ python -m pip install -U pip > Requirement already up-to-date: pip in > /Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages > > I assume there was meant to be some more informative message about > what is happening? Even with such a message this is going to cause a > significant problem, but without it, it's going to cause total chaos. > > Cheers, > > Matthew ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Hi, On Fri, Apr 6, 2018 at 2:32 PM, Sumana Harihareswara wrote: > Sorry to be terse - I am attending to some family stuff for the next few days. > > Thanks for the report. You may be right - what happens when you use the -v > option(s) to make the error message(s) show up? I think -vvv might do the > trick. Yes, the message does appear with -v > The folks in #pypa on Freenode IRC and in > https://github.com/pypa/packaging-problems/issues/134 (I think) may be able > to provide more advice and get a bigger announcement going. I doubt very much that any announcement is going to get the attention of more than a small proportion of the people affected by this. The problem is that, using pip's current defaults, pip goes from working correctly, to silently broken. I'll try seeing if I can subvert issue 134 for a discussion. Cheers, Matthew ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG
Re: [Pythonmac-SIG] Upgrade to pip 9.0.3 (due to TLS deprecation)
Hi, On Mon, Apr 2, 2018 at 9:36 PM, Sumana Harihareswara wrote: > Mac users: > > If you are running macOS/OS X version 10.12 or older, you need to > upgrade to the latest pip (9.0.3) to connect to the Python Package Index > securely: > > curl https://bootstrap.pypa.io/get-pip.py | python > > Pip 9.0.3 supports TLSv1.2 when running under system Python on macOS < > 10.13. Official release notes: https://pip.pypa.io/en/stable/news/ I wanted to check with you, whether these changes are responsible for pip breaking for me in a extremely confusing way. What I observed was that pip was silently failing to find any packages on pypi, with no informative error. This was extremely confusing, because when I tried to do an upgrade, e.g.: $ pip install -U matplotlib it told me everything is up to date, when this isn't correct. There is no other message to warn me what is going on. Of course I can't upgrade pip in the usual way, and I get told I am up to date, when I am not. $ python -m pip install -U pip Requirement already up-to-date: pip in /Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages I assume there was meant to be some more informative message about what is happening? Even with such a message this is going to cause a significant problem, but without it, it's going to cause total chaos. Cheers, Matthew ___ Pythonmac-SIG maillist - Pythonmac-SIG@python.org https://mail.python.org/mailman/listinfo/pythonmac-sig unsubscribe: https://mail.python.org/mailman/options/Pythonmac-SIG