-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pip 7.0.1: you should use "--trusted-host". Hey, no such option "--trusted-host"! #2822
Comments
Just wanted to note that the change to no longer allow insecure transport with no option to whitelist a host causes quite large amount of suffering on our side. We have lots of internal libraries that are hosted on an internal pypi server (I guess it's "external" in pip-talk). Issuing a certificate won't help us, since sometimes it's resolved using client1.pip.mycompany.com and issuing certificates on the fly would be a huge pain. Whitelisting all libraries with something like the following would also be inconvenient:
A better solution at this stage would be just to downgrade all our pip usage to <7.0. Unfortunately, it's hard to do as well, since verses like this are used all across the place:
|
I believe |
@smira, using a command line is not an option for us, as we run chef recipes that may not even support it. Moreover, I can't see what problem would it create if the |
I think it's fine for pip to add it to |
We also would like to have the trusted host live in the requirements.txt file. The error message says we need to add it but when we do it throws an error saying the option "--trusted-host" doesn't exist. |
We have bought a wildcard certificate for our site, and it seems that the root CA certificate is not trusted by urllib3 by default. So actually, even with a wildcard certificate in place, we still need to revert to using |
Using puppet here, simply write your pip.conf into the venv. |
+1 for adding |
@dstufft Isn't this just an inconsistency in pip? My understanding is that if you can place the option on the commandline you can place it in the requirements.txt file. |
Not every command line option is available in the |
+1 for |
+1 for |
+1 for --trusted-host ... it's a job stopping for me. |
What I discovered today is part of the issue may be that "which pip" and "whereis pip" report that I'm using /usr/bin/pip (which on Ubuntu 14.04 is 1.5.4 which does NOT have --trusted-host) and the upgraded pip that I deployed ended up in /usr/local/bin/pip (which is 7.1.0 and does support it just fine). |
this should be feasible. |
+1 for --trusted-host it bothers a lot typing '--trusted-host foo' all the time |
This is critical for us as well, since we use Cloudify (Similar to the Chef problem). We cannot write a conf and cannot control the pip command. |
@tommyjcarpenter |
@xavfernandez Thanks! However, pip8 unfortunately does not ship with any standard python, which again creates problems for chef/cloudify envs: http://stackoverflow.com/questions/35295599/python2-which-python-comes-with-pip8 |
Could this help?
|
@tommyjcarpenter I mean, there's not a whole lot we can do about that... We can't go back in time and add the feature to an already released version of pip so your only real options are upgrade pip or wait until Python comes with it. |
https://pip.pypa.io/en/stable/reference/pip_install/#requirements-file-format you should probably update (add --trusted-host to the list of options allowed in a requirements file) the docs regarding this particular issue |
I know that i can run
pip install -r file.txt --trusted-host=mycompany.com
but I configure my servers with Chef, not running pip directly.The text was updated successfully, but these errors were encountered: