pip: PIP under Debian wheezy don't work with "HTTP Error 403: SSL is required"
- Pip version: 1.1-3
- Python version: 2.7.3-4+deb7u1
- Operating system: Debian Wheezy
Description:
Tried with clean wheezy env (cmd down). Any pip command now fails. 😦
Is there any known workaround?
What I’ve run:
pip install --upgrade pip
Cannot fetch index base URL http://pypi.python.org/simple/
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages
No distributions at all found for pip in /usr/lib/python2.7/dist-packages
Storing complete log in /root/.pip/pip.log
pip.log:
/usr/bin/pip run on Fri Oct 27 07:28:51 2017
Getting page http://pypi.python.org/simple/pip
Could not fetch URL http://pypi.python.org/simple/pip: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip when looking for download links for pip in /usr/lib/python2.7/dist-packages
Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Cannot fetch index base URL http://pypi.python.org/simple/
URLs to search for versions for pip in /usr/lib/python2.7/dist-packages:
* http://pypi.python.org/simple/pip/
Getting page http://pypi.python.org/simple/pip/
Could not fetch URL http://pypi.python.org/simple/pip/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages
No distributions at all found for pip in /usr/lib/python2.7/dist-packages
Exception information:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 104, in main
status = self.run(options, args)
File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 245, in run
requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
File "/usr/lib/python2.7/dist-packages/pip/req.py", line 920, in prepare_files
req_to_install, self.upgrade)
File "/usr/lib/python2.7/dist-packages/pip/index.py", line 157, in find_requirement
raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for pip in /usr/lib/python2.7/dist-packages
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 15 (5 by maintainers)
Commits related to this issue
- travis-ci: Fix pip failure for older python versions The older python versions only ship with an old version of pip. Since some days SSL is required for downloading from pypi. We have to specify this... — committed to AlexanderS/bcfg2 by AlexanderS 7 years ago
- Support Ansible 2.4.1, Juyter 4.4.0 on Debian 7 — committed to chusiang/ansible-jupyter.dockerfile by chusiang 7 years ago
- python3-jsonschema: enable SSL support Fix is taken from https://github.com/solettaproject/meta-soletta with commit-id bc7c4c09c80ec3da41cab38badfe2e1ef0ae6669. SRC_URI now defaults to use SSL as th... — committed to intel/iotg-yocto-bsp-public by chongyic 7 years ago
- python3-jsonschema: enable SSL support Fix is taken from https://github.com/solettaproject/meta-soletta with commit-id bc7c4c09c80ec3da41cab38badfe2e1ef0ae6669. SRC_URI now defaults to use SSL as th... — committed to intel/iotg-yocto-bsp-public by chongyic 7 years ago
To be clear here, the security implication is that anyone in a position to MITM your connection to PyPI can execute arbitrary Python code on the machine that you’re running
pip install ...on. Obviously this is incredibly dangerous because it means that anyone with a privileged position on the network effectively has root on all of your machine, which is pretty much one of the worst case scenarios security wise.You can work around this by simply updating pip to use the HTTPS URL, such as
pip install -i https://pypi.python.org/simple/ ...but I recommend against only doing that, because unless you’re using a version of pip >= 1.3, then even using HTTPS won’t protect you from the above attack because it doesn’t properly validate the HTTPS connection. It is a shame that Debian never provided a security update topython-pipin their repositories, but since they did not, your best options are going to be to find a way to get an updated version of pip and use that instead.I’m going to go ahead and close this, since there’s nothing actionable here for us to do.
Sorry for bothering you.
Got it.
pip install -v ansible -i https://pypi.python.org/simple/Or pip.conf