[tor-commits] [oonib/master] Update the pip recommendations
commit af27fb6f11731f4124813a9bce8953a9e886f3f5
Author: Donald Stufft <donald@xxxxxxxxx>
Date: Thu Jul 16 15:03:25 2015 -0400
Update the pip recommendations
* Recommend at least pip 7 because versions since 1.3 have changed
the defaults to better protect end users during install.
* Use the new official location for the bootstrap script.
---
README.rst | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.rst b/README.rst
index 7cf6fa4..5d7fb58 100644
--- a/README.rst
+++ b/README.rst
@@ -47,22 +47,24 @@ you'll want to make sure to get our keyring package in Debian::
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring tor tor-geoipdb
-Pip (>=1.3.0)
+Pip (>=7.0.0)
.............
-We recommend using the Pip>=1.3.0 because it included several important
+We recommend using the Pip>=7.0.0 because it included several important
security and privacy related patches:
* It forces the use of HTTPS for [PyPI](pypi.python.org).
* and checks package hash sums before installation, with support for hashes
more collision-resistant than MD5.
+ * It does not fetch insecure metadata from external sourced by default.
+ * It does not support an insecure index without explicit opt in.
The least painful way (that we know of) to install a newer Pip is to use Pip's
get-pip script::
# Grab the get-pip installer to make sure we have pip>=1.3.0
- curl -O https://raw.github.com/pypa/pip/master/contrib/get-pip.py
- sudo python ./get-pip.py ## pip (>=1.3.0) is recommended for security reasons
+ curl -O https://bootstrap.pypa.io/get-pip.py
+ sudo python ./get-pip.py ## pip (>=7.0.0) is recommended for security reasons
# And make sure we're actually using the newer one:
sudo update-alternatives --install /usr/bin/pip pip /usr/local/bin/pip 0
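Review bot: The unchanged comment above the curl line still reads "# Grab the get-pip installer to make sure we have pip>=1.3.0", which now contradicts the section heading and the trailing comment on the "sudo python ./get-pip.py" line that this patch bumps to 7.0.0; update that comment to pip>=7.0.0 in the same change so the README states a single minimum version. In the first added bullet, "external sourced" should read "external sources". The existing bullet that begins "* and checks package hash sums" is a sentence fragment next to the two new bullets that start with "It does not"; rewording it to "It checks package hash sums ..." would make the list consistent.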