Comments (9)
@andy-maier I believe you can use this "temporary fix" (using the `PIP_TRUSTED_HOST` env variable) to bump pip and avoid this error
```yaml
- uses: actions/setup-python@v5
  with:
    python-version: 3.5
  env:
    PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
```
Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi
from setup-python.
Since the point of the action is to install various versions of Python, end-of-life or not, you need to apply this workaround for the affected versions within the action itself.
from setup-python.
I agree, but adding these environment variables effectively ignores any SSL error, including MITM certificate mismatches.
I feel like an `INSECURE_EOL_VERSION_OK: 1` (or similar) would be a better environment variable, explicitly acknowledging that EOL versions with security incompatibilities will be vulnerable to attacks, and that developers are okay with that (or have other security mitigations).
from setup-python.
I'm also able to reproduce this behavior in a self-hosted environment.
from setup-python.
Hello @andy-maier, Thank you for creating this issue and we will look into it :)
from setup-python.
The Python 3.4.4 Windows MSI installation is also affected and also responds to the `PIP_TRUSTED_HOST` work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:
--trusted-host <hostname>
Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.
(environment variable: PIP_TRUSTED_HOST)
Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.
from setup-python.
@joamag
Hello João. Thank you very much for this workaround!!
I can confirm that it works for us.
from setup-python.
Hello everyone 👋,
This issue seems to be related to the inability of older versions of Python and pip to verify the SSL certificate provided by PyPI servers, likely due to recent updates in PyPI's SSL setup.
Notably, Python 3.5 has reached its end of life and may not be able to verify the new certificate due to compatibility issues.
However, please note that this problem doesn't directly fall within the scope of the 'actions/setup-python' repository, as it's more related to Python's interaction with PyPI, not the setup process itself.
A potential solution could be to upgrade to a newer version of Python. If upgrading Python isn't feasible, please consider implementing the below workaround as suggested by @joamag.
```yaml
- uses: actions/setup-python@v5
  with:
    python-version: 3.5
  env:
    PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
```
If you have any concerns feel free to ping us. Thank you for your understanding and cooperation :)
from setup-python.
Thank you for your suggestions. Unfortunately, it's not feasible for us to incorporate the proposed changes directly into the setup-python action. For users operating with EOL Python versions, we kindly recommend implementing the proposed workaround within your respective workflows. For optimal security, please consider upgrading to a supported Python version.
@andy-maier 👋, as the issue appears to have been resolved with the suggested workaround, we are proceeding with closing the issue and appreciate your understanding and cooperation :)
Please feel free to reach out to us in case of any other concerns.
from setup-python.
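An added example, not part of the thread or of the setup-python project: a small Python audit that lists where a workflow file waives pip's HTTPS verification through `PIP_TRUSTED_HOST` or `--trusted-host`, so the exception discussed above stays visible and can be removed once the EOL version is dropped. The sample workflow and the function names are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the thread) showing the workaround in several forms.
SAMPLE_WORKFLOW = '''\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v5
        with:
          python-version: 3.5
        env:
          PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
      - run: pip install --trusted-host pypi.org requests
      - run: pip install --trusted-host=files.pythonhosted.org:443 six
      # PIP_TRUSTED_HOST: "commented.example"
      - run: pip install pytest
'''

# YAML env mapping (KEY: value) or shell assignment (KEY=value), optionally quoted.
ENV_RE = re.compile(
    r'\bPIP_TRUSTED_HOST\s*[:=]\s*(?P<q>["\']?)(?P<hosts>[^"\'\n#]*)(?P=q)')
# Command-line form: "--trusted-host host" or "--trusted-host=host".
FLAG_RE = re.compile(r'--trusted-host[=\s]+(?P<host>[^\s"\']+)')

def find_trusted_hosts(text):
    """Return (line_number, mechanism, [hosts]) for every place where pip is
    told to accept a host without valid HTTPS."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # whole-line YAML comments are not active configuration
        m = ENV_RE.search(line)
        if m:
            findings.append((lineno, 'PIP_TRUSTED_HOST', m.group('hosts').split()))
        hosts = FLAG_RE.findall(line)
        if hosts:
            findings.append((lineno, '--trusted-host', hosts))
    return findings

def hosts_without_verification(findings):
    """Distinct host names (port stripped) whose certificate errors are ignored."""
    return sorted({h.split(':')[0] for _, _, hosts in findings for h in hosts})

if __name__ == '__main__':
    for lineno, how, hosts in find_trusted_hosts(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {how} -> {", ".join(hosts)}')
```

Running it over every file under `.github/workflows/` in CI gives reviewers a list of the jobs that still install packages without certificate verification.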