
More than 5 years have passed since last update.

@kei-sato

pip install still gives me InsecurePlatformWarning, but I hadn't dealt with it because it all seemed like too much trouble

pip install -> InsecurePlatformWarning

$ python -V
Python 2.7.1
$ pip -V
pip 8.1.1 from /Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages (python 2.7)
$ pip install everytime-warning
…
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/Users/foo/.anyenv/envs/pyenv/versions/2.7.1/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
…

Why is it complaining?

https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning

Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present a TLS certificate that is not valid for the website you’re trying to access.

Roughly: "With versions earlier than 2.7.9, you may end up accessing a site whose certificate is not correct."

What happens when the certificate is not correct?

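In the worst case, the following might happen:

  1. You run pip install on a package, assuming it is safe because it is well known (numpy, for example)
  2. The destination is swapped out, and you download a malicious package
  3. The certificate is not verified correctly, and you end up installing it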

pyenv install

When I tried a plain pyenv install 2.7.9, it complained:

ERROR: The Python ssl extension was not compiled. Missing the OpenSSL lib?

Upgrade anyenv

(cd ~/.anyenv && git pull)
exec $SHELL -l
anyenv install pyenv
exec $SHELL -l
pyenv install 2.7.9
pyenv global 2.7.9
pip install secure-and-silent

And all is well.
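To confirm that the rebuilt interpreter no longer has the conditions behind these warnings, the check below can be run with it. It is an added example, not code from the original post or from pip or urllib3; the names `load_ssl` and `tls_findings` are made up for illustration, and it assumes the warnings correspond to a missing `ssl.SSLContext` and a missing or false `ssl.HAS_SNI`, as their messages state.

```python
from __future__ import print_function

import sys


def load_ssl():
    """Return the ssl module, or None if Python was built without OpenSSL."""
    try:
        import ssl
    except ImportError:
        return None
    return ssl


def tls_findings(ssl_mod, version_info):
    """Return a list of TLS problems for an ssl module and a version tuple."""
    if ssl_mod is None:
        # The state behind pyenv's "ssl extension was not compiled" error.
        return ["ssl extension missing: no HTTPS at all"]
    findings = []
    if not hasattr(ssl_mod, "SSLContext"):
        findings.append("no ssl.SSLContext (InsecurePlatformWarning)")
    if not getattr(ssl_mod, "HAS_SNI", False):
        findings.append("no SNI support (SNIMissingWarning)")
    if tuple(version_info[:3]) < (2, 7, 9):
        findings.append("Python older than 2.7.9")
    return findings


def main():
    ssl_mod = load_ssl()
    print("python :", sys.version.split()[0])
    print("openssl:", getattr(ssl_mod, "OPENSSL_VERSION", "n/a"))
    findings = tls_findings(ssl_mod, sys.version_info)
    for finding in findings:
        print("PROBLEM:", finding)
    if not findings:
        print("OK: SSLContext and SNI are available")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the same interpreter that pip uses (for example after `pyenv global 2.7.9`); the exit status is non-zero if any problem is found.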
